berbew | 9e0aa91ec787012f25cf11fa5538fb4ea9022eeebc24a70a206670d07f224f98

Analysis

max time kernel
93s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e0aa91ec787012f25cf11fa5538fb4ea9022eeebc24a70a206670d07f224f98.exe
Size

94KB
MD5

9ae6c8cc3d7d7490808530e903f431e0
SHA1

cff4e3b77f91e7e098846da1f1b42479a2eab371
SHA256

9e0aa91ec787012f25cf11fa5538fb4ea9022eeebc24a70a206670d07f224f98
SHA512

c7c6c1c443750b9ec4b8fce05df2721453fc4d1a1ed6c8dbd11ba402fc23d565ada6194de92149cbaec8a3a2d4e0ed9c50f5c1a465036c43cc6bf7e2902c61eb
SSDEEP

1536:/7r8EB1irR5dkanA6kx8F+Yr3QK9UpKt7zTWhRQDzVRfRa9HprmRfRZ:/7YlbnA6+49US7zTceDZ5wkpv

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipoheakj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljeafb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lncjlq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onocomdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocgbld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akblfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgpfbjlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mogcihaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhjmdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cncnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbloglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mqfpckhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlolpq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogekbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofmdio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aknbkjfh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgeenfog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9e0aa91ec787012f25cf11fa5538fb4ea9022eeebc24a70a206670d07f224f98.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jleijb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onmfimga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmmqhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncqlkemc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhmnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Paiogf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jgmjmjnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jekqmhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcnfohmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofkgcobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cogddd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4956	Ipoheakj.exe
2440	Jcmdaljn.exe
2836	Jekqmhia.exe
4768	Jleijb32.exe
1320	Jgkmgk32.exe
3644	Jiiicf32.exe
3196	Jgmjmjnb.exe
4240	Jilfifme.exe
1540	Johnamkm.exe
3956	Jgpfbjlo.exe
4244	Jinboekc.exe
1724	Jphkkpbp.exe
1404	Jgbchj32.exe
2908	Jjpode32.exe
1832	Jlolpq32.exe
4716	Kgdpni32.exe
1652	Kegpifod.exe
4560	Kcbfcigf.exe
3700	Lljklo32.exe
1128	Loighj32.exe
3520	Ljnlecmp.exe
3996	Llmhaold.exe
1412	Lgbloglj.exe
4852	Lfeljd32.exe
4792	Lomqcjie.exe
4488	Lgdidgjg.exe
2020	Lnoaaaad.exe
2180	Lckiihok.exe
1684	Lfjfecno.exe
3108	Ljeafb32.exe
1656	Lcnfohmi.exe
1032	Lflbkcll.exe
2824	Lncjlq32.exe
388	Modgdicm.exe
2372	Mfnoqc32.exe
4040	Mnegbp32.exe
2488	Mogcihaj.exe
4604	Mfqlfb32.exe
4340	Mqfpckhm.exe
2996	Mcelpggq.exe
1332	Mmmqhl32.exe
1408	Mgbefe32.exe
3424	Mnmmboed.exe
4124	Mqkiok32.exe
2176	Mgeakekd.exe
540	Mjcngpjh.exe
3240	Nmbjcljl.exe
4392	Nclbpf32.exe
4972	Nfjola32.exe
3916	Nmdgikhi.exe
640	Ncnofeof.exe
3516	Njhgbp32.exe
2296	Nqbpojnp.exe
4548	Ncqlkemc.exe
5092	Njjdho32.exe
4428	Ngndaccj.exe
3876	Nnhmnn32.exe
2216	Npiiffqe.exe
4628	Ojomcopk.exe
2720	Ocgbld32.exe
944	Ojajin32.exe
3952	Onmfimga.exe
4728	Ogekbb32.exe
3492	Onocomdo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nfjola32.exe	Nclbpf32.exe
File created	C:\Windows\SysWOW64\Aagkhd32.exe	Aoioli32.exe
File created	C:\Windows\SysWOW64\Bhkfkmmg.exe	Bpdnjple.exe
File opened for modification	C:\Windows\SysWOW64\Cpbjkn32.exe	Cncnob32.exe
File created	C:\Windows\SysWOW64\Jphkkpbp.exe	Jinboekc.exe
File created	C:\Windows\SysWOW64\Ojajin32.exe	Ocgbld32.exe
File opened for modification	C:\Windows\SysWOW64\Ocaebc32.exe	Oabhfg32.exe
File created	C:\Windows\SysWOW64\Paiogf32.exe	Pnkbkk32.exe
File opened for modification	C:\Windows\SysWOW64\Chiblk32.exe	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Dnbjkgmg.dll	Jgmjmjnb.exe
File created	C:\Windows\SysWOW64\Ignlbcmf.dll	Jgbchj32.exe
File created	C:\Windows\SysWOW64\Jchdqkfl.dll	Nnhmnn32.exe
File opened for modification	C:\Windows\SysWOW64\Qmgelf32.exe	Qjiipk32.exe
File opened for modification	C:\Windows\SysWOW64\Bajqda32.exe	Boldhf32.exe
File created	C:\Windows\SysWOW64\Bpdnjple.exe	Bmeandma.exe
File created	C:\Windows\SysWOW64\Migmpjdh.dll	Jcmdaljn.exe
File created	C:\Windows\SysWOW64\Lckiihok.exe	Lnoaaaad.exe
File created	C:\Windows\SysWOW64\Akfiji32.dll	Nclbpf32.exe
File created	C:\Windows\SysWOW64\Conanfli.exe	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Cdpcal32.exe	Cpdgqmnb.exe
File opened for modification	C:\Windows\SysWOW64\Jphkkpbp.exe	Jinboekc.exe
File created	C:\Windows\SysWOW64\Onocomdo.exe	Ogekbb32.exe
File opened for modification	C:\Windows\SysWOW64\Pjdpelnc.exe	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Jcknij32.dll	Ddgibkpc.exe
File opened for modification	C:\Windows\SysWOW64\Bhmbqm32.exe	Bpfkpp32.exe
File opened for modification	C:\Windows\SysWOW64\Bmjkic32.exe	Bklomh32.exe
File created	C:\Windows\SysWOW64\Kghfphob.dll	Ipoheakj.exe
File created	C:\Windows\SysWOW64\Jgmjmjnb.exe	Jiiicf32.exe
File opened for modification	C:\Windows\SysWOW64\Aphnnafb.exe	Aaenbd32.exe
File opened for modification	C:\Windows\SysWOW64\Bdmmeo32.exe	Apaadpng.exe
File opened for modification	C:\Windows\SysWOW64\Dojqjdbl.exe	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Johnamkm.exe	Jilfifme.exe
File created	C:\Windows\SysWOW64\Eanmnefk.dll	Lomqcjie.exe
File created	C:\Windows\SysWOW64\Bknlbhhe.exe	Bgbpaipl.exe
File created	C:\Windows\SysWOW64\Pmcckk32.dll	Jleijb32.exe
File opened for modification	C:\Windows\SysWOW64\Oabhfg32.exe	Ofmdio32.exe
File opened for modification	C:\Windows\SysWOW64\Ipoheakj.exe	9e0aa91ec787012f25cf11fa5538fb4ea9022eeebc24a70a206670d07f224f98.exe
File created	C:\Windows\SysWOW64\Famkjfqd.dll	Lnoaaaad.exe
File created	C:\Windows\SysWOW64\Ebcmfjll.dll	Modgdicm.exe
File created	C:\Windows\SysWOW64\Gpkpbaea.dll	Mqfpckhm.exe
File created	C:\Windows\SysWOW64\Adfnba32.dll	Njjdho32.exe
File opened for modification	C:\Windows\SysWOW64\Pagbaglh.exe	Pnifekmd.exe
File created	C:\Windows\SysWOW64\Mcdibc32.dll	Cocjiehd.exe
File opened for modification	C:\Windows\SysWOW64\Nnhmnn32.exe	Ngndaccj.exe
File created	C:\Windows\SysWOW64\Flbfjl32.dll	Onmfimga.exe
File created	C:\Windows\SysWOW64\Adhdjpjf.exe	Aajhndkb.exe
File created	C:\Windows\SysWOW64\Bnlhncgi.exe	Bknlbhhe.exe
File created	C:\Windows\SysWOW64\Hnflfgji.dll	Cponen32.exe
File created	C:\Windows\SysWOW64\Ckgohf32.exe	Chiblk32.exe
File opened for modification	C:\Windows\SysWOW64\Jlolpq32.exe	Jjpode32.exe
File opened for modification	C:\Windows\SysWOW64\Paiogf32.exe	Pnkbkk32.exe
File created	C:\Windows\SysWOW64\Cgifbhid.exe	Chfegk32.exe
File created	C:\Windows\SysWOW64\Gemdebha.dll	Kcbfcigf.exe
File opened for modification	C:\Windows\SysWOW64\Ljeafb32.exe	Lfjfecno.exe
File created	C:\Windows\SysWOW64\Jcleff32.dll	Ncnofeof.exe
File created	C:\Windows\SysWOW64\Keiifian.dll	Ppahmb32.exe
File created	C:\Windows\SysWOW64\Mgeakekd.exe	Mqkiok32.exe
File opened for modification	C:\Windows\SysWOW64\Bgnffj32.exe	Bhkfkmmg.exe
File created	C:\Windows\SysWOW64\Cpbjkn32.exe	Cncnob32.exe
File created	C:\Windows\SysWOW64\Hcjnlmph.dll	Dafppp32.exe
File opened for modification	C:\Windows\SysWOW64\Njhgbp32.exe	Ncnofeof.exe
File created	C:\Windows\SysWOW64\Okddnh32.dll	Qobhkjdi.exe
File opened for modification	C:\Windows\SysWOW64\Aokkahlo.exe	Agdcpkll.exe
File created	C:\Windows\SysWOW64\Cpkhqmjb.dll	Cncnob32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6168	7104	WerFault.exe	266

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngndaccj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnhmnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofmdio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qobhkjdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bklomh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Johnamkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcbfcigf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjdpelnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnffj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chiblk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnofeof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphgeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e0aa91ec787012f25cf11fa5538fb4ea9022eeebc24a70a206670d07f224f98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jphkkpbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogekbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahaceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdcpkll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modgdicm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nclbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogjdmbil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oabhfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aogbfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahofoogd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lckiihok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahdpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bacjdbch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llmhaold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnoaaaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpeahb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lncjlq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpdnjple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chdialdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipoheakj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgbloglj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aknbkjfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akblfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjkic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmfllhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jekqmhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgpfbjlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljnlecmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnmopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcehdod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cponen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckgohf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cammjakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgifbhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfcfmlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgkmgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljeafb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnegbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqfpckhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdoacabq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmmeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conanfli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cogddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgmjmjnb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jobfelii.dll"	Jilfifme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aooold32.dll"	Lckiihok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mmmqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mqfpckhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ipoheakj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ignlbcmf.dll"	Jgbchj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kegpifod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhfif32.dll"	Johnamkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lfeljd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofmfi32.dll"	Ocgbld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdjofbi.dll"	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdmlfj.dll"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhbek32.dll"	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipeabep.dll"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kcbfcigf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figfoijn.dll"	Mgbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmncdk32.dll"	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oonnoglh.dll"	Lfeljd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiebgmkm.dll"	Qjiipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aogbfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaafabl.dll"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjpda32.dll"	Lljklo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgijpe32.dll"	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqbpojnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmeandma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jiiicf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfnba32.dll"	Njjdho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okddnh32.dll"	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhhlki32.dll"	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jilfifme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojnkocdc.dll"	Mogcihaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmjob32.dll"	Lflbkcll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njjdho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qhjmdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ahdpjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcelpggq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qhjmdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amcehdod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkakfla.dll"	Loighj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnffoibg.dll"	Ofmdio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmjkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oblknjim.dll"	Chnlgjlb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 4956	3012	9e0aa91ec787012f25cf11fa5538fb4ea9022eeebc24a70a206670d07f224f98.exe	88
PID 3012 wrote to memory of 4956	3012	9e0aa91ec787012f25cf11fa5538fb4ea9022eeebc24a70a206670d07f224f98.exe	88
PID 3012 wrote to memory of 4956	3012	9e0aa91ec787012f25cf11fa5538fb4ea9022eeebc24a70a206670d07f224f98.exe	88
PID 4956 wrote to memory of 2440	4956	Ipoheakj.exe	89
PID 4956 wrote to memory of 2440	4956	Ipoheakj.exe	89
PID 4956 wrote to memory of 2440	4956	Ipoheakj.exe	89
PID 2440 wrote to memory of 2836	2440	Jcmdaljn.exe	90
PID 2440 wrote to memory of 2836	2440	Jcmdaljn.exe	90
PID 2440 wrote to memory of 2836	2440	Jcmdaljn.exe	90
PID 2836 wrote to memory of 4768	2836	Jekqmhia.exe	91
PID 2836 wrote to memory of 4768	2836	Jekqmhia.exe	91
PID 2836 wrote to memory of 4768	2836	Jekqmhia.exe	91
PID 4768 wrote to memory of 1320	4768	Jleijb32.exe	92
PID 4768 wrote to memory of 1320	4768	Jleijb32.exe	92
PID 4768 wrote to memory of 1320	4768	Jleijb32.exe	92
PID 1320 wrote to memory of 3644	1320	Jgkmgk32.exe	93
PID 1320 wrote to memory of 3644	1320	Jgkmgk32.exe	93
PID 1320 wrote to memory of 3644	1320	Jgkmgk32.exe	93
PID 3644 wrote to memory of 3196	3644	Jiiicf32.exe	94
PID 3644 wrote to memory of 3196	3644	Jiiicf32.exe	94
PID 3644 wrote to memory of 3196	3644	Jiiicf32.exe	94
PID 3196 wrote to memory of 4240	3196	Jgmjmjnb.exe	95
PID 3196 wrote to memory of 4240	3196	Jgmjmjnb.exe	95
PID 3196 wrote to memory of 4240	3196	Jgmjmjnb.exe	95
PID 4240 wrote to memory of 1540	4240	Jilfifme.exe	96
PID 4240 wrote to memory of 1540	4240	Jilfifme.exe	96
PID 4240 wrote to memory of 1540	4240	Jilfifme.exe	96
PID 1540 wrote to memory of 3956	1540	Johnamkm.exe	97
PID 1540 wrote to memory of 3956	1540	Johnamkm.exe	97
PID 1540 wrote to memory of 3956	1540	Johnamkm.exe	97
PID 3956 wrote to memory of 4244	3956	Jgpfbjlo.exe	100
PID 3956 wrote to memory of 4244	3956	Jgpfbjlo.exe	100
PID 3956 wrote to memory of 4244	3956	Jgpfbjlo.exe	100
PID 4244 wrote to memory of 1724	4244	Jinboekc.exe	101
PID 4244 wrote to memory of 1724	4244	Jinboekc.exe	101
PID 4244 wrote to memory of 1724	4244	Jinboekc.exe	101
PID 1724 wrote to memory of 1404	1724	Jphkkpbp.exe	102
PID 1724 wrote to memory of 1404	1724	Jphkkpbp.exe	102
PID 1724 wrote to memory of 1404	1724	Jphkkpbp.exe	102
PID 1404 wrote to memory of 2908	1404	Jgbchj32.exe	103
PID 1404 wrote to memory of 2908	1404	Jgbchj32.exe	103
PID 1404 wrote to memory of 2908	1404	Jgbchj32.exe	103
PID 2908 wrote to memory of 1832	2908	Jjpode32.exe	104
PID 2908 wrote to memory of 1832	2908	Jjpode32.exe	104
PID 2908 wrote to memory of 1832	2908	Jjpode32.exe	104
PID 1832 wrote to memory of 4716	1832	Jlolpq32.exe	106
PID 1832 wrote to memory of 4716	1832	Jlolpq32.exe	106
PID 1832 wrote to memory of 4716	1832	Jlolpq32.exe	106
PID 4716 wrote to memory of 1652	4716	Kgdpni32.exe	107
PID 4716 wrote to memory of 1652	4716	Kgdpni32.exe	107
PID 4716 wrote to memory of 1652	4716	Kgdpni32.exe	107
PID 1652 wrote to memory of 4560	1652	Kegpifod.exe	108
PID 1652 wrote to memory of 4560	1652	Kegpifod.exe	108
PID 1652 wrote to memory of 4560	1652	Kegpifod.exe	108
PID 4560 wrote to memory of 3700	4560	Kcbfcigf.exe	109
PID 4560 wrote to memory of 3700	4560	Kcbfcigf.exe	109
PID 4560 wrote to memory of 3700	4560	Kcbfcigf.exe	109
PID 3700 wrote to memory of 1128	3700	Lljklo32.exe	110
PID 3700 wrote to memory of 1128	3700	Lljklo32.exe	110
PID 3700 wrote to memory of 1128	3700	Lljklo32.exe	110
PID 1128 wrote to memory of 3520	1128	Loighj32.exe	111
PID 1128 wrote to memory of 3520	1128	Loighj32.exe	111
PID 1128 wrote to memory of 3520	1128	Loighj32.exe	111
PID 3520 wrote to memory of 3996	3520	Ljnlecmp.exe	112

C:\Users\Admin\AppData\Local\Temp\9e0aa91ec787012f25cf11fa5538fb4ea9022eeebc24a70a206670d07f224f98.exe
"C:\Users\Admin\AppData\Local\Temp\9e0aa91ec787012f25cf11fa5538fb4ea9022eeebc24a70a206670d07f224f98.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\Ipoheakj.exe
  C:\Windows\system32\Ipoheakj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\Jcmdaljn.exe
    C:\Windows\system32\Jcmdaljn.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\SysWOW64\Jekqmhia.exe
      C:\Windows\system32\Jekqmhia.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\Jleijb32.exe
        
        C:\Windows\system32\Jleijb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4768
      - C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Jgmjmjnb.exe
        
        C:\Windows\system32\Jgmjmjnb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Jilfifme.exe
        
        C:\Windows\system32\Jilfifme.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Loighj32.exe
        
        C:\Windows\system32\Loighj32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        27⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Lckiihok.exe
        
        C:\Windows\system32\Lckiihok.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        36⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        39⤵
        Executes dropped EXE
        
        PID:4604
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3424
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4124
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        46⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        47⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        48⤵
        Executes dropped EXE
        
        PID:3240
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        50⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        51⤵
        Executes dropped EXE
        
        PID:3916
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        59⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        60⤵
        Executes dropped EXE
        
        PID:4628
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        66⤵
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        67⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1176
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        69⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2056
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        74⤵
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        75⤵
        
        PID:224
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        76⤵
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        77⤵
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        78⤵
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        79⤵
        
        PID:396
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        80⤵
        Drops file in System32 directory
        
        PID:928
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1916
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        82⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        84⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        85⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        92⤵
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        95⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5872
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        100⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        102⤵
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6052
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        107⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        108⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        109⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5612
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        113⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        117⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        118⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        121⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        123⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5896
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        129⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        130⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        131⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6112
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        137⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        138⤵
        Drops file in System32 directory
        
        PID:6240
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        139⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6324
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6376
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        143⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        144⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        145⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6560
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:6656
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        148⤵
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6748
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        150⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6860
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        152⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6904
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:6948
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        154⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6996
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        155⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        157⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        159⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        160⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:6348
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        162⤵
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6436
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        164⤵
        Drops file in System32 directory
        
        PID:6556
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        165⤵
        Modifies registry class
        
        PID:6604
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        166⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6696
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        168⤵
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        169⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        170⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6988
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7028
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:7104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7104 -s 412
        173⤵
        Program crash
        
        PID:6168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 7104 -ip 7104
1⤵
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adkqoohc.exe

Filesize
94KB

MD5
2f31fce45d7adf4fba94231a1e9b3dae

SHA1
b3c211caa7704d1ed99ee87d5568ef8a8d86d5a8

SHA256
f018895dc819c24549c0289f569d94b45e1dab7cc3b72ebc6e80dfc8a0b36c15

SHA512
1eda99d1b2709dcf132d8c353155d0637a4d4feb8864d983cbd7c4030c01095436f61af8f46f6c15c7f91906a5edd12388992f39fec078475f824607e74486c7

Download Submit
C:\Windows\SysWOW64\Akblfj32.exe

Filesize
94KB

MD5
ace81cde14a3c5e7cd65c052a0300380

SHA1
0a13872d26ab10420e941de0f11d1cee144b2706

SHA256
010e1060ad76e315f5bf54205f705b3cb6e48254cab9baa191f3e560eae0756b

SHA512
5d558b9cd866fcc5974d45a9f301e2f6ab7a0a19bc91a231b00d68ae87b550799e79c97ca5db490ce31bd0ffb23d85f34760e3dd6e1764e20ebdd0c9afd42c76

Download Submit
C:\Windows\SysWOW64\Ipoheakj.exe

Filesize
94KB

MD5
13d08745e42ddec9f36e72a13c109f80

SHA1
0378e227f1ffd76bf80e8099af3a8f56923364cc

SHA256
ba5858caa48989b103906f92ce1c2b5ff0b7a9c353ef4fa28870c1f6ae833c20

SHA512
c7bc20b9eec116dea70bcf9f6b1dcc9b873b49193b6e3b85dd74aca2207cd4761b667553f11f57e4a8e26f463343d10cffad673e281fc13bde4d1d234cc7e32c

Download Submit
C:\Windows\SysWOW64\Jcmdaljn.exe

Filesize
94KB

MD5
6b9d67c01eaae27619f32111644ce501

SHA1
679b0cae4dd23062acac18c8673c77280d4aa90b

SHA256
63d5b6dee375cb42821987715f05ad7425d3cf9a5bdc825d391d120b9126f05f

SHA512
b66e2b515754a4b7aa6eb8021234a08b12bf1347ce8b204b725b9bf998475757e48d6ed8c317877889f27cf744cb58defd1fa46b7523469a5701d59c5a582205

Download Submit
C:\Windows\SysWOW64\Jekqmhia.exe

Filesize
94KB

MD5
65bb45b103ebe973f64e6f23dd72a64b

SHA1
1bfa7483a42daf9dbd42e98a0ced72ccba7207c6

SHA256
68fa129cf6c68780bf78ef7fff73d7eaef233118c1c19daad7ba46554cc58ab8

SHA512
e69454264c740ca970ba8debd82b1e9e8ff7b261fc1ef814832fb620918484dce8b4e3c682f232b7d029ee75dd024fd784f021fa7639b9eba8160b4186e45b09

Download Submit
C:\Windows\SysWOW64\Jgbchj32.exe

Filesize
94KB

MD5
ee52935bb7e926b1d77f15a1ae4e6c10

SHA1
5ab71394900672ae41b218d1e5bbfab1a91e45a8

SHA256
cfbab75572af007ed9179454e4d73176b5aac4d338a843f4b67240d51e145ae4

SHA512
3329398bebe5e238b0ce24f86ad4c7055c92f695c261a3e4e9e0cf28d6dae0d1ff17a8f9f773ad5cd01efdd86c0ce31dca013552145093ddc35ff4ab4ed79b8f

Download Submit
C:\Windows\SysWOW64\Jgkmgk32.exe

Filesize
94KB

MD5
4d79b1d6ca7f6d66ce96015049cb17d4

SHA1
f1dcd364203945dfdb5bb341b88766e1bb0b0998

SHA256
13d2f0b6e077629bf9544d559bf67b9975d09b4529d4e7752181d77a8f157463

SHA512
9524d2c52ad505fd37e0acae7287557fafda80afe08277c9d0b535718a6615784b236f234a8eecbc433341a13a694b2c0ccefad5603b0f166028851a4e23509f

Download Submit
C:\Windows\SysWOW64\Jgmjmjnb.exe

Filesize
94KB

MD5
a0600a567d959b8d4177066721bf7eff

SHA1
56d676edd6da2af211666756d9c4c0ea568db75a

SHA256
b36341245f0268181d58568e8718d50d239ca03d1428d30df51a965c10613ced

SHA512
057fda33abf7b51ee3b5bdd31480b94fe4d6229544cce5a2eb55c45de8f4d6760c9d02a34c83880ce86e118a30c318040b4996c670f21e9bedaeadd09a7ff57c

Download Submit
C:\Windows\SysWOW64\Jgpfbjlo.exe

Filesize
94KB

MD5
f28280df6af4c373f22fcdf76da95c09

SHA1
2d957a54a1117fb75067a6cc85b49e02158b94f7

SHA256
3051c9b5d206c5b504ae391424aac7187cd16ff0424df49f3036cb0c489f2189

SHA512
d4826970d722a5ea4076cf40e693ee66ed11e1c5cbafaa10e3cba538670bc198d3b0a85301fdcd6dd97aab35df445ab06a6c74e66b115015440e477d83ec58a1

Download Submit
C:\Windows\SysWOW64\Jiiicf32.exe

Filesize
94KB

MD5
bd4ac5c2c85c997daea9bcb3002197bd

SHA1
5ea116ced53bc01f52740183599432d2e7a1d3b8

SHA256
0f611e33e871ea36a0929295151663470d20a4ef85a5a29e7b659bc02e9dc98b

SHA512
4b4c6fdfabf654356f6f9c1686d9ee231abc5d54ce031db64083d291be95ae8c2e4d10d9412c293a7174bf66128a3e4962883d6ea9fed5197104a98c6b4bcce5

Download Submit
C:\Windows\SysWOW64\Jilfifme.exe

Filesize
94KB

MD5
95b5b3925ec744f64b35146072de75ee

SHA1
f292cb4968b4325b0b108d3865769e3c7ea25561

SHA256
99b661d7e6a5b469b5f7bd9a7e801b7e11a96ad316cb757d3ea95b229c519918

SHA512
851c76722e23fd29c9b409c4479d624abeb510b7322ae2892c1242d4afc52bdbe36f07a2d312bfafd175608094bd2dca45ff0081fbe87a0f6186a02f52096675

Download Submit
C:\Windows\SysWOW64\Jinboekc.exe

Filesize
94KB

MD5
7d2b847e336395b53ccbd8b112aa10a4

SHA1
e4b260170c37352893bdd95a65eb07af85322a6f

SHA256
050166f50a5ccbd93b8fe44b94bc23edadded05162fc9955a6588d8af92a51e2

SHA512
5e303747717d145efaa349af86617fbf6aa4d1973c850aa6bda903da8ee2b10210db798e650b99077f0cd6c622291f528461a70d090bb1fe796f6929ab180208

Download Submit
C:\Windows\SysWOW64\Jjpode32.exe

Filesize
94KB

MD5
29fa9922896aa972c8196e420caf6552

SHA1
c33c2bd5ac65a61cd5da11ef96cd7065389b3f76

SHA256
55fc9284248425ce3cf0b34976ac74f2916644cb48011c3b14890aec0789854b

SHA512
5dde1287b7acfe1b1a69078b856cc9c663415f59c3353321715f1ca1b7845c9ccf63bef7025c3b32c5d88175df4e0d8b4844d92d76818aa011301d6cdddb3dc8

Download Submit
C:\Windows\SysWOW64\Jleijb32.exe

Filesize
94KB

MD5
98bf7436d6c623b30baff2cc8ba8642e

SHA1
9d79fd2d7b22b5cb127445315fdfd0332a93e55f

SHA256
7611cd84c83d702707dfbb7f3924375a2d470bc055e5011912abf98abb4adf26

SHA512
b986af3ebf6eb4e0e8f34577b2feb7e81e0b299e398ad05d1d5b024fd0a8795e0e393d0a10de0ac4aac1a8ff832cd2d7a5f9dcb54da6ff10282626bd106b1870

Download Submit
C:\Windows\SysWOW64\Jlolpq32.exe

Filesize
94KB

MD5
de84f2c7f6066f4b3e036123ae16e2a5

SHA1
0c68a6fb0d4b1d37336e06d73ad763bb3b4d3eab

SHA256
5ad7613c84596071793153331114cedad4be6302fd259db4d113ccd6d6b4559b

SHA512
d7168cc5181be7e023be6ff34853ea211b5674ffe18d601820f478b65f8931e1c0bd90d029239feb959f30627d2ca372f5579820e15587d5f40be0f43021969e

Download Submit
C:\Windows\SysWOW64\Johnamkm.exe

Filesize
94KB

MD5
43f8440eb4e1fee19f81f3f85ce8ac33

SHA1
b7193c2a9b30f5575dc5aaef2b82c5efa2be7e38

SHA256
643b2313aa7873a831ef38ccc79813f3313945a3ee757734e79d2f7d7ca6a2fb

SHA512
b4e9bdbf84a5a0d3b2d7990bb3feacd996d75dcf6534bf4be5fcad2184272ac0218dc3288a0c5c419fc4f74dcdc15d7808f2e22442abac74c9a73aaa9d8a40c8

Download Submit
C:\Windows\SysWOW64\Jphkkpbp.exe

Filesize
94KB

MD5
a65c8d7402c77f9698259fec31375b87

SHA1
6091367893cd8b2fd11d36e05208c5ca70217fea

SHA256
b71ad5646104f99101b6e7e5011344d9d1a0d31f256d607382d8e004b848f3d0

SHA512
7d46f3a597e0602d08b40eb1bac6d31b8ad04972d44f2f60f1e8a7c59168441e9a76c4a94b668511ea5538da48e0927be5ed893bae2ca7015047ad98e2ee6705

Download Submit
C:\Windows\SysWOW64\Kcbfcigf.exe

Filesize
94KB

MD5
767fb5de6a1cf6a272d834f36799c552

SHA1
0cc4ed1efe63dd37602b8c2369612119e376eb3d

SHA256
edf9747af754a74f35186126c3eb7e8d3c277e6d3e621dea81979b3c43a761a1

SHA512
d67f1cf1111f8f936b7db6ad9fe9258803a7a89a459b49d55fa1c1da074b1e6bd7d61556461007fbc10c2a0eb35a96c8bf3cc5c74c8d8135eb9711a212836b9c

Download Submit
C:\Windows\SysWOW64\Kegpifod.exe

Filesize
94KB

MD5
8493381ecb442a2e42a0d00d5ac2987d

SHA1
9275dd9b9134156711a25707357b46844e8b6cef

SHA256
0a3f49c0928e6c8752b2220681ae6ea1d8a69ea8e1fc0affe31ed3c0526e8d45

SHA512
1d325a3c8a16affb1439d1232861546b2ee7c7df5fb9f81dcf630d15b9afbb113c67c930335e10987a2671c16879ce92c32b94735e45eb5065674344cf1db699

Download Submit
C:\Windows\SysWOW64\Kgdpni32.exe

Filesize
94KB

MD5
78db3990a5b80b3216cda2dc7499bc40

SHA1
53b917107755553ce4b72f8f829375e7084fcd15

SHA256
3fa6e6cd5227231c86a6843aa57b63f1374c477b33ad0ed3396a95e78429f990

SHA512
6c313380b727111deab12f7207b7bf86afe807721a034fc88a656745d189fbea7c0dee3b341c135e69fec639ed88cac07d0a9012ce6ed02787d357bf02e8362d

Download Submit
C:\Windows\SysWOW64\Lckiihok.exe

Filesize
94KB

MD5
6831a6676f9a3a000bb989c7d1a06767

SHA1
5d3b95ebe35968b772d60e4c8ff64a9a4a8a7415

SHA256
175ee86cdaf73477c57c557c941101ed96a0158993461b2bc92cf0c45ec90fc9

SHA512
30881d199b0300a10d0586a6fbb43d49960401e4325876e40e0739ce11c0abf284bd738630f21c372a059df06db33aa73055362d6f8fc1be24487335bb6f453e

Download Submit
C:\Windows\SysWOW64\Lcnfohmi.exe

Filesize
94KB

MD5
7be17ed0cab86ef46d093da1b6c7345d

SHA1
c0263bb44dc658b6d38b66cd48ab3b75b771748c

SHA256
265612bc17494e2afd4d5df75df34a1585d74220bf7bf31c4e761d14e5835be0

SHA512
506a05bd1238588b48ba25518033e9185d3ab6398402c7efccc4f8b4348392a0f40bc53c2ffbc641e4bbf3e40947a3c9dc2db9322e6b9428208665c611f0d6a3

Download Submit
C:\Windows\SysWOW64\Lfeljd32.exe

Filesize
94KB

MD5
8723c40b20ebbcf1fc4deb5478c2ec98

SHA1
2685afc5938598e4cf9fafdb6d3e3422d9fc7481

SHA256
871dca12e0294ae5a3aba2c633be9a7d8e6369000e7fb8dd860c3dd4e4bf4204

SHA512
baf89554ae7a023adc1959939731db96bd1759b2030f3651bb7cadf08c574abd9845e9fc19c825a71abcf621ce237fb800ab9674d919f3c4b6f323e77d236ce3

Download Submit
C:\Windows\SysWOW64\Lfjfecno.exe

Filesize
94KB

MD5
50a599ddc268a2aaf663964cc025ae96

SHA1
f4a4bae969c8adad31fc11a8b88b6a60b2b54008

SHA256
0dafabb7c6134da29d80a297c61704e92fa0a823bc66c818a205546c8ac3fbaa

SHA512
1ae2aaf9a5168af621e0edbc6ccedaa38f2ea366a46251f5cd40bd01b77fd1ee8f996736b88157ecacbd7f1df77ba0e4dc7e2566260fac9332137708d1d85bab

Download Submit
C:\Windows\SysWOW64\Lflbkcll.exe

Filesize
94KB

MD5
c4e98d24f32f3ce6a6261df2a4131139

SHA1
dc0f9ac6e242dfe2494125c8dfce024887f7f0a2

SHA256
d0dc583234adcf6ed400913712f8356c8d8e64cff6ef4534a1e2f43174aefa66

SHA512
deb3da0389ecd9f73496a8d50837c8ee61f6822e15b4debf442a521b368bdf6f75ee9c3c52d30db739169ef37305dade0e40874bce186b0ef0a05c16c97c7f48

Download Submit
C:\Windows\SysWOW64\Lgbloglj.exe

Filesize
94KB

MD5
0064ef513156433dfd74deaf39e6ed0e

SHA1
9314ee9dd0efd71939f4c07370c6bf6adebcaacb

SHA256
2416132cf2e88e2d6513dbf3fb8c7ec14eb0c900b50e98f42492fa6ed525fab5

SHA512
c81a5ff0b86fbbdd8581e21a228686e265590f593779cc7af8cd8c4029ee791bcda9ca61c654c224fb59f3a4dd4e9bea09dbb3e6d24c5a82623a5fd96ec7689b

Download Submit
C:\Windows\SysWOW64\Lgdidgjg.exe

Filesize
94KB

MD5
c69bc8607bb26b0720d70c9543954fe6

SHA1
95323254ff1fa7cfaf9b272ab7aed5ed752a9662

SHA256
a4edfe67298b37976ea6a20ef327b099eebc9831a1dd593940e28b5064a0f854

SHA512
fe917985a42eb0e9d7b240f8ad9ff886b871690a38141cad69d9f4da9f64ce7f3aa1aa34c30647496db78e3826f2d9e0e4b20fc8d2a50831ca94936a5feb5f65

Download Submit
C:\Windows\SysWOW64\Ljeafb32.exe

Filesize
94KB

MD5
998e6af3f457d3098e4a5cf7575ea93f

SHA1
6debca50d28b50ad54892bad67baeb81f6d0091d

SHA256
fa000f194d92ac1147a3c2d514f61405b15ea89bf5462220f354231398370d0f

SHA512
bdb4e1c521c32d4016cc3d2040c5d41df0255272b33fb73abfb8a95623a6315fef5fa0d6d633d2b39330e758c200576d9089f7ac6fe36e8a791753c1e423e561

Download Submit
C:\Windows\SysWOW64\Ljnlecmp.exe

Filesize
94KB

MD5
662096036feb8618692ef5a3283f9ace

SHA1
4996dbfb586900f9ed325211530bfdd57d894ee5

SHA256
d188d94d0c01c9a3d4663a69c7dd72a4a5c564f8148661e238f12ba7fe7f45b0

SHA512
ff602f9df2dbf87e8525cd627889f55447a28d17cd8eaa0e9e9a4040390fc006c3efcecf573780f4e9b0909fd5e591a12c6abc39e5525446ab071148137182ef

Download Submit
C:\Windows\SysWOW64\Lljklo32.exe

Filesize
94KB

MD5
1576a8f213012b2e5f3f1852c985aad8

SHA1
d2f00fb1d505bbf92664b74c6542f9d92fd8f081

SHA256
450dd7eb870a51490bb719d92069ba4be14ee8d20c3ba8c8334624b0f99a3f0c

SHA512
0a936157fd81f4b4657340a6ea3a8b839749866bfb0ae3791847bd3928b32e3d06d2843173c366d843ec10ef4e437463a2c8f7044c172b1b6dc65173ed3d29ab

Download Submit
C:\Windows\SysWOW64\Llmhaold.exe

Filesize
94KB

MD5
c317e37839749c729e4d1641b5eee99d

SHA1
68aca8d1ccd04caf4c6202aeb6bba850a131cbfd

SHA256
5393ae3e5c180e2f6939dcd72052b569b4696d39ab5764db23ab053837f34aec

SHA512
f619ce462f945a11d2809c803130c1d63ab0ce9bfd833bc04aeb012664dac3a806c952cbf7c618a755b76e14b43a3b42556c1ec65da6a7f37cfef0d41497178a

Download Submit
C:\Windows\SysWOW64\Lnoaaaad.exe

Filesize
94KB

MD5
17d07d19653a52cfd829f90014a70b09

SHA1
8e6c4d9e056c31026c87dc784ee8e64a1f1636c7

SHA256
a5bf0f90583f6c96354a7518ba9d6d17bdcff7d7d942eb0c047b0b27a87293aa

SHA512
3e5d696f8794f5890b04724befcd750c95a9b80567f501a064169e82bf2310ccc87ea1a21c712eadb14406c7859089dab7e7670061ed568f6afdb67c0cbf34c8

Download Submit
C:\Windows\SysWOW64\Loighj32.exe

Filesize
94KB

MD5
28be702aefd4a771eb3e690f2b08bc21

SHA1
5f0ff165c4494df4af1253a544b981245665f4f2

SHA256
b3f919deb56a74bd25d80e5167ab8de1b30609d4157f84eb3af6380c39df16c6

SHA512
cc557230de2419919d918da0e3c11c0135493176a562aaacbcde7aeb3bc88b43411aac198bca314083bcd88641df2593d02420ebf774d16af3214d81c856c31e

Download Submit
C:\Windows\SysWOW64\Lomqcjie.exe

Filesize
94KB

MD5
5d2016e91a6c5df398fd33bb3d274da2

SHA1
88646d1b99b78d2611ced2ccea88bde13321ec4e

SHA256
f1528e7378c567693f1d1642e230773dc498a7fed918fc1b7e5e03a6ad3d9410

SHA512
30c27d48cff0eef89e00ab7b5a0952334024fff237ad10091936823fb12f9e6eff4ecfba66b992b14dec7cf0bba68f0520b9bfe80143dbc8ed6d580d3da95f74

Download Submit
C:\Windows\SysWOW64\Mfqlfb32.exe

Filesize
94KB

MD5
d69e36b5b74131a141814d0d0b19be24

SHA1
121a09c85f8274c4b8f91b8022d6ac8c902a8411

SHA256
32469d4629622db26606320e0d92f76acc5a0529037742131b0d764b3e6d2185

SHA512
a72060e8f6d5a4c84e5faf2edabf3be30b1be92bc5c6466d12e2dcc42768dda4e98a02d2498c8ebd8b8b2945b947a798c49664f9303443fd4dee8f48793eb223

Download Submit
C:\Windows\SysWOW64\Mgbefe32.exe

Filesize
94KB

MD5
17dc2bb60433e16a8eafce6e0cfbe683

SHA1
37d73ce38822a41613df28803ec0ceff7d0329ff

SHA256
c82fe04121280db033c19d85c59acc9a61ed3ea1d5d30802b2efe3727a863b2a

SHA512
650f96b755f36ada51164e1402afccb087d6b6ae41e69336bf29ae2e827c9d9ac6f379c2542e91884e05f7a63edc0146c2aac1bfdd195829842054fdc6379710

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe

Filesize
94KB

MD5
c6a8de09638375b218259d29816d45a9

SHA1
467822a9586b3fa69b41d033a557a794afc42da6

SHA256
3a4c6195b97dede751dab525fd04faa7cd452959583959636fcf020aab916249

SHA512
2f68884b0142be4eaa302ec176ccabed977a02609d8778b6e7ab223cf230c944856f6800ccb9f113f010bc0f93d212848d0cffbda58efafe79ee5e8dd007ff8e

Download Submit
C:\Windows\SysWOW64\Paiogf32.exe

Filesize
94KB

MD5
64173dce249689e2d999f812721afc0a

SHA1
0539a57baedaca84d337b492a9871ee4e4820e0f

SHA256
a1770ccf2544de3248203ef9ca666e08af5a8da6653bc130015f51beacd869a9

SHA512
747c554ab17c78ae648ae37cff087a00b9f0fe08f62c4304034eae7fbe233c1e1f9bb8ee273d9e2a0b50b105af891f2fcf546380ad8a682db1336ec3f070095c

Download Submit
C:\Windows\SysWOW64\Pmcckk32.dll

Filesize
7KB

MD5
9007d7a7ecba132ac09601ffd9b1bb29

SHA1
78ec136786777e097b44be6018ec0514f6b8bc6d

SHA256
985bc1918df7c2c261fdbe1162eb0905ed115163ca1b74059ab3ad316ea91b42

SHA512
c6b95764955af11a31a338822e5d8f750db8dba2d40a34e4f9e9981727201c3bf3a602b1149bc0064c69ee611ec37af829a650b4e62ea75fac1338e7a1152910

Download Submit
memory/224-512-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/388-272-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/396-532-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/540-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/640-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/928-538-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/944-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1032-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1128-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1176-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1320-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1320-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1332-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1404-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1408-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1412-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1540-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1652-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1656-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1684-236-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1724-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1832-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1916-549-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2020-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2040-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2056-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2176-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2180-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2216-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2296-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2372-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2440-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2440-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2488-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2700-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2824-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2836-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2836-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2996-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3012-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3012-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3108-244-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3196-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3196-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3240-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3424-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3492-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3516-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3520-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3632-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3636-526-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3644-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3644-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3700-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3876-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3916-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3952-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3956-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3996-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4040-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4092-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4112-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4124-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4216-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4240-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4244-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4340-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4392-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4404-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4488-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4548-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4560-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4592-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4604-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4628-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4640-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4716-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4728-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4768-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4768-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4780-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4792-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4852-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4956-551-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4956-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4972-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4980-520-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5092-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5132-566-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5180-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5224-580-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5296-587-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5368-594-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads