berbew | 1bdfed7e943aafaa95e929afb9f2b06bb3ad2f56db966268308663fb1c64adde

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bdfed7e943aafaa95e929afb9f2b06bb3ad2f56db966268308663fb1c64addeN.exe
Size

91KB
MD5

467adf40d24a35b27be704e5b5e4a6b0
SHA1

895716066d3a4e5cec14257385473524f69be50a
SHA256

1bdfed7e943aafaa95e929afb9f2b06bb3ad2f56db966268308663fb1c64adde
SHA512

448e6c59372eabc1129db2196f7f5944bbf5eaebcd4e6a87ada9ed37e6ee479203498de7b1610c1f6ab8e1da8a8b498bdcba092baee2d594046d257b54e3654b
SSDEEP

1536:F3s+1U/Xwg+68wVb7oUwpZR+h4lLBsLnVLdGUHyNwtN4/nLLVaBlEaaaaaadhXdQ:hqPYwB8pZy4lLBsLnVUUHyNwtN4/nEB9

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1bdfed7e943aafaa95e929afb9f2b06bb3ad2f56db966268308663fb1c64addeN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3176	Lekehdgp.exe
4172	Llemdo32.exe
4408	Ldleel32.exe
4388	Lboeaifi.exe
2968	Lenamdem.exe
4032	Lmdina32.exe
4564	Ldoaklml.exe
2072	Lgmngglp.exe
976	Likjcbkc.exe
3784	Ldanqkki.exe
1396	Lgokmgjm.exe
1776	Lphoelqn.exe
3344	Medgncoe.exe
2904	Mlopkm32.exe
960	Mchhggno.exe
3220	Mplhql32.exe
720	Mgfqmfde.exe
2444	Mpoefk32.exe
3008	Melnob32.exe
1480	Mdmnlj32.exe
2900	Menjdbgj.exe
4728	Npcoakfp.exe
1352	Ncbknfed.exe
1720	Nngokoej.exe
2280	Ndaggimg.exe
2140	Nebdoa32.exe
2660	Nlmllkja.exe
4256	Ndcdmikd.exe
4544	Neeqea32.exe
624	Nloiakho.exe
1724	Ndfqbhia.exe
1904	Ngdmod32.exe
4208	Nfgmjqop.exe
4984	Npmagine.exe
1928	Nggjdc32.exe
4052	Nfjjppmm.exe
5040	Ocnjidkf.exe
2568	Ojgbfocc.exe
4276	Opakbi32.exe
3084	Ofnckp32.exe
436	Odocigqg.exe
224	Ojllan32.exe
2520	Oqfdnhfk.exe
868	Ocdqjceo.exe
640	Onjegled.exe
2864	Oqhacgdh.exe
2384	Ocgmpccl.exe
4956	Pnlaml32.exe
3444	Pgefeajb.exe
864	Pjcbbmif.exe
3496	Pmannhhj.exe
4976	Pdifoehl.exe
872	Pfjcgn32.exe
1708	Pmdkch32.exe
2324	Pfolbmje.exe
2736	Pmidog32.exe
3216	Pdpmpdbd.exe
4612	Pgnilpah.exe
1620	Qnhahj32.exe
1108	Qdbiedpa.exe
2680	Qgqeappe.exe
4328	Qjoankoi.exe
456	Qqijje32.exe
4648	Qcgffqei.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Mplhql32.exe	Mchhggno.exe
File created	C:\Windows\SysWOW64\Mgfqmfde.exe	Mplhql32.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Ldanqkki.exe	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Mplhql32.exe	Mchhggno.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Bchdhnom.dll	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Ldanqkki.exe	Likjcbkc.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Melnob32.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Hflheb32.dll	Lmdina32.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Lphoelqn.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Eghpcp32.dll	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Ldleel32.exe	Llemdo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6088	5996	WerFault.exe	208

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekehdgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lboeaifi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgfglco.dll"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mplhql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Melnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1bdfed7e943aafaa95e929afb9f2b06bb3ad2f56db966268308663fb1c64addeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lenamdem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 3176	1952	1bdfed7e943aafaa95e929afb9f2b06bb3ad2f56db966268308663fb1c64addeN.exe	82
PID 1952 wrote to memory of 3176	1952	1bdfed7e943aafaa95e929afb9f2b06bb3ad2f56db966268308663fb1c64addeN.exe	82
PID 1952 wrote to memory of 3176	1952	1bdfed7e943aafaa95e929afb9f2b06bb3ad2f56db966268308663fb1c64addeN.exe	82
PID 3176 wrote to memory of 4172	3176	Lekehdgp.exe	83
PID 3176 wrote to memory of 4172	3176	Lekehdgp.exe	83
PID 3176 wrote to memory of 4172	3176	Lekehdgp.exe	83
PID 4172 wrote to memory of 4408	4172	Llemdo32.exe	84
PID 4172 wrote to memory of 4408	4172	Llemdo32.exe	84
PID 4172 wrote to memory of 4408	4172	Llemdo32.exe	84
PID 4408 wrote to memory of 4388	4408	Ldleel32.exe	85
PID 4408 wrote to memory of 4388	4408	Ldleel32.exe	85
PID 4408 wrote to memory of 4388	4408	Ldleel32.exe	85
PID 4388 wrote to memory of 2968	4388	Lboeaifi.exe	86
PID 4388 wrote to memory of 2968	4388	Lboeaifi.exe	86
PID 4388 wrote to memory of 2968	4388	Lboeaifi.exe	86
PID 2968 wrote to memory of 4032	2968	Lenamdem.exe	87
PID 2968 wrote to memory of 4032	2968	Lenamdem.exe	87
PID 2968 wrote to memory of 4032	2968	Lenamdem.exe	87
PID 4032 wrote to memory of 4564	4032	Lmdina32.exe	88
PID 4032 wrote to memory of 4564	4032	Lmdina32.exe	88
PID 4032 wrote to memory of 4564	4032	Lmdina32.exe	88
PID 4564 wrote to memory of 2072	4564	Ldoaklml.exe	89
PID 4564 wrote to memory of 2072	4564	Ldoaklml.exe	89
PID 4564 wrote to memory of 2072	4564	Ldoaklml.exe	89
PID 2072 wrote to memory of 976	2072	Lgmngglp.exe	90
PID 2072 wrote to memory of 976	2072	Lgmngglp.exe	90
PID 2072 wrote to memory of 976	2072	Lgmngglp.exe	90
PID 976 wrote to memory of 3784	976	Likjcbkc.exe	91
PID 976 wrote to memory of 3784	976	Likjcbkc.exe	91
PID 976 wrote to memory of 3784	976	Likjcbkc.exe	91
PID 3784 wrote to memory of 1396	3784	Ldanqkki.exe	92
PID 3784 wrote to memory of 1396	3784	Ldanqkki.exe	92
PID 3784 wrote to memory of 1396	3784	Ldanqkki.exe	92
PID 1396 wrote to memory of 1776	1396	Lgokmgjm.exe	93
PID 1396 wrote to memory of 1776	1396	Lgokmgjm.exe	93
PID 1396 wrote to memory of 1776	1396	Lgokmgjm.exe	93
PID 1776 wrote to memory of 3344	1776	Lphoelqn.exe	94
PID 1776 wrote to memory of 3344	1776	Lphoelqn.exe	94
PID 1776 wrote to memory of 3344	1776	Lphoelqn.exe	94
PID 3344 wrote to memory of 2904	3344	Medgncoe.exe	95
PID 3344 wrote to memory of 2904	3344	Medgncoe.exe	95
PID 3344 wrote to memory of 2904	3344	Medgncoe.exe	95
PID 2904 wrote to memory of 960	2904	Mlopkm32.exe	96
PID 2904 wrote to memory of 960	2904	Mlopkm32.exe	96
PID 2904 wrote to memory of 960	2904	Mlopkm32.exe	96
PID 960 wrote to memory of 3220	960	Mchhggno.exe	97
PID 960 wrote to memory of 3220	960	Mchhggno.exe	97
PID 960 wrote to memory of 3220	960	Mchhggno.exe	97
PID 3220 wrote to memory of 720	3220	Mplhql32.exe	98
PID 3220 wrote to memory of 720	3220	Mplhql32.exe	98
PID 3220 wrote to memory of 720	3220	Mplhql32.exe	98
PID 720 wrote to memory of 2444	720	Mgfqmfde.exe	99
PID 720 wrote to memory of 2444	720	Mgfqmfde.exe	99
PID 720 wrote to memory of 2444	720	Mgfqmfde.exe	99
PID 2444 wrote to memory of 3008	2444	Mpoefk32.exe	100
PID 2444 wrote to memory of 3008	2444	Mpoefk32.exe	100
PID 2444 wrote to memory of 3008	2444	Mpoefk32.exe	100
PID 3008 wrote to memory of 1480	3008	Melnob32.exe	101
PID 3008 wrote to memory of 1480	3008	Melnob32.exe	101
PID 3008 wrote to memory of 1480	3008	Melnob32.exe	101
PID 1480 wrote to memory of 2900	1480	Mdmnlj32.exe	102
PID 1480 wrote to memory of 2900	1480	Mdmnlj32.exe	102
PID 1480 wrote to memory of 2900	1480	Mdmnlj32.exe	102
PID 2900 wrote to memory of 4728	2900	Menjdbgj.exe	103

C:\Users\Admin\AppData\Local\Temp\1bdfed7e943aafaa95e929afb9f2b06bb3ad2f56db966268308663fb1c64addeN.exe
"C:\Users\Admin\AppData\Local\Temp\1bdfed7e943aafaa95e929afb9f2b06bb3ad2f56db966268308663fb1c64addeN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\Lekehdgp.exe
  C:\Windows\system32\Lekehdgp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\SysWOW64\Llemdo32.exe
    C:\Windows\system32\Llemdo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Windows\SysWOW64\Ldleel32.exe
      C:\Windows\system32\Ldleel32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4408
    - - C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4388
      - C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        35⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        47⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        48⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3444
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        53⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        62⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        67⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        72⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        81⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        84⤵
        Drops file in System32 directory
        
        PID:3960
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3144
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        86⤵
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        87⤵
        Drops file in System32 directory
        
        PID:1228
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3332
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        92⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1444
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1664
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        103⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1852
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2912
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4344
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        108⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5332
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        118⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        126⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        128⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5996 -s 408
        129⤵
        Program crash
        
        PID:6088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5996 -ip 5996
1⤵
PID:6060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
91KB

MD5
71d8def30d758e0772a7ee760241cc0a

SHA1
2779b35e9da066abcd008b03c6e98674af20f033

SHA256
006eabe7b05ecdb903793dba7bf05060717688cc38e533945ca45d8561af775c

SHA512
6845a914ee96387983291c0828bd2167d2533566bf2fcae960b79a4156e6176487d83af41e76f9971f9f8ec69d626346fe434310cbfd8c9493792d6a489bc6a3

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
91KB

MD5
defb22e8f9a638f95d7e8f62a842b721

SHA1
0fc986cf5184f8f4b999fc08ba56578aa1b44933

SHA256
fe9ab4b42d32aee2086fd9ca77f4c8d5bca7875f1f4c9b67a37166a29b2a85b1

SHA512
617d2b6e55d51417e9ed2cb236e777097bc17ff8ca8db518428c3bb62d621d50e3da903fa809ac2646bfa44a165e9775b623b725315e68c0af265c5809286ec5

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
91KB

MD5
4ab978ee962ead17d84e9fdffcc999ef

SHA1
952a7e87d5516dd5f61aa52646d64c4d2172257b

SHA256
33e6d92856fbf1e183bab2c0e412ba7756c440e984eaa2d1299c4b5efc220c8b

SHA512
9ae84984e80234fc018902ed6ffc488f9cb716af6f3bd23fd6d2d03c44cbd59b6db0504c7842809a9ff9d43029a35aeb32d67276f39e94e2eed8e4a8fd2efcb5

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
91KB

MD5
5615e181856516120c13a6d6470e96b1

SHA1
cfe5e6d036d243eba7f1090e85a971c80cb719c3

SHA256
d8062432865400f4ea15f2d93a43146d4e8bc56b0d35bdecd9401f7e41f31c09

SHA512
825ce9ca21a103313441db7807fc1fb3a10c97b37a91640f1537bd1c79e990b51fd73b6be9ae86bbcacfc6eb887973fa9cbf619dea98759491516fbffeee8b95

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
91KB

MD5
4e91ca2ba4abcfe41b3923f4e9f65def

SHA1
2a58481752187fcdd8e9e5c82b377a11282a89a9

SHA256
b3aad5ce8000a9aea463a787e9d145db84ca18a62140ba1b42296353bb2d7c90

SHA512
e72dbf3be95d464a5d5d845bdbeac9baca00e89694efe18b6a71fe85e937c2066a2187fde687af78d4580e751dbc1696cd658893a83926f9ce216e5f38f43578

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
91KB

MD5
5007352eea82012d6e8f60b6d5635b70

SHA1
3b36cd9dcb1a85885c8fd64dfaca7088e37ce11e

SHA256
11489a798be8ba717662fbfd934c59056363bcd1108eedce4f06336202960032

SHA512
e0b42244cc3262a441d43396842ced9f47674a59ea0e3d4963f31521d714930afa2cea87e513b3e957ac55147267ed653313beb386c1e7ce1d9928f389590482

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
91KB

MD5
4cd0afb197840406201781837aa3424c

SHA1
64d6a160b3198fe747d00db3aa6b614baab5ed2c

SHA256
b90d6f7a0e1b4f00198408f5b8c6a1082b7bb7d48ae5fd4c8720fa93fa6da37e

SHA512
1df5d2091cb8e3a58907beb3121bd8d98a5cf8f6503275f479d4dcc3e51997ab89b10197fb3211733f395e6ac15d0a93bcb4af53197903e41d0e6ca9ba11ede7

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
91KB

MD5
5f915b690e8f344e1944deab89e47c8a

SHA1
a3bdc192810caa33939265abc363fc5048e88a9b

SHA256
c82ad370c0f8ed6c1322808f1af47138c3014b3c4ec757740f454b6a0e9bb8e0

SHA512
0c28130f404362ce7618175f7aa34eafe9df9c451630639cbb81160bb4460f7ca49e127d3449d3abb605aa16cac1f01bd0d06288b0d0b4b2e7d70692ad4c436b

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
91KB

MD5
abd22257cec7dcf0f9e6fb2dda0fc7c7

SHA1
e94bf89b814115b542407df3f4fc07d366262093

SHA256
e08ee23a98d13bb7410e9f6e2434e67d6896d031fd064aba2f7eb6cd2ba9933c

SHA512
f4455f85fa8d415a50d8f5899e546a14ada7bf314c2c3cd4f66bb1c0146c51384cbea5bf8b6d69921bfbad4a010e705126acb6e62215c2e86a91ddb9e62fcbce

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
91KB

MD5
c2c803f55f63fcf8b5c17f91d7dcf5eb

SHA1
d45d447e0583d0dbb6933bc2b6660f2475957f43

SHA256
52a04c873b7fa5900d6942f07db2265e7b99b07b311d38333414b4856cd23d32

SHA512
175fb3c47003456cdc182cfbc10e137fc40e5b6b0b90429fd5cfe923a08fe77934f145e71ecd3e6ab27da92b05543cd2d78def5ed2a9ffbc7eb6cb8fa5e13e70

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
91KB

MD5
4647d630d2c59cc8eb64742b75ad8143

SHA1
d34e007f2781d3fc7ebcad7dd15a067821de5ea3

SHA256
944ada7a8fa34b4d5d90becb234d1e6cb2acdc6720150fb51d8613fefdc64a20

SHA512
d6043b68eca860f5c03482cd6bc149e11dfa82ac94940667d3b0f7d0a544e455e335a75b087af801f90c6f4af838c298a41e734807b305e1cf9538407bae32d4

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
91KB

MD5
c5a168d32e79e9fbe8ca3e0a90e344e8

SHA1
5d89bcca8b43c27741de331ac922111db9022592

SHA256
5e67a898fde62194e76a9211c8c203758e80c0c5ed978a8d35229816f64ba62f

SHA512
1831821c271c97fe46de2cafb2437a9039b9ebd050606c908b633589ddff66755e995f6ef75c4a391d91b86480e9a305578fdc0ccd7da1ef2ab9d7ad282c1c43

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
91KB

MD5
a38c181c0481d12e1d37bbcf919400a6

SHA1
549941634ae554a6ac2cbe170d6ecd5a745faa83

SHA256
9a1cf5474a8558a25d6ace8f773258488f45d99178156dfdc9b85a71e829c742

SHA512
5de87157843f3d6ada5598a91c214f39c6f15b3218a72e586ac0125d821cc70bd127f4628514c0a27127c2c60f8fc9acf760c6c9750cbfd1598d262c3b04d0d5

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
91KB

MD5
22d386602f3a5d763b8df1583f8e4678

SHA1
135d0a4259720991839e764e40570dd9aedd3ccb

SHA256
e33a63ea006fb5de265c9b7cb01f1629e46f2ccab510b2362f1c72c663823dd8

SHA512
a9d3280b1de7c5056f026fac41b7dd4b18ee07594ec8fde26d9f9629583d1080399fbc0b09c02f8c69d847d1f03dddb5f5648ec6c25c8748d9d4f34a55b3c383

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
91KB

MD5
5430f6724ffa6d0338d4d016f37911d0

SHA1
b1df8d70f81cca70cc730f1456acc7d4faf1a497

SHA256
17b836ef279d272563b3f3282a4f70e7f33bb70b9fade21dddc5741390f13d70

SHA512
610d396921f5fcc22217780cccc39b2492c6eec3ab043824add98e9d6db19934584b3300969edd7e191eb7081eaa5a2fcbf6574bcf9489264ba7b7327ffa083c

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
91KB

MD5
c5d791307f013bdb0d171880a4f7625a

SHA1
dbb156531ae89111e6d50d74bb52c2d3f1e29190

SHA256
b3c10116648c09072e115dfa50c751a4d9ff361cfce9beecce0baff264cfff40

SHA512
f944926d4f0a744cf7e9574f50b5ec767a690f8436e6b78cf32a358657b63ac9fb72d8a388a92f9bbaf463585ac5f4bf080c93d0d618d1bc9f09610ce945bced

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
91KB

MD5
ff650addff53d21abc7154b3cd1cc570

SHA1
9b5e89dd2dd789f87c08b3eece0f7112327c93c3

SHA256
de1ff81ca2eb1e7d796dbfb7e1daa653a03c302a147126275d588df8b7cd2a13

SHA512
fdf105678ee592b9151b26b12f7f06407ac249455c793e3c892097b586bf6634bf7aeb92573a1e0786b1ca8f2f2d6a7c7c28dc07a1c76d05a5985cc45d48b98f

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
91KB

MD5
61ffc039a98156e4e0c1f834b94fb877

SHA1
f69be08d27cfd51c1910f8c9714ba90793e1b40c

SHA256
24efd4c1b92e90859721186f8c301249c091ada17382694a1950f5204b678e0d

SHA512
e58823105e195ad01e1c3cbd9a3dfafa93b579c0709e5df6ce95cf8f216da4ccab8bb4c9a90fccd22e58402a1786235c36a90c95010d452c69db8d2fa0848da6

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
91KB

MD5
5462fc1ba443c1e23786ef1f26174696

SHA1
f68bf54f4da0c0c90e6638dc39de177cf1eb28be

SHA256
7726b580abd1aadcfc69d638679d5650b030ce0e0ac039d41d3d7e29c8f61dc1

SHA512
22dd8632bec31f2c157fa3babb3b4825deabb063931bec9b9ee7068d7ec4ff792e14d8402ca4a0a7b9025100d046c1db951b334806aa57d98f54494c10966d30

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
91KB

MD5
fe9279d137c4b07ef8777d82f9d42260

SHA1
c91303f10cc28cf24e5e623491d5bea70d9b7d97

SHA256
de14b259afae67896084eededddc000286ada1bbb0361be5821cbbfd0bc02dec

SHA512
bda296158aea76d094c71bc8d367e2c1ec8decfcc43fd1b4c3bd45b9c00c5a8fb4d5deb27fc951ad94a635331209ca82231f7059264d46c7be81233783513b81

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
91KB

MD5
4b9beb12a19858c48e8333c7a302c311

SHA1
29054fbb2afe9eedb5a6ad106b938e9bc70fa67f

SHA256
6bf8218436650d0502d27604f025da1b6fdb92eec2fab26a65b4a0d1be75f44c

SHA512
187154e488378d4054cdd79d2ea973ba23645f1b02cabf5c8b513d7d115f8004dd08352695fad9a19bd292e06fdb0b6b3c8833f9fe4d6c5df5bfdd2f54eace31

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
91KB

MD5
0275154cb6f4ac5be3496af326a227ce

SHA1
82a66211d7a3a82688c6a76248d07348f2cb8bc6

SHA256
0003b675260e2db9506e89b8ca3c5a06a2eb77c12ce2588eae453eb463b1a3ed

SHA512
b636f7abc7d9f89afba69e9fae02d0981498105e0cb3e52fae9cfe7d294ad1abb0bfaa34cdca03bde7ef3b425dbbe42f2fa8df69c30e523642bc659dd3ac2369

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
91KB

MD5
a030e9f4804dbe38c500a965088780b0

SHA1
73f0e0b4462b6d305389f7eeaa5e95a7be16f21b

SHA256
df94990b892b8e2b768c2c59fa4911d984468c58a5a9baab0469210890793894

SHA512
7fb6cfd04d0161019a4fa4c85cbfdc854d735fa0b1451248615b6a7b0638ba86ab961965fdd3c89e1c910b74ee3700342dbae2db7b37c8a1d7be64e9335db198

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
91KB

MD5
3ae9415d0939a605b9f1070fb489155e

SHA1
1ed747506c19c4b0891565fb0e3ffe2c8a07d9cf

SHA256
45f28642e1050db76a6621631723a08f3fa1392932d233650a97cf69d95c7dda

SHA512
7495f4b4afb5f6a1ca0902b30cf0c520084f88a4fd965a6e3b240fe6beb6fed03642840f71ad28a1a4746a057c11d38127aecd096b5773b42cb00608a54477a6

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
91KB

MD5
58c47ee8127cc37e5ca8228857f35744

SHA1
d48b028f1f512f118cbb00749b7b80af71ee051a

SHA256
67abf2ac283681b824b31ca3d74c12beeb9e883e95ba40ecab07d5b7669d3c65

SHA512
eab45366076bbb0fb70b2f8d71071d911674e41e26799df7eebb0ba4724f2d0b0c46ef957642f1e5afe69fad6ed00170f7f8f03b1798977e298d7943161e8855

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
91KB

MD5
2f1d202e7620eb0767385597eb53c129

SHA1
a563bf0cec844ba682c1a18d55a8ba63a1643d11

SHA256
51ec9ad4e358907d57c93ceec8738a030aedb65a36a06359f87c9a6d31396d57

SHA512
2495b556c8761b1c43525b17caca73ce29f11bc181c6f337661474e3409707f8cddf5c825812d6463823883b35b8ec2b89c9df3b25bca61b7ddec66dbeb4b690

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
91KB

MD5
e8110e8ecdb05e1e8fabf9b6c7fb5be9

SHA1
8de15d1e5405cc1beb51f39eb282b9245d06c234

SHA256
be7f842fa09ab9647e403ec128d42c3822a779e9d8ce384858d95dff2eef9e49

SHA512
942009716c570fe9bf947559d37a3cc295b7cb983f814322e06ba3f90b3c46a8117e5bcefaec9170bae2bef0391150e8c0ea6ad3a245daaac59b900db9f511ae

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
91KB

MD5
f83a5c3bd66f84e49a682dfb3f8bd28e

SHA1
6c0ada2e0edd1f75154d608e5551250578ad59be

SHA256
1c5ca54b8865da5597ecae2d7e312b75a3595541c8675b40b795350bdc54eb6d

SHA512
a2e75f6a1f95d5ada33620e9c1a1c39669cea6bdb45f26b40665c7d08cae6ff15e22b637ae86072a28efe81d4a1314122f8a4a0ca1b941c25107f4b720aad09b

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
91KB

MD5
298b69949d541225fe6e31ee6d5591ae

SHA1
b4a48281c15aef43e2058872d75fdb6b4cf06469

SHA256
612583e01a4e6941029dee04495851f3fcc8785f5652a0eaf2f82832c9383a87

SHA512
c0201b8ce74ad0fc1abd8709ba074a4e9d7363a6d994b4b18749bb6d168f5b26a2668f2b4da1851bbd8adebbc4377b723f355d3098642628a24400df81cf350a

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
91KB

MD5
89b7d3b8ac786265bc25614b09ce3a89

SHA1
33cfb66cb56f008027985eabae029f112b181570

SHA256
019565c545a4fd33f63c6b6821ab574cfbfc9f8a0021916c064f1a33fb951f2a

SHA512
6767a7a6f6b11deaf556299d97adce27a7c7d9130107fc457f2a5aaef350d494166834313955f8b9934ef29c6ee00db489d0fdf31693128044707e2e21b5e4b2

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
91KB

MD5
df99a0b79fe628d1cb94fa7ff96d7fdf

SHA1
c21f87bd71995152566e0ed30e9c8e7858ac8069

SHA256
6f1b18f26d96387c8b1a4921a56b7b6a2a9e2c7df2880197c707cebbc6db9902

SHA512
02fd093af61e78696a774285f43f26b495065944d27bddb2d74308abd261c59ba8b6fb9bb79da9fd4821b69751f521026964d2d025b91da60279ec3e3ea2321f

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
91KB

MD5
92bbab892815c2b32551abbd730a9698

SHA1
c280d33a97438c1bbb906d27a4f53a6fe7ea9533

SHA256
017b55dcbc7048dc40b6d816b5c12177729a43ec70a92f5773ed6554cf7ea06b

SHA512
fb7c51b6aab990b73d9978c4f32df57466fe447d8c9814c72344d6f9809dea1897b80140d7ab3e6f8f2df097cc8deee959c43ae6cd838d3f6da3ef06b5fe3af2

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
91KB

MD5
52612e10137b4851ca87d21acd4ec18d

SHA1
5ebc141d5beff81ca6444a005d40700938ca1d28

SHA256
ac6198e278129c46712c057220108b54290cc4dddb53d9741ab315fcbe858f36

SHA512
bdffeb4894c338020cab543f001c435a531637bb58928081b86b2b96b3a038a9a33cc080e47e9f95f3cbe53ce49b86544c0473faa0a6139d61b3d69b02277c04

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
91KB

MD5
096a6167c4a4eb1ddcb582657d0b8161

SHA1
15a346992469aa4a2079a6eb53d213a69d2d0caa

SHA256
cfd6aa7cefb1f8d7b26ec67b8268cd299c699397fb1c88f468bd0cce0ecb01b5

SHA512
247a26bce66881eab06097c6e104a9efde7db31526ac1b9c1a235b134e53546f950aa1f7b5ce6133ab18d716a0a99fee606d06b2c7f5764b1caf8ab7d3034cf4

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
91KB

MD5
8cae72cfae403c5d5e58e601de875fb6

SHA1
3a75a4772514232f77bb69c883c81ed4fd4a8193

SHA256
711acb9a9bf44bede015d8dc17b4d79845e14c03ccfe6a4d060788af55dfa0f5

SHA512
9f2272b965f545399488162ad5a404b9afe22af9de6449737c6b1b3fefa01a9acaa7dcffa66a7055f045d3e4723f3cd555d992117e4cf8500ceca5a888090175

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
91KB

MD5
5f28800582e90d1f103ae9687577d4b9

SHA1
1345604e57abbbaba9c9c1843461244225e2b325

SHA256
315b066b93ea6d53735969b7b3c9780975a47c2168734f610b1ad4d9f4784e81

SHA512
89ff66f218457c7c3c2e2111a65bce02be21cc02eaec6927fe8bc13f276233500d6cb59a8787fe8b5c1afc24f83164784290660fab770ef01b766ee8bede48ac

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
91KB

MD5
430b2e814b6352b6f71c55abc09a8b72

SHA1
f8869c8cae82ec7cd226c25855880f565f73bfff

SHA256
c0fb04342a168d689a84fc6edcd879a71ed2b554e2caed02fd4acf10da40b8f0

SHA512
941eacfcb1428bb4e635d600fded4ed09710a5ca9ead3f48bee5a8d20305645efca94c45bde5bb6b5a63f403c089c500059b09a2664aae93a2dc1a2303d96c93

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
91KB

MD5
364fc014e74feacfb420df01d8eb9d60

SHA1
9be4d77586f85bb477741d0a1cc7ccaabe530e4d

SHA256
66e167a2230c8dccd90e84038994e872e446a836fe8cb7f82929ed920fa506e7

SHA512
42d1ab4b87e6c718301a1631925db8c4996f55a4fc80023a71e92d3ba634dfe58a41196a655544edd74dc68180c6ce4256b2bfff2d6d0cc58226fb380651ac8d

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
91KB

MD5
3f919f4389357ffb7d15100c9c8953b5

SHA1
b5cd9049f3c55081943ae0ed8037d8fc8f144fb0

SHA256
5cad969775805134bfe000a243572c867326ed1023aa5fa09eb1ae874ead0a88

SHA512
486690e9aa3b8137bbecd3dbe13b5e93cc38f9628b2da93764a915d8a4d95519fd4fdccd1cea24baf8e3eaa9321c70d59315ac705dbda2e42b0502ab4ff60e7e

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
91KB

MD5
cfda1cb35a1b74b8704854c7ff0d6098

SHA1
88e05e06004a1387c98a028385cbb1e67dd61b76

SHA256
74d4797db58e3182d233803e2560637e06b1afa8e3b7322a44ec9f200291fbe1

SHA512
ddb656f2c334596a2c9574cf2f917113c0bdee2a08125703dca4f99fcb60f427b0d5f051db6690e67f6c51bc411b53350a783ed145193e49bf29bec6715e9825

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
91KB

MD5
bd82fccf436c7360e7ce7b09bfc4ce2d

SHA1
98af79a88a5e848e845ee4d7ba4fa3b2c04b2faa

SHA256
1bc29b0d83dfd2904ff759baa85f9f64130607d09d1c32961d4cae7d80704fdd

SHA512
6fafc25bcfe59b3a7f6cdd2357fec6561993cf89ff3ae890f8ab6a91608bed67bacdf66bd3fa95b5422584769ccfd1fd326ad102249194a388b77cffff720f68

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
91KB

MD5
59491f376ba79f7ef72620b9992b2b21

SHA1
18369947da9ade6826121da66628e48eb6daeede

SHA256
39e746a7aac46413241c61b81693452bace9a840994c247d5c644cca8621b2d3

SHA512
d615affff4aca967afc1eefdabc382852fe25bb179436d33c7438842e8344290c8c7662d5a75430c5d063ee6dab53d578644acdd1e7093ff68531e67008289d3

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
91KB

MD5
0f58d8acccdf24abcdbd8525199c1662

SHA1
0a81c910b08f9ba20ad126d2bd2dfae3f7cf70ca

SHA256
9b29c79088b4e545115025e6ac9b62c39be268eabf2b600d6cf4cba427dcac43

SHA512
09f3a7529e9b9993efdc1f95711fd787c6ff4d971bbbbbb1f20ad8790ca7aacdc166a71d2c72c0656d6c59018e85ac205695e01967914b80aafa5058a1213e74

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
91KB

MD5
6e9653888ef433f91e6990cffd62b52b

SHA1
13870e38db3af921321b2a8e374a33e952d31a34

SHA256
e8ba48e5adc41995e648cf58607eaf0f087568b0ca9f52f3c594cf702c8b7719

SHA512
71043a313c87be1e4d606fde80ba64681b49b8ace822bee80dfdacec2d1d5550ea5dea8499a190cbf79f50846940a46a831fa49adcfe3beaefe9ff22e8d698fe

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
91KB

MD5
3badc52ee962c9649f0ac1f0fe3b6623

SHA1
e85fb476674991d8ee48933a0abb74ea04115370

SHA256
55461a269da35b377c80ae77387d717bdfd67bc8cc89444ea6121f3020848f5b

SHA512
2b7f2b3cd2bedfc0ced3fa298f3bd813a6759ef5e3f3c63d9a51cbf93d56b1223ac0ab50ad8cb65b4ac290f1140afd4b91f227ddf978b8d7add8a00917356324

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
91KB

MD5
2bf2b15602889cf6121b675409c3bda7

SHA1
781b909f3bc0e1be26512bbf2ce7168ac41bf8be

SHA256
a4b60005cd71e4981720df15ed358517bdf91edbf8ac35865767f6a0abfb5f46

SHA512
e1f1ce47b255348eb04835e1de09c369074877845e1ea076e9ef7944294f14c2da885ca09e910dd04d9cab6e8d08f9682b2f7b02baf9558f75d1a36ea5926e36

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
91KB

MD5
eec0904b07a40e0fa5ef4b8f99a2680b

SHA1
cfde1096ba536fcb1c3d9f415dd18ce8aeec57d9

SHA256
0df1c943797caf4701644d8aaec8590408205cfb4fa13e268e05f747ae05c177

SHA512
9bb3e4f4767d9a67c210eb9fa820302155b0cced49b4d2788d7d5d678b8f9ade797d715228b7f10b57a327ca4ee36f8a6e54d0b2b00dc5bacbd0e2b19d6c419c

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
91KB

MD5
46376003e2751ed0f0de4ce3d9b7d640

SHA1
154c3390e0e95b691d6cd0d4de1459f05818f6b1

SHA256
33be19b810ad3b4e98bde62dfa85aac46228c656947d8bdc12bd9536eb64a388

SHA512
7b8b156804571ce2e70f0f249f6275d183af90d3b0d3c4b82ac4a384342aa899a65b681a72d2ffe4d14fde92d0e7e7539606043c2517e58a9c675b5f094bb409

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
91KB

MD5
c24a38ac3bec10771f12f1ef1677b738

SHA1
e1965a0dcb269f893e69d82eb5957ef409764490

SHA256
ae6607ea53506b50c0789148a832b9954a40db707be85f3704c22214ba439dfa

SHA512
ad14c97d5f48e43444ac5fb3fbb82fb43e90bbe77609b5e043be0e0c92b63ec621d3c5ffcf0c141f62e64156975f985121e3165c582bfa924cb678ef1e9585e0

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
91KB

MD5
e6adc167549a707da65ef56690742f30

SHA1
3bea936f5a7de81a377b25da03e49796d7c24c91

SHA256
03938071c3b985f6118a7352e8c44501b20d28dab28da30aabcb27335790671e

SHA512
4fe8b72c78065bde432414cf7656a3895418ef0fd029d4e7b379c2c5a89b3cc8b5968905a287f4f3e38befc401a704e4fc7b6f075877c368b0ac507eea5925f9

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
91KB

MD5
efe5328c6b6b45bb6527c4ec33658980

SHA1
5ee0206207fdf341b08f66bee53abbc1916ec218

SHA256
b46d673e1f8e11d855424d562e7486e987413450ab18c7f4b05f071895cb05e4

SHA512
8a5a95b8de01fb8ae9ae4bb61980cbf01fff84196c368d9e0c8126bba2c18cb182409a70115011f580bdd99efc633ad296a00866a0db7fa969e58a3699926c96

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
91KB

MD5
ac8c03976bfaf7955efa80b5a0e4e23c

SHA1
05b107ee0e1b49f56ed86d192244a159ffdf7730

SHA256
2be077df672605c783f6a38fddba18f328b5f3118d36ca99099789e6cce4d3ef

SHA512
93bd2dd10133eb654f47e747c23fe76b3b0eb5d939c59b32f68ed84c0432e1ce189c17d1331fdcb888307d4c91db2d23274ef283f653a4202b5b57f6d061d0f3

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
91KB

MD5
fe2d10c6f5ca6aeb63bd279477e8622d

SHA1
27913c2d811d166f1e16274c650d7834b7313450

SHA256
14596d0b2f1639bf8f647e8a6b1593dd563c37ef056a9e15f7385fb487e70ef2

SHA512
54a87598e34dfe502987c1974dc1092de03578d4bccd0da697610f03e82098193332679be3cf935ca4a8b17c591cf53181c323aa32588b015175095dc7a3c06c

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
91KB

MD5
41ed4bfa465c7a874519d2aeaffdd54d

SHA1
47861b4f2ea47b3f03a8be187a2e4b72a82a2cab

SHA256
a3b5fc189b7f93f42881554f51c86b2c56cfd544b5e9d39b9ec26598ae718711

SHA512
4305d17aa0795a2cd6b5caf66c231078bc7e81a1395ae71c4579711d1e0ae8e9cc5851654a97bb3adefac86c5891233d809da2df7657cb1bc19a77ef5fc2b8dd

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
91KB

MD5
6d2943eec2503f5b28481ca891f0760a

SHA1
191098d730d9722764df349218a51061b80bab77

SHA256
37976a2e0fc7a747d02a050e0dc44f61c10997307789c3798c2f278f6731c9c2

SHA512
390316cbf7a4d4dc39a8f4965230648045599f3c14ed69f891c81a2d5c0a35ec6acb2d4ef1ee3fd1da5979a11b5d5cb2b9553ec5b29ee647cced6f300296c852

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
91KB

MD5
179640de67559766cf1e9fa69dbc1d78

SHA1
0a87e57864b8b1b08e1d62bb0396a8e66ec20287

SHA256
d97b2a80ccf2622becf56ccec3fa39bee9c0f8f838a57f22e51b147dfa83ce86

SHA512
3f21130055ca5696aacaaa7e188124b2beb4338abadda7096e860e22c6eb35502114dc904abe7050f4b64635b0ad1eeb6b116b5b47eafb61c832fa998d764386

Download Submit
memory/8-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/224-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/436-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/624-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/640-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/668-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/720-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/864-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/868-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/872-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/912-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/960-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/976-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1084-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1104-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1108-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1228-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1352-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1396-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1480-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1716-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1724-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1776-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1904-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1952-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1952-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2072-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2128-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2280-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2444-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2800-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2968-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2968-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3084-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3144-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3164-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3176-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3176-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3192-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3216-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3220-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3344-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3444-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3496-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3632-512-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3784-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3924-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3960-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4032-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4032-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4052-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4172-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4172-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4192-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4208-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4256-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4276-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4328-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4388-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4388-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4424-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4560-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4564-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4564-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4612-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4648-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4728-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4828-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4956-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4984-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5040-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5076-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5248-908-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads