berbew | 49cf35bf82b2c54df37d61eb9bbafba2400aef26c81b8423c6a92882e65b3838

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49cf35bf82b2c54df37d61eb9bbafba2400aef26c81b8423c6a92882e65b3838N.exe
Size

205KB
MD5

babe3e257a95046f95f0317d09937970
SHA1

def89a998803d02a45e59d5bc2fc05fab5780d9e
SHA256

49cf35bf82b2c54df37d61eb9bbafba2400aef26c81b8423c6a92882e65b3838
SHA512

3e331c87ad66e359476ef4681a9067900d3ffe77eec679d0b4b34f7a889a003cfb8e9e56b6620c091ea0e6959a05a18cfc4ba10fde408e7be76e06937a922486
SSDEEP

6144:/6XDLR/Y1j1GyZ6YugQdjGG1wsKm6eBgdQbz:CZg1hGyXu1jGG1wsGeBg8

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aclpap32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2888	Lpcfkm32.exe
2676	Lbabgh32.exe
4568	Lljfpnjg.exe
648	Lbdolh32.exe
4932	Lingibiq.exe
1412	Lllcen32.exe
2076	Mbfkbhpa.exe
4088	Mipcob32.exe
3560	Mdehlk32.exe
2036	Mgddhf32.exe
1356	Mmnldp32.exe
1756	Mdhdajea.exe
1824	Mmpijp32.exe
5012	Mgimcebb.exe
3532	Migjoaaf.exe
1052	Mcpnhfhf.exe
2412	Miifeq32.exe
4452	Npcoakfp.exe
5048	Ngmgne32.exe
3808	Nepgjaeg.exe
2960	Npfkgjdn.exe
2684	Ngpccdlj.exe
1776	Nebdoa32.exe
1268	Nphhmj32.exe
5076	Ngbpidjh.exe
2856	Nnlhfn32.exe
4184	Ncianepl.exe
4928	Nlaegk32.exe
1732	Nckndeni.exe
1716	Njefqo32.exe
2608	Ogifjcdp.exe
2620	Opakbi32.exe
4356	Ofnckp32.exe
4432	Odocigqg.exe
1720	Ocbddc32.exe
2208	Ojllan32.exe
4256	Olkhmi32.exe
4340	Odapnf32.exe
2332	Ofcmfodb.exe
2780	Onjegled.exe
896	Oddmdf32.exe
1788	Ogbipa32.exe
2844	Ojaelm32.exe
1392	Pqknig32.exe
4664	Pgefeajb.exe
1932	Pfhfan32.exe
4648	Pnonbk32.exe
3540	Pclgkb32.exe
2500	Pfjcgn32.exe
1028	Pmdkch32.exe
3744	Pncgmkmj.exe
524	Pdmpje32.exe
520	Pfolbmje.exe
4444	Pmidog32.exe
4084	Pdpmpdbd.exe
3940	Pfaigm32.exe
2516	Qnhahj32.exe
620	Qdbiedpa.exe
3544	Qfcfml32.exe
2480	Qmmnjfnl.exe
2884	Qddfkd32.exe
1784	Qgcbgo32.exe
4036	Qffbbldm.exe
3844	Aqkgpedc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Mcpnhfhf.exe	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Npfkgjdn.exe	Nepgjaeg.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Ngbpidjh.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Migjoaaf.exe	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Ncianepl.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Lllcen32.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Mcpnhfhf.exe	Migjoaaf.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Lpcfkm32.exe	49cf35bf82b2c54df37d61eb9bbafba2400aef26c81b8423c6a92882e65b3838N.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Mdehlk32.exe	Mipcob32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Lbdolh32.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Lingibiq.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Ocbddc32.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Mdehlk32.exe	Mipcob32.exe
File created	C:\Windows\SysWOW64\Codqon32.dll	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Mgimcebb.exe	Mmpijp32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bchomn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5952	5864	WerFault.exe	206

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49cf35bf82b2c54df37d61eb9bbafba2400aef26c81b8423c6a92882e65b3838N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll"	49cf35bf82b2c54df37d61eb9bbafba2400aef26c81b8423c6a92882e65b3838N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffpf32.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	49cf35bf82b2c54df37d61eb9bbafba2400aef26c81b8423c6a92882e65b3838N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Miifeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Acjclpcf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 2888	3292	49cf35bf82b2c54df37d61eb9bbafba2400aef26c81b8423c6a92882e65b3838N.exe	82
PID 3292 wrote to memory of 2888	3292	49cf35bf82b2c54df37d61eb9bbafba2400aef26c81b8423c6a92882e65b3838N.exe	82
PID 3292 wrote to memory of 2888	3292	49cf35bf82b2c54df37d61eb9bbafba2400aef26c81b8423c6a92882e65b3838N.exe	82
PID 2888 wrote to memory of 2676	2888	Lpcfkm32.exe	83
PID 2888 wrote to memory of 2676	2888	Lpcfkm32.exe	83
PID 2888 wrote to memory of 2676	2888	Lpcfkm32.exe	83
PID 2676 wrote to memory of 4568	2676	Lbabgh32.exe	84
PID 2676 wrote to memory of 4568	2676	Lbabgh32.exe	84
PID 2676 wrote to memory of 4568	2676	Lbabgh32.exe	84
PID 4568 wrote to memory of 648	4568	Lljfpnjg.exe	85
PID 4568 wrote to memory of 648	4568	Lljfpnjg.exe	85
PID 4568 wrote to memory of 648	4568	Lljfpnjg.exe	85
PID 648 wrote to memory of 4932	648	Lbdolh32.exe	86
PID 648 wrote to memory of 4932	648	Lbdolh32.exe	86
PID 648 wrote to memory of 4932	648	Lbdolh32.exe	86
PID 4932 wrote to memory of 1412	4932	Lingibiq.exe	87
PID 4932 wrote to memory of 1412	4932	Lingibiq.exe	87
PID 4932 wrote to memory of 1412	4932	Lingibiq.exe	87
PID 1412 wrote to memory of 2076	1412	Lllcen32.exe	88
PID 1412 wrote to memory of 2076	1412	Lllcen32.exe	88
PID 1412 wrote to memory of 2076	1412	Lllcen32.exe	88
PID 2076 wrote to memory of 4088	2076	Mbfkbhpa.exe	89
PID 2076 wrote to memory of 4088	2076	Mbfkbhpa.exe	89
PID 2076 wrote to memory of 4088	2076	Mbfkbhpa.exe	89
PID 4088 wrote to memory of 3560	4088	Mipcob32.exe	90
PID 4088 wrote to memory of 3560	4088	Mipcob32.exe	90
PID 4088 wrote to memory of 3560	4088	Mipcob32.exe	90
PID 3560 wrote to memory of 2036	3560	Mdehlk32.exe	91
PID 3560 wrote to memory of 2036	3560	Mdehlk32.exe	91
PID 3560 wrote to memory of 2036	3560	Mdehlk32.exe	91
PID 2036 wrote to memory of 1356	2036	Mgddhf32.exe	92
PID 2036 wrote to memory of 1356	2036	Mgddhf32.exe	92
PID 2036 wrote to memory of 1356	2036	Mgddhf32.exe	92
PID 1356 wrote to memory of 1756	1356	Mmnldp32.exe	93
PID 1356 wrote to memory of 1756	1356	Mmnldp32.exe	93
PID 1356 wrote to memory of 1756	1356	Mmnldp32.exe	93
PID 1756 wrote to memory of 1824	1756	Mdhdajea.exe	94
PID 1756 wrote to memory of 1824	1756	Mdhdajea.exe	94
PID 1756 wrote to memory of 1824	1756	Mdhdajea.exe	94
PID 1824 wrote to memory of 5012	1824	Mmpijp32.exe	95
PID 1824 wrote to memory of 5012	1824	Mmpijp32.exe	95
PID 1824 wrote to memory of 5012	1824	Mmpijp32.exe	95
PID 5012 wrote to memory of 3532	5012	Mgimcebb.exe	96
PID 5012 wrote to memory of 3532	5012	Mgimcebb.exe	96
PID 5012 wrote to memory of 3532	5012	Mgimcebb.exe	96
PID 3532 wrote to memory of 1052	3532	Migjoaaf.exe	97
PID 3532 wrote to memory of 1052	3532	Migjoaaf.exe	97
PID 3532 wrote to memory of 1052	3532	Migjoaaf.exe	97
PID 1052 wrote to memory of 2412	1052	Mcpnhfhf.exe	98
PID 1052 wrote to memory of 2412	1052	Mcpnhfhf.exe	98
PID 1052 wrote to memory of 2412	1052	Mcpnhfhf.exe	98
PID 2412 wrote to memory of 4452	2412	Miifeq32.exe	99
PID 2412 wrote to memory of 4452	2412	Miifeq32.exe	99
PID 2412 wrote to memory of 4452	2412	Miifeq32.exe	99
PID 4452 wrote to memory of 5048	4452	Npcoakfp.exe	100
PID 4452 wrote to memory of 5048	4452	Npcoakfp.exe	100
PID 4452 wrote to memory of 5048	4452	Npcoakfp.exe	100
PID 5048 wrote to memory of 3808	5048	Ngmgne32.exe	101
PID 5048 wrote to memory of 3808	5048	Ngmgne32.exe	101
PID 5048 wrote to memory of 3808	5048	Ngmgne32.exe	101
PID 3808 wrote to memory of 2960	3808	Nepgjaeg.exe	102
PID 3808 wrote to memory of 2960	3808	Nepgjaeg.exe	102
PID 3808 wrote to memory of 2960	3808	Nepgjaeg.exe	102
PID 2960 wrote to memory of 2684	2960	Npfkgjdn.exe	103

C:\Users\Admin\AppData\Local\Temp\49cf35bf82b2c54df37d61eb9bbafba2400aef26c81b8423c6a92882e65b3838N.exe
"C:\Users\Admin\AppData\Local\Temp\49cf35bf82b2c54df37d61eb9bbafba2400aef26c81b8423c6a92882e65b3838N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\SysWOW64\Lpcfkm32.exe
  C:\Windows\system32\Lpcfkm32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\Lbabgh32.exe
    C:\Windows\system32\Lbabgh32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\Lljfpnjg.exe
      C:\Windows\system32\Lljfpnjg.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:648
      - C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1732
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        34⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:524
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:520
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2516
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2884
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        70⤵
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        74⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        80⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        81⤵
        Drops file in System32 directory
        
        PID:740
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4908
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3216
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        91⤵
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        96⤵
        Drops file in System32 directory
        
        PID:1220
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4572
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3576
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        102⤵
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        107⤵
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        118⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        125⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        126⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5864 -s 408
        127⤵
        Program crash
        
        PID:5952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5864 -ip 5864
1⤵
PID:5928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
205KB

MD5
1e2ae23518c9bbcd49b6709c647b505b

SHA1
0efca6bc9ca4368b854e7934fd90a7765c99f860

SHA256
7af589224806d112698f5bd83ffb859fbd103cd844a170a08ecc85ba73cc09fd

SHA512
91a1b7a51415dfca4380bcb70f98541d760aef694fd1d4e886e7a77b0f916861356802b41dfe78b4f57d1d813284cf5a23bf0bd79854d00543af516d92128157

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
205KB

MD5
fe33807d5ad45b56b1cd721d48934f1c

SHA1
0d12dddcb23d67a075256bedc8c3c745a00a47be

SHA256
8d3dabe27868c537b3cc258d9ec21dd75a465c2c9f60953281c7e7be0e974c49

SHA512
23eabe72d6e33dca69e6c42f7c420b925f0db5fe25000d3bad0e5dfb349f713fc98c4b86631e9e12068c6fa254a24e3c57cf248b5ce14bc4bad37736173652f2

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
205KB

MD5
85842b258ba16f2a2a0d5c6fb6934dc9

SHA1
51272d0105ba2b9043b84a30831d8d6063021f86

SHA256
af263fff38f00bf838c7fd6c122cfd3ddb2728ca9e5b3f91b4d73d0a6dd997af

SHA512
6f0181a20c04ff1b967ef3726f6f4ed265f03ccea9fc9cdf72e4cae932481737db7a27b4163e761c9c1c209f53661eb44b5c62695c1bbdd73130fb3c11e05b97

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
205KB

MD5
eef78430b12452aa35759700a75b938c

SHA1
d49614e2dcf0a85b460e29ab78c8f85e0aadc4a4

SHA256
def9140ef0e79748aa5082d321c797d8e8cab66908605c76be24e02f3edc1d78

SHA512
623addadc6a613d7d53d80a888d07a83d7bcede2bbd97a96d546988ebaaa59339458d0fc4a3aac7d377eb98a1c25bc00fede56494cc20f7aab7b3999b0a66cc5

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
205KB

MD5
f0aecc644b6b3030a306b369b9d80299

SHA1
e7e22b4f7a5b535eda69c4fc656321de3cfe20a0

SHA256
5674c5f9d1ef8e5bf2602cb0036322662148e81d95acbfe61b3235eb42e55a87

SHA512
7cf72b953f58f903408b3d7368b59da1fee200a615c96fba81830fc3e2969e035e9717ec8da38446bbee8884106339f88f1b79c31b6c9ba14313d9f3038b1cf1

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
205KB

MD5
d2b3031583702f9bdda12fecfed192b9

SHA1
d3de3e4d9f879c881bb88011ee1e5568a924aba0

SHA256
18f79b994af79963731addcd14625c8311ceebac9141e4800aac37a12e632024

SHA512
70cfcb8a174a12faf5f1fee5c83354c06728a74b6d433b9fe6ec0fe2bd56f4ed8aa99b7ca534dcc1d673e4dbb5772b6355fabf2f32f4fa1ea3bebdedc6131860

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
205KB

MD5
fd9118767c8a7e6e99b20c9501d6641c

SHA1
8d61aac1d869c57b6d1d0a4e84ce417244dab786

SHA256
b7186ccca9f3822af20af5142f2025b09c269cd31de9901aff05b893cce3cdc9

SHA512
f78dacb5fec93e4e347031077027af6e2219fc18ea64e02104d68d4cacd544712751fe3f5b7b6a87b8d24839c7606e79e45cc74781aefe658b5d6bb0d917ade5

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
205KB

MD5
75f94dd3eceea7c59e1e912ffbb85191

SHA1
7306354dc1f2de692dc94db8ce9faf4280c8f687

SHA256
fea24bfc95df3061621140714d3d63bcb89308d19ee9fc80a2b1c7b90121434b

SHA512
3245bf8773476cc5c0838bb6a89849e7a12a9c14eb7bded43a25e9374ceab80dd008df958668acc7df8163160565a1c3d5bce21fa21afa52850f9cf7ab366aab

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
205KB

MD5
9dbbc24b82e9ea14b000ed0467b3953b

SHA1
561ceb712c6e19332fdf1a487051cef62e8c4f21

SHA256
97008a3c75865a1088f37af989a3a3ad43b0171f1345319eb786237be4439851

SHA512
c2988a1fb12920e53c0a9733555e2508163604749118ded11cf6cfbdced1c07835c83acdceee8e651df6f826f3771781c6d20adbbdb129b630d773647f5c3d50

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
205KB

MD5
219f235a059f9cd4deb9ae3c0e4f8735

SHA1
7ef3bcdbe642bc17ff23b7ec7c642ea56e6c24e3

SHA256
4a65699494312140b9da83ddb6d705b10b4306d73a337192946833fe30f0135f

SHA512
91aad37c23e74e01d812431b04c1981a6d7a2419552560f29e9c577916698eb3c50c9a5675ec3f8a624148f746a278665ce9a0501efa06fac43282109de3fa11

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
205KB

MD5
b8c66791f85aa074e3dd77688270ac5b

SHA1
ec0ca1a75283288e134b2e90c5285836cd766b04

SHA256
c8e43849b1861eb7935890ccce6693fb3a9ff9e78db50effdaffc1fbf2678506

SHA512
e1a67ab7a29e383815ebebf2f993703c78b38cae52cf0c21e3f255797816d7190d2a414f17782f3a8105801745a4d61c8f52d6a31bc8739cd69439121ae15940

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
205KB

MD5
7d48b9fbb0b0ac335e81c40e1e090dbc

SHA1
82af3b46a70fa70700cbdf2ab593348c20035588

SHA256
d3188eea2afcc852bf6cc572c0655a803eff64eef541870e7baba44abdd8f8dd

SHA512
27fa8b4c3671323c4ef309dbf80593dd36c3b20715476466250ef5fc2bb12180a4288bab0c94ac8175692c60bf9c0ad822368d752a69be50c33c208c90ad3bcf

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
205KB

MD5
1afe1fab79431a888d4772880bf8cae2

SHA1
c5a5de6eb39a811fe8193e20a1fd0fd2abe66aab

SHA256
36615b6f45d4b1c69842c6fb340ec342df2bcb55690f90709b6383efeccbd764

SHA512
93a50b8fae78a8267ed91a7cfdabc1dfbd7a144b742fd9820fd04dcc2c9c52d0b82fd0d41ca4897c0388f1bfb686eff7679836b00f074a986d02e6a636ebf576

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
205KB

MD5
f8ab792363e46b86af6cf8f3004d6c40

SHA1
9c598163b83845731563442c519bfbe97ca63adf

SHA256
63ac927a5ce1bccb4985e28a13bfdc7f81c2dbebacd372e20d48ac46fbc8d1d1

SHA512
66fb96d3795f7ea8da5610a9d2dd54f8084c32cf90011e4f3c22cd8e1a40158cfbae905bc45a7e862706bf8000e1a274f71640f9efda7388f0b30403473ccadf

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
205KB

MD5
ef8c8b15df55ab253655998cc2abf897

SHA1
a09a61f9e7c58590948b4c041dba629c0ab0ae9b

SHA256
5bd18c0185218521de87818433563780d7d1a88ba4c0374225c6ff4dad5fd3f2

SHA512
56a99e873c4748641a0d338f6679fa3d0fc65e95ef5904965e0a9f1852e3bf4201db84a107ba01bf1bb77db8cb8dabfe0aa7025e2059336a71b695204fd2c662

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
205KB

MD5
8bad308cf51c390929b958d6a132d8bb

SHA1
94f6fed897b6fdc4d58647a4bfb99d97b5b5a3ec

SHA256
5614f2f3742815816fb4d3807c079a8fec05d1b1ba7f6cdcf95b5a30be3b2f36

SHA512
7595e215568bcd6e12285cd0339febd31c96029f90f757a80c2045558ba1ce31f388d6ac7903d11101f0cecbf31497cd4a6d09c3ee486e6f7009fb8a8eda2fec

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
205KB

MD5
c3a55cd520e0b9e34e1e08d289e1a0d4

SHA1
c6a4a0a78ea586cef754021a996555190bb71c5f

SHA256
543ed2187e3884b9fa45dc98e14cb44b3209d715ce2db08b890767f15777a768

SHA512
188072384816583130c65cd502dd1f13b3f0dc6f29104074158bfe7545fe2f1998845faf8de899a459d7de25b791afcd66a64cb4d1d9172cef8abbdbf4fe01ac

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
205KB

MD5
ebf5ddaafdf18bade5e889ceaa4badc5

SHA1
bbc0766e75e48a6dfc751000c4a0669482cbad8e

SHA256
d6806b28e7a8aa2e2d9be3c945cf436bffea16c4b0cec26aa9ae4980631ba0e5

SHA512
9f94f5faa73bfbe62791a6755130df9fd790cf1de14d9cccee21c66c3abe52c220a0d6e289c1471c8f5d053bf339d556c624e5bea1c40ccea8971521bbb1e05f

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
205KB

MD5
3f75682b35cd6f9d57cae3d25f390c39

SHA1
ca50aedd10da446f40339e3db865397ab383bd96

SHA256
e3cdfc50d61fa6a246b46c03e06c82a3cc3d6f2d7dfb54cfa9bd340a6576732f

SHA512
01b852aa155c5fcdee679edf34b3a690e8a7d1f789e547c7961891c13ef9ec6f1c4462a8d21bd893d3b24695ae133579d28c94fabc9e0d8af15365fc8260d9c1

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
205KB

MD5
2c9da30fb789b540e349628153c3c74f

SHA1
8c241629af2439f072c77fea217e74f84280dca2

SHA256
da7dc650c706f15d45017e5dbff7a239b6d5bea2523737d1a8143ca517ec0d45

SHA512
1a3d6beb9bd895d8de705e5852bae4b78d91f7c1c72705d072ecff0a14e3d6fc2ece47bb975c30891ca8c59b8a2a4910cf81267ce23a7883a5f249a55215b82d

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
205KB

MD5
97d32476f4f377943155c683942543b6

SHA1
8f12eba2e69e733770a7f795bbed319b3f26f42a

SHA256
8e3819aac795571d1e2e3e006cf98821dd1d0a71586691738ec02cd057ae4c6d

SHA512
d725dad86eb9bfd65453d193bfa86eb3c96d3013cf7b5f00c07da21294b57a7c3e84c477e6a2213d6f2ef5ada59f066b102bad459535cb6cd691fbe2c372e137

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
205KB

MD5
b1c5136a9a88e5f478162268895523b9

SHA1
bb8a30599cc671ada61c245ff721de82a16c9aa1

SHA256
0dc4d29aaff79f045d5240712b099e007ea15d2e36aa4ed0a2543eb26a9997ec

SHA512
fecfa8b5fbf6daba759dee11723e029feea01ccee8eb2f8cf7be8c3eb71c1a3e5ee3dd29523d81c922cc8fd86f80d8ba075d58b161959156386c40f1e3ec2059

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
205KB

MD5
4efdb55020908084f11d6ec85b427632

SHA1
97026bdfb5bac05a1c7737dd6ae37848b2f28dbd

SHA256
103e98e90e0634cf0e7ca22cc621473f89b7791f0d0f79fd04b374c254c581f9

SHA512
7e71505314f9e950f40a723bec52ff5bca6ef36bc68aaafa4392439c523b3dc09a3a5d481d37b8c2979398c7e41a08c00c2822b147fe8cef333bfb134cd51655

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
205KB

MD5
218e633532e17604cf003b086a54e490

SHA1
ef3f6954e08f70be4d39f703168eb6a39eec6e2c

SHA256
b2fba08b0f11523cb93007657b82b34fd58beada37a137063b357720f065a1d3

SHA512
7161c7d4b0feaf498c0a4784d8a331ac8735fc8cc857ad8d94e621a05e6a704357e313f969df2e781a86f53b36c17fcc644f0c7b32a1891ff0ee72e617382380

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
205KB

MD5
34219fae767ca01e325153630a6c57fb

SHA1
baf8848e8dc89fca07108cc9f5fbaf4b8cc719a7

SHA256
9334a0c02067fd62c3f86ede534e5ea20b72c96e55aabd7cbad0f7bac597755d

SHA512
fcc4be5f84ec3ddd8b0493e6e35a265943e34cca7cdab5dc0b1d0c4072de417ca6536c2d1faadbdb6805e33213220c93e67ece9dd8fe62ffa2386cf7aba26e46

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
205KB

MD5
d17b2036b147138c8bd1270918f49427

SHA1
9c17d2cc7599e6a4230c375bd496f210381724a0

SHA256
12c6669862931e50343c93e37a4d9745b9fa75ed1c55f69a0684ab39e3f1d29f

SHA512
91e5a7cf510426969c490962491589b3a4197a021e2ff7eab347166331695eef2c12df1dcc364402feacd987bac98bd16a877087d42082f1b53720a5e1ec2b3e

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
205KB

MD5
ac37c65d8491127b1decebacbc1ad0a4

SHA1
2967b30a8e06071d5b00d5aac13b71347234ac88

SHA256
1dcc6deeceb34f90236cfe0dfd018f41a3034c73c81958bb0c52b1325d2331f9

SHA512
7c2d4750af3dd2a72e5997c5208a83c3e0a49cb8d9deafb9864707a37801b2b1f197a28a9e0eccbd72259cb4dd2f9e8a65e3693c005cb007fe40aadec03419a2

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
205KB

MD5
7c0b013d1903aa004907d50712af1de9

SHA1
978e559806088238dd0799672b0e9dc47e6fa876

SHA256
15cc29269f79d13b1923963aa1fe522abf1a787e91d38af75360e1168344dbb8

SHA512
b9d6a6aa17ecfaad0cf31e37cf27b8e00931abc1eb1953160dc046f7f3a89936bf1c954254d78dee9c1b8ec98e7f6346716df6ad05f7cc774d2d9136b8d57b72

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
205KB

MD5
25e720d0682dab15b3f48b07799ae601

SHA1
b392698d2a2259dbad91b5849bf8dd6d2827581e

SHA256
8fc488321ff32f07965b01d06af401a019b599c75450691b5586067aa4129e4b

SHA512
2b63ac4acd406178a30ac62f23c09f3d9916ce4f791177a80d8482c4e567fab1d08407f90dbbf191f77ec7ac27061469c7611f854e4ba75966906f2a9321caa0

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
205KB

MD5
7707076b7a6c28e771ba59475d27824f

SHA1
e39aec2e11d725ae5408d1f8568e3532029c257c

SHA256
1c49908b59ee0ad4a3204c613452d2fffe843a14163dd6671427936f9510c3a0

SHA512
dfa01bd4c0ee768bafb49c51d992448387df3a0dc02c528429ff50ae49aed3d0300f9c10d821883bba72aad05a02f325c3e21b33eedbc542bbfd3a693ed22ca1

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
205KB

MD5
7bb8b1915982d9e399d064de23aa2fbf

SHA1
8e67352eeb87f9c8e843103f7be11e0547ecf937

SHA256
60c6369c30ae7d04defda40f40137b29c17b84151b36f9955b4710844378899d

SHA512
62f21d065673ea6fddd46bdc1b680cc7918d1753dedf7f50264c53a78842f43fab11d4c73873c9d84c967c0eb586575ea4351ac0d9ff241715f4254f2bdf1c3e

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
205KB

MD5
c856029d7f87e2a7f4ad678e2c1e328c

SHA1
cee0c081903e2ca40c613e82825f7e6e4e0d2548

SHA256
4708911bfba7f733bfbf0e57194609a44ee96b5b6500252abb0de9b06ae2aea3

SHA512
81a29ba171a5a92d8b37c781341d8de459ee47601f880d337cd08ea6684e13c0e7885daa436e20fa21482394a38a005fa4ee4a20af5fa1fc5e349c2d86a1abed

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
205KB

MD5
41430ea6fde164b70065eb6c70765520

SHA1
5732c62df7528f791a56003204f1b4377d9e0041

SHA256
4dfc2816a596fb6cf08464e526c781fcc72d49c0f8012e089c437e31cfca9532

SHA512
38eabcbbba87eb94c6af9d5eaec39f856f48d7ec4ecbcb8deeda2230a41b791098b4d46c6ad4b1858b07461dbf1f11b1c03953a7116114fcaa9b6434e8e79678

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
205KB

MD5
a0239251d8858191819fda22d7d5f2eb

SHA1
997f1249bc2d33c67cbd3456a8309037b3f04e7f

SHA256
9e9c065667572e942e923c8270ee33bf8344b53ec0e62279aa073bae37cc6efc

SHA512
6b97367ebf6896db62a68e295d0eb2cdcdd43d8de27a9ca2a8ca84db848c98275289c8cdcc2b14472e62f60dbe137610ff90db4adf8a077a443072dc0db34a23

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
205KB

MD5
5fa5007531b4ff1bf740fa51f84bb16d

SHA1
b78a801a88f6b5b02c2cc601a6142f7fb725778f

SHA256
31abdbdaa2ab3d4f2eae2769d2cba809743ae101c59ac5d07334ca0f5676356b

SHA512
f657f0122d41cb2a7541fb99b174edef763ee79dc827beb220af365fba6c618074155a29e502f53dafc9f52a6216df3d80d3e3d0da38b753a3b06c59868fa2b4

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
205KB

MD5
d7aada2daabfbec1f8bdd49ce2b40ca6

SHA1
331dd896e11b93c4e5799563a3b3e74a12341323

SHA256
4af3708e79195f93822c0dfdca166d8b12a6c463f66e4af0dbe6c0a1adca9aa4

SHA512
253a078a2cc75416e975dd64d949a9fd453750dc25b1e4933242689dcd2f65b71c8f04dcf152d780987811c3ebab5de7060a00433ba343a2d55afa2014562803

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
205KB

MD5
edce251bfe207b6864a9515ddd17fbb9

SHA1
3c6df339f59b76050c01a67e7da44e4e74e6dbbb

SHA256
9db5327c48e80dec3c6b1ad491082dfb151f34cfdebec763d1bc026ae83488c6

SHA512
76af6267578018b3320621719351a3581c1ad6642c955f3e216a19b3740e5e998989256a5d24b4421275c38eb9d6d23e2688e347922ccd864caf39cead981ac3

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
205KB

MD5
fbe4e268da21d70f642dfaae89368b7e

SHA1
260462e10e35be74f48e751e3d0dfe5148825361

SHA256
1dfee14f27bce572e9c5b79d5dbe61e5ee2ecb0eebe6d38c4d9d4b6954f25cb9

SHA512
e2adca6481425d74af5a16480f20f0f4363637f1b3143fa4759f59a5d7ffcfc933478f56ed60f76ca1dce86931ed8f758a6c20c8b47383378d824afd936bc563

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
205KB

MD5
2070c501189f6d895731e1e6b60ba183

SHA1
44f2107918820b3e0dacb171d4254c42f3f93f8d

SHA256
7da7dc1e931f4b4b45942c853c8e0cbe12b29c4f439b87c7cdbe52c0d6e8897c

SHA512
3b736984aea982ab5dd6c1b35674beea052ea3b728f83a97b245538245c665a8390f04d8c959a4199a88d660e8cb2a53fc2f5cb088eddb564ba73aa5bed894a7

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
205KB

MD5
0e0a83e1787e28948d71db0573205d37

SHA1
605ff9b2546f131361c83c61dd8d20bab8b23f55

SHA256
cf237ba6799c1f9fb4459c02cef8be4eb8c62752c02c260a91ddc3ac8431b645

SHA512
1be184106e41ac226bd41f0cec28d27e92631e914243c7dbd26964c11094408ab9128e45ba49732cf53b16c280e7387db9df431dd08e520563998fd2ebc5b416

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
205KB

MD5
59a68362d2a81ce1a956fe6e2efccbd8

SHA1
01d785779e99b84b902775cc9b54e9ff645589e8

SHA256
ac203cbf50a1510ca575754535d341642bd8032772f07abbc4112cfc784b80b9

SHA512
fc5a46ee8521bf2cb0cdf2a69a9c3a4ef949b24d9af265272dcfc82826be6e024ce50b7e1c843ce981f18339e4453bc7c5f6455f870afda89d939f3c2367e685

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
205KB

MD5
4ade596e22b160cfa98a552bfa0254e1

SHA1
fc1d7b3614d8c487b084c752352d90a53091a232

SHA256
752c0da4d4355ce076346c3a399f8f7bbb040292658d96e0c29ec8c38643bf60

SHA512
c55da94845a33128daf634e31c4855e3058ab8c892dbf12e22145b513a38fd0e45f20e9d29fd41995dca69f6e2985703c444bad718d283d66744add8fb1c1d9b

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
205KB

MD5
3a61bcee932c1b53d8f494b627d18f6b

SHA1
995f6a6f31863fd459c8538834b6ee2589ee570c

SHA256
7b75bb04aa08b7f19402017f49faf9fca48776de66b865128368069f870edbc5

SHA512
d9a57e4a7098c00672c0a793ce1e6e518e5a5ad41f1157310c13f429a1917e632aff84bb7cc0504fed64e9c669ea610ecea1ad226e9ecae378c10482ddb479b2

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
205KB

MD5
4b5db9105a72bfa2302b0ca326ae349e

SHA1
3e361a7f4ac3880ef1afe028992d3c82659e198d

SHA256
8487bc93043ce3ee0aada0bee1b09f64ed84785737b570dbf35b42282360236c

SHA512
8f60d98252be606907582601f4a3a5877488bfb4496cbe111ab655b6a30483fa02500180f0d742944bdfc59f7fd22720348e80c8f3699633b2a2e3a9fa8e703d

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
205KB

MD5
bef6715f3fd4fa27eb81bcbbb1681f97

SHA1
6096c4f2c5d3366fdccea2b7bad0b854e3e10745

SHA256
037811d7c72fba4c0827a29c6bd7fa36c636c21004a0fb74b958a631f5df3e4b

SHA512
b5d7fade0fcc7d7008e4d84f2a0b46c857efd9e34a40843f845b994ebf9d128b795529f6000102c60c7fd282f09a9541981d12b52f9c610869ea00dda5fdb656

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
205KB

MD5
f4e50f0fa17f9757cca10106f955d95b

SHA1
08ce3eca25cc6e2be50e213c800f0bc16a2b5f75

SHA256
f98309a41a1585fbfdfb99930d09596f414b622cb5180894a3680f194cc8662d

SHA512
b8e40c2ac90e2430619d9162512278865f98f953786782372906cb830751bc3eba383edc0ac6fb5e926a2b657c5d53569d35fd4f7100dd1aaae557dccfbf6ce1

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
205KB

MD5
4af9cbcf4b642c74d3ea9e3eb98a6cc5

SHA1
d36bfdfa522370eeb0029879098ecabf34c2b2dc

SHA256
9945ef3a8dd55d27813c63ae21791b6cc676ad678d50f42d155f05e9bef76ca8

SHA512
a4c7e486ed0952b24d12f3db9601bf1d78a3e1dbf03645c8d7bf06344aac0bf73ef96c877ecef2653e940bda36a20514b10e4b499f8a69e0bea6cef3e30c5928

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
205KB

MD5
6b609cc77cde2c97fcbdef918ff18058

SHA1
2b35058fdaee21c6b943ce427c62a7f69e248654

SHA256
cbc58969d192692b34139dd2577bcad661424d0cae734dd0597287891d9498ac

SHA512
1e606ab52e58ad8a269b67573fd0ab8a0b60b0c8b530e7c107029e17b1020318edfe31fd62fd76b250f2667e398b66330487656418f802dc7a508f2d9081532c

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
205KB

MD5
ee22fa7b158c56efa868729c89674723

SHA1
6a4d462bb91093e463c5038020da67778c974728

SHA256
4ea83f96d76205599a2e9fa53ef1eda6f0adb2e51222da07a8ad779018fd2d91

SHA512
528eda84620142cca9ebe550cfb29679edcee489d682acc3204885ad459e806c1825f63bfe7128e56059bf9caf68a3f561b45df8c26aabe724b5d083c6e98e68

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
205KB

MD5
9d337d6809865a7ebfb3c023723094eb

SHA1
02d3a70ac9ed82d8042edee929527c0375e38979

SHA256
152dad2bc34f9bf7452ab50fffddfbfc387b6963f822d3f68b035c40bd90f432

SHA512
60e5d70f98a6538050305e0ee52c6e7395632e429c4f6a628f6cf419a4b97106dc846025d490e909e8ea68477b011888b0930c2f45d101e33443cb5570ed4905

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
205KB

MD5
06d4c0c6eeb40778df962f15b73c1259

SHA1
6d2671a083a001414e00159480d4706eb4269760

SHA256
25f8a3471927a4984a97cad2fc6723055343e78720ea14ad3ff371d1d16d13f5

SHA512
7f99dfedb439e0c3d8790dcdaa93653210ed2388b5c9d1710ae11149ecec497c9ddf03e8ff1b59f0fe8915fd6650d94ad87b7161cb861c46eafaf2e4f5f77733

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
205KB

MD5
96fc77032e051be4c104e6dc380b1c33

SHA1
f9c41d5fad56cb9d8d9fee8cbb3cf492e8bc36f7

SHA256
a5756465d01056f13a8c48fc4790c0fd698b8445379819680335a2234dae5366

SHA512
11309e0ad322f8109edb57513332e85008420bfc95d1f14c15e9cf77c190dbf1d74e7c44fbdb337010c60312f852355930b75abd3d7c4e38bd1c4dfef75237c2

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
205KB

MD5
b1b8403950e53818f49b91937a4139b1

SHA1
2df16efeeaed25cfdb5a6ec35af6398947f47fa9

SHA256
e1d1369d70d3b3adbbcd93e30289fe4a5a9ae51675a98cd1cad37926989d598b

SHA512
fe177785337dd22ba9c44cfa63c404b35b5726467ef3b187e27e054ba39b7f9815b8e611d06f65881c7de4f441c28cbe3419c5ffd07726ec3cf0592f1410b070

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
205KB

MD5
aaa05bc7cac2d9ada65350594650a8ed

SHA1
d43422185ad46517968c00a330161ad113c0e1f6

SHA256
da0f5738028fdb80655b8da773fa3a15f30f753e425641b6507f7686606c1024

SHA512
2ea26b64d74988f99910f893c1e8f9076f7211afa0aa9cee67f0716d4de7358c2664b8fa055dadffd01159ea82d00440785e5a0151e79df0fe5f9970f56ac7b4

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
205KB

MD5
656dd3e9a13ae5a0e75e5ba2016afb58

SHA1
c479f4426ad1a9283adb3fe2b6891e8e9956cd2f

SHA256
16a044eaba36c7eb92c5f859e0561f52b94cf9e66775dfff3813bc7cfab25882

SHA512
b6a93fef804e4b822e889732a1ae701457af85c174d5a1ef7663414fed75182f6a7de2832f7af8258cdafdefb72a9cd7ea3842fd1e03d6b3b5349b41cbada554

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
205KB

MD5
7da764a98d47c81403c42d4a0e3cf1df

SHA1
23bbfadfd303ee1ffba55681a399e29194fe8fc1

SHA256
d29d4166d8f67e3ae99a4bf80ec8be81286686f76d5a0fb6037e5c4db67ff1ae

SHA512
ff50110022faa223a84a3ae957fc3ba0c6477511d242266a7c3baf0a22980afc171c4044e0089bebcf4c321bdcd162a5374ee683789e0b945ed37afe51e4e3fa

Download Submit
C:\Windows\SysWOW64\Pkfcej32.dll

Filesize
7KB

MD5
fc6b0ddb5cf7b64c21aad4c842533f19

SHA1
57474aa2fb199a01e25eddf85998a06b5dcfafae

SHA256
3ac6d8371b99646f8e9337bd8f3d815b3dcd8fdc09e4cba6a4c4c2e08c554423

SHA512
c2a315f7a1390909e56dc84f0008b396323e1bc5e909992a5d9ab0976e0d2471a4f9e0e34090081b3d117da282d3de6241780cfc7b55c372cb235efe6322eecb

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
205KB

MD5
89c97747202bb20a2d6468aa0fe9a441

SHA1
6629cd98ac6dd35ca97827191e22a0889b3f1e26

SHA256
3f3d39098efb2bdc2790d4a76100a49d3d92aab9cafc002c98f3df76486da5c3

SHA512
ca37e0e4a3f51c302eb7eae52d8169ff2eacb3e19ff96c308421e45aeef083c221da6e731a5ecd8c40c975378731230de26310b89223cbe114e0622e0416bf3b

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
205KB

MD5
77a8c915df80fc0889edb11b591a6b45

SHA1
dd2b3d6069d616f16a153700eba924bfd13cfa1d

SHA256
44f9c4fb020055652237a5a5c6be9c34d3c7c64a1c428f8b6206aa8c90c704c3

SHA512
c451e7dfd094750161b192f37a179cd56f10a5945103bb10c1a7a24d4e25489dd8913bd060f3da507eea062b23691a26d23b383b7dcd3bb893e4221cd4c81743

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
205KB

MD5
44f376538d0f1da6d03f8ae0c32f78eb

SHA1
0c701cdb7cfbf4f1ec2cc4ece203a866ebcbbe97

SHA256
4b3e3e752079f461ec3732a7dc1cd6eb9385e24303d0bf9304ece1f3362b9567

SHA512
47c3b7e40037a16fb569b2cbf00d99aea41532786bd22d8f1bbcd5611e6bcaf3c9864618806f43bdba43764e339b69905e147c13940219b56fdd7307453a4b79

Download Submit
memory/520-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/524-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/620-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/648-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/648-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/896-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1356-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1716-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2440-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3216-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3284-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3744-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3808-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3844-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3940-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4084-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4184-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4268-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4296-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4304-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4648-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4664-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5160-891-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads