berbew | 85d6b29bc5dff6ac937faacaeb36f111b0122310ea07ca2e7c54fef141d1bc65

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85d6b29bc5dff6ac937faacaeb36f111b0122310ea07ca2e7c54fef141d1bc65N.exe
Size

128KB
MD5

fa58d9374bee1c7d9431bdf4aa1053a0
SHA1

29f98fcf8a19589f173acdda84bbc1de454b0c0b
SHA256

85d6b29bc5dff6ac937faacaeb36f111b0122310ea07ca2e7c54fef141d1bc65
SHA512

c9f17c15ee47e2bf03b72603a95cf2f6454089e1104c41e24fc98dc719d5825599e584b9cf16a9d3a6df27ea9e183678080ad136d68bbb976d48c3ba178c8330
SSDEEP

3072:iTzzvNq5SM1SZmnhPUqCmUj9mL3FQo7fnEBctcp:iVzDjEL3FF7fPtc

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	85d6b29bc5dff6ac937faacaeb36f111b0122310ea07ca2e7c54fef141d1bc65N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
640	Lljfpnjg.exe
1912	Ldanqkki.exe
916	Lgokmgjm.exe
3044	Lingibiq.exe
3192	Mdckfk32.exe
8	Mgagbf32.exe
2184	Mmlpoqpg.exe
2720	Mdehlk32.exe
2860	Megdccmb.exe
4400	Mibpda32.exe
2496	Mdhdajea.exe
3748	Mckemg32.exe
3020	Mmpijp32.exe
3808	Mdjagjco.exe
1948	Melnob32.exe
3968	Mmbfpp32.exe
4868	Mpablkhc.exe
3024	Mcpnhfhf.exe
588	Mlhbal32.exe
2568	Npcoakfp.exe
2228	Nepgjaeg.exe
1920	Npfkgjdn.exe
2320	Njnpppkn.exe
3416	Ndcdmikd.exe
2832	Nloiakho.exe
4568	Nfgmjqop.exe
3312	Nckndeni.exe
2400	Njefqo32.exe
4424	Oflgep32.exe
5020	Opakbi32.exe
4748	Ogkcpbam.exe
4072	Ojjolnaq.exe
4172	Opdghh32.exe
1064	Ognpebpj.exe
4220	Olkhmi32.exe
2440	Odapnf32.exe
1852	Ogpmjb32.exe
2956	Ofcmfodb.exe
1404	Onjegled.exe
1716	Ocgmpccl.exe
2072	Pmoahijl.exe
3124	Pgefeajb.exe
4752	Pnonbk32.exe
3304	Pdifoehl.exe
4872	Pfjcgn32.exe
368	Pnakhkol.exe
1780	Pdkcde32.exe
4092	Pflplnlg.exe
1384	Pncgmkmj.exe
1316	Pcppfaka.exe
772	Pjjhbl32.exe
936	Pqdqof32.exe
2592	Pdpmpdbd.exe
4708	Pjmehkqk.exe
3248	Qqfmde32.exe
2280	Qceiaa32.exe
1960	Qjoankoi.exe
3892	Qmmnjfnl.exe
1772	Qgcbgo32.exe
2304	Qffbbldm.exe
1836	Anmjcieo.exe
2172	Ampkof32.exe
2588	Adgbpc32.exe
4040	Ageolo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Nniadn32.dll	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Ldanqkki.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Eghpcp32.dll	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Npfkgjdn.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Mdckfk32.exe	Lingibiq.exe
File opened for modification	C:\Windows\SysWOW64\Mibpda32.exe	Megdccmb.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Ikkokgea.dll	Lingibiq.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Nepgjaeg.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Mlhbal32.exe	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Lingibiq.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Mgagbf32.exe	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Megdccmb.exe	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qgcbgo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5556	5416	WerFault.exe	205

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85d6b29bc5dff6ac937faacaeb36f111b0122310ea07ca2e7c54fef141d1bc65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhkicbi.dll"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleecc32.dll"	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 640	2612	85d6b29bc5dff6ac937faacaeb36f111b0122310ea07ca2e7c54fef141d1bc65N.exe	82
PID 2612 wrote to memory of 640	2612	85d6b29bc5dff6ac937faacaeb36f111b0122310ea07ca2e7c54fef141d1bc65N.exe	82
PID 2612 wrote to memory of 640	2612	85d6b29bc5dff6ac937faacaeb36f111b0122310ea07ca2e7c54fef141d1bc65N.exe	82
PID 640 wrote to memory of 1912	640	Lljfpnjg.exe	83
PID 640 wrote to memory of 1912	640	Lljfpnjg.exe	83
PID 640 wrote to memory of 1912	640	Lljfpnjg.exe	83
PID 1912 wrote to memory of 916	1912	Ldanqkki.exe	84
PID 1912 wrote to memory of 916	1912	Ldanqkki.exe	84
PID 1912 wrote to memory of 916	1912	Ldanqkki.exe	84
PID 916 wrote to memory of 3044	916	Lgokmgjm.exe	85
PID 916 wrote to memory of 3044	916	Lgokmgjm.exe	85
PID 916 wrote to memory of 3044	916	Lgokmgjm.exe	85
PID 3044 wrote to memory of 3192	3044	Lingibiq.exe	86
PID 3044 wrote to memory of 3192	3044	Lingibiq.exe	86
PID 3044 wrote to memory of 3192	3044	Lingibiq.exe	86
PID 3192 wrote to memory of 8	3192	Mdckfk32.exe	87
PID 3192 wrote to memory of 8	3192	Mdckfk32.exe	87
PID 3192 wrote to memory of 8	3192	Mdckfk32.exe	87
PID 8 wrote to memory of 2184	8	Mgagbf32.exe	88
PID 8 wrote to memory of 2184	8	Mgagbf32.exe	88
PID 8 wrote to memory of 2184	8	Mgagbf32.exe	88
PID 2184 wrote to memory of 2720	2184	Mmlpoqpg.exe	89
PID 2184 wrote to memory of 2720	2184	Mmlpoqpg.exe	89
PID 2184 wrote to memory of 2720	2184	Mmlpoqpg.exe	89
PID 2720 wrote to memory of 2860	2720	Mdehlk32.exe	90
PID 2720 wrote to memory of 2860	2720	Mdehlk32.exe	90
PID 2720 wrote to memory of 2860	2720	Mdehlk32.exe	90
PID 2860 wrote to memory of 4400	2860	Megdccmb.exe	91
PID 2860 wrote to memory of 4400	2860	Megdccmb.exe	91
PID 2860 wrote to memory of 4400	2860	Megdccmb.exe	91
PID 4400 wrote to memory of 2496	4400	Mibpda32.exe	92
PID 4400 wrote to memory of 2496	4400	Mibpda32.exe	92
PID 4400 wrote to memory of 2496	4400	Mibpda32.exe	92
PID 2496 wrote to memory of 3748	2496	Mdhdajea.exe	93
PID 2496 wrote to memory of 3748	2496	Mdhdajea.exe	93
PID 2496 wrote to memory of 3748	2496	Mdhdajea.exe	93
PID 3748 wrote to memory of 3020	3748	Mckemg32.exe	94
PID 3748 wrote to memory of 3020	3748	Mckemg32.exe	94
PID 3748 wrote to memory of 3020	3748	Mckemg32.exe	94
PID 3020 wrote to memory of 3808	3020	Mmpijp32.exe	95
PID 3020 wrote to memory of 3808	3020	Mmpijp32.exe	95
PID 3020 wrote to memory of 3808	3020	Mmpijp32.exe	95
PID 3808 wrote to memory of 1948	3808	Mdjagjco.exe	96
PID 3808 wrote to memory of 1948	3808	Mdjagjco.exe	96
PID 3808 wrote to memory of 1948	3808	Mdjagjco.exe	96
PID 1948 wrote to memory of 3968	1948	Melnob32.exe	97
PID 1948 wrote to memory of 3968	1948	Melnob32.exe	97
PID 1948 wrote to memory of 3968	1948	Melnob32.exe	97
PID 3968 wrote to memory of 4868	3968	Mmbfpp32.exe	98
PID 3968 wrote to memory of 4868	3968	Mmbfpp32.exe	98
PID 3968 wrote to memory of 4868	3968	Mmbfpp32.exe	98
PID 4868 wrote to memory of 3024	4868	Mpablkhc.exe	99
PID 4868 wrote to memory of 3024	4868	Mpablkhc.exe	99
PID 4868 wrote to memory of 3024	4868	Mpablkhc.exe	99
PID 3024 wrote to memory of 588	3024	Mcpnhfhf.exe	100
PID 3024 wrote to memory of 588	3024	Mcpnhfhf.exe	100
PID 3024 wrote to memory of 588	3024	Mcpnhfhf.exe	100
PID 588 wrote to memory of 2568	588	Mlhbal32.exe	101
PID 588 wrote to memory of 2568	588	Mlhbal32.exe	101
PID 588 wrote to memory of 2568	588	Mlhbal32.exe	101
PID 2568 wrote to memory of 2228	2568	Npcoakfp.exe	102
PID 2568 wrote to memory of 2228	2568	Npcoakfp.exe	102
PID 2568 wrote to memory of 2228	2568	Npcoakfp.exe	102
PID 2228 wrote to memory of 1920	2228	Nepgjaeg.exe	103

C:\Users\Admin\AppData\Local\Temp\85d6b29bc5dff6ac937faacaeb36f111b0122310ea07ca2e7c54fef141d1bc65N.exe
"C:\Users\Admin\AppData\Local\Temp\85d6b29bc5dff6ac937faacaeb36f111b0122310ea07ca2e7c54fef141d1bc65N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\SysWOW64\Lljfpnjg.exe
  C:\Windows\system32\Lljfpnjg.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\SysWOW64\Ldanqkki.exe
    C:\Windows\system32\Ldanqkki.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\SysWOW64\Lgokmgjm.exe
      C:\Windows\system32\Lgokmgjm.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:916
    - - C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3044
      - C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        28⤵
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        33⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1064
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        39⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3304
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        52⤵
        Executes dropped EXE
        
        PID:772
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        62⤵
        Executes dropped EXE
        
        PID:1836
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        71⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        72⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        73⤵
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3116
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        81⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        86⤵
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        87⤵
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        92⤵
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1204
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        99⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        115⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        117⤵
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        119⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 216
        122⤵
        Program crash
        
        PID:5556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5416 -ip 5416
1⤵
PID:5516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afmhck32.exe

Filesize
128KB

MD5
0faa8a19c10134a233f63f574cd46c1d

SHA1
a1ec406611d428f0cad665df8c3bd4228eecc102

SHA256
1e9c0a864931d3158a39252bb25bc1746e0b3d15ce30537b6f54ca77bae85ce1

SHA512
cb0cb5b3068e0856aea309bac8d9106b47723e469839b20915e419cccbc547c32fa9c6bb04ba76a447760d1b24611362bc863e0df5ec5d5eaa115f175f7688dc

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
128KB

MD5
f7767b0a7bab1dbbb85ea97139d96bcd

SHA1
15ed8a2805b00952896f022fbfb66577dc48b57b

SHA256
7f27f14cc06bec1af924ae5a237d5d6263c4daae5abb46c32929b4ef45a87a7e

SHA512
e144924c081b0154a2892e26afee60f1c4bd562fefa513be87f3d543e5736fede91a17db93b6a949a873c0724a3e3501527645f4ac34fce5dcf672c405df8774

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
128KB

MD5
535620d090cfced28696e3cf28cd4575

SHA1
fb6277001346ae36e717a3438e1443a6c4c752db

SHA256
65d436f703ea9d6c71d1fbdbaada5561f72f719321ca5f3230319bac036bf22e

SHA512
c50c4bf53b3bdacb6122faa8a69fb985c3b686f7ba586b19f6b60468bdb02dda165afd30420d3a42503c36c1a289ee97c13a3c60811e0769711010a385ebd0bc

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
128KB

MD5
0191d6977ec7ae68bbbfbc55f42cae8a

SHA1
971a0664e35b510fe5cbf46729b2d7bc065f40e9

SHA256
97cf593a0003b3bf395ac087251a3a976e3294835a666f12606e808af2a1decf

SHA512
5024b32b3172eecab44c4adb051a50e0121975ae1f3775598dddf2576c6eed4ea9b42bfd6a58e25365bc89f17a9430ada0513fbe5d4142bd28956a1a82816da8

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
128KB

MD5
dd33daea9f141c71cce1ce4c8257b1be

SHA1
d4e8b3968a0b6ae6011daf7cc8ddaa0c3f8f9e99

SHA256
20393968c2fd013f13855667c6164c05bcde93e7eaf970032fddd2ea7e1d678a

SHA512
88820b683c8495ba113c5e538a74e9f9c0b6d868d66624b7b16b67b863bfe2e039f4d81ef2aae79ed4829e0ce756853086a9b07ba5f98408b55a98ef4cefb4f8

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
128KB

MD5
9b202c1d4c517b8f4bf316e11e38a2b5

SHA1
4ddc6c101e0d6d7af30b99628f993ed472e6668b

SHA256
bfab3e6c6be042f281fe309f466afd922f92857746894c2ac63b4a7d040a7e7e

SHA512
ca8d9f8fdf0926d91704f3cbba556e93e39f72793b473500f7843c69f879cba0aeb1f40d44afafda5608b6ffb97a3e7f1a05e85f2b957860016b909c905d326d

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
64KB

MD5
317c97127ace9ea228e14f15dfa230ee

SHA1
d85507b8c387f78153992beac00bad5553d87302

SHA256
0a8ed5b518fc76961a079e2c72ffdbfcd9a2f538d0dcfaf0f66acfb359137206

SHA512
cdc9d200eeffea8fe132eacbd5f4f1c0f934555ddddb92f843c7562e38cfd11b3a80ae146996b92de62c9ae4a3e29bce12f9aeaaf2ff4c04b351a1bae311955c

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
64KB

MD5
ca20b55c79d4a745f0733feeac1d1b07

SHA1
07d1fc9472c3713569b56a94af4dbd086171f141

SHA256
96566928c9f5c845e185080b46dcae2e3fcb207de9e1cd399a4ca8eb9ef5d87a

SHA512
887ee7c7e90b422644d54241ff7235f8372a47ea1d069bae3920acffc0c3562db32dd8d740dc0563f4c16f0c25151f49c6ea325f5a8891c730a49f5890bd332d

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
128KB

MD5
80b1724a672b2b1455f1adfe8ee74291

SHA1
72778855bfd84fe83977e4053e08e013f466a6d2

SHA256
a569c2896768da17a6cd0c52e7fe721784a3a084e868f27fde86a079253b6e0b

SHA512
f7f96080e09386d29814bf4edff0cb096150e39a7eace6e74ce6224ccc9b7c040f6369b5a6fb6e61db805f99226d6c911ee0030966acd077b8ec2d38fe38ce94

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
128KB

MD5
e319f0e5c3cd32e4caceef7edccc6735

SHA1
95cc68b7338af3ef58dd4bfcedd9dee860b247b4

SHA256
162aad64c65aeab78057961086d99bb9bb03e794dbaadc142b0dd51ba73b80be

SHA512
0c1d04341ba8ddd4516c24860abe9ddb92b2b8aaad7b805cee54eb9d0a512bff33e9d47fc8d41617cb5f17fe537ad7b2b46821e1173270561f80e303966cef1d

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
128KB

MD5
a287984aae310a0739d3a8dc0861d2b7

SHA1
028b5590b6b76a50b987e9f506241d98284df95b

SHA256
9c898f59b2386f8a30f46413ada9999188690039131858e47632e003e27d90c8

SHA512
02bd339a5b920a78864263b9ce50d4b0662607ec8af02a0ae38e36cb27b326392c228f66dcb86ac33abdb3722b6da387477995da035d462fe367f2f7f85d33a4

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
128KB

MD5
482cd4ee36091c092f860423562c5e37

SHA1
16ade19c9cfea87561bbc0005c2c0f4212ba9dd8

SHA256
f4ab1db625345e2ffdf776bc4ab3b7e6d87050c338173e803ba3da2c08218493

SHA512
5c7a4704b3261a9261dd08533f37f6f72559a28690c105475f2fb6f5f8ee3959f7ea8374936bcf3f2b5803a716196c54960d6282810c78082fd615133f9f5f69

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
128KB

MD5
7ec433cb7ee660a44c85dab29e1b4007

SHA1
f550ccc9f0fbdfead1354bce940cffb37f6fa5f3

SHA256
9c36becd48b869053a890851cb83a44333124e599b635ffb66103c889ecfd2fa

SHA512
848b09b5e8536076b3d478498ca0c5f6ebdf539f774e715c5ac200ec922e9af91ff62255e5c6f0c14afb6c134ac38c761a982d737eb254f4b631aa760525fb33

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
128KB

MD5
4323633da42a365398362b61134a5a0a

SHA1
27857142dd197678a2f3278e1066ba06e92945a0

SHA256
8dfee7efd2977abe0b5674981b74e44da4614c8269c9644ab4e3557df456d42e

SHA512
3364a464ad166da44bca2c818d4526f9ce2ec0515f2d50ba7fda8a5381a9dd10ba713c50bad5449bb24de3c550b6f5a646d61ea5dfb9063b52953e0b977b2285

Download Submit
C:\Windows\SysWOW64\Ikkokgea.dll

Filesize
7KB

MD5
b7e009e6ac5cf683ddaf2a1346304342

SHA1
5d9fa07afcfeb97d89794430ae3869867fa09130

SHA256
c0c3be90c9184ca6dad35765054ce2e3e2e0008d6d608e8a8c9f29bb58bb9d5a

SHA512
1afb7a0909f7002081f23a653bd7d9bd8764fe59f5a5b8467f0c16943cab50bad2942a4333b60444ab07b54d27604a2705de5f5574c9d669187aaba12b4b6f47

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
128KB

MD5
fde854b7b3ffdd8ddfad440999aaff54

SHA1
9e1dbdb09e776c72c59dacd8496700fedc79d719

SHA256
fe3899ffe59adb879c54de91844c653ffedb4a29e21f335d667c0e75adde1b5d

SHA512
4db06547a4b001b2ed5d36677fa36c81fcdf72730ac1f688262b94c1160c7fb95313cc0008ee11449aee4f38cd0753fc2325c5da3c134378cab40a615aa0ef29

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
128KB

MD5
72b9e437efc997b5f82c268d76e8a3db

SHA1
a5ae7b73db0c481dd2fcef64e87df47ba9a51ba1

SHA256
240821f2c8508f370928e76c8b617a3d3258b9eeb0c6af5017e68c6a4591272a

SHA512
96d70535c4ea8d8e3a3e3a04f1057ac2dd400f8d130fa96d6de15c6599fbe7f8ae636d56d50d94689e8c7c87285673a82811a291d3ce10c9919000ff56e11421

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
128KB

MD5
ed75b3c9069bb1058d4e489bea358faf

SHA1
b1b617306798cdc1bd512da7ed198d701e999256

SHA256
cd63ae9bba528f3368251e64f8f02a3cfd9828cf7b8a0893d47df5303f5b055d

SHA512
38316d849acf141d30ab98f7632b069c5f26981a38fbdc9b4ddf7c7efb1d684192f1c345029725f82090301a307e208402491f92be57d0f5a54b196df56d89be

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
128KB

MD5
c4c60fdf779b9c9d5ce58f11561ba02a

SHA1
edb6b35a77cb8ff23ad03b95fd1f0f4eaf479882

SHA256
f95fa66010cb881d73d7bcc9ce63f8313295454be892656c82cb8c098d39b308

SHA512
1ae872328589b7dd9cf4fe9f10e2e6ae2558dfd05a859e243e7048993a87d83912d5915278e9aae7c45fbd9db9f8e9f2536bc1bc0ac965bcc48933c49374a6ca

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
128KB

MD5
15244d25d0c573ff784d11340c061353

SHA1
87227764f00a9214e2bcbd31e666fa224f95eff2

SHA256
d0620cf608193ee72370df637649b179e5412f6ecc6d50a9aed22deaebefa25b

SHA512
0caa3148f90a5925be78e0eb5fee96743fea30b8fccd393a3ce79799ab2f1adfe75638383032b3e3e74097793aa417bccb6b14aeb1654f00a49158cbc773ff38

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
128KB

MD5
98881dd650ac9eff4905f76d842bdb72

SHA1
f762e97afddcedebdfa95ac5ac8d462c4018deb6

SHA256
84884ab8810ead82e75a51128d40fb3961f42e18a7d717e4b4246131eb1fc4a1

SHA512
cf8a3f36c4e354c2388640009435a6b15094f62b74eb01096a9c3f6be93a00b261100ecf1155eae577870a20b2fe760da9e3c6d1849c79966bbd8ab415a2becc

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
128KB

MD5
f3fe2facb7eeffd0c10b49ae540d899c

SHA1
7a4baf1786b3c237f305ebcfb11d5b3ea279d335

SHA256
efcebf235d9a77788259430d61f57aced7b5a3a92fddfd7ca625c489f03845da

SHA512
d817224c5cd24fb09093f3bc294fd7951b449654fda3a8d2db313a0f94829c03ff38babe554a368f3ea7520b495b0c2a0bd63fe2bcda60315e8b5d9cf9c87813

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
128KB

MD5
84cb560ee625e83837b68e75278a889a

SHA1
c43d8b873e504f59077329684197844cbf723853

SHA256
dbb851e45fa5e18e9c3ae037fd6d557fc2941d63e07ffd9f3e375aca3cc0a266

SHA512
1592a19eab565a4a8b5e776637c6ce1b764dd59bd3888c4fd79d8aafff972fd7ad3ef61c99f7ae95e3847f684933cbc784dd9ab4b6e996ca240e7e3c1d501045

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
128KB

MD5
8dff0c37451c60b0ea570c0a611b2429

SHA1
a10d3e81199248c9ad064b2c2de95c87de2be311

SHA256
0de406db83c46b401425d163937332d5c4b2ec847285391ce27788f8afd2f230

SHA512
4a73e33c5d840c44a8c2c10cc459ea36f925bf0fbc21e7b881c46d02c71e115701976ec3205692f8b455baf97b3a9c2122e8ca7eece4c2b55e5dd0d8ebead616

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
128KB

MD5
da7f31a6450dbe0ef5958cd65d67d1a3

SHA1
dee86dfb0e4568b3b38ce8295e842b0bf7799048

SHA256
182d8973e661ccc8c0846b6d9dfc400f67227fab99aa85a94fd69a0675032911

SHA512
dbd9935ac74a2c68128306724b45773ca31149f69b78dce61c0bf9b898c4553e32fabad35094d0147411c773dc25d06b77e67e1711b3f238f1f6d8c863998f0d

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
128KB

MD5
a3da7222e8ef2d94374dc6cfec93afc2

SHA1
7a1158f6f83c59b8019baeea281254c49e281eeb

SHA256
2a4765ce7e39cc427ec77addae65029158557bc2377eb98a199161184022e1dc

SHA512
702fd92b46a6ec9d9db66fe738474fdf03d0a25568579f8494b4a15d29000f93b65422b23de7cab61c66d5f9bfd9d6e08c12cc6348508281bc1c3cc8ad78c0b4

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
128KB

MD5
627c86b42fc3a44879c8ba26df576289

SHA1
5ab322f09161b80093df3e740eb17217356276d0

SHA256
0e828a1fe2bc49207d1705dc03a2004d979968b90db9bd2011d4f537c85a837a

SHA512
293c46bee1169eddfa054679c8cdbdb9a8161c9d1f95e61b91b66eba33db3e0de53c93f0b471a7dafefc9d2a92e28a1c54e51d9b65b971e2d8195191d27c89cc

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
128KB

MD5
351420168c643a518f48e00589bb0495

SHA1
5a1c7925ccc1320c686f094f0694fbf722ccb5e4

SHA256
8bd98a7dce26bfca0eea6bfb8bdc3c16212ee07e6bc94cd5258f2679fdca9e9e

SHA512
d2f405d88046a6080d019938bd87a31230d5d7663c788745f3f1eb3b268b798eb22107f6d3bac95e047ea8352d27fe693bc3bc2ff36d7a24c9daf66a84a8884a

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
128KB

MD5
dea5abec32d8038cc22cfea70293f7dd

SHA1
d47f8993407da43cd8e52839f92e2afd5f10b179

SHA256
08db56498cfbb606c8db272bf15dff7c5981f78ba31f45feffbb22356e309f35

SHA512
532ce9f03d88ceaf5da80a965b702ef73f3239b96d236d8c47733fb9870b8d13fea3e8f1dfb0ccc883f82cea9c8d534c5a763534f735797c311bb12959513347

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
128KB

MD5
40585e16292b8dfd1e1907440611b07d

SHA1
79f21397f1bb6a91f7bdc66c35aca58526281dd0

SHA256
4cc76d325906db1dc88f5b3fcc81ef981535f5e3a8e41ddab3d3a22c83a9e9fd

SHA512
831299a7babb79282f4d6c1edfbf0394320fcb0d25026518ab3c5878849287806e614d37d04f597902d4557699878bfab8bb5c717942d8e218198a0350529149

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
128KB

MD5
f3a05bfd4da7a9cdc709c40834bf1635

SHA1
160e3ab98f6734d62d8b130e0aae6c6e6dd4c824

SHA256
0c22d1d6ee5989dfdfcd4be8b68cf4bee9e50e025a97aaa6426ac70696ec0593

SHA512
59edd96583d6b5f91dda292defa8205e39bc0a1df1bc7dbd3ac3817064cef0cf5e4a149d8e9b9bdaadbe4728f27d12aa4a3ea0ce06092ed7a0b9899b5236ac7e

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
128KB

MD5
cd76f03aad36f274f9ddea76f2413d76

SHA1
c413afc16fb6d66ee337867b6d4c58f8a44bab27

SHA256
25605c69905fd3bf731996e79c50406685a9797ebfb827fa9aa129e99ded573a

SHA512
f54eebf93c599a97bf17ca963d332b9101a050f0728822f6308b705472f051dcd6766988cdb0ef0ec662b3f1b5d2c12e0bcf2920535177ec5b716ded524aa3d7

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
128KB

MD5
6ec97ca58842e2a124b9a73564d611ce

SHA1
44eb3aaaf4c9910e408d0af4806f8b0ad3802b93

SHA256
2a8a9cb8a503be7f9c6486e0b32b8766140fb21d924d93161f25a7b79b342bda

SHA512
c3a36560d23b2943611842b7dbb2aa80995b525708510d90e6f6678fa5df7dd8047bef01fe79f4bb55ca665050728ea8f6ba0b58a14b5cefe39f1b1443576409

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
128KB

MD5
b023036519077ec61943b7e7f44deb76

SHA1
ac61f5b478ced769755801c44115c733cded6e75

SHA256
4e28d3cb73bed5bd7d1a79db881c490686b52ee9cff598503f3b6962554e00b5

SHA512
2db4eed700ba9c57ce089e2c3123653925d3451983d3d16177bb2a64391b3bb6dbd755fe7e861ef5a7c8140495e6c043e8ea8e553e8574ce804bbff0726b2670

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
128KB

MD5
d5f9bde1b9da3e3ed90262f5abec9c54

SHA1
bc1b8343f0ee0d5e4b908d76a94ec678ad6164a2

SHA256
75a7f4e0ca9b6d876f7243dde0a8f08b04e0e18280a7a213d6109ffac6927a76

SHA512
03b920267d3f752e31277538046aa04f490f34f5f63bb15a6f1615d275afd96877aa42bf57f02527266c5f41b63596b5034d03c9a642b253c05bb5b803e23a8c

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
128KB

MD5
435cb8f49a85411a8fbf556d184688fa

SHA1
0fd1f144a9e2b7070ebc725baf18363129b27104

SHA256
7a4e25e66b22671f299f8b4af8047c9f887367f232a10fd10559620f03d17d67

SHA512
ba7f9b76d7686ba210746c6fecdd0d62fd5c05abfe07df75a57cab4a387c62395daa2b14f03e076dc8465d26255e22917f4d72b6e0bd36ab56e0483b675747e8

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
128KB

MD5
7dbd52a1388a158b7549fb53a4f3f763

SHA1
1e0fdd07bee674e4920286f628ab4a2123770572

SHA256
3a96dc6d9e62dd6218a0ad6bb2da2d82b40bf852c526e2c31710399d4e0851dc

SHA512
44d05f53e72bb2d5c6358601785dc4768437f28817d58fdf9a97eaac3a4126b7e1ed3dcf11b9db4c419bda457cd176b0fe3f33acf1991c43b3b2dd685e2f84c1

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
128KB

MD5
c0b615f5cea0c8d7059a5e8e75633253

SHA1
c69b0d7f2a49f2adc5f8f927487e0ac4d20ddfe9

SHA256
eda9a085b51fa4867f96a525bf9517e07e4962f3af7100e89747305548b3fdc4

SHA512
8db3b481b7e19e2820889b7aef5f2734219ddeed033f789c98511aefb21b05eaa26f09cefd556d653d9644708e189ff070cff8f0203ecf26abc3a99482a63308

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
128KB

MD5
db6153a1f35b886b63b1383ea4a55b33

SHA1
c53808247aa78738758f2c28f2d23378d640eddb

SHA256
d299974bc7c7a95782a286a6a385aee547485a0abf4f957d61cd06972dc93c65

SHA512
a2faf62cb241ea1250c9b19b582e0e628910cd86df3eb16691e2514232ba617935b123109beb84bb03e55748f1620abe60549b68e558e8edcf677ba1febb98a8

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
128KB

MD5
f30c46b0ffb0e10121d30c711ca8434d

SHA1
30010dc0bfa2777a6dcc70a28d122265d879ab7d

SHA256
71fd6e597c73f6b700b11febb6dbdd19fbdb64fbbfcd13a00ab7c455cd052166

SHA512
455e49dfc6aaa7525bb066c3e0dcf60668f1a304b4abba7edb81ba3571040e40fbae91a9bf011999875cb09a5b7c9541a02dd7d9ac576bfcfb09677bb0e873be

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
128KB

MD5
bff1be9dbb2502e6bd7144e37d669788

SHA1
e99a156a1456c5133de213c04bf0d4de78e41114

SHA256
02b8ea04a807e71dd4fad5c443c93dbb57bd23f7c36895203a578ae0e3d4a49a

SHA512
d6550495f1e55558522dd7be55305426f5fa55d1f8c9049cca0f01d1a5ae5a72a535d387ddace697282d294cb35d93d44439b1be7f0972dd102b4403387b3b7f

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
128KB

MD5
992e598285c3087dcdcab3cf1b5c47ef

SHA1
1b20203d58aee17ae8767e0f8e7e1ea371ae64c8

SHA256
a424b955755429dab32cffdcbac5250c5408ee65f53103cea4e05aa109b342bc

SHA512
98130e43b1daea5e882a5287532cd12986388b72f85845ef4e9683f0ef0280c92ca5cba21273a33a3a219451625ed42ea7010bc8e82978913a10d4b9bf3300f2

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
128KB

MD5
2403127e463645397165eae62e3a9ad3

SHA1
a8d28b3b496e3c4130c074374baaba43a647e1b3

SHA256
5de39b0e6b5378615a48135810e165ce7f9db29affee833372787ea074fcfda7

SHA512
e02b8ea99d03a2885e3e367f3b393d4ffd578e60204fb8e2db5f96a40775f7d4eb7fd2d48d3e198c1dfefd9f244ca2d8096d9907638ded1cb995326c0795bc88

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
128KB

MD5
45b3631f6b7805904191ab9cea659d90

SHA1
158f8ad59771a8ca9d9de3985a28a41b0b710c5b

SHA256
9d89abb1cb77dd66c346e47124d19906c68f83f54c8defd6705b9f3faeaaad93

SHA512
00c20469876cc888fd77945e1057e5212c80cf59f73e7b619db416074f61a10bb704a710eb0faf800c25b9d0c52553c0dba078938a35b39a9bebe48580b29841

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
128KB

MD5
a5fe40e87828388c0b04ef203480873b

SHA1
c29f6f4ff6feedc8608edfc875b03e452f3de101

SHA256
673791b7571a059a2ff1ed4392519cd2f45d053a13f144ff25214652d2d3a495

SHA512
8ab58c9f7ae8f6656015b933c00993588b7877ea1da0b555249d0faf998a52ec3df185ea9d2cb830efece7d7d6a7535c0d4dbc0e59847202048cfdc9d247fd08

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
128KB

MD5
ca33e74c1d70be4ee8bcf5fd8b4e45a7

SHA1
31e93d12b5682e5a1896fed66ae016ea590d5e27

SHA256
003d01eef890f0ff06d13919b1399eba257fe28dded1391d8ba4f7c456114c1d

SHA512
918b47eff83d25f8b63ec3b006211d8c57dd7a558768c3f2bf1e49aeb56c03147178bc4cecd551efbe67789d4c4fecc6f88624b5987ca43e4676c0a3dfa13da4

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
128KB

MD5
d8c3dd3f917582e71a12516a212643ca

SHA1
2a2187066a1a44ef9475d3025a934acd8d0c13c4

SHA256
acf2c518358d5fa57d9dd1b4f8da4905d8c3305de65a56d0dac321748d931d3e

SHA512
5bc2fba8baecb6d071515ba1cd15fd0d1d783230f77d7f78ea420402140b832fa488a548ea53ac56fec86b446a352b6c72de0b514e2538c0b4002c54b3403047

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
128KB

MD5
57d30f1e006aecc672e08ec9cd731a46

SHA1
ec6405a049faf58649466e43a13c148f77b2c9b0

SHA256
d1ac6a84e8090bcaafb64bc11c9d9deca2734132e854678e4c98ab8b393d9607

SHA512
e9f928a3e056cedb6d20be6a8cc39a81e8f42bc07cd63a9fdac74f23a91a2384b04bc03a1206d6c4cf50ad7f1432305cd8fe96c70cc0a8c361869625d569f572

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
128KB

MD5
245dd09c244e4ac7108f003d421123fd

SHA1
d72ae80363d9271777b413c8a82eae7af0d318d6

SHA256
efcfa990171578bd28784ace766b8290e7593d2d10b4ae7e5ca1eefec1606470

SHA512
60d630ccffcfaa0ff32798e6d92a00882c5dba7ea1b6f4cbfe92c50ad5844a484a8b3180ef126d0565acce5b3d3fbd424788c80e6462e47670d7689a533c78db

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
128KB

MD5
d0e5d4e865872587e9edc99a5c0f8f3d

SHA1
86cdf1a382c04d6948805d1bfe0011062ad443af

SHA256
e6995089e5f11cbf5e6966df9d77caf60cf9c85f77acdbf186ea9acec2943ed4

SHA512
a864c8c3c4fe7fdf8562c515ad651d35eb3942c5c95b91fce12260d608f3acee620243c432d071f874718274f60cf95fe5609233f996378c600c658b553e1212

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
128KB

MD5
e5ad10601f60bbafc160a6a81e02af52

SHA1
108cd8dc972fc2d3858703af932d489803927d8d

SHA256
24af55509963b4d34cfe0ec609f7da2aa8872be9cf93c772a36882c25e4edf23

SHA512
40ef61acd2c8c6babbe61fe9f125c5d1cbd9ba2aa20a4928be74ad901703d1b2db482cf2107003d926568155b35824ea4b651f3d0009e187529c9c1ad5af9167

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
128KB

MD5
e91ccda448aac9ded0b9f0a76e3f2107

SHA1
9ebed7ddf5720aee686d53e3f237a228ae83aacf

SHA256
d18a9e54c0c70bcae355d89dc52e459d7b2a352057455b3ee7dab501eb7f3260

SHA512
de99aff78a1f54fc582e1f9b68fbac850225d3cfa24868b45af242639f43d211bfa53f0f2bc881a99c2c2dfa86cba668350036fc9800c11ce9c401bce8b939ca

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
128KB

MD5
a50adb82f0a6d1d9e0adb364c6d307aa

SHA1
f24f264e2b348a83d2257ca7ab734819916da82f

SHA256
4174dbbf8ecb8929f628f569845341530353ee4c87331c0419a418cd2c0da4bd

SHA512
40505acdc553b67a6ae5227dd782cf6c20a875a1fd99f6cba2e2e98a1ab56a7a43c94e04049d246d6a8aef2d93a5e448ce7fc0f15c78626438a6b526f0965e0b

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
128KB

MD5
52a93aac5003b09ab418423bf7394ecc

SHA1
31f242a547aa8c9f6e780e11e70729c9d59b0fc7

SHA256
ebaf95d544c1d37f18521b837e1cf10678fa9314b3705946395a0c4c977605be

SHA512
2652cfe637b9e76717de353630d984ce9e26aecbd7504e8bc3c1d495e93ef3ae112849ed8fc041fe2a6c96ba7bccae3b58de45d9ab342b80f97a4b3cf08f63e8

Download Submit
memory/8-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/8-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/368-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/588-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1384-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1404-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1572-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-942-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2068-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2072-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2440-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2496-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2588-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3248-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3304-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3416-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3808-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3892-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3968-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4072-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4172-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4244-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4344-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4704-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4708-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4752-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5220-875-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads