berbew | 5bbfa9d6d4eecbce2478630fab1bb9cbacc02e929754b7cf21ca3211f26c53cc

Analysis

max time kernel
102s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
23/03/2025, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bbfa9d6d4eecbce2478630fab1bb9cbacc02e929754b7cf21ca3211f26c53cc.exe
Size

245KB
MD5

2593345162a1f758a6ac7e46ca7b4976
SHA1

f2059465c20f586384101e443a0feb298565e560
SHA256

5bbfa9d6d4eecbce2478630fab1bb9cbacc02e929754b7cf21ca3211f26c53cc
SHA512

295ead99baf2e82887469789888dcc9c71d5131f4ed096980a4dab5c95018e2dc1baf2ad7195d233e3c7ce045590539daa1cd98078bece86bbdc14450e8e11b3
SSDEEP

1536:EWh3w4kGEjp9M8vMmPa1+W/4cXeXvubKrFEwMEwKhbArEwKhQL4cXeXvubKr0:ECw4kGA9NvMkwBwago+bAr+Qka9

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5bbfa9d6d4eecbce2478630fab1bb9cbacc02e929754b7cf21ca3211f26c53cc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeklag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgfooop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2584	Jmmjgejj.exe
5536	Jplfcpin.exe
4992	Jlbgha32.exe
1704	Jeklag32.exe
4388	Jlednamo.exe
4092	Kboljk32.exe
4512	Kmdqgd32.exe
5360	Kdnidn32.exe
4928	Kepelfam.exe
4696	Kmfmmcbo.exe
4804	Klimip32.exe
4912	Kpeiioac.exe
4840	Kbceejpf.exe
4464	Kebbafoj.exe
2016	Kmijbcpl.exe
468	Kpgfooop.exe
1864	Leihbeib.exe
1564	Lmppcbjd.exe
3648	Lfhdlh32.exe
3604	Lmbmibhb.exe
3732	Llemdo32.exe
456	Ldleel32.exe
2896	Lfkaag32.exe
4396	Lenamdem.exe
1636	Lljfpnjg.exe
3576	Ldanqkki.exe
2772	Lgokmgjm.exe
2244	Lphoelqn.exe
1300	Mgagbf32.exe
6112	Mmlpoqpg.exe
4472	Mdehlk32.exe
5188	Mlampmdo.exe
3884	Mdhdajea.exe
2856	Mgfqmfde.exe
792	Mpoefk32.exe
3908	Mgimcebb.exe
2816	Migjoaaf.exe
3364	Mmbfpp32.exe
5092	Mdmnlj32.exe
4016	Mgkjhe32.exe
4308	Mlhbal32.exe
3016	Ndokbi32.exe
5552	Ngmgne32.exe
5720	Nilcjp32.exe
1804	Npfkgjdn.exe
5096	Ncdgcf32.exe
2096	Nebdoa32.exe
5324	Nnjlpo32.exe
5328	Njqmepik.exe
2228	Nloiakho.exe
956	Ncianepl.exe
5064	Njciko32.exe
5076	Npmagine.exe
1692	Nckndeni.exe
4648	Oponmilc.exe
3276	Ojgbfocc.exe
5772	Opakbi32.exe
5888	Pgefeajb.exe
4796	Pjcbbmif.exe
4904	Pmannhhj.exe
4672	Pclgkb32.exe
4764	Pggbkagp.exe
1044	Pmdkch32.exe
5892	Pdkcde32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Jmmjgejj.exe	5bbfa9d6d4eecbce2478630fab1bb9cbacc02e929754b7cf21ca3211f26c53cc.exe
File created	C:\Windows\SysWOW64\Ffhoqj32.dll	Kebbafoj.exe
File created	C:\Windows\SysWOW64\Ojhnmh32.dll	Kmijbcpl.exe
File opened for modification	C:\Windows\SysWOW64\Leihbeib.exe	Kpgfooop.exe
File opened for modification	C:\Windows\SysWOW64\Ldleel32.exe	Llemdo32.exe
File created	C:\Windows\SysWOW64\Mgfqmfde.exe	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Mgkjhe32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Kmfmmcbo.exe	Kepelfam.exe
File created	C:\Windows\SysWOW64\Ogibpb32.dll	Lenamdem.exe
File opened for modification	C:\Windows\SysWOW64\Mlhbal32.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Jlbgha32.exe	Jplfcpin.exe
File created	C:\Windows\SysWOW64\Npfkgjdn.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Oponmilc.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Kpeiioac.exe	Klimip32.exe
File created	C:\Windows\SysWOW64\Leihbeib.exe	Kpgfooop.exe
File created	C:\Windows\SysWOW64\Mdehlk32.exe	Mmlpoqpg.exe
File opened for modification	C:\Windows\SysWOW64\Mmbfpp32.exe	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Flfelggh.dll	Mdhdajea.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Kepelfam.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Ldleel32.exe	Llemdo32.exe
File created	C:\Windows\SysWOW64\Lafdhogo.dll	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Jlednamo.exe	Jeklag32.exe
File opened for modification	C:\Windows\SysWOW64\Kmijbcpl.exe	Kebbafoj.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6368	6276	WerFault.exe	229

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebbafoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgfooop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmdqgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmijbcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbceejpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kepelfam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kboljk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lenamdem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhnmh32.dll"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmlocln.dll"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffnijnj.dll"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmamoe32.dll"	5bbfa9d6d4eecbce2478630fab1bb9cbacc02e929754b7cf21ca3211f26c53cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpafo32.dll"	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpeiioac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpgfooop.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 2584	4612	5bbfa9d6d4eecbce2478630fab1bb9cbacc02e929754b7cf21ca3211f26c53cc.exe	86
PID 4612 wrote to memory of 2584	4612	5bbfa9d6d4eecbce2478630fab1bb9cbacc02e929754b7cf21ca3211f26c53cc.exe	86
PID 4612 wrote to memory of 2584	4612	5bbfa9d6d4eecbce2478630fab1bb9cbacc02e929754b7cf21ca3211f26c53cc.exe	86
PID 2584 wrote to memory of 5536	2584	Jmmjgejj.exe	87
PID 2584 wrote to memory of 5536	2584	Jmmjgejj.exe	87
PID 2584 wrote to memory of 5536	2584	Jmmjgejj.exe	87
PID 5536 wrote to memory of 4992	5536	Jplfcpin.exe	88
PID 5536 wrote to memory of 4992	5536	Jplfcpin.exe	88
PID 5536 wrote to memory of 4992	5536	Jplfcpin.exe	88
PID 4992 wrote to memory of 1704	4992	Jlbgha32.exe	89
PID 4992 wrote to memory of 1704	4992	Jlbgha32.exe	89
PID 4992 wrote to memory of 1704	4992	Jlbgha32.exe	89
PID 1704 wrote to memory of 4388	1704	Jeklag32.exe	90
PID 1704 wrote to memory of 4388	1704	Jeklag32.exe	90
PID 1704 wrote to memory of 4388	1704	Jeklag32.exe	90
PID 4388 wrote to memory of 4092	4388	Jlednamo.exe	91
PID 4388 wrote to memory of 4092	4388	Jlednamo.exe	91
PID 4388 wrote to memory of 4092	4388	Jlednamo.exe	91
PID 4092 wrote to memory of 4512	4092	Kboljk32.exe	93
PID 4092 wrote to memory of 4512	4092	Kboljk32.exe	93
PID 4092 wrote to memory of 4512	4092	Kboljk32.exe	93
PID 4512 wrote to memory of 5360	4512	Kmdqgd32.exe	94
PID 4512 wrote to memory of 5360	4512	Kmdqgd32.exe	94
PID 4512 wrote to memory of 5360	4512	Kmdqgd32.exe	94
PID 5360 wrote to memory of 4928	5360	Kdnidn32.exe	95
PID 5360 wrote to memory of 4928	5360	Kdnidn32.exe	95
PID 5360 wrote to memory of 4928	5360	Kdnidn32.exe	95
PID 4928 wrote to memory of 4696	4928	Kepelfam.exe	96
PID 4928 wrote to memory of 4696	4928	Kepelfam.exe	96
PID 4928 wrote to memory of 4696	4928	Kepelfam.exe	96
PID 4696 wrote to memory of 4804	4696	Kmfmmcbo.exe	97
PID 4696 wrote to memory of 4804	4696	Kmfmmcbo.exe	97
PID 4696 wrote to memory of 4804	4696	Kmfmmcbo.exe	97
PID 4804 wrote to memory of 4912	4804	Klimip32.exe	98
PID 4804 wrote to memory of 4912	4804	Klimip32.exe	98
PID 4804 wrote to memory of 4912	4804	Klimip32.exe	98
PID 4912 wrote to memory of 4840	4912	Kpeiioac.exe	99
PID 4912 wrote to memory of 4840	4912	Kpeiioac.exe	99
PID 4912 wrote to memory of 4840	4912	Kpeiioac.exe	99
PID 4840 wrote to memory of 4464	4840	Kbceejpf.exe	100
PID 4840 wrote to memory of 4464	4840	Kbceejpf.exe	100
PID 4840 wrote to memory of 4464	4840	Kbceejpf.exe	100
PID 4464 wrote to memory of 2016	4464	Kebbafoj.exe	101
PID 4464 wrote to memory of 2016	4464	Kebbafoj.exe	101
PID 4464 wrote to memory of 2016	4464	Kebbafoj.exe	101
PID 2016 wrote to memory of 468	2016	Kmijbcpl.exe	103
PID 2016 wrote to memory of 468	2016	Kmijbcpl.exe	103
PID 2016 wrote to memory of 468	2016	Kmijbcpl.exe	103
PID 468 wrote to memory of 1864	468	Kpgfooop.exe	105
PID 468 wrote to memory of 1864	468	Kpgfooop.exe	105
PID 468 wrote to memory of 1864	468	Kpgfooop.exe	105
PID 1864 wrote to memory of 1564	1864	Leihbeib.exe	106
PID 1864 wrote to memory of 1564	1864	Leihbeib.exe	106
PID 1864 wrote to memory of 1564	1864	Leihbeib.exe	106
PID 1564 wrote to memory of 3648	1564	Lmppcbjd.exe	107
PID 1564 wrote to memory of 3648	1564	Lmppcbjd.exe	107
PID 1564 wrote to memory of 3648	1564	Lmppcbjd.exe	107
PID 3648 wrote to memory of 3604	3648	Lfhdlh32.exe	108
PID 3648 wrote to memory of 3604	3648	Lfhdlh32.exe	108
PID 3648 wrote to memory of 3604	3648	Lfhdlh32.exe	108
PID 3604 wrote to memory of 3732	3604	Lmbmibhb.exe	109
PID 3604 wrote to memory of 3732	3604	Lmbmibhb.exe	109
PID 3604 wrote to memory of 3732	3604	Lmbmibhb.exe	109
PID 3732 wrote to memory of 456	3732	Llemdo32.exe	110

C:\Users\Admin\AppData\Local\Temp\5bbfa9d6d4eecbce2478630fab1bb9cbacc02e929754b7cf21ca3211f26c53cc.exe
"C:\Users\Admin\AppData\Local\Temp\5bbfa9d6d4eecbce2478630fab1bb9cbacc02e929754b7cf21ca3211f26c53cc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\SysWOW64\Jmmjgejj.exe
  C:\Windows\system32\Jmmjgejj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWOW64\Jplfcpin.exe
    C:\Windows\system32\Jplfcpin.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5536
  - - C:\Windows\SysWOW64\Jlbgha32.exe
      C:\Windows\system32\Jlbgha32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
      - C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5360
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        32⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        33⤵
        Executes dropped EXE
        
        PID:5188
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3884
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:792
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        37⤵
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4308
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:956
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        53⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        54⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5772
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        59⤵
        Executes dropped EXE
        
        PID:5888
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        62⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        65⤵
        Executes dropped EXE
        
        PID:5892
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        67⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3720
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        74⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        78⤵
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        79⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        80⤵
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1596
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        84⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        86⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        88⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        90⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        93⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3116
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        101⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3760
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        115⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        119⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        121⤵
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        123⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        125⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        127⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3448
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        131⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2140
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        136⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        137⤵
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        138⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 404
        139⤵
        Program crash
        
        PID:6368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6276 -ip 6276
1⤵
PID:6340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ageolo32.exe

Filesize
245KB

MD5
4d9632b70bed814243a5e0f7482e2f06

SHA1
6be6acc8d4623f2f5a0a192f27aa48f31a6130ad

SHA256
97abcd2c11f7f4014c00323830e9d2210b49d11aae891127e4140581ca74695f

SHA512
ce1aca199b24474f2d41612cc91ccb85d6e2bf6121e992386a4736f0f01f0742df1667e0dbdf52f545092ac0a1bdc9b6530d6b2151f03176d176c0c520efe278

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
245KB

MD5
2aa05f022872325727bf7a5579e96d9b

SHA1
ad7fa718a16af00f84dd4155509290414ff0a010

SHA256
02684097d35da1d5cd019107ac96f936fa50e3822be81bd67c4c6e2e3a83fb66

SHA512
514f1b75fb643578b90e1c75192a0bc801f3c78ef9dca0bdac24b96954e62c340a04da3c74e350bf46a874946771603c3a4b91c74aaf53d1cb618783e5058c85

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
245KB

MD5
9c55146bdffb8e05873a5db4e17324cf

SHA1
63f615ab0e4b207e9cd869c830eaf0c64ec8d238

SHA256
323f937c0f5f9a556f3c03de9d844dcc1818b01fd2208dc211a1a9eb6f491228

SHA512
5dcdda6aa6f30b806a07c1b8d7b09ac595aa0b377391c18a9fd6e132ef55679abcda4233bbc0a543102bf5390f845d369809562e1a57fd97cbd721813be1a1ba

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
245KB

MD5
733cc3a1f1c2f287087bdf5800a96f4f

SHA1
680dd54720a61bdd6424d4f89672b69dc062fe2f

SHA256
06d58ffed009d9cdca0f97809fa86504f0e2d8925534f85acc740216932cdf60

SHA512
3361d4b17f0971e63f214a41dcf7aa24ea61a5dfa06adaab18fe97a49b5c1c5f85ec59e5dd660f7dac62d11980180c0e2df0a45284f1fe7293fac06f3c323e10

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
245KB

MD5
67714c64f02b9e9c72440c5e1235e495

SHA1
602c9162593c65c85c1accab26ece76e4c64b583

SHA256
5dc7c22239c558ca4a05f13b94e357635a8455ec0dc4740400ec32a6926926f6

SHA512
6729c6530749fc298567163e8a9c7754940ce5e62b97a9b8be5d020f59c30f3ce3f84bca2cbfd5c5bc0097ac66aa3e61d396c16764d9d7cd9788e70c4d5c15a4

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
245KB

MD5
9d0b60379bbfe2c940658b828ddfaaaf

SHA1
79de38da2a67e176db9bc84e354a03e13c1f2d72

SHA256
b5b7ce16b2bf8e1ad706c7d5539aa80caaf48b8dcee44401b42ed3bef8afeed5

SHA512
0c6728428d498785814caca306f188793193312b9e96c2655b950685f69485823e70fbc18045dce8cd4d7c6a8f7f986b2514fb4394434c86723168db8fbb8766

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
245KB

MD5
d7a703bfee7b21ec5273424ab6dc0c8f

SHA1
9e1507dc2ea77a35aa22ee84526292de9990d6d8

SHA256
84694fe302696bc2f6481055631d0e61900248b825c75f34ec5fb76099f50c7f

SHA512
20341312a5dce8219240de673b02696329ade151f6c38626c4767bec4bad529c64eb7828ed6669d44e5e78b106c1becb9311d52d30e5d47dca9d416687fedc3e

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
245KB

MD5
71db79d6953b85fee3e0045991bc619f

SHA1
7d527962db628f4bb67622a809dae7708fc70688

SHA256
b0d44f557c9fc4c6a7b5fc2509750b1309b8360c9c225ff8d57462f635a5b0b3

SHA512
aaae93fd2d20ad89fcbeb46cb655fd8901c02abce2753f4fb3284bef3801e5001c14cf1c9d22feb97bb6db5d80320927de37b65c7d40d867d5cdc0388135ffc8

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
245KB

MD5
508c3128722fa6cb45c9f576470304ef

SHA1
33bebfd5ea2a189ef327d88fad0407971cf58794

SHA256
d0d569c2c3f0d9d330a71cd6c97e22bfa163170501efbb182b032116a22d1c95

SHA512
3f31a4579b395c16740d707b6aff4c5c75d0d1c3c083b294864b47499b6ac15bdd339ea366f9cab2c8142607968c90eb345f18530bc899c3d4bd9c5c792c2145

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
245KB

MD5
6144b187be5c23836632c0d92bd7006c

SHA1
3f4f8966ae3ad342c0c624b97534488bbeea724a

SHA256
f3c78dfb7138a803776e445e5ca5b8d778ee1256f1644f915cf94a05ef8c1bd0

SHA512
d45770e2f34871ad32c6a81dd11f51b817f4e050cdb2760c96f987e1694a008e59a6f4c10e7b175cd289c426564168766f6586e4853c27307b8b794582be517f

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
245KB

MD5
095fa236a2a0d484496e0b2c44dc50d6

SHA1
532870babe595037a4b1b71832706e262dfe6ba1

SHA256
85c1ee2339e62ebc09f2f684862f4b96c723d45dcd70fc05c944aa53ff2fc700

SHA512
1c31946bcf6c7a9c5b92f11e03830bca87d297e33451c7a4db149af794181c40a24da1ba529d2909a680cd7604bed602ec75662102afaf8152b8288f15f5f14e

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
245KB

MD5
84d846315e9a1f5e5671d2ebfef43ccd

SHA1
0cc00b6052e1f16a15f2d0aa10bcfa43b209bbd9

SHA256
dd69ebf8399b2ebd6a22d14a04346280ec1a9ff7e9c8f2d84c5573a51e714154

SHA512
ad61320defe54626e6a4e53f1da0bed0b91b03e676f5fa4ff9abfa478ea8be480be1140bb079874aad28ee5d2471d032a416352e52a8fcef3f1f820d39bb3d5a

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
245KB

MD5
159092215420e889e9f0cd4bfeb05abc

SHA1
eb065ca12a9a8c650f99f01d96d6973a29a9f638

SHA256
eb7bbb96647fda8859e91328cb7e58afc6d90dd04823f2b272492fce1de83641

SHA512
25cd1e175e9a4d908088c06d3a7a2d58022b0e25c57e7051e14717e0074774d3b07d7d50c7a8dff1d01e46005c5578af13d3ead5aa486590250092ba772c5114

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
245KB

MD5
29f91612922af61154a58e322446d690

SHA1
483d3486553ace34807cb9120288f3d3a6ebde2f

SHA256
636c942c888fb64bbad59a3bf50ca42acd2492edcafb663aaece3ae9c6f6bf32

SHA512
36ec90ccf9f98d8aac1c6a2f826ce16352cb514143b356f1c951a03de20ad456e9291c2fda253d2dbab6340f5930ada7bef42922a639662e2ac71aad38416997

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
245KB

MD5
78225e15314999610c1241d5780f406d

SHA1
f00b9b644c56f181baa6ada343b8d744b9d5d7e1

SHA256
91ae4d47dbfb1a4fc8c1e19808d5619ac53a40cfc2a196a47ab1b5e0ffa376d4

SHA512
9425858a6034fc98e34da52257a857328bea3c66d8a51d33a005dff6649feb9f0c94e2802f31cdc1e6a54148a81ca096a928db57157ace5a7f7601add139923a

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
245KB

MD5
4c0804ca47ef987657d1edf1eadc1333

SHA1
64580c24dd56242f2840804f9e42358713587dba

SHA256
859be10c3f5ea8803d6e6d10a99527fdf91aa292e25e4186d12eca009baaeabb

SHA512
45a2625814ef1d94cc77b55bf7007a09e2311d36881123f7a843897e04e74f97b308a50fc5fd0fee2cc04ab9b968711eac1ac57ad5507f0280ef0f42a9d4b9bd

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
245KB

MD5
c2839f28a13ab1f38f0eec1ea05b33dd

SHA1
3ea7331c0cdf7919ab0a17b3d15332238eee08d6

SHA256
c238b0cdb252b817669bd569e6eeacf482700af9ea4cd5628e0364dbff4439fe

SHA512
adb6edbfd757fa22801196eb5c99a43d5a472e359768a6a27626db314a8fe167ef53fd93c26b5a4c46caf368e32e3c48236803dbe469fda4dded50a5fa18f07a

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
245KB

MD5
6ca2e853201d42ccd3e31ea1bf45c6c2

SHA1
b82cd274dc8832a265d20b32466a64d260b15f3e

SHA256
890ecea77fff9e95aa99856c3750a04d4c808234d99124b05fe6e3a070c94f16

SHA512
0f12a2b9fafb8c96dd9a2013c6964dcaa2db6de0cbb9b093cd123fde92b256b68aeae891478eb77b331a403dfb528a8d30d2e3fcadc5268468f1f232377179c7

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
245KB

MD5
4a115043a802d63ad5167983d53efa7b

SHA1
c187c87cfc4e98f899faa1fed8fb1f59725b24d4

SHA256
a095748b04c2faca26c5ce063b23753157fe7718128b413dc5d75682f9d34c23

SHA512
197ffb69b0bc23209f10d8ad32dd17b5ac4eff19fcd3ba3d93fd60432db5d8a7b0715d7367a493173609323491eeffc566226049b8d00b51502b2d51bddaff3e

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
245KB

MD5
f3733c51c6077e7d40c238a7627eae4a

SHA1
3a7662ca29c393b87946bd692169e2b1b5bf51c7

SHA256
71b0f7ec39076d5411d91ec597a825a93543cdc79c2669cfd9f9b1d941ac506f

SHA512
82be0b60380b87a10b99a09e8637b60f8e87c3b28ec8191f3a5e23ffdc52565f03c03333a86787752f834638bdf8b3d02af1b65c8dd4e67fbdacb1a81fd31a02

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
245KB

MD5
9d644f430143ccf961512937844efb68

SHA1
c26269e9b9e10df649dabccb7a10afd24d1f7271

SHA256
f8b18748506b63d6093eccab44aff3924aea54736f0ea912cfce66b6c15920b9

SHA512
2ee816788ee443344eabb35b2ec58cc6c761e51a87c12f0a2980c71f14f773c759b44465682479590e1d8bddfbfdd330f413f1bbfc8732b72970e9a52baae63a

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
245KB

MD5
ebeb76578993d7c2c32c61070c27b9f2

SHA1
830fe6d5ffee3cfd27a2e84370a46055fd0ab369

SHA256
4e77c6695d015a61fda723ffe9960c154a3ff974cf01542dde298a44b8427b23

SHA512
1ce5fb21eeed377292a17ca36688dd8c5957438f7b4ae4615fae62dd399afc86cec198ff2cd99bc218e72374f8e705b90a517511bf98cbb746f54bcf8dc0503a

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
245KB

MD5
8b16632a5dabb88097670ddd0c84feb0

SHA1
605c75b62251a9bdaf428e21c66ec9b7587c53ef

SHA256
793fac27828517c8efd5445bd9c2a241d99249ad6b1fb6e5bfabc67bc6297683

SHA512
3ad52f16612344b5d3f8d4c5c60fe928f9e0f628c4caf5349ed7bd34f7ae41157073f4e10bd912b5ae29417b534057aeeb17e9d5332d22eb460fc4ca48b6b213

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
245KB

MD5
b73035e180af50b7881504d9dee7877a

SHA1
e15f56958ac908cd521f3c8aa89f070d26efe1e2

SHA256
6a146bd43d442dae26500cfa472635c7dfca739c5b6aec774ab327d023eede98

SHA512
ef7d5421b328953b84fc21eeb6fd960ffb380aca7a0423b82ec0e99953d97666b473e494ff1bc9d8483fca738432b179eed259bc0ad4ae92bcfc38a8eaea0bdd

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
245KB

MD5
2feaae873f6b2ec2073229e329a70b7d

SHA1
79cd8e679cb56478d8954af86ab9377b263598ec

SHA256
c492f5606f0df3dd5956ea51ae5ee22c8aefd109c7de46963c1e7dea8b7ce15d

SHA512
7a0ccb43d0d073760bee5d4606ff3b553aacd73887a2b2947f100b0a24106b1a02148ae22aa2f8580c6805c82142d6f8e05646786f9bc2ecbee61415b392eae0

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
245KB

MD5
cb1265e9d85e81d66f5122ad68d195e1

SHA1
0c65433151c04496124be6c2119837926e06076c

SHA256
31279f43bb3603bd90790dfeb545f4860412301194e4f3f113db55e733f9b8e1

SHA512
2ca1f39a50d0fedd90a52163288d89cce0750b936130e2f6fa8d86882617ff617da0dc5ba10c0726fa55825efda15aa112ac4c522a536027d1239a56c216fd77

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
245KB

MD5
73c419c4052d7be8bcb5e0463dfe7bbd

SHA1
488ca4bca94872de77bc4fbbb9612f93193b82e9

SHA256
82a73b6a4907eebec9b5fdcbf8a0c214728c2113347c852ac05107db82f8b743

SHA512
4ae4a663a97e3ad7a98a7d3d9e4f7b5563806777b9e7481d08ce64947d4fc235c9f84b6685fb046cb8a099902899340d421aa9e0ea3c904cab92ca7643b1848d

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
245KB

MD5
cd3049c2d0cb98abdde5484432ec8d5f

SHA1
e829ef364622347fe0cb201658b35e5f3471bab8

SHA256
2615fb3720531c67e89b6afedc7234f083d619b1acfba4f6d6f9aa73a09bd566

SHA512
5894f0738c2ea6d8c855a6b8e2f83b4ebe8c6cf917cc36f87a5ec369447a61bb3a5b94b8bf8eb64f755a266dec7eeb224d82722cb10f5d4023714fa01669890e

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
245KB

MD5
070cb7b033a6c40007d8f6e9aad6702c

SHA1
a35da5822e34800a8978f6e20b19b216c96cfd78

SHA256
aca9c85fcec2df9538708cb3a6b4e12070583587352326661440df98880ad9e6

SHA512
29c39c3b24dbbd668c78a895a528e0432f707534617fb9feee3f80b1bd29c7e33c49df82df9d91d237ae928898e270f1473bb397a910564fc0e3f3359daaa400

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
245KB

MD5
8c39b97a439159595dcd5c5e7300f311

SHA1
c2c2682896adba4747b9b9b94c7f29f2e9a0c832

SHA256
516cb4131f64984a06653cd8d32e52c657e55829b79dc6dd7aa2716f0af55ed3

SHA512
f8c576a2fa3a85fb60ff17a48b3a1d3b715d750e7f15ebe149112f55dd3f3456314c0dec9bbef269143dd89eb043467fed3b20aed2b800f69ff794afde4e1b2a

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
245KB

MD5
0d64f1062cb41da2b2a35c13f303ca97

SHA1
b3076b39df188ba586bd93a9b12e51797ec77d3e

SHA256
72aa33852b63cce3c37cfb6d992780ebfc80d00e6aa17646a2efb64981c8684f

SHA512
eebc5780160d8ef4fd66c6fd75e60cae192f29e7e6e0cf6a278dc7528e24e1e182c1fa03dbf17d7ad0e6d05e26dd1b56e64da493573faca0b7cdebd88b8a6766

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
245KB

MD5
5ab995c040332ecfa6da535a2d90df3d

SHA1
c7c8a3bd6e8965e5945317c9119d6d01890cd7dd

SHA256
5852e8d059441d92417bf482b02a716be9ad2509c66bf7c001d2aa7c197ac19b

SHA512
352d688fda306d791b5a4c22e6e18045f2bd07bd605ffb3748a21301397670e2dbd925bd6e28bd1b78f0142b52b29c17a75dddfa26cfbdcfc61d92719fa8589f

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
245KB

MD5
7a1397441d79859c6ce716eba52c6f8a

SHA1
97067ad958d3aa0eb3db1e0248f621776b213bfd

SHA256
a61ecddd1ea7c6c2823ee7ec3399b20bf34dfca61d3f87244159e00c00577320

SHA512
2454e68ba046a874f9690c3a12f4ea39075dd37b486915bf754df7b02666b2992d383b19b40ca2f86b6d351f5861dc39d52ccf2dc3a19aadf5cbd406b186b3db

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
245KB

MD5
ebf755f4b8d16763356f79a1da24b183

SHA1
9113cfe8244a2c322daea00cc3f27ad650b5111a

SHA256
79391331cb653b49b62443c787f9480b88eaedebe20678e33e040c7e6c84f076

SHA512
083f5ec0f98a465e07a8537a7bc76f6b1b75e1e73fa4e0d515aa1175cbb14e638dc1c6bd51d2cc4fd34f5dbea15bd32da311d6cb98e6c846e58843700aa61e48

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
245KB

MD5
348f1ffcf97ce187b1239b44a5864570

SHA1
3ba3b86e6e43b427e535b1d1d360619f9ade9639

SHA256
93243bc4d60afd3ef52bae233e8c073320daee4d154dc20a21525216e0af0498

SHA512
c85b74736575f768b5ceea3dc15070ef067c00945d2acd2179699fce56daf7a7f59f38c13b15f8580ac4d81bfd47e6db90e2da916540f3f994ca115bc613987a

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
245KB

MD5
31abfea6e601939d32d8833e68631451

SHA1
35e3c274a20fec2dab827f65c91ed7076012019e

SHA256
c1b562a8f4e9d86434cc635d8ec801eb6fa8c591fd8aa2bb5c1a7dc1e9d7a8a7

SHA512
2f4e4f00ebcd6ec4bc9444bb07efeedfd4934f4668b0378648952c95e3c6858c494b5d2f1c1f3c46030c1129964351cdaec2314b7acbbf2e0b8c28c24338ef22

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
245KB

MD5
d328474b2e97740b6d91086dee8a189b

SHA1
9ba2380a9335677327779e02582e5c1a94fed3e0

SHA256
e0d175128fd5eecf920cc780fb8ed25abdf5c8540ce7def0167a2dac09449186

SHA512
eeb647904e301f28af224e4e52192d6244b31378e80d0c07810b85e8da0108db3ba6139d4bc73c0af1791ace21bf2ab2c40814f4004d52f7960aa3ca2574d4df

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
245KB

MD5
595fc74d51c58b69c275cbc73e0c785a

SHA1
a88f1ef79ba1faeee0c1e5b15599cda7276a04c9

SHA256
8533da666bd3b4b960331423f1a0de1860fe6e554689c7e8083d19796f5fa3ec

SHA512
5197bd421b621dcd7d9783e782b4e68a8efb9e02a7fd64e75b166930d5df63ef479ba14451b5ac1f77209acc19f81505731f4e6b6990bb7662d9ca26ea6893e2

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
245KB

MD5
849ecf12032702288bd91f96e59154c4

SHA1
733785b9614c59677be58d6c5901b648d740dc38

SHA256
05de84e54bb85f075e5bb9e8434e630820fa92e5d8fa7e8a7983053362101aa9

SHA512
0a679f9290f11e42b101fddeed40fe9448b7e8bd13eb8250d27dbc971fa4e76d07d7eb38443cec7b1a459b53c52b9c7e9d2a649647f9ca28a1fe498a278af97e

Download Submit
memory/456-181-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/468-128-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/792-274-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/920-470-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/956-369-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1044-440-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1300-232-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1564-145-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1636-201-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1692-387-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1704-1196-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1704-32-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1704-568-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1804-339-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1864-141-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1972-476-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2016-125-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2096-347-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2180-506-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2184-488-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2228-363-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2316-1072-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2316-458-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2584-13-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2584-547-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2684-500-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2772-222-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2816-286-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2856-268-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2896-189-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2896-1158-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3016-316-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3188-536-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3276-399-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3304-518-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3364-292-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3452-1020-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3576-213-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3604-165-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3648-153-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3720-464-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3732-169-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3752-588-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3884-266-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3888-602-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3908-280-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4016-304-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4052-516-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4092-48-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4092-582-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4124-548-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4232-609-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4272-576-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4308-310-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4388-575-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4388-40-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4396-193-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4464-117-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4472-248-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4512-589-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4512-57-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4576-482-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4612-535-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4612-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4612-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4648-393-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4672-428-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4696-81-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4696-608-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4764-434-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4796-422-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4804-93-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4840-109-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4912-101-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4928-73-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4928-601-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4992-561-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4992-24-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5040-452-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5064-375-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5064-1100-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5076-381-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5092-302-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5096-341-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5172-562-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5188-255-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5324-352-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5360-595-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5360-64-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5476-569-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5536-17-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5536-554-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5552-322-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5568-555-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5708-494-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5720-328-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5772-405-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5888-411-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5892-446-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/6036-529-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/6112-244-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads