berbew | f1ff416812afa3b0dfa538a5f3c0a50d7c8820887a6fc533fc59edd2127adbe4

Analysis

max time kernel
91s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1ff416812afa3b0dfa538a5f3c0a50d7c8820887a6fc533fc59edd2127adbe4.exe
Size

59KB
MD5

18d296a84326f9c0ba5d59c7281778c1
SHA1

0fa4680d9a843dba5cdecc8557e38e1c827a1dd4
SHA256

f1ff416812afa3b0dfa538a5f3c0a50d7c8820887a6fc533fc59edd2127adbe4
SHA512

1a6eb16598cc3ed967c9c2823361b226c66cf1fd94106e0f213a2fe438c7d2664706f253e3a32b30eaaa65c9783582f3d8e56fd7f8c09979e57e1533fcd79cf6
SSDEEP

1536:GmZVFkGR2rGD8m4siNQWGQ7Q2KDNCyVso:bIqD8vQ2reso

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgdkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcikejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Affikdfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdkdibjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjoppf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Babcil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdapehop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fggdpnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnmlhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcjdam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abfdpfaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amkhmoap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Objkmkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qamago32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbonoghb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epffbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjfgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddfbgelh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcnlnaom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflmnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbaclegm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bipecnkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpogkhnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojcpdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oihmedma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbkml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmcgcmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejojljqa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfjjpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afockelf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apjdikqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddnic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edihdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppgomnai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnmlhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qikbaaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbnnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biiobo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbhhieao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmfefni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apjdikqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccppmc32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4404	Ocgkan32.exe
1136	Objkmkjj.exe
1248	Ojqcnhkl.exe
3180	Oqklkbbi.exe
728	Ocihgnam.exe
3728	Oblhcj32.exe
3200	Ojcpdg32.exe
3616	Oqmhqapg.exe
4624	Obnehj32.exe
4120	Ofjqihnn.exe
2340	Oihmedma.exe
1388	Oqoefand.exe
4640	Obqanjdb.exe
4868	Oflmnh32.exe
4580	Oikjkc32.exe
220	Pqbala32.exe
512	Pcpnhl32.exe
980	Pjjfdfbb.exe
4072	Pimfpc32.exe
1680	Ppgomnai.exe
4224	Pcbkml32.exe
3176	Pfagighf.exe
2688	Piocecgj.exe
3756	Pmkofa32.exe
1704	Ppikbm32.exe
2028	Pbhgoh32.exe
2332	Pjoppf32.exe
4240	Pplhhm32.exe
4172	Pbjddh32.exe
2312	Pjaleemj.exe
4332	Pakdbp32.exe
1364	Pjcikejg.exe
3596	Pmbegqjk.exe
1936	Qamago32.exe
832	Qbonoghb.exe
3948	Qfjjpf32.exe
2188	Qmdblp32.exe
2824	Qpbnhl32.exe
1132	Qfmfefni.exe
976	Qikbaaml.exe
4620	Aabkbono.exe
652	Acqgojmb.exe
1604	Afockelf.exe
2712	Ajjokd32.exe
1756	Amikgpcc.exe
3160	Apggckbf.exe
3144	Abfdpfaj.exe
1644	Ajmladbl.exe
3324	Amkhmoap.exe
4612	Apjdikqd.exe
1840	Adepji32.exe
3372	Ajohfcpj.exe
2440	Aaiqcnhg.exe
4548	Affikdfn.exe
2968	Aidehpea.exe
3304	Adjjeieh.exe
5100	Ajdbac32.exe
2684	Bmbnnn32.exe
3268	Bpqjjjjl.exe
2892	Bfkbfd32.exe
1784	Biiobo32.exe
3116	Bpcgpihi.exe
3208	Bbaclegm.exe
3932	Bmggingc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pqbala32.exe	Oikjkc32.exe
File opened for modification	C:\Windows\SysWOW64\Pbhgoh32.exe	Ppikbm32.exe
File created	C:\Windows\SysWOW64\Gpkehj32.dll	Affikdfn.exe
File created	C:\Windows\SysWOW64\Dpopbepi.exe	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Fkcpql32.exe	Fggdpnkf.exe
File created	C:\Windows\SysWOW64\Gjaphgpl.exe	Ggccllai.exe
File created	C:\Windows\SysWOW64\Nneilmna.dll	Gnohnffc.exe
File opened for modification	C:\Windows\SysWOW64\Oqklkbbi.exe	Ojqcnhkl.exe
File opened for modification	C:\Windows\SysWOW64\Bbfmgd32.exe	Bmidnm32.exe
File created	C:\Windows\SysWOW64\Ofjqihnn.exe	Obnehj32.exe
File created	C:\Windows\SysWOW64\Cdaile32.exe	Cmgqpkip.exe
File created	C:\Windows\SysWOW64\Kdfepi32.dll	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Pjoppf32.exe	Pbhgoh32.exe
File created	C:\Windows\SysWOW64\Apjdikqd.exe	Amkhmoap.exe
File created	C:\Windows\SysWOW64\Gkbilm32.dll	Cienon32.exe
File created	C:\Windows\SysWOW64\Jnblgj32.dll	Cancekeo.exe
File created	C:\Windows\SysWOW64\Dphiaffa.exe	Dinael32.exe
File opened for modification	C:\Windows\SysWOW64\Eafbmgad.exe	Ejojljqa.exe
File opened for modification	C:\Windows\SysWOW64\Pjaleemj.exe	Pbjddh32.exe
File created	C:\Windows\SysWOW64\Mgmqkimh.dll	Bpqjjjjl.exe
File opened for modification	C:\Windows\SysWOW64\Ckdkhq32.exe	Ccmcgcmp.exe
File created	C:\Windows\SysWOW64\Aldjigql.dll	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Faagecfk.dll	Ccblbb32.exe
File created	C:\Windows\SysWOW64\Nmlpen32.dll	Dgihop32.exe
File created	C:\Windows\SysWOW64\Jfqqddpi.dll	Fqbeoc32.exe
File created	C:\Windows\SysWOW64\Ojimfh32.dll	Enopghee.exe
File created	C:\Windows\SysWOW64\Pqgpcnpb.dll	Fqikob32.exe
File opened for modification	C:\Windows\SysWOW64\Pakdbp32.exe	Pjaleemj.exe
File opened for modification	C:\Windows\SysWOW64\Epdime32.exe	Eaaiahei.exe
File opened for modification	C:\Windows\SysWOW64\Ejojljqa.exe	Egpnooan.exe
File created	C:\Windows\SysWOW64\Enopghee.exe	Ejccgi32.exe
File opened for modification	C:\Windows\SysWOW64\Gcjdam32.exe	Gdgdeppb.exe
File created	C:\Windows\SysWOW64\Cienon32.exe	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Kojkgebl.dll	Eddnic32.exe
File opened for modification	C:\Windows\SysWOW64\Pfagighf.exe	Pcbkml32.exe
File opened for modification	C:\Windows\SysWOW64\Cpogkhnl.exe	Cienon32.exe
File opened for modification	C:\Windows\SysWOW64\Fdbkja32.exe	Fbdnne32.exe
File created	C:\Windows\SysWOW64\Jdnoeb32.dll	Acqgojmb.exe
File created	C:\Windows\SysWOW64\Eknphfld.dll	Bfkbfd32.exe
File opened for modification	C:\Windows\SysWOW64\Ddcebe32.exe	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Dnqcfjae.exe	Djegekil.exe
File opened for modification	C:\Windows\SysWOW64\Djegekil.exe	Dggkipii.exe
File created	C:\Windows\SysWOW64\Odanidih.dll	Fggdpnkf.exe
File created	C:\Windows\SysWOW64\Lgidjfjk.dll	Qfjjpf32.exe
File created	C:\Windows\SysWOW64\Dkpjdo32.exe	Dgdncplk.exe
File created	C:\Windows\SysWOW64\Kkcghg32.dll	Eahobg32.exe
File created	C:\Windows\SysWOW64\Fiplni32.dll	Ccppmc32.exe
File opened for modification	C:\Windows\SysWOW64\Fcpakn32.exe	Fqbeoc32.exe
File opened for modification	C:\Windows\SysWOW64\Ggccllai.exe	Gcghkm32.exe
File created	C:\Windows\SysWOW64\Leeigm32.dll	Qfmfefni.exe
File opened for modification	C:\Windows\SysWOW64\Ecbeip32.exe	Epdime32.exe
File created	C:\Windows\SysWOW64\Gclafmej.exe	Gqnejaff.exe
File opened for modification	C:\Windows\SysWOW64\Ocihgnam.exe	Oqklkbbi.exe
File opened for modification	C:\Windows\SysWOW64\Objkmkjj.exe	Ocgkan32.exe
File created	C:\Windows\SysWOW64\Aidehpea.exe	Affikdfn.exe
File opened for modification	C:\Windows\SysWOW64\Bmggingc.exe	Bbaclegm.exe
File created	C:\Windows\SysWOW64\Eaaiahei.exe	Enemaimp.exe
File created	C:\Windows\SysWOW64\Nffaen32.dll	Pcbkml32.exe
File created	C:\Windows\SysWOW64\Bpqjjjjl.exe	Bmbnnn32.exe
File opened for modification	C:\Windows\SysWOW64\Cienon32.exe	Cgfbbb32.exe
File opened for modification	C:\Windows\SysWOW64\Ecgodpgb.exe	Eddnic32.exe
File created	C:\Windows\SysWOW64\Ccblbb32.exe	Caqpkjcl.exe
File opened for modification	C:\Windows\SysWOW64\Ccblbb32.exe	Caqpkjcl.exe
File opened for modification	C:\Windows\SysWOW64\Ocgkan32.exe	f1ff416812afa3b0dfa538a5f3c0a50d7c8820887a6fc533fc59edd2127adbe4.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6776	6656	WerFault.exe	262

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcpakn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqikob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjaphgpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbhhieao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflmnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apggckbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgihop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqdbdbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmladbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpcgpihi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaaiahei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecikjoep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqoefand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmggingc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cancekeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihjmcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejccgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqklkbbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjoppf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbjddh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmbegqjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnljkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dickplko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epdime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecbeip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pakdbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbnhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apjdikqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkgillpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkjfakng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdbkja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqnejaff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cienon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbanq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkpjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabkbono.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekimjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnaecedp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqmhqapg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbkml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfbbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejojljqa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjjjgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbhgoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qikbaaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bipecnkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpjfgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djegekil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcnlnaom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnffhgon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnhbmgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obqanjdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpnhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afockelf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caqpkjcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdaile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejlnfjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdkdibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fncibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbala32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjaleemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbaclegm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmcgcmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcekfnkb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apocmn32.dll"	Gcjdam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll"	Gnaecedp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Affikdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aidehpea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcjdam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbilm32.dll"	Cienon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnkibcle.dll"	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajohfcpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkgillpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajjokd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icembg32.dll"	Ejlnfjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfakpfj.dll"	Aidehpea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnoeb32.dll"	Acqgojmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpogkhnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojimfh32.dll"	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnmlhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmggingc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifcmmg32.dll"	Bdapehop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajmladbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajbfciej.dll"	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpopbepi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqgojmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odanidih.dll"	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qamago32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpbnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll"	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqoefand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obnehj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oihmedma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piocecgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npgqep32.dll"	Egkddo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkbgpmc.dll"	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begndj32.dll"	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcghkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggccllai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pimfpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolphl32.dll"	Ejojljqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofjljj32.dll"	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdebqbi.dll"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oihmedma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfjjpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlpen32.dll"	Dgihop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfedfi32.dll"	Gkcigjel.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 4404	4256	f1ff416812afa3b0dfa538a5f3c0a50d7c8820887a6fc533fc59edd2127adbe4.exe	88
PID 4256 wrote to memory of 4404	4256	f1ff416812afa3b0dfa538a5f3c0a50d7c8820887a6fc533fc59edd2127adbe4.exe	88
PID 4256 wrote to memory of 4404	4256	f1ff416812afa3b0dfa538a5f3c0a50d7c8820887a6fc533fc59edd2127adbe4.exe	88
PID 4404 wrote to memory of 1136	4404	Ocgkan32.exe	89
PID 4404 wrote to memory of 1136	4404	Ocgkan32.exe	89
PID 4404 wrote to memory of 1136	4404	Ocgkan32.exe	89
PID 1136 wrote to memory of 1248	1136	Objkmkjj.exe	90
PID 1136 wrote to memory of 1248	1136	Objkmkjj.exe	90
PID 1136 wrote to memory of 1248	1136	Objkmkjj.exe	90
PID 1248 wrote to memory of 3180	1248	Ojqcnhkl.exe	91
PID 1248 wrote to memory of 3180	1248	Ojqcnhkl.exe	91
PID 1248 wrote to memory of 3180	1248	Ojqcnhkl.exe	91
PID 3180 wrote to memory of 728	3180	Oqklkbbi.exe	92
PID 3180 wrote to memory of 728	3180	Oqklkbbi.exe	92
PID 3180 wrote to memory of 728	3180	Oqklkbbi.exe	92
PID 728 wrote to memory of 3728	728	Ocihgnam.exe	93
PID 728 wrote to memory of 3728	728	Ocihgnam.exe	93
PID 728 wrote to memory of 3728	728	Ocihgnam.exe	93
PID 3728 wrote to memory of 3200	3728	Oblhcj32.exe	94
PID 3728 wrote to memory of 3200	3728	Oblhcj32.exe	94
PID 3728 wrote to memory of 3200	3728	Oblhcj32.exe	94
PID 3200 wrote to memory of 3616	3200	Ojcpdg32.exe	95
PID 3200 wrote to memory of 3616	3200	Ojcpdg32.exe	95
PID 3200 wrote to memory of 3616	3200	Ojcpdg32.exe	95
PID 3616 wrote to memory of 4624	3616	Oqmhqapg.exe	96
PID 3616 wrote to memory of 4624	3616	Oqmhqapg.exe	96
PID 3616 wrote to memory of 4624	3616	Oqmhqapg.exe	96
PID 4624 wrote to memory of 4120	4624	Obnehj32.exe	97
PID 4624 wrote to memory of 4120	4624	Obnehj32.exe	97
PID 4624 wrote to memory of 4120	4624	Obnehj32.exe	97
PID 4120 wrote to memory of 2340	4120	Ofjqihnn.exe	99
PID 4120 wrote to memory of 2340	4120	Ofjqihnn.exe	99
PID 4120 wrote to memory of 2340	4120	Ofjqihnn.exe	99
PID 2340 wrote to memory of 1388	2340	Oihmedma.exe	100
PID 2340 wrote to memory of 1388	2340	Oihmedma.exe	100
PID 2340 wrote to memory of 1388	2340	Oihmedma.exe	100
PID 1388 wrote to memory of 4640	1388	Oqoefand.exe	101
PID 1388 wrote to memory of 4640	1388	Oqoefand.exe	101
PID 1388 wrote to memory of 4640	1388	Oqoefand.exe	101
PID 4640 wrote to memory of 4868	4640	Obqanjdb.exe	102
PID 4640 wrote to memory of 4868	4640	Obqanjdb.exe	102
PID 4640 wrote to memory of 4868	4640	Obqanjdb.exe	102
PID 4868 wrote to memory of 4580	4868	Oflmnh32.exe	103
PID 4868 wrote to memory of 4580	4868	Oflmnh32.exe	103
PID 4868 wrote to memory of 4580	4868	Oflmnh32.exe	103
PID 4580 wrote to memory of 220	4580	Oikjkc32.exe	104
PID 4580 wrote to memory of 220	4580	Oikjkc32.exe	104
PID 4580 wrote to memory of 220	4580	Oikjkc32.exe	104
PID 220 wrote to memory of 512	220	Pqbala32.exe	105
PID 220 wrote to memory of 512	220	Pqbala32.exe	105
PID 220 wrote to memory of 512	220	Pqbala32.exe	105
PID 512 wrote to memory of 980	512	Pcpnhl32.exe	106
PID 512 wrote to memory of 980	512	Pcpnhl32.exe	106
PID 512 wrote to memory of 980	512	Pcpnhl32.exe	106
PID 980 wrote to memory of 4072	980	Pjjfdfbb.exe	107
PID 980 wrote to memory of 4072	980	Pjjfdfbb.exe	107
PID 980 wrote to memory of 4072	980	Pjjfdfbb.exe	107
PID 4072 wrote to memory of 1680	4072	Pimfpc32.exe	108
PID 4072 wrote to memory of 1680	4072	Pimfpc32.exe	108
PID 4072 wrote to memory of 1680	4072	Pimfpc32.exe	108
PID 1680 wrote to memory of 4224	1680	Ppgomnai.exe	109
PID 1680 wrote to memory of 4224	1680	Ppgomnai.exe	109
PID 1680 wrote to memory of 4224	1680	Ppgomnai.exe	109
PID 4224 wrote to memory of 3176	4224	Pcbkml32.exe	110

C:\Users\Admin\AppData\Local\Temp\f1ff416812afa3b0dfa538a5f3c0a50d7c8820887a6fc533fc59edd2127adbe4.exe
"C:\Users\Admin\AppData\Local\Temp\f1ff416812afa3b0dfa538a5f3c0a50d7c8820887a6fc533fc59edd2127adbe4.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Windows\SysWOW64\Ocgkan32.exe
  C:\Windows\system32\Ocgkan32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\SysWOW64\Objkmkjj.exe
    C:\Windows\system32\Objkmkjj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\SysWOW64\Ojqcnhkl.exe
      C:\Windows\system32\Ojqcnhkl.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1248
    - - C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3180
      - C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\SysWOW64\Oblhcj32.exe
        
        C:\Windows\system32\Oblhcj32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Oflmnh32.exe
        
        C:\Windows\system32\Oflmnh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        23⤵
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        25⤵
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        29⤵
        Executes dropped EXE
        
        PID:4240
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\SysWOW64\Qamago32.exe
        
        C:\Windows\system32\Qamago32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:832
        
        C:\Windows\SysWOW64\Qfjjpf32.exe
        
        C:\Windows\system32\Qfjjpf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Qmdblp32.exe
        
        C:\Windows\system32\Qmdblp32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Qpbnhl32.exe
        
        C:\Windows\system32\Qpbnhl32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Qikbaaml.exe
        
        C:\Windows\system32\Qikbaaml.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\Ajjokd32.exe
        
        C:\Windows\system32\Ajjokd32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        46⤵
        Executes dropped EXE
        
        PID:1756
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\Ajmladbl.exe
        
        C:\Windows\system32\Ajmladbl.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3324
        
        C:\Windows\SysWOW64\Apjdikqd.exe
        
        C:\Windows\system32\Apjdikqd.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        52⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Aaiqcnhg.exe
        
        C:\Windows\system32\Aaiqcnhg.exe
        54⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\Affikdfn.exe
        
        C:\Windows\system32\Affikdfn.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Adjjeieh.exe
        
        C:\Windows\system32\Adjjeieh.exe
        57⤵
        Executes dropped EXE
        
        PID:3304
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        58⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\Bpqjjjjl.exe
        
        C:\Windows\system32\Bpqjjjjl.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4848
        
        C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        68⤵
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        69⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        71⤵
        
        PID:212
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        72⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        77⤵
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2416
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:464
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        83⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        84⤵
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        86⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        88⤵
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        89⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5376
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\Dickplko.exe
        
        C:\Windows\system32\Dickplko.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        99⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        100⤵
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Djegekil.exe
        
        C:\Windows\system32\Djegekil.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        103⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        107⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        108⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        113⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        114⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        116⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        117⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        119⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        121⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        122⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        123⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5668
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        127⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        130⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Edihdb32.exe
        
        C:\Windows\system32\Edihdb32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        134⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        135⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        137⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        138⤵
        Modifies registry class
        
        PID:6176
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:6232
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6328
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        142⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:6416
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        144⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6508
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6548
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        147⤵
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6640
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:6688
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6732
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6780
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:6824
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6868
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        154⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Ggccllai.exe
        
        C:\Windows\system32\Ggccllai.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6952
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:6996
        
        C:\Windows\SysWOW64\Gnmlhf32.exe
        
        C:\Windows\system32\Gnmlhf32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7036
        
        C:\Windows\SysWOW64\Gbhhieao.exe
        
        C:\Windows\system32\Gbhhieao.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7080
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        159⤵
        Drops file in System32 directory
        
        PID:7128
        
        C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6148
        
        C:\Windows\SysWOW64\Gkalbj32.exe
        
        C:\Windows\system32\Gkalbj32.exe
        161⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Gnohnffc.exe
        
        C:\Windows\system32\Gnohnffc.exe
        162⤵
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Gbkdod32.exe
        
        C:\Windows\system32\Gbkdod32.exe
        163⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Gqnejaff.exe
        
        C:\Windows\system32\Gqnejaff.exe
        164⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6400
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        165⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        166⤵
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Gnaecedp.exe
        
        C:\Windows\system32\Gnaecedp.exe
        167⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        168⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6656 -s 408
        169⤵
        Program crash
        
        PID:6776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6656 -ip 6656
1⤵
PID:6744

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:6656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adjjeieh.exe

Filesize
59KB

MD5
9734fda0d02893c4e7545a0302aa622b

SHA1
4c7e7482fd8a625c79014daada43b1cd75d82ca8

SHA256
c5aa80fda72095cceb94212de4dde57d60bd497316e0b34c6155d631422608a7

SHA512
acf01c5d648a958b21cdfb11cfb1c2bf5bcdd70d29fc34a8d41645b54db6ae9b7d71774b63546e57a7ac63114abdd0fb510200319518d7c483aa989f95756f82

Download Submit
C:\Windows\SysWOW64\Ajjokd32.exe

Filesize
59KB

MD5
8c1f6d652ddbf74464c6f101db025639

SHA1
c3b654edc4ec72ff6c41f8c3a5848ea7f2c06854

SHA256
16cc3f2930aa47700c9b299e88406013b7e3a97e31769092d6f401ecd23bbede

SHA512
860daef67b9d360b6ca2c14ef7b6144b570cc62522e5fd299350c22205c10e49652293758c46c02e137ab1ab5b678b30bfd3f4f433a928f5bdc0841b0295e24b

Download Submit
C:\Windows\SysWOW64\Bbaclegm.exe

Filesize
59KB

MD5
6e7899838693f8ab22502f3589f4e7d7

SHA1
d69e1be9a6b93b4d781d83f2b0617dd4fca7f5cb

SHA256
99feb4e26c0435c40e073d20fdb89d82d20368b78ad675c8c501cab2b4eea4c7

SHA512
23dd72f985c6760d48009f1848e1b3805975eafbde648a208e89ca89be7d2487a16730a02448fd64cd48711c89b297316380ac22d1d34e124dd2e56c6c47244e

Download Submit
C:\Windows\SysWOW64\Bfkbfd32.exe

Filesize
59KB

MD5
5b83d716d6d7f9da48bfb379db3db023

SHA1
4a5d45cca947c64f8c9d32e6330ee90564c421e0

SHA256
4ae5c3dc756a765c9e72a50113d789d99ec7c2cf91f11ea158869b001f2dc5d1

SHA512
9e4385979d31d9ea74d616cdddd1f8b2fb258f3acc29f36c3b3ceb4543f40c9877ea18518af7f8c63d450d8dc825455e3a0264ffc24aacc4c8a45bab2f7a0bff

Download Submit
C:\Windows\SysWOW64\Bmidnm32.exe

Filesize
59KB

MD5
3f105cedcfa42efdf7b6efccf57dfe08

SHA1
ba58085d501ed6e17489dbd1047e07222da80e09

SHA256
b5682fcfd79de8f7e25cec521502a5affbdd4c79ac02d5c7df873edfc3ed446f

SHA512
9edf5fb85640d2cea4320b4514a76a7aaab2004a4eaa002e2d505c98e9f4b925b3c741635c3d79f2d0327bb56a4bc3bec5df36bf8b74700494f389ecde24e1ed

Download Submit
C:\Windows\SysWOW64\Cdaile32.exe

Filesize
59KB

MD5
d71d147d2e6a3462e94da6ab5ad843d9

SHA1
19bdf1c3434aee5af7ca05c8bd846dd11d5a3fa5

SHA256
3c4d73113ddfa1da6871758f802b130a193989860898e586523a0abb8ad1b0f7

SHA512
a06bd7771520bbcb2814bfdb0a3191a26c21a3b1a2e9f67aaa960d0296e3037c715ed301fea7e5c197a720a5cdd2bf3759d88e2e583c5f982f3199c1ed6e1f37

Download Submit
C:\Windows\SysWOW64\Eafbmgad.exe

Filesize
59KB

MD5
ec139637f8418a5d6421c0498dc2bc56

SHA1
1bdb026f555f8e22e687477a62d3dbf7c178ec06

SHA256
16e055443ccba5decde2c4013addbbfee803dc3689becf20ad85aa5baa10912b

SHA512
e47fca971437c293e1e618306c2ad84af70dc740a4232afbbcee5560d0ceeb0c74cc3a99ed96dc1e2fc40c83db43c03fbe6668c936f8a0c9392a4467a847d8a2

Download Submit
C:\Windows\SysWOW64\Objkmkjj.exe

Filesize
59KB

MD5
3108530260a38fd9b9678aebac2001be

SHA1
4937a627d5346a62d2a2c1cf2d1d700339c1f7e0

SHA256
b69f054c09d083dbdc2a76ce523b4193888bc61207797cdcb396af31865b1a81

SHA512
d40957dafe8754bb53ed0425fd19f0847ba7c6c74f7faa65d82e2e9bfcb79a9cbc3b50602815e558f8dd6955f5fc3999a3bc4020add49d801ab13e7126049e68

Download Submit
C:\Windows\SysWOW64\Oblhcj32.exe

Filesize
59KB

MD5
7c4757c90b55274f5bb39f0cfec3364d

SHA1
cf01a810d7ab5d62e9e15b31265612c695914b93

SHA256
f74e4e777c6e92c4b27008d071f3c08e3af0a81d887a1fe3999adf1427220f18

SHA512
ff8e6b8facd10e7ba8f559c16e007f7e3cee7d8856e0af752867d3d45f9b8b59b199b97506f798037f86a5e50a6a11aab7064367ec5877d9f9f6b4f4261d5940

Download Submit
C:\Windows\SysWOW64\Obnehj32.exe

Filesize
59KB

MD5
5252d0c118af458fa11e30e7d53a393c

SHA1
9c4f298c781f7884307542bfd45b7aefe6c75361

SHA256
0da9454a88dbd0244ab0890703c10d9c60ce73e9080de4a140e5bb9406058c1c

SHA512
49b4b8ce03456e66b4cb48dd9768de940401b64b4f23ac0e05ae1dea2661b9794acdaa591b969e23e2719c9dace3989fd542202840403262c277ca8dd31bd6f4

Download Submit
C:\Windows\SysWOW64\Obqanjdb.exe

Filesize
59KB

MD5
8660f7d6e34b1948686569de6b71b096

SHA1
36359740ff508d4ec2768d360f4cccfc4fe0137a

SHA256
ab0d9b538fb8799696a250c420f9c5e12c974ffc2c504e52a2d29ce307d836b2

SHA512
57b996af4671638bfd284cfb4898d206e2f825f6f2eb6ebe3458e4fee57b1b356eadd2370d90df6f544ec79a605e7132687de7a1c55ed49a0a7ef021380c0aaf

Download Submit
C:\Windows\SysWOW64\Ocgkan32.exe

Filesize
59KB

MD5
6e17afffba6f4770b12cf36dbffd6cab

SHA1
20109dd8d17df56200057022166c02d5ed49667b

SHA256
c7803e2372eac221185a4cd3a76dbf11d7af0f1d5e61a5a0062d3a61512bc033

SHA512
6f49a1b94152e2656fc0be2f1867637e307a6eb7a26ef47adf38a38ae674b0e449fd7b664277c8914710963ced5d2938c972308a7fc4b2eb03e4b200fb973761

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
59KB

MD5
ab5a8053400ebe4b0440170d0118d93b

SHA1
dd7ce5469021f27650492331cd0ca7f69c9d748d

SHA256
90684caeb7a862ec9bd16326e68909e0eda4b6468466d1f03f46dc0756b93ccb

SHA512
91a764cffade18cb9b26fc32a7a22031383844b8b2fd8c07087474337c3ad8b7e3de46528b7d4847bd2d69ccd88307ce96b8109effac7ac99123ad46347a3376

Download Submit
C:\Windows\SysWOW64\Ofjqihnn.exe

Filesize
59KB

MD5
05ee99d48d2df498d3a8e26e30d132a5

SHA1
2359163f8a656e58e46f5795668c733ec0b11fdc

SHA256
4fb38dbe459bbdfb1c37754cb991834e16a21c81bc8dd0e0ee87b32b835633b8

SHA512
e8c9d7a3fd057312bbd97d846bcc6b53efb5f36ccca9d0f1b84f57e5c33af2ba310c63c1b49387bb279c19dbc7e500a7261d6655511d95ff570291c95172201b

Download Submit
C:\Windows\SysWOW64\Oflmnh32.exe

Filesize
59KB

MD5
371a20e6190724a06bcf2a4f351ac2af

SHA1
89fa841ed5e88271aaea7f93733fd4f38dd00410

SHA256
148d9830c25dbdfad82c64f4020160bfaa68fc2d1ed156d575d90bc8643db2fc

SHA512
8213e91df4bbfa4e82c9dd3c0e52c1ed85c33292cbb1b529d84279c227e002561765868653b6c3df36cb99e42dd64ae3f8efe87be6bc6c9757e50bce5db6a872

Download Submit
C:\Windows\SysWOW64\Oihmedma.exe

Filesize
59KB

MD5
9bc4afe8abd32fc76cd065d2b1a32707

SHA1
8a6a744bea2b6e2a634bbbcaec27dd7a748b6fbb

SHA256
00844819d1df7ba0d1a990f584d3d9602dacfbdd4858c75732766b89e9f17fd4

SHA512
4612d6f6bb80ee0b3b01337936b79ae2787efe7b007791cf3bdf9bae8fc7af633cebfe83b325635feea9402d320fa70292be32b89f1a06d6fb30b69659b8036b

Download Submit
C:\Windows\SysWOW64\Oikjkc32.exe

Filesize
59KB

MD5
e4ad44b9cf6cdb69f05b234e90ab5594

SHA1
4d11a40de39ffd1b548ac168d324519da02150f0

SHA256
de299677743d86ed1a301fef99632b4a42f00615b671bb3bc60ac8da0833bf7f

SHA512
2e55676b75a6eca2d79bb4868410db66cfb75c593ad3a9839181091e22cbe9787b90ea7a5e61a85cf320ac609401e3bba2b73db6a08ca64306fda6adde469b8f

Download Submit
C:\Windows\SysWOW64\Ojcpdg32.exe

Filesize
59KB

MD5
6e9699e14fce488b0e636aafd79a7e99

SHA1
fd653706f805375191c41150fe82850927fd32de

SHA256
1313237b1b397923bcd8f0047bd2aff5eb030c69bce7fe50cbcd5bce2954cc4f

SHA512
ae8e48f12996ae8a015fd4a64f0c7ab6415ce471cb9c280a837b761f143fe302d5a548155aaa86f2ad345705a5a1aa7d0687c8d3765d41c37cf4fd57fe5f0207

Download Submit
C:\Windows\SysWOW64\Ojqcnhkl.exe

Filesize
59KB

MD5
273b63d466268923efcf1129edcb21a7

SHA1
f6f19ae47991ec86110b0b9708824084c601c21d

SHA256
ecdcf8479c7f9a65b7b6807c85b1d978463782f9679c1c1d60b2cec773209c24

SHA512
8e5b4a8918c52641e8b2bba558f6a90e59d0bf01540abbd8965c1a51f16469f4fe295068521266a931051d86deec197b169ca278eea1ae724578f41d20d7ab48

Download Submit
C:\Windows\SysWOW64\Oqklkbbi.exe

Filesize
59KB

MD5
3e3f7d7eba27fb2dada92bb809de2656

SHA1
cc0f77eae81905596c9d32ae405b40bb9968bdc4

SHA256
5870e323b56b9d146cfea4c5d5e076c147616268fa2e26311f14a5a5fc238a59

SHA512
a82bb5a1e24df1b7fb1da73d34e71ebbaac2f7ec024eaf9fb9679c104b8c69822dc7ceec519eab24a43dcab1e78d24bb528bdc937b3f7ab243368fff5bc5116e

Download Submit
C:\Windows\SysWOW64\Oqmhqapg.exe

Filesize
59KB

MD5
f0f0211031d624433c55f94d56e2abaa

SHA1
36fb1ab77398a116159b1dfe39e188f950afd2b0

SHA256
95f11979433b157d30a40c7ce632bf092a9fc4a7179804e1641cfb9a250379a1

SHA512
0c0ccded027776e190d9a7b2dea795fafc89c1834ded203da1399cddf76cdad2e7942f36940e3105a13031ea7f31b750b8dec9751f35a9577762d0da7454476b

Download Submit
C:\Windows\SysWOW64\Oqoefand.exe

Filesize
59KB

MD5
309d8dfe6bcef480f9467478b5e026fd

SHA1
915f862c9c7ddd60ac04ccf7de50ea8c136c5a3c

SHA256
1b21be0306a75a581a280916e041c9a3d0209e765ec8ae1bb114003b0bdcccf9

SHA512
8b90c122b0ba609d6504d5bfe7054275993d37c7f2555e5823cc19fd41d07213f4c0abe7f8112d73ba855d4a2674fe9558afe03bccd2810b1c9a60ee4af5bcc2

Download Submit
C:\Windows\SysWOW64\Pakdbp32.exe

Filesize
59KB

MD5
bf554bcbffc2cb6171ab3c0c0ae147af

SHA1
3274f97e2bce592bc200bae618268a46dcadc98c

SHA256
e41be676e720ebbdeaffe650a3c8e359cb8a93de601a50eb6a35dc943030a786

SHA512
741759b694293f018550f6b70d5fc49c4fae4541e85190c359a0d9c0019ece6980302d08839d66540ba47f1fbb1c5f22938d0e2f1f1b7f7f59b51d89531679d8

Download Submit
C:\Windows\SysWOW64\Pbhgoh32.exe

Filesize
59KB

MD5
e472497ba2bc36efd087b25d94200449

SHA1
49a6e90a5136116d63e36ee2aa926f6121c1c8b4

SHA256
2151cbaa4d7a869607700a7724406c0bf41aedb05d75267502a2ac373cd3119f

SHA512
ac8cb8418b7b75ba40c2e8b1d77fe449e3956239ceb9ed8cc4881cde9eeb78e6404bc6af3fadbbf035c87f666ff0c216f1267d67fa898cdcc981a0c709db92fa

Download Submit
C:\Windows\SysWOW64\Pbjddh32.exe

Filesize
59KB

MD5
861e6fcc4e311b4bd20452ff48d8ff59

SHA1
78872c72e648758f9f4f64cb69d0697add2203f8

SHA256
391b52937afbf8b6a31eac1ed53ab1cd9cb0d917e1d09c7a868a12432f8cf9dd

SHA512
c9ab54f8d920a2269d9ddf703b18daa8d094531d4578039af706a24839c4a7eaa9e3c1d5585b8019e124157b8695393f8f2af2c1e70a6f8443faffb6ffc2e88c

Download Submit
C:\Windows\SysWOW64\Pcbkml32.exe

Filesize
59KB

MD5
989feff9e87e178c3611de21d95706db

SHA1
4e6ec04616559e29707d3039ed2635e5a31addc0

SHA256
5f0ccdb6bf13af553ccf3c1aef4206006acb2529266b76ad90ace621b67d65a0

SHA512
d1ee3fef6d14aef281d75e0c61e224c5af485d286f3ac1b5cb7b8e4a3afa45eb3c5b465fb61414364954e01910248a3c66ba3861fbf155b0f92d6b2e68cd2fdb

Download Submit
C:\Windows\SysWOW64\Pcpnhl32.exe

Filesize
59KB

MD5
a650ef1c8b963c4d661c6bbe2f4eae1a

SHA1
d01c4b66645e3d2d57bf7473494718418100eb62

SHA256
12b31cc30530ed9f74d0e91165cbad2702d10bbf00fcfe0a899a3260d49aa2a2

SHA512
151b018931a09b96d88db2b30f156677fbb9c13c7989f8e017d497aaec518de411fcf04ae06e7a54cb1db808306f2c946795e998764b7269d86b3d3c9ff3a62b

Download Submit
C:\Windows\SysWOW64\Pfagighf.exe

Filesize
59KB

MD5
4f21d47521e0c93358a3bfe598bf6afd

SHA1
ff7ed3f895bddc5f23ed178f6b62514613914902

SHA256
633687e367d354ce06dd5ad5b3f03fda0516bb3783ad162b32bef3fec54ddfa8

SHA512
1b448fdf1d87c17018ec649c4e37d2573e575cf3535a0e2407f6a445d57d7a6deb3ffa6eeb1282add545e9fd22487497ef1d0a72470a7c95181c16a63a139b0c

Download Submit
C:\Windows\SysWOW64\Pimfpc32.exe

Filesize
59KB

MD5
1acc64e6bf7902d30423b679a272806c

SHA1
e1adfba1ccf4686b66363b26ebdffb91462c3362

SHA256
e0f5287ea1465c81f09110b1d8fffb95d5611fd2347cc6e39da883523432f220

SHA512
022ca8b4851b10a6e8afc49e055716bf596a0d15945ef1b23202cddc68fa39a0516f835539cfd59aa06a8b1948899d6aec08d63e430e2617db571f9c29d38f99

Download Submit
C:\Windows\SysWOW64\Piocecgj.exe

Filesize
59KB

MD5
38afa17966025902bbfb7ca7374c2dd0

SHA1
d8934fc451726d2c6eec5251fe51ebb6a90a9a9f

SHA256
5db09c41b68898de74ef61c2d3393f6f428d2e8090a3f3b825148d364552aa53

SHA512
e22e7530e1176e974c8d91441cbbaeccc8d35de91c04c3e9e3139ce0a8a103fa799565fb4a76c60c1a98b9c3ef4ba528fb41d9946420e16f280808947b52e4ff

Download Submit
C:\Windows\SysWOW64\Pjaleemj.exe

Filesize
59KB

MD5
9d296ad561d80723c041c188dfa4956d

SHA1
4e03cae5babb895d4500e6a81096ba821cd0cabb

SHA256
21bb0ccdc86df023e3d72f7b865ce32824e1ac419b7c533387075a588a72fcdb

SHA512
cbcb717c9e8d5cf164df5c1ebb441a3cbbfc532beff4d98f98f7e83cdedb08456fc46d07d6f8e88becb9d2075b5bd8da832202326201e5c2ac2f6e12280e8b6c

Download Submit
C:\Windows\SysWOW64\Pjcikejg.exe

Filesize
59KB

MD5
0d0916a1f413fac55c351066ff37f165

SHA1
40408965871394a64697052fb89785ea00f90378

SHA256
2096ab3b6e0fcc673526186cc193a0ee5cfe24c7cdf02d30e4507514ef77d967

SHA512
fdcd88634cd997e2a9d06f92a307ca29005ee5eb13ddeeb3e2de5dddec613182e8fef7744aa4af8b0889c400b6a5461a8efefd00a9dd8c92ae2ec73c734ffc17

Download Submit
C:\Windows\SysWOW64\Pjjfdfbb.exe

Filesize
59KB

MD5
6c1e4c7511fc62560b138e9e142de39f

SHA1
dffc41d184f05224fd5eff7e9b8f97b231dafcb7

SHA256
a6a2b1d9c45ef29cdbf270cf320fb7815d459ce3f65d7432d94e5aeac9817019

SHA512
6aff36d44468fcd96b8bf2a947661b1045dd48f3f587702d3f1bceecace6d3fffd1ef5dced08ae299dba5deb2b9d650250c1dfacd8e6aa20ecd70c7486242741

Download Submit
C:\Windows\SysWOW64\Pjoppf32.exe

Filesize
59KB

MD5
bbf37cead70f407f567293489113fce8

SHA1
fe2231b431e75ec822950377bb25b979a00926a8

SHA256
7cc8632078f10afd9a770dc8fa77eab229c3e2dbbfc1ae51a7ef75a425c5cb82

SHA512
9b351bfc21749f4a3bfa3c6376332ecfbb537e43d20ea4497abb111b50951342745ff8fd378d562d947bb75ae63afb1fd767c2cc79333155f8cb19fa66054628

Download Submit
C:\Windows\SysWOW64\Pmkofa32.exe

Filesize
59KB

MD5
e330250b0b7bd018e3f6cebf8865151b

SHA1
f2ecbb2c6fd5e5d67378c30dd5c3e92ffd5cc2e3

SHA256
64fe4d4fb88229339cd07d42402db5dd7858930b8ae35c51251b30e5ecdbecb2

SHA512
2274ec265c97d94764bc07f2734cc8fb811ad7df705231109338a0988440d85c4370317f2c6753a5c6386500642e3d59a93ca4274b8cf6c936cdf0d208ad8e16

Download Submit
C:\Windows\SysWOW64\Ppgomnai.exe

Filesize
59KB

MD5
84749d67d1a7d607ddf5c1e1fd8b4a66

SHA1
bb19e701478cb307d4a43893226662208888f98f

SHA256
c319c8660c6434b1d28c635d2432c97bc8b1ecc22baa48d993228dcd6b1e3527

SHA512
68b651b0b7d0519d10213563406ee79e2be12c88e0c7abf50811cb66fe628416c22816550cc4b98f63b75b128ae2c07552c66cf0aaf8030e8f14ad48cced628f

Download Submit
C:\Windows\SysWOW64\Ppikbm32.exe

Filesize
59KB

MD5
da7a91d2f092ad128bda0948914d9fde

SHA1
b8960ad05dd2d83b5cad50f9643d9706d23fcf28

SHA256
343ff68c879982d7fac7ffa1cea21af5a9ac5278bcef1221c8acadd33ed31cb6

SHA512
2bbcdcd6ea4154949cd39b343df8573950079ca7a1fbcd4340577154e8b58c5126829454c71839f00006a9b65c5893d20a4ee0b6a800e4bcff739df42b069c33

Download Submit
C:\Windows\SysWOW64\Pplhhm32.exe

Filesize
59KB

MD5
0cb96878ad033aeaa563d63b7842c276

SHA1
086dcf21c06a0b346fbf316fe52dea744e1a2c29

SHA256
4da67271c9135eb8cc167ab3fa5432fd194b6be91cc402aabde34ac5fe625d40

SHA512
465e9b0e279da18b28db5f14f190100e869be8470cbfe134454f8c6b862adaa843d1bd8df1f4795443b34a63ba453244b4d443062e05812976798d592bc8121c

Download Submit
C:\Windows\SysWOW64\Pqbala32.exe

Filesize
59KB

MD5
935f0ee95a81a6ca9e952a2f46b2575f

SHA1
82b2082084d957f56bc4ef78c82d6cc63ef5bdd1

SHA256
08f4cbb6afa1c94c1f2608b5099a44f7c979837234ee4edb638ce31f60b9011a

SHA512
fb4dd6820abd0dba95037ac568f038165c0bb7c731fd4df139e1e934218303f21425157d42bc0541f5c9748f2a99ab2e9a1b0238799c96fc16de5274b7211cf5

Download Submit
memory/8-565-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/212-483-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/220-128-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/464-551-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/512-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/652-315-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/728-39-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/728-578-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/832-273-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/976-303-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/980-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1132-297-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1136-557-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1136-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1212-507-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1248-564-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1248-23-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1252-541-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1364-254-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1388-96-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1604-321-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1644-351-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1704-198-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1756-333-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1784-429-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1840-369-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-471-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1936-267-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2028-206-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2088-558-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2188-285-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2232-489-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2312-238-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2328-465-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2332-214-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2340-87-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2376-544-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2416-531-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2440-381-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2684-411-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2688-183-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2712-327-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2824-291-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2864-495-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2892-423-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2968-393-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3116-435-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3144-345-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3160-339-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3176-174-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3180-31-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3180-571-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3200-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3200-596-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3208-441-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3268-417-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3304-399-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3324-357-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3344-525-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3372-375-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3596-261-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3616-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3616-598-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3728-47-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3728-585-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3756-191-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3932-447-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3948-279-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3984-459-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4072-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4120-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4172-230-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4224-166-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4240-222-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4256-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4256-543-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4332-246-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4404-550-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4404-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4548-387-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4580-120-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4612-363-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4620-309-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4624-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4624-604-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4640-108-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4848-453-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4868-112-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4880-519-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4888-513-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5096-501-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5100-405-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5108-477-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5136-572-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5180-579-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5228-586-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads