berbew | c52891ecc2db4cfcced394d00c6206a03ccd64b3488f3572573f082e44a9e200

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c52891ecc2db4cfcced394d00c6206a03ccd64b3488f3572573f082e44a9e200N.exe
Size

352KB
MD5

b35cffa288d3f24fecf5592f03a4e5a0
SHA1

5deb31b60544e6b3f97989a0d86f4e0b5d332f89
SHA256

c52891ecc2db4cfcced394d00c6206a03ccd64b3488f3572573f082e44a9e200
SHA512

9ff5ff774db2d1ca0f0874e91ceb3f4c7ba29f2d0b2016430157569742c38cd7e1023b7d63712aa7c37ef010f32bc81e0d0ca4b90b86aaf1b547006f698ac153
SSDEEP

6144:ycGyHN5chtG2pr1ItvLUErOU7amYBAYpd0ucyEWJrj1mKZHPSv/rpwMBhpNFdFfX:yF6N58rCZYE6YYBHpd0uD319ZvSntnhV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imfdff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiefcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fojlngce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ippggbck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fchddejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhjfhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcgbco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iefioj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmdqgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmbdbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nngokoej.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4700	Fojlngce.exe
3232	Flnlhk32.exe
4316	Fchddejl.exe
396	Flqimk32.exe
2492	Fdlnbm32.exe
868	Fcmnpe32.exe
4356	Fhjfhl32.exe
2996	Gdqgmmjb.exe
3112	Gbdgfa32.exe
2508	Gkmlofol.exe
5000	Gfbploob.exe
4104	Gokdeeec.exe
3940	Gdhmnlcj.exe
2284	Gkaejf32.exe
776	Hiefcj32.exe
1768	Hbnjmp32.exe
4892	Hihbijhn.exe
2264	Hobkfd32.exe
1880	Heocnk32.exe
4568	Hmfkoh32.exe
1032	Himldi32.exe
4168	Hfqlnm32.exe
5040	Hmjdjgjo.exe
3368	Iefioj32.exe
3596	Ifefimom.exe
4536	Ikbnacmd.exe
5080	Iejcji32.exe
860	Ippggbck.exe
3732	Iihkpg32.exe
5048	Icnpmp32.exe
4364	Imfdff32.exe
1008	Jimekgff.exe
2740	Jbeidl32.exe
736	Jioaqfcc.exe
1688	Jpijnqkp.exe
4400	Jmmjgejj.exe
4036	Jcgbco32.exe
4240	Jfeopj32.exe
2300	Jidklf32.exe
4272	Jlbgha32.exe
3696	Jfhlejnh.exe
2592	Jmbdbd32.exe
1452	Kfjhkjle.exe
2168	Kmdqgd32.exe
3628	Kbaipkbi.exe
2796	Kmfmmcbo.exe
1956	Kbceejpf.exe
716	Kebbafoj.exe
3000	Klljnp32.exe
4204	Kbfbkj32.exe
4396	Kpjcdn32.exe
4380	Kfckahdj.exe
2580	Klqcioba.exe
1592	Lbjlfi32.exe
1356	Liddbc32.exe
3400	Ldjhpl32.exe
1360	Ligqhc32.exe
4520	Ldleel32.exe
2288	Lenamdem.exe
2940	Lpcfkm32.exe
3140	Lbabgh32.exe
1212	Lepncd32.exe
764	Lpebpm32.exe
1208	Lebkhc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jbeidl32.exe	Jimekgff.exe
File created	C:\Windows\SysWOW64\Lbjlfi32.exe	Klqcioba.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Icnpmp32.exe	Iihkpg32.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Pkbbae32.dll	Himldi32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Lpebpm32.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Lbjlfi32.exe	Klqcioba.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Cmlihfed.dll	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Gkmlofol.exe	Gbdgfa32.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Jfhlejnh.exe	Jlbgha32.exe
File created	C:\Windows\SysWOW64\Kmfmmcbo.exe	Kbaipkbi.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Lcjnop32.dll	Iejcji32.exe
File created	C:\Windows\SysWOW64\Hobkfd32.exe	Hihbijhn.exe
File opened for modification	C:\Windows\SysWOW64\Jmbdbd32.exe	Jfhlejnh.exe
File created	C:\Windows\SysWOW64\Liddbc32.exe	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Gfbploob.exe	Gkmlofol.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Kmmfbg32.dll	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Jlineehd.dll	Liddbc32.exe
File created	C:\Windows\SysWOW64\Gfbploob.exe	Gkmlofol.exe
File created	C:\Windows\SysWOW64\Kfckahdj.exe	Kpjcdn32.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Flqimk32.exe	Fchddejl.exe
File created	C:\Windows\SysWOW64\Kbceejpf.exe	Kmfmmcbo.exe
File created	C:\Windows\SysWOW64\Ldjhpl32.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Mchhggno.exe	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Iihkpg32.exe	Ippggbck.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7096	6940	WerFault.exe	277

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Himldi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iefioj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heocnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbeidl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhjfhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebbafoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdqgmmjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfbploob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmfkoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfqlnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifefimom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iejcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfhlejnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcmnpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnlhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkmlofol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbceejpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jioaqfcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfjhkjle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfckahdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljkifg.dll"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgoikdb.dll"	Iihkpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c52891ecc2db4cfcced394d00c6206a03ccd64b3488f3572573f082e44a9e200N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihjahg32.dll"	Gbdgfa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kfckahdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcgdbi32.dll"	Gdqgmmjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjecajf.dll"	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkaejf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imfdff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllifblf.dll"	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkenegog.dll"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hihbijhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmipecpd.dll"	c52891ecc2db4cfcced394d00c6206a03ccd64b3488f3572573f082e44a9e200N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonefj32.dll"	Mchhggno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 4700	3972	c52891ecc2db4cfcced394d00c6206a03ccd64b3488f3572573f082e44a9e200N.exe	82
PID 3972 wrote to memory of 4700	3972	c52891ecc2db4cfcced394d00c6206a03ccd64b3488f3572573f082e44a9e200N.exe	82
PID 3972 wrote to memory of 4700	3972	c52891ecc2db4cfcced394d00c6206a03ccd64b3488f3572573f082e44a9e200N.exe	82
PID 4700 wrote to memory of 3232	4700	Fojlngce.exe	83
PID 4700 wrote to memory of 3232	4700	Fojlngce.exe	83
PID 4700 wrote to memory of 3232	4700	Fojlngce.exe	83
PID 3232 wrote to memory of 4316	3232	Flnlhk32.exe	84
PID 3232 wrote to memory of 4316	3232	Flnlhk32.exe	84
PID 3232 wrote to memory of 4316	3232	Flnlhk32.exe	84
PID 4316 wrote to memory of 396	4316	Fchddejl.exe	85
PID 4316 wrote to memory of 396	4316	Fchddejl.exe	85
PID 4316 wrote to memory of 396	4316	Fchddejl.exe	85
PID 396 wrote to memory of 2492	396	Flqimk32.exe	86
PID 396 wrote to memory of 2492	396	Flqimk32.exe	86
PID 396 wrote to memory of 2492	396	Flqimk32.exe	86
PID 2492 wrote to memory of 868	2492	Fdlnbm32.exe	87
PID 2492 wrote to memory of 868	2492	Fdlnbm32.exe	87
PID 2492 wrote to memory of 868	2492	Fdlnbm32.exe	87
PID 868 wrote to memory of 4356	868	Fcmnpe32.exe	88
PID 868 wrote to memory of 4356	868	Fcmnpe32.exe	88
PID 868 wrote to memory of 4356	868	Fcmnpe32.exe	88
PID 4356 wrote to memory of 2996	4356	Fhjfhl32.exe	89
PID 4356 wrote to memory of 2996	4356	Fhjfhl32.exe	89
PID 4356 wrote to memory of 2996	4356	Fhjfhl32.exe	89
PID 2996 wrote to memory of 3112	2996	Gdqgmmjb.exe	90
PID 2996 wrote to memory of 3112	2996	Gdqgmmjb.exe	90
PID 2996 wrote to memory of 3112	2996	Gdqgmmjb.exe	90
PID 3112 wrote to memory of 2508	3112	Gbdgfa32.exe	91
PID 3112 wrote to memory of 2508	3112	Gbdgfa32.exe	91
PID 3112 wrote to memory of 2508	3112	Gbdgfa32.exe	91
PID 2508 wrote to memory of 5000	2508	Gkmlofol.exe	92
PID 2508 wrote to memory of 5000	2508	Gkmlofol.exe	92
PID 2508 wrote to memory of 5000	2508	Gkmlofol.exe	92
PID 5000 wrote to memory of 4104	5000	Gfbploob.exe	93
PID 5000 wrote to memory of 4104	5000	Gfbploob.exe	93
PID 5000 wrote to memory of 4104	5000	Gfbploob.exe	93
PID 4104 wrote to memory of 3940	4104	Gokdeeec.exe	94
PID 4104 wrote to memory of 3940	4104	Gokdeeec.exe	94
PID 4104 wrote to memory of 3940	4104	Gokdeeec.exe	94
PID 3940 wrote to memory of 2284	3940	Gdhmnlcj.exe	95
PID 3940 wrote to memory of 2284	3940	Gdhmnlcj.exe	95
PID 3940 wrote to memory of 2284	3940	Gdhmnlcj.exe	95
PID 2284 wrote to memory of 776	2284	Gkaejf32.exe	96
PID 2284 wrote to memory of 776	2284	Gkaejf32.exe	96
PID 2284 wrote to memory of 776	2284	Gkaejf32.exe	96
PID 776 wrote to memory of 1768	776	Hiefcj32.exe	97
PID 776 wrote to memory of 1768	776	Hiefcj32.exe	97
PID 776 wrote to memory of 1768	776	Hiefcj32.exe	97
PID 1768 wrote to memory of 4892	1768	Hbnjmp32.exe	98
PID 1768 wrote to memory of 4892	1768	Hbnjmp32.exe	98
PID 1768 wrote to memory of 4892	1768	Hbnjmp32.exe	98
PID 4892 wrote to memory of 2264	4892	Hihbijhn.exe	99
PID 4892 wrote to memory of 2264	4892	Hihbijhn.exe	99
PID 4892 wrote to memory of 2264	4892	Hihbijhn.exe	99
PID 2264 wrote to memory of 1880	2264	Hobkfd32.exe	100
PID 2264 wrote to memory of 1880	2264	Hobkfd32.exe	100
PID 2264 wrote to memory of 1880	2264	Hobkfd32.exe	100
PID 1880 wrote to memory of 4568	1880	Heocnk32.exe	101
PID 1880 wrote to memory of 4568	1880	Heocnk32.exe	101
PID 1880 wrote to memory of 4568	1880	Heocnk32.exe	101
PID 4568 wrote to memory of 1032	4568	Hmfkoh32.exe	102
PID 4568 wrote to memory of 1032	4568	Hmfkoh32.exe	102
PID 4568 wrote to memory of 1032	4568	Hmfkoh32.exe	102
PID 1032 wrote to memory of 4168	1032	Himldi32.exe	103

C:\Users\Admin\AppData\Local\Temp\c52891ecc2db4cfcced394d00c6206a03ccd64b3488f3572573f082e44a9e200N.exe
"C:\Users\Admin\AppData\Local\Temp\c52891ecc2db4cfcced394d00c6206a03ccd64b3488f3572573f082e44a9e200N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\SysWOW64\Fojlngce.exe
  C:\Windows\system32\Fojlngce.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\SysWOW64\Flnlhk32.exe
    C:\Windows\system32\Flnlhk32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Windows\SysWOW64\Fchddejl.exe
      C:\Windows\system32\Fchddejl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4316
    - - C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:396
      - C:\Windows\SysWOW64\Fdlnbm32.exe
        
        C:\Windows\system32\Fdlnbm32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Fcmnpe32.exe
        
        C:\Windows\system32\Fcmnpe32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        24⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        27⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        31⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1008
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        36⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        37⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        39⤵
        Executes dropped EXE
        
        PID:4240
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4272
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        50⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        60⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        61⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        67⤵
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        73⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        74⤵
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        76⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        79⤵
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        81⤵
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        84⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        86⤵
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        87⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        88⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        89⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        91⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        92⤵
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        94⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        95⤵
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        96⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        97⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        98⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        103⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        104⤵
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        105⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        109⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        110⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        111⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        113⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        114⤵
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        116⤵
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        117⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        118⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5064
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        122⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5460
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        126⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        127⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        133⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        134⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        135⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        137⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        139⤵
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        140⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        141⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        142⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        143⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        144⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        146⤵
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        149⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        150⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        153⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        155⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        156⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        157⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        158⤵
        Drops file in System32 directory
        
        PID:6180
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6224
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        160⤵
        Modifies registry class
        
        PID:6268
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        162⤵
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        163⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6400
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        165⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6488
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:6580
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6624
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        169⤵
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:6712
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        171⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        172⤵
        Modifies registry class
        
        PID:6800
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6844
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        174⤵
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6924
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        176⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6976
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        177⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7020
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7064
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7108
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7152
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        181⤵
        Drops file in System32 directory
        
        PID:6176
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6244
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:6308
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        184⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        185⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        186⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6600
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6660
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6796
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        191⤵
        Modifies registry class
        
        PID:6868
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        192⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6940 -s 424
        193⤵
        Program crash
        
        PID:7096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6940 -ip 6940
1⤵
PID:7044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqimo32.exe

Filesize
352KB

MD5
e16e37d4051f3a24877e5cdf36a7a935

SHA1
44ac33f499e34a5c0ad51353250120233c9dd8ce

SHA256
48ffd7e4940841f6900ea0db4632037bf213dc21614b7141af65e1ef860dde4d

SHA512
d654fad849ffe9ca13635648a2f6369e72aef617a8981f041db82dfbc0c7e8d2c52fb01cd94df858d2845d476857df8ff53f0164fc5078dbb2750e6ab25dde3a

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
352KB

MD5
9fab3896b8cfff0264c1cf53eff7889a

SHA1
1116e5f48dd47382fa8bd155e9cf0a1a553147cc

SHA256
504b54a3c4dcbc7af2ef169ff9118639324b7a1c1575de6f6a271b4a480818d3

SHA512
0c1cb2d1606e8d4bffd5f5d055f5a88893cc69cdb68b03e5e092ff8d7b4409537aa2ea9ac074b7e635eb97319413cbe779115d7d267310029f97de48522c4773

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
352KB

MD5
59af4bafc4d475e38324f6da2d0c5d0e

SHA1
9a73cc1a56a9aaa18e331ba7c2c2e104224db6f6

SHA256
1ec5eea58a29a9ee5445679f302c491f20fe51a78d41e06a1dc1c9142a774e63

SHA512
7236790f8ff1cb93a1ff4670be069df7938acfbfbcba49f58240bf8a2290518dfb4bae18ec9b14af08b8ee9a35fde5ab2079a17403c7dd98fdbf7f37c3d5b448

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
352KB

MD5
b205eca9fb10c5f486ea1bc3c39ecd8c

SHA1
dbc6996a329b01bb2080333648eaf7a45b599fa7

SHA256
45e8bba3eacede82274d95b3ca17703f8bc76950016895d2cd7e77d79802bc90

SHA512
8870ae03d0c21a3d7e5676011e11731906bbaf504bc261c133668f6ba33031bb547a2afedd825ced26fd00274a600456a1de0e6b648cbaaaff4d213fce944d17

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
352KB

MD5
f39cb5234d6e244e31b5bf2ae5d2f472

SHA1
90c57b5211398fa77a8d35cdf633dd6dc245cb22

SHA256
76466084874fd5307affb26e87b10f0cc88acf849e1ea35de7c710c024ea5cf7

SHA512
576d3f720849c5a431de92999db0d87d58e56f2b44bf2c7d264394fc6a8c7baf5be09a8cd61b53856248a232ef11b997d814f90b87be72b4ac6073cd67a9a5d5

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
352KB

MD5
c1e961921df3a6726fea833fb9a10f0e

SHA1
5b4c5168df0d03794cfed7e35fb72ffd61d57050

SHA256
fde83abaccc97c6298e5fd3344143e379c4052a902529a5992bcaf420aa6d86a

SHA512
de8e082c04f5830ee1bdee234acbfde54b55aac6a49e1e2935888b4f1b7e89a853cb8c1f106712692836e9d52abf1527996556522285cc784ea3f7552b210b94

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
352KB

MD5
dfd55852752d51c594debdc0e02910a9

SHA1
3ebc4fe5fa49c46dc31c23ca8344460ebd520ad3

SHA256
f3adf8bcfc7b7c2b430b656cafd45093710cd3157bcc4092d59f891b975edcea

SHA512
6fe148fd4f96df32aa06e56a0c9264342e69575da3cf2cc1ad634e1d06c0395943588b15b1e63eb797e6a5a6be7680b577b387671ac8384c208d9026d1af0c02

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
352KB

MD5
695926b0fc22630f9a7bbd5b7e3cbc6d

SHA1
c429766fb8b162517deedea4554b653259add810

SHA256
1fe275befbf80a719733a83005adef32fc26ff6406591751a11a54d0fc2aff1e

SHA512
1de91ca456c7f5b5c273a82f9bf7d9938fb00fe01951ed7512f216256e1501fc6c1308f63b211429f6984c6594d3d36fd85fd1803ef85a2941ecea894a7673f4

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
352KB

MD5
b6a924d9a5771ef4c1379489df0ed03c

SHA1
156459689b802f59fe07c987980d1bc5eef9fdaa

SHA256
11600e3ff8f393a8aff61fb449dc1209bf3328d072f46d1f9d0dd16739b3a272

SHA512
11efbcca0554be09ad4f71ab3a56371c308f39b2636c934073b095a3200b72becac95213b13729009c44779e3e051d6d168ef0b9bc90a04a260f3f76724edbb9

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
352KB

MD5
16675bf5e80dfdacba0cac6fae091568

SHA1
9144831256cf4fb10a8ce7b2e2a4c8309ee9faf4

SHA256
808ede3aca16106c22e32aed527aecde1a200014780d6e2bc7407eb886653e2c

SHA512
bc50e97aa272873bc5aa52fefbb38ec191adeb04314737f55e429ee9755389af21d470223e1a7a8f9b7f63e88b91bd0151253ca361ceae97db652a348e9b9d86

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
352KB

MD5
a989dec30320e27d0a9a424f10c2a37d

SHA1
05117b542a65ca4b2f7bed2be035d59e9f112a9b

SHA256
74c6c7cbb635fa30aef6875d616e8de2b312375dda8ce041e77df6e0b1eec74d

SHA512
e4e4a760f4543d4529593df947e56d940623317c01bf8bf4fb65171a65822c32ae1b7e86657203d4e48f1518e8f5effb40f91ad054a0b112067a238e16c4c0fa

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
352KB

MD5
59b2755a923f4624170694c6b66debd6

SHA1
c2266a0b1c4976dd32a3380d9ebb1536290989a4

SHA256
840bf2dab449c8c2c0195632b48bc4b93d66209a56ae8239b74f5b04c07129a4

SHA512
94b79e35a9de1ca4fd27deaee7c4b997219e8dd89bf50372e82550377ec1a155d2373066e5ade5bfc67acbd95b2d863baaa64b3c3262e92ff09db098f534a98c

Download Submit
C:\Windows\SysWOW64\Fchddejl.exe

Filesize
352KB

MD5
62bc50e44e217c74b06970634ffbac61

SHA1
a17bc0a9d14ec6a9a06caf37b878d7c18f0dc7c9

SHA256
67e1970d25f055ac3b8160963fab73fb11cd4474e92fb00df8b2db32d13ddab3

SHA512
38c57bab5fc42b95b8ed70dee9dc7f57abccffe91570d2f88db6fdfbeec9c98e9a4cade01b9c72a74e460a7e4a28089d2f774cc9b948971d4675697763977d64

Download Submit
C:\Windows\SysWOW64\Fcmnpe32.exe

Filesize
352KB

MD5
4e292fac9387d4fed1480cb40206a60f

SHA1
5794de12046621527548faa5251fdd2d32c506e3

SHA256
89c12f76690b67723048e10553585112c12b70b61263c7512b59eec14e29c5e1

SHA512
02e9eddc26cc17e41c0a4db63090082167e3ba363586b1559bd0b3a2bdd5caf9ac2ad27a40a3813708cfbde11e18ae127ede09023e38540f5cc5106bf2c0d35e

Download Submit
C:\Windows\SysWOW64\Fdlnbm32.exe

Filesize
352KB

MD5
0dfabe9ee127c0fdefe283b58d11f0af

SHA1
688e16e82526a8400e5fccbede57989703b00a6e

SHA256
06cec12e8d91cc4dc124e14a0d1d279624b200f8afb0018cd6d9b5a6a6d5b421

SHA512
7c1d0bf20dc52d31a9f41d1db7e003dcdfa854c727b5ef47311562ab3e31d01657bc5290225dfc20f6a26af60eb5598176369b9d47fa3e587088482a60f67095

Download Submit
C:\Windows\SysWOW64\Fdlnbm32.exe

Filesize
352KB

MD5
78308705473c1c09afb2869ea39f294e

SHA1
5a8a3410889982b4baf999883afbb9ae6b1d2fe3

SHA256
5cc481afb7e72285cf06d02da91c149dd9354e676fe6626ef04a49a3bd889473

SHA512
c8ed819808d96dd24b88f6b5c1f3bd3320f25a05d3a63804c819d7f598b7dd803c33b250098223d6e302551f92262bb50a2caaef71f5cf95bcdaa8c23578ccab

Download Submit
C:\Windows\SysWOW64\Fhjfhl32.exe

Filesize
352KB

MD5
b1ea83d1fdafe5fe1598e5b5cb589f8e

SHA1
04ebdc4129b6c57abfce16217919749d70c0e852

SHA256
e07059536ec6f118e6152707ff35b4516b6f0c9fa7b29af5841581828a0a10d0

SHA512
c0cb1fd689682aff2d6bbd50745d078f4dc0f5d201515c61826163a75b543c0ab60fcb8f896434681a36d619ec2ee5e362725f194e0f174766d9bafb17aedbe5

Download Submit
C:\Windows\SysWOW64\Flnlhk32.exe

Filesize
352KB

MD5
5f8154ca1c3983f06e3a3d36504a322b

SHA1
4f8c2b2d5afba8a4d0ead0bac3ec3840f53a294f

SHA256
f574f784aea54c78a7a6e3835462cc90f5c8aa853f0fd932cdd1c4c083cd0358

SHA512
bdf18fed4762f50bd75eddaacb055b0102fa6193d8676a310a83204f19088fdd0a8cab84ccbf9ca5ee65cc931cad9fa544328521630f5063319ce267d3e3f616

Download Submit
C:\Windows\SysWOW64\Flqimk32.exe

Filesize
352KB

MD5
fcb2f595056c635b5a553ff90fa6b28a

SHA1
f038cd6bb49e57bac2192426c6c88aae359c46be

SHA256
24803207ba19e739b610a07bb9370c26a42b6f506e52bdde92a66943a6cc57a1

SHA512
3db6ec080c867e834fcb8391f161304fb66b79e6806a79bd4321540fdbeb1d39a22e2a983f4c8740d8d0e5377cfde5fa454a7b529cea64f45439dfef54852758

Download Submit
C:\Windows\SysWOW64\Fojlngce.exe

Filesize
352KB

MD5
9498ea800746702c558cfa989b6806a5

SHA1
e56af9a23af838a32f784141a73191513b609719

SHA256
f31b6f90740486de0bb53bc7c6e03b610eaf5603c71e46385c3761b5caadfa25

SHA512
4c95e2dd6fc34aa694d4f232b1f24b22bf0e107b6509a7fe8ba0c28fd5cb298df1ad7c669b657ca17bc5469b9c5cdbf552ae53b5d7842dd0b0efea189cc89797

Download Submit
C:\Windows\SysWOW64\Gbdgfa32.exe

Filesize
352KB

MD5
f1f28d47c67198a42cff409713433842

SHA1
fa6cbdcbf986f02cd06d317cc0341e8953101128

SHA256
238a039d72eebbfdce7d2e5143d3209063aa3d979599adad54de54112a899e1c

SHA512
4e08f4f93e42a3da5bc248bc6b361527e1a6f12e387bdc9c4a404f55f8bf8a42ef3f0a5a0a8c71a21bc5252d4b7920ea7ef66d72b6643ef2d2aeb457daf31781

Download Submit
C:\Windows\SysWOW64\Gdhmnlcj.exe

Filesize
352KB

MD5
c75f08abbeb96e1ebf6c2d026e2d80d0

SHA1
bd2f1ab017bd600c93268511e2717c6deec86711

SHA256
1d9f0e1bd471ea4f102c5c265714ed572190928ac9a16638a5dd3edc8478eefd

SHA512
7c4c194d478dad71abf3f940e312f82def3d8de79324b0226de09d65ce340e8bf370bab055c89d0e9481289615b747e1398c1847e54154f675ae6a243837fd99

Download Submit
C:\Windows\SysWOW64\Gdhmnlcj.exe

Filesize
352KB

MD5
950ef6146c597aa6cb24eec8fb3d486e

SHA1
67984005a589ceae43458a7983e856543af4ead9

SHA256
131c78fb8c3d38a770a56acfb9ab2d90f952d8cdd48895686a53a97d06cff02f

SHA512
6becd03107031f22098769cc7c3e02b3d3cbfefeaf224546d8ded1f76e37dea25c3be232058d8f62ee7a0c0cd469979173bf7b06701075b2ddaacf1665ca4380

Download Submit
C:\Windows\SysWOW64\Gdqgmmjb.exe

Filesize
352KB

MD5
a903d6b7978121113fdae1966d612887

SHA1
baf3ae982b79dc9cba4ca881ffae8c0b78f31184

SHA256
0093d47309e25ab387be31186a17bfa5c8efcb6ff6997f02cc8af9f06d8ef33c

SHA512
cfed29aec4dccf9c441e6c6a67128283a664f15286040a6f08d6b6fd87d92b91c7a0d2ec95f29fc9d4922e6288fc9a19c2e7e217bb3b7ff9d7a810b26ad7eb8e

Download Submit
C:\Windows\SysWOW64\Gfbploob.exe

Filesize
352KB

MD5
ea93f8cef2950c049b230cc766129fcf

SHA1
106a7fecf40b92198138167caaf16d8a19570461

SHA256
a8bb950c6b4207cf4cf4958265651f3274a7f8176c48a4c9234a3d3c2d242ea1

SHA512
3e50f3db49129579d8bc3b9735ec33594bad449c019fe60f8f40c4b0c645ebc885edfe835d7d896ac7c6ec56f4cd941e4cd36333052a1a6a07817bd6b9ddcb40

Download Submit
C:\Windows\SysWOW64\Gkaejf32.exe

Filesize
352KB

MD5
5da6c224b114ccda1ba658ba72398ec6

SHA1
3c4dbcddf7be21adb56629c8beb00e42ea0bcc59

SHA256
f8cd634fa79656951ea87b1f89d04fb3254c5663e4fc4dc7796b5499122b1785

SHA512
40fe2795f39a1faabe6f5fd023d53f1af4925a041102719015c3bd85641b5a5aa6b822e5c9cd60b97e69e6ce224702d4baecc6b171a43a0e732d6bda4782d04b

Download Submit
C:\Windows\SysWOW64\Gkmlofol.exe

Filesize
352KB

MD5
9d75d599d5ff8381c3103d36bf1cf8e0

SHA1
3796619d94d28dff54175bafc18bad5f227928a0

SHA256
a391aa61a116f160ff1fa89179ce081fc385be9f5e0ab43e770c7840bcfa93dd

SHA512
47108f7a16f34494a8354f5d889d5d9e200e363c1ed15edac47005b2a7507dfc67d2d54062389b0bacef33db3fd15d360ded129bc506827718cfe13d9b76ac1f

Download Submit
C:\Windows\SysWOW64\Gokdeeec.exe

Filesize
352KB

MD5
cbb28de7b546c1db90c2f6f10ca3d03b

SHA1
ac48cce663a3b6186ad0ace6963771729040267b

SHA256
e720f2c8078daa47e20054266f3d3369aa3be94a1d65d91e6733d604f6478de7

SHA512
269fd798ca53670da8b490d43a2376cd9a871a01a35da7447a028eade0f1f3db61e438dae2c74244470e69bbfdfe451115a54c5e8cb98b110b571508f1f652eb

Download Submit
C:\Windows\SysWOW64\Hbnjmp32.exe

Filesize
352KB

MD5
d3f766da52c98fb44506284976861bc4

SHA1
d73f8d819a4746fa227071935d098a87ed199b8e

SHA256
1cca4c94281ca3ce42561256705d2f3efa623191c52de6312bc1be181772f196

SHA512
f45bc717693434472028e5b31bb6079da2ae8e4578f756bff95612eb626f5e06c3cfc37cc5d7329ec2a056ac72c2f9a050e6fae8e3324163d7f2d894921907cb

Download Submit
C:\Windows\SysWOW64\Heocnk32.exe

Filesize
352KB

MD5
6482749773e2fc89f6e1a4446753bc5c

SHA1
ee67e7b6d6de4d1306c996cd86391adb69746a40

SHA256
61f04b84e1ca4788ad84a852d61f5f3b4058433056529d2caf7a5c4c1e5b0276

SHA512
2e62e1f557efb9b8846b4b361d5b84f977c796a05d8afd13ff5971ee9d211541ff48ce22ff52b55519f632e4100542e409b32941f8f51340b2fce900252af11a

Download Submit
C:\Windows\SysWOW64\Hfqlnm32.exe

Filesize
352KB

MD5
9af5285f09275b9bbee9cda2f2c49a75

SHA1
264043674e1af18e970be714814648affe5b6408

SHA256
9908c3164439ea81495930e4d08fe9679a0d44165ef81393274f82f9b9b0a049

SHA512
1a71e0d63a84acad1f892715cf69d388ad07493f3c61d55ebee42141da0290c62061622aaa701000fd66462e5066d29f54e27542ccafe927bb963b91f1a85485

Download Submit
C:\Windows\SysWOW64\Hiefcj32.exe

Filesize
352KB

MD5
47f1f8cb6d69b6326d26ce6f5ce29b6f

SHA1
b27f1add45269ce239520c88e6584c25fb70a4fe

SHA256
2d93909036fba3df1f63d5376d043142a8a8e4dca5012ad97dec44b2645cad7a

SHA512
c264a903d7879e9948f47415e57a888d161db8a44db1393d63002d37053d6c4a33cc08bc4ba87fd48ad48c7b6aa60b0ce4c65e525e1f5a411d2816211e5846bb

Download Submit
C:\Windows\SysWOW64\Hihbijhn.exe

Filesize
352KB

MD5
6417ccbe45322d611d4c5bced75bb58c

SHA1
5d1e8c354d5d10e4596020a9e8e07acc9b9630d4

SHA256
8944221750065e6d0ef1a9fc4e9f3698bbf36c93754789346b88ebb60a530855

SHA512
e20c9690156d82ce45c9905f9ead004522b7862546f9c856cbec5559957a200e278411ce539e0e9738ce720a69cc4ddc893b7d7daf3c386ccfc46e14199d25e0

Download Submit
C:\Windows\SysWOW64\Himldi32.exe

Filesize
352KB

MD5
90cfe313664b2c8d39e5419e150f665e

SHA1
a59ac7be56eb2a496c33142d44c326d680005d54

SHA256
7035b6515763b0a53968eb8abd69d1735c857cf42c4f3d7996e9e6db3097c79d

SHA512
f1d13a61c10a8c7d4795defc95024cf5f15cb77b5af318c02a095fe21b184931b4d6de339316219ee90304b5ef682ebd4ae80b842a4b0b7c031dbc94b584f3cd

Download Submit
C:\Windows\SysWOW64\Hmfkoh32.exe

Filesize
352KB

MD5
74e04afb3afb08eeeff10b0020abeaac

SHA1
103b069761108754b0e5685139b9d3eab983b07a

SHA256
db83a280a8910edc33085050ff173df4e20f23c5df91dab07ecc5498210d648b

SHA512
ca6274b8c51bf3d06c3925524a5b2b19b71fc93c6319c0b0be75289cff135af045913230988a9048e863ea2096a9adc97997176a0ff5d5dc4baba67c17949a50

Download Submit
C:\Windows\SysWOW64\Hmjdjgjo.exe

Filesize
352KB

MD5
79b0a2311bebfc0b1bf0b384f38f057a

SHA1
d7addfac8ee055fc4a4d9c383e40f631a173bb97

SHA256
b019cd3dbab2bb1d9620d9a6828b55cbc61fc0dcea986e8d758e626a34890fc9

SHA512
a43e84f7ec1f9d1c7e826f5fc3f3bf258017902eb5b027521cd4211a807106f8d79e260e69c33967569aa92aa3e656f2f6aed989f2c4d5d12f47dbe254659955

Download Submit
C:\Windows\SysWOW64\Hobkfd32.exe

Filesize
352KB

MD5
d96022371fdfecf8348cf6976deb890d

SHA1
d2290609d7ae52ae93438d19da4b131c2b96f1f1

SHA256
ff87026b6a29f782a2768e5725a4f1e0acf5ed927975a5efa3735cff6d3f464d

SHA512
937739844b33ba5a9e491041ca0ec864e6c5486e2da4468372cfa08bb492c9e6782d9e169caf6d8630241560f1d12d56378fd50864f10896071d82672eabef42

Download Submit
C:\Windows\SysWOW64\Icnpmp32.exe

Filesize
352KB

MD5
ef22b1782a7d136096e18f1b61fe4bfd

SHA1
3c79f800d4f9a6e0b557d4d4aacfad11b877da3b

SHA256
c200fe9294d6762e94032d1c8cc8d81cdec2d1d95ef9ff5a8a5f4e7c4fbd1e77

SHA512
99a61af2b3f5fd3146698859f01a146b861a01931c5c67ea72b5e295224f3f509012b9f553dbb41434a0d6c6af52c5cd27c3c7fd82e896e78ea120bf381e0b5a

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
352KB

MD5
d3dd9107deb576084a99e2fcfec2a6c6

SHA1
5ab2951283e46f4bdd9d8879dc257e82ce9ca8e4

SHA256
7a3516465239b058fa5434f199d0c7bc98cd8ac9dbcb7541bf2471bc408da848

SHA512
9f186597e259a7863c742aa6fe1d088acdf14821a8f81c444514d6acb285ea6aa8e6e8baa87dbdd367261b0e9879a2b2bb039b1e4df38bc8261468b541c8fd9b

Download Submit
C:\Windows\SysWOW64\Iejcji32.exe

Filesize
352KB

MD5
055b7270a43e6fbc3f88066d90ea340b

SHA1
bbf98de4dd745d1b1b619c496e806dc37c940c8d

SHA256
068b45ef48d44c61a2b0c7739576168b8935354802010e520a865f7fb17bec99

SHA512
b19b6e55e5870881d50214dbad7c84ba8949ca46c9136aef2672d849c9485afee993b88b6ec5176e656e56e877edb9d8c0a5171db7493623cde43b0cb06a9e70

Download Submit
C:\Windows\SysWOW64\Ifefimom.exe

Filesize
352KB

MD5
25b19e091beb0c02358644af38664816

SHA1
aafc2e87f3b288c8ac5aa8357edcfc0ccbe70055

SHA256
b71e7b112c3e3929904a0462615189b1ae27173ecf3ad49013b396851e5169f5

SHA512
4ca88e23cb0183c7ae4ff22d86b2337a34b7efd1d2604b2ac16666fa6bbdce3ab9f92254a7f9318787ef57694147e04d9c278a7a41fa052edc5f51d0b292adbf

Download Submit
C:\Windows\SysWOW64\Iihkpg32.exe

Filesize
352KB

MD5
d699f52a2ab28cf41243943b239f39a3

SHA1
8c8ba914f02e4a2ea9688fe7dcd343384bc798e5

SHA256
06c2ae1d9b280a9ed69366eebc0074767d20e6e3f79d7800000bbb21541ae265

SHA512
a0625a1e9429b45880f03fd480b9f0ef8142dd27b7b46c046164decac4217250c9076787f0d3d0633edd0451a7a81dd5ddb8bf4d0ecf48bce986cfb38b361d82

Download Submit
C:\Windows\SysWOW64\Ikbnacmd.exe

Filesize
352KB

MD5
d4d5142e481e862e1e4c96aaa221f42b

SHA1
2dbb43abfd3cf87d13da9a7f41da324c6b43531e

SHA256
db5865361d4013ccb54667e8a1fe5acf09023078bf958446520212bd48d7f1e5

SHA512
94e71d742d51ca78cfdb7bb9215602d2f7950713421d073c741805df3d6382bac2c5d0fabfd5986e39d5d2a94bc2296c729793229c9d4b348c08859310f9f9c6

Download Submit
C:\Windows\SysWOW64\Imfdff32.exe

Filesize
352KB

MD5
bb050011e57ddcf1f8f4d1b7aeef5c2d

SHA1
4c7c4e2488863691622088512a9bc72305afaa16

SHA256
ffeef4ce937dc8260d7dc57db49b4760a3aa68b3aaa3b11fdbb53f80b692138b

SHA512
40bf3f26d0bd909bc8f36bf8e1d980861b8133234f7d2b730538d799111294a54be24befcf878695bb84bca96736e5c93ac37b5d8f2877f86bc673754416e4ad

Download Submit
C:\Windows\SysWOW64\Ipeomnnj.dll

Filesize
7KB

MD5
81ef2ec957379a7bdc940f753c47313e

SHA1
b95ab3d17c2067d9ff6e869323f12120f67927b2

SHA256
3ecb95851037e6d60c3304bb79f222af88543159fc763a573cf4726a59f97242

SHA512
5d411d66909fd7fe69c14319ecab42b4dd07e21d1bdbf360bd832e595881c953e4fec99c80140177607e71dd7270fd5df55b1af49d460a9de2533256d463a26c

Download Submit
C:\Windows\SysWOW64\Ippggbck.exe

Filesize
352KB

MD5
d7472f746b4c5ae934926717a6feee1b

SHA1
52c43c487a8f8f1d416d32ef2aae397156d33da7

SHA256
3be93a72c4bcada8a9499f8e8716328d40f463701433630607cb418326a06d11

SHA512
e0d58b9f64643b0ee6842c43d7ecd9768ca905d5d77773a4f1497874db4b41679232e63a446ead0eb5c5a11d82b5ee7ec5d1d02180770c3e3fa2145aca65193b

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
352KB

MD5
b11f200e3d16af6f31e62e92eff68e95

SHA1
e7a7ff3c588a25f9359703fb95aae8fb82731cfb

SHA256
1ac70084eaa063eee2c87b8b35bb995d0f46aa206d2f282099f65c2d25b25bcd

SHA512
0ad93d7348cc962ae61d96a55e198f1877d9490fd6763305739249d7a8f238e781229b275844773962078e7cfdf2cb535f2cfc56accb061de3c4c2d3e4be55c1

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
352KB

MD5
be2d0b0f71aa0b3cccf8cc125abfdb91

SHA1
2f938b86d67b79270fdfed147582814e0fade83c

SHA256
e3ab67b576f3dd677a85e65ea4069d24acbb075371f66910d17a9cc8033ca017

SHA512
fa45d9066a72953b0d98d9a86ba97868a9774d6b61a068680b543948890ba265c14ed65cfda2a3c8914b40fc23955d0c2221e3071293171ed84fb2e0e1f8a70d

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
352KB

MD5
e0d8da6de45046c38169f45821b73103

SHA1
d955d972a27452d7a939853fd7c24630b6d2808d

SHA256
a1b9341c8a7a88520ea9a418bf34e758755cf05873546bff57736cdcf1fdfe0d

SHA512
7c02df8cf57f840ddd7c9678cfbd29037ba61934bd254e55d64ea42d834be5c352b7f8f109d0bd9f9e0b0d7a6ba94789d90daa5af81be8f451eaae189058e762

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
352KB

MD5
b7bcb8a2f37a32c92866afed1ee83670

SHA1
ef5fc9fd8403673d8eb01ac57b4695789f2a0e7f

SHA256
ebd6413726f2b37a69117169dd0bda138b9382c54f64df0724319fb639b13a7c

SHA512
0c471389b178fcc66f706ff0784dd8fd2648f64a91491e448c2b615483e3d59e8b23fb0e5969deca70bcc27d7b1926603f31087cd04bb021cbae03117ba9d057

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
352KB

MD5
6313bf5b53a55c0c028ce8d892f2a3f8

SHA1
32524bf54e6b6dc3dd53e8893e399a9f7a821f0e

SHA256
68fac623367579b8f92ef6b74db16d6ab1375c2ee19b8184b3d0896e2e032256

SHA512
dcef0fa257018ad75b2eff51df366fb012006319fea3e3a8586681226f2cd5e1540db73a021fef078b3a288d6ece4c387b101deba451c3530b2a5524909097b5

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
352KB

MD5
bdcb56f165e7b06d0f9cecd582a157c7

SHA1
2a0b2f6e34867389e6f8e5424e6b886507a3b57f

SHA256
6bb0ad3943ac1bf09878ba46c9296a2881f723a6e62366b8ad51afca6db4cfc1

SHA512
ecbf44263cffd15e5b6c782443d2109788b09c79e450922737f812c0a3cfd349ad581f78c3731e62d0164fc40b5953c7ecf8913d26ef41fba33236261581d307

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
352KB

MD5
0a5cd0cd33ee3c50882385a7efcd9a10

SHA1
4d9052f4c2765730b5790a313090e7aa5a044b39

SHA256
c429941cdb58eac985e5038b0c7ebf81c396d3b2147cb65c1c0c49b119db9ce9

SHA512
7ce95316a8241287c8bc6500b49d91b28ca1efa01ae734fbc177433c531dd0e186094589ef6d750e4db48c2046f18ca3c7d146aaa342245c920ee0d97fe17d2c

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
352KB

MD5
7afaab176c599d8869cc581230ca2ed9

SHA1
541a7a126ac07430b6ffbc08c4ed559ea1735e28

SHA256
e63a99111be81b42a91841ee521a3eb896552d688fd2a2eed12a68094ca5c7ee

SHA512
5c4ecf98a7be5a583449d4497c511ac988a870cd46d3c7e15b295f3885d313536dece7242ad3cf336a9206d30ea3a4ccc2ebe6666e9230e9f7c340417b1ded6d

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
352KB

MD5
dc8308ef8fb36b7bffb216a439edf0c0

SHA1
4f2b1e2b8bb615a55331c86ee7a48f0425009aaa

SHA256
576aafdd29345bb60ba09de8b21d445a8cc0840cddcc3ff9963f68eb6953232e

SHA512
d6e8a9349fb5293be3d56c7ce1d8f224d111e6e5f616cd84b3dabebd7d0b9dba3f593274deca23d7ed5d6094d8a9f596313cc40d117dfb2451eda0a90e647a52

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
352KB

MD5
b35031a9db160e582bbcc3e73752aef5

SHA1
615de8d649c09da1dc8c910482d5eee543db37a2

SHA256
6472d69e7c647e29064a1119a355b5fa38247c2aaa7c29d6ed6a16919a602145

SHA512
42606c77530865d4fc0c5bfd095f0d0b45a0fb794b6f6e4c1924e03f4e9ea490ecd7e1611d74b053b85d38fff09094aca154a3412837f9ec45c83bc719e35c8f

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
352KB

MD5
a82f59a6766eb8901e5f12ff7bf3b923

SHA1
f7b277118e1612e1cd42ab16ef3a59cb813ed7c8

SHA256
1e404e669d626f63007789f4a2a2c6530b15a04a0efb01a523a5db38a38220fc

SHA512
79a7990dcb2d540d10ed6a0003c7d6fbed8b0c90575bd032a8bc9ce8b6dee8ba5f0af3125a0cc13fbdca85abf339f2bbec0da455447de16e70a05b328eaa092a

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
352KB

MD5
c415636a46b28e19d5dd286a35191346

SHA1
21cd1674e4bc10014dff997ed20bf6811232c144

SHA256
55e8914211113eca9262115a075e05af78339ff5ceff60a8c86908b73a022829

SHA512
4a92bff55630a8d5b71e38356ffc891b2515a2829b6b569eb056cd33c4290cacb937d64607280e50cae2a04529d487da76a6a0733db9cde338cb3bcb5724537a

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
352KB

MD5
7dbf9945169e24868f4958c74639c631

SHA1
3e9c0520b28999c5c68d5a479e411ad3a743f418

SHA256
3e7dbfa91434d017ec35d36362e1e9f4f60fb3acb0215aee81e0469a0c0ede17

SHA512
9069b87a3524ccfc66f1bc451f99ce6c35b680398b780d62f0d95b482bcebc4989547e59c7fa1d6a4cd48c386fc4aedf545c90b809284f1f83ccccd706431008

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
352KB

MD5
6e388bb26dd6de6ceb9a0759ee88779d

SHA1
f87719de236648c2a3f07bb363d37d1ac9a5c008

SHA256
29b993cbcb7b66f37144847f9cdd5a979a38c3698da7ed6868f03ba5ff0bbcba

SHA512
da5a186d599c9b10a3daae0cf6cba89711882684b06646b1d33af7a2759600c2eb0831f7e5f79a21c7a6c19ef1935514e0e4c8eee065346c53ce1519b7c10bb6

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
352KB

MD5
1342b8948a4a21517eca1ee047843d84

SHA1
bf3e8184c9a48550ca99647ae18caab77cece6ba

SHA256
434410c68ec3b762f443e741990583310df02027ca21b102ea3187b49132ef8f

SHA512
5e360050a038ac4972e1bac645d058fe989080b4d07b0b7860aef1a9fa7bdd61897a388f635eda2c788bc23ddf03344cba6f213237fae23f30b982c6c3d86ae2

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
352KB

MD5
2d7ee6cb0fc09937fdcfa33e99c79c71

SHA1
23f35437526aa1fdf06213770a7ceb703ee6b32e

SHA256
324ab83536bd9e57ce823ab535d408a5dea5740edd646833491d3201923b00a2

SHA512
405e067c2833bbd17fdc5a8ccffa849950397164aa32d1bd3a492a25be86a0433def24ce7b3090971072e44815e6e98dc96a2b5cc28365678140330e4daec624

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
352KB

MD5
db0c12145f919e1d7f354c0c69631fc1

SHA1
5e3440098d9a3992f32b96ac76cc4379a8a9a03b

SHA256
9a8cdf544df3f237a1eace7036c59eb5e5c9262213215236e883d85d416eadc4

SHA512
6ad6b96c71d4e8144f13864a9f5b570615f274650062dcbeb090535f8d496d5c2f593e5a30d7334d523e866c4ee97893898fcca99b7b3f42d6266a532e04657b

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
352KB

MD5
e5c780f62af25d330d98b94db625a88e

SHA1
19420017f552701a806bd93e55880abf1631599c

SHA256
9e06e146a2c2959751eb364422cc50ed3674e6539c4d896b15624437b237c42c

SHA512
90c03ac319abdc4d6b0aeab7e7d56112402d4ee529e926f415ebb3f437cc80061aa169de5d955060c400a8ad760a4475a8b05b6862aa2db5092e22e1b8c47da2

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
352KB

MD5
9d8fdd896b5496f2d1de5c8f0bc862d7

SHA1
b437ed94e7d4ab9dbcb6109be99562bed55ad697

SHA256
44b4bcdab1b6c95fdb143de827fd3e44cf26814de1de39567be0dc3fa991f26c

SHA512
0b138cc2d0913be01e23d76dc491a62d4da152e821ad72074b20727643706056c56a3a157f724c64870dfcb69829013f3a805aec3f2dfa9db48b52bcb4fb59a8

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
352KB

MD5
61e0d6e0f8536358f915cc2d879b178b

SHA1
7f5c1c9454a81a219e2498a6a76a97d70bddc1c8

SHA256
9fa625fcf2e5418586024602152575491903557c5f85d9afa7fe6a778f584cd3

SHA512
3965f53c88c657791690f681d56a84476525dffb535f8509d25e8eef9c7d00e520e5c026ba8ec3745f68a1484805ba426f32fe32202d69547d0548a550afa486

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
352KB

MD5
f82febd22889cc943fe910971fbf9ffe

SHA1
6f99372a119ea9c0987ffa49667aadc60c20e670

SHA256
767f370155496f7bd1a4aa9ee2c057c2b20f35fd8076a605ad14e052e4d103f4

SHA512
58f90929a081c67a86cc32eda8466dcf57690747c9708a606ece7f83f7d5b1bd881da3e197228873c6f6c01b440a46772527060790773d806ca2fbd3b1a72d22

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
352KB

MD5
a771b12bcee55beb7df7089e9d1dcbfb

SHA1
ec3faaa69fbb186d3b377f9436fc41e1a3c76808

SHA256
77b9a57f2e2aba65deee485eb27c57b56bf404965e0f890d716cdf115e334634

SHA512
2b2753f24ce97b95083d8919a1256ef9cc87cfb1bd2419cc6466630dfea9e6d53b3af01c5038b6985baabdd5722f09b0de826b38a5c93c617d8e6485b80bfb59

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
352KB

MD5
265eab77b198c1a49b8789d046013963

SHA1
c0238090059129a7a9a72da1f8b847706c87f3e2

SHA256
b60f712296ff3dd6d67d70c516e124e9100770ca47b72915f20e0ee8fd887dac

SHA512
0f5a7411c3e5d8fd411b8f7adc8658717b3c642403df8c297d352675f718fb1e204381ca6dac1e90f0d9f300a673e9dc20b05a8433a761693b180b398f869617

Download Submit
memory/396-567-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/396-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/716-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/736-268-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/764-442-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/776-119-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/860-223-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/868-581-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/868-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1008-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1032-167-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1208-448-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1212-436-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1356-394-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1360-406-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1452-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1508-582-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1528-527-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1592-388-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1612-589-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1688-274-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1768-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1820-479-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1824-449-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1852-507-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1880-152-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1956-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2168-328-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2264-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2284-112-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2288-418-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2300-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2396-547-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2492-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2492-574-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2500-515-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2508-79-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2548-500-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2580-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2592-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2740-262-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2796-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2940-424-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2976-455-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2996-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-358-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3028-568-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3112-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3140-430-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3224-491-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3232-557-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3232-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3316-467-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3368-191-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3400-400-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3596-199-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3628-334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3696-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3732-231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3940-104-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3972-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3972-539-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4028-561-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4036-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4104-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4168-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4204-364-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4240-292-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4272-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4316-560-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4316-23-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4336-509-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4344-473-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4356-588-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4356-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4364-247-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4380-376-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4396-370-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4400-280-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4520-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4536-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4568-159-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4652-533-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4700-546-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4700-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4788-461-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4836-485-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4892-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4972-540-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4992-558-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5000-87-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5004-521-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5040-183-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5048-239-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5072-575-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5080-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads