berbew | 74f7679221608a6c1bfda40f7c4a8a4a96d4e3c0ad335acd67852cca6f76b0b0

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74f7679221608a6c1bfda40f7c4a8a4a96d4e3c0ad335acd67852cca6f76b0b0N.exe
Size

324KB
MD5

ab5d102b201b8c24722153d286edac20
SHA1

1c5ae4f7ab40d71e338884f5d1a04c2c7c5ffe64
SHA256

74f7679221608a6c1bfda40f7c4a8a4a96d4e3c0ad335acd67852cca6f76b0b0
SHA512

80ab204dab5d50e2194a8fcba4e9262f897d72be272ca9ce3d0f1500bc0cb980ee6dbf02d8152de3149aa6268c54e02985ba00eba7e78eff8aabc7febde1b161
SSDEEP

6144:qqTfq26pHStZO6zd5IF6rfBBcVPINRFYpfZvT6zAWq6JMf3us8ws:qqpp5IFy5BcVPINRFYpfZvTmAWqeMf3O

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpqiemge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdina32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megdccmb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
1256	Kmijbcpl.exe
2652	Kedoge32.exe
832	Kmkfhc32.exe
3132	Kibgmdcn.exe
3900	Kplpjn32.exe
3304	Leihbeib.exe
1844	Llcpoo32.exe
3352	Lekehdgp.exe
3568	Lpqiemge.exe
1056	Lmdina32.exe
3660	Lgmngglp.exe
5052	Lpebpm32.exe
2088	Lebkhc32.exe
1816	Lphoelqn.exe
2692	Mgagbf32.exe
1092	Mdehlk32.exe
2076	Megdccmb.exe
1580	Mplhql32.exe
1980	Mmpijp32.exe
4604	Mlcifmbl.exe
1216	Melnob32.exe
4572	Mmbfpp32.exe
1132	Mgkjhe32.exe
3344	Ndokbi32.exe
4056	Npfkgjdn.exe
4952	Nlmllkja.exe
3608	Neeqea32.exe
1552	Ncianepl.exe
2468	Nggjdc32.exe
2380	Oponmilc.exe
2976	Olfobjbg.exe
2816	Oneklm32.exe
3192	Ofqpqo32.exe
2208	Olkhmi32.exe
2452	Ocdqjceo.exe
4660	Ojoign32.exe
116	Olmeci32.exe
2476	Ogbipa32.exe
4772	Pnlaml32.exe
3552	Pmoahijl.exe
3560	Pgefeajb.exe
4208	Pjcbbmif.exe
1960	Pqmjog32.exe
1492	Pggbkagp.exe
4812	Pnakhkol.exe
1720	Pcncpbmd.exe
3108	Pjhlml32.exe
5040	Pmfhig32.exe
1936	Pcppfaka.exe
2268	Pjjhbl32.exe
4508	Pqdqof32.exe
996	Pgnilpah.exe
2512	Pjmehkqk.exe
1076	Qmkadgpo.exe
4308	Qceiaa32.exe
4728	Qjoankoi.exe
396	Qqijje32.exe
2904	Qgcbgo32.exe
1976	Anmjcieo.exe
2024	Adgbpc32.exe
4280	Afhohlbj.exe
4320	Anogiicl.exe
2156	Aeiofcji.exe
4744	Ajfhnjhq.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oneklm32.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Eiecmmbf.dll	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kibgmdcn.exe	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Codqon32.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Lpqiemge.exe	Lekehdgp.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Mgkjhe32.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Llcpoo32.exe	Leihbeib.exe
File opened for modification	C:\Windows\SysWOW64\Llcpoo32.exe	Leihbeib.exe
File opened for modification	C:\Windows\SysWOW64\Lekehdgp.exe	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Neeqea32.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Oneklm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5440	5352	WerFault.exe	192

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkfhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihbeib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74f7679221608a6c1bfda40f7c4a8a4a96d4e3c0ad335acd67852cca6f76b0b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojleohnl.dll"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	74f7679221608a6c1bfda40f7c4a8a4a96d4e3c0ad335acd67852cca6f76b0b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Leihbeib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjiol32.dll"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkhmbin.dll"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 1256	3116	74f7679221608a6c1bfda40f7c4a8a4a96d4e3c0ad335acd67852cca6f76b0b0N.exe	82
PID 3116 wrote to memory of 1256	3116	74f7679221608a6c1bfda40f7c4a8a4a96d4e3c0ad335acd67852cca6f76b0b0N.exe	82
PID 3116 wrote to memory of 1256	3116	74f7679221608a6c1bfda40f7c4a8a4a96d4e3c0ad335acd67852cca6f76b0b0N.exe	82
PID 1256 wrote to memory of 2652	1256	Kmijbcpl.exe	83
PID 1256 wrote to memory of 2652	1256	Kmijbcpl.exe	83
PID 1256 wrote to memory of 2652	1256	Kmijbcpl.exe	83
PID 2652 wrote to memory of 832	2652	Kedoge32.exe	84
PID 2652 wrote to memory of 832	2652	Kedoge32.exe	84
PID 2652 wrote to memory of 832	2652	Kedoge32.exe	84
PID 832 wrote to memory of 3132	832	Kmkfhc32.exe	85
PID 832 wrote to memory of 3132	832	Kmkfhc32.exe	85
PID 832 wrote to memory of 3132	832	Kmkfhc32.exe	85
PID 3132 wrote to memory of 3900	3132	Kibgmdcn.exe	86
PID 3132 wrote to memory of 3900	3132	Kibgmdcn.exe	86
PID 3132 wrote to memory of 3900	3132	Kibgmdcn.exe	86
PID 3900 wrote to memory of 3304	3900	Kplpjn32.exe	87
PID 3900 wrote to memory of 3304	3900	Kplpjn32.exe	87
PID 3900 wrote to memory of 3304	3900	Kplpjn32.exe	87
PID 3304 wrote to memory of 1844	3304	Leihbeib.exe	88
PID 3304 wrote to memory of 1844	3304	Leihbeib.exe	88
PID 3304 wrote to memory of 1844	3304	Leihbeib.exe	88
PID 1844 wrote to memory of 3352	1844	Llcpoo32.exe	89
PID 1844 wrote to memory of 3352	1844	Llcpoo32.exe	89
PID 1844 wrote to memory of 3352	1844	Llcpoo32.exe	89
PID 3352 wrote to memory of 3568	3352	Lekehdgp.exe	90
PID 3352 wrote to memory of 3568	3352	Lekehdgp.exe	90
PID 3352 wrote to memory of 3568	3352	Lekehdgp.exe	90
PID 3568 wrote to memory of 1056	3568	Lpqiemge.exe	91
PID 3568 wrote to memory of 1056	3568	Lpqiemge.exe	91
PID 3568 wrote to memory of 1056	3568	Lpqiemge.exe	91
PID 1056 wrote to memory of 3660	1056	Lmdina32.exe	92
PID 1056 wrote to memory of 3660	1056	Lmdina32.exe	92
PID 1056 wrote to memory of 3660	1056	Lmdina32.exe	92
PID 3660 wrote to memory of 5052	3660	Lgmngglp.exe	93
PID 3660 wrote to memory of 5052	3660	Lgmngglp.exe	93
PID 3660 wrote to memory of 5052	3660	Lgmngglp.exe	93
PID 5052 wrote to memory of 2088	5052	Lpebpm32.exe	94
PID 5052 wrote to memory of 2088	5052	Lpebpm32.exe	94
PID 5052 wrote to memory of 2088	5052	Lpebpm32.exe	94
PID 2088 wrote to memory of 1816	2088	Lebkhc32.exe	95
PID 2088 wrote to memory of 1816	2088	Lebkhc32.exe	95
PID 2088 wrote to memory of 1816	2088	Lebkhc32.exe	95
PID 1816 wrote to memory of 2692	1816	Lphoelqn.exe	96
PID 1816 wrote to memory of 2692	1816	Lphoelqn.exe	96
PID 1816 wrote to memory of 2692	1816	Lphoelqn.exe	96
PID 2692 wrote to memory of 1092	2692	Mgagbf32.exe	97
PID 2692 wrote to memory of 1092	2692	Mgagbf32.exe	97
PID 2692 wrote to memory of 1092	2692	Mgagbf32.exe	97
PID 1092 wrote to memory of 2076	1092	Mdehlk32.exe	98
PID 1092 wrote to memory of 2076	1092	Mdehlk32.exe	98
PID 1092 wrote to memory of 2076	1092	Mdehlk32.exe	98
PID 2076 wrote to memory of 1580	2076	Megdccmb.exe	99
PID 2076 wrote to memory of 1580	2076	Megdccmb.exe	99
PID 2076 wrote to memory of 1580	2076	Megdccmb.exe	99
PID 1580 wrote to memory of 1980	1580	Mplhql32.exe	100
PID 1580 wrote to memory of 1980	1580	Mplhql32.exe	100
PID 1580 wrote to memory of 1980	1580	Mplhql32.exe	100
PID 1980 wrote to memory of 4604	1980	Mmpijp32.exe	101
PID 1980 wrote to memory of 4604	1980	Mmpijp32.exe	101
PID 1980 wrote to memory of 4604	1980	Mmpijp32.exe	101
PID 4604 wrote to memory of 1216	4604	Mlcifmbl.exe	102
PID 4604 wrote to memory of 1216	4604	Mlcifmbl.exe	102
PID 4604 wrote to memory of 1216	4604	Mlcifmbl.exe	102
PID 1216 wrote to memory of 4572	1216	Melnob32.exe	103

C:\Users\Admin\AppData\Local\Temp\74f7679221608a6c1bfda40f7c4a8a4a96d4e3c0ad335acd67852cca6f76b0b0N.exe
"C:\Users\Admin\AppData\Local\Temp\74f7679221608a6c1bfda40f7c4a8a4a96d4e3c0ad335acd67852cca6f76b0b0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\SysWOW64\Kmijbcpl.exe
  C:\Windows\system32\Kmijbcpl.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\Kedoge32.exe
    C:\Windows\system32\Kedoge32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\Kmkfhc32.exe
      C:\Windows\system32\Kmkfhc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:832
    - - C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3132
      - C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        31⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        47⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        52⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:996
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        56⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        70⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2256
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        78⤵
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        85⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3520
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        95⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1328
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        98⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        102⤵
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3124
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        112⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 432
        113⤵
        Program crash
        
        PID:5440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5352 -ip 5352
1⤵
PID:5416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
324KB

MD5
de62db2349538ffcf3e28e57c858770f

SHA1
da655d9da48a52c3d7401fc5de8b36e1219a10d4

SHA256
77648e9c3313c8569dc4958575a707a28b80ece664f69eb268452c7e3af63688

SHA512
05cd586916e23f4764eaef0885f319cc4ac0b0d8ebcefba1b08d3b94f109c42a4900338be5bdfdadddd165a063ae261d322f4d00351ab18969aa838f72b9e356

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
324KB

MD5
a1406cb20c6756d8bd71a7ff5a773437

SHA1
9fa1d1564885c3bd0d5cd8816e923f42c4dcea37

SHA256
f4e1b8dc124bd1214630102e875d955c078268782547cb77502111d8e8742f1a

SHA512
4d341f7c93e5215c1377be3feb5ca1567b3b64c4bc70c9eb7cfcf1aba1923798309299c7ce8f0d0741183de21674fbf1b2c357b4471ff51bd45a69a976cb735c

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
324KB

MD5
669bc5a0a87d40570fb41585eaff74fb

SHA1
6390eb64e451bc5eb88b1e873c77a2c5ac5eeca7

SHA256
2c6040e948846a5a83ca3786fe204e058c4105efadef349d8991a289e5132da0

SHA512
01fd1908e3f95a9608e4a28b8dbc515a53259bc4e35ad5773bf995220b4fef8af08f08d09bc882a46310aaaa99d1bc166c25fc7de39ee86ebecd918ee6123d09

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
324KB

MD5
13985ac543dc01562cd6b0db7fce83f9

SHA1
bd5ced75036b694a0b5a88e809676cc41634d886

SHA256
5db91892e22ae22cf23e1623ab2d08d73e452de166d3861eeb3012ba8ab40dfe

SHA512
d944572432887e7d66e3407fbfbe996891e81a21cfd1d5214deceea0392629c423bbbd477710293f18c11af802b617153e890582dc54ade055adf7ed72a852d1

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
324KB

MD5
b6ee4be4554665fd07fa94e214956dae

SHA1
ebea2382997e49c2fe258085640c61eb3bc52810

SHA256
6092ee2798ec40cb3cdecbdd9ec381a88a116414d32898a5488472026d8911b6

SHA512
2b435e1ea49d477a1411efe2218d587dc66cb1c72444698593b7cf44c83a70ac3c67284cd5355f89ce48890a02d3e4277b2d6b608f75f95645fcc23a2297f3af

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
324KB

MD5
6eca8284c99ea650d861f09e167d03cb

SHA1
ed8f60b176772863ba39acfc232750461969ccca

SHA256
d4b5cb9811fcda14ae8876511d501811062bf3ec21fbb37c29cb7e00321d24bf

SHA512
42b08920f3d16ec5f96c7cdbc72c25857794343229a4ea7c7d46bc5eb5fea4f0f232395f64af3ccf99ef4a0fe5823d95b9e67c3823299b6b71abe6e40512f905

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
324KB

MD5
f6f07769fcfb887aeeeaa6f1259b51ee

SHA1
87e127016afdf1ffec6c59c71698695ee13339a4

SHA256
b2aaddc0e489eac31212f86deda4c1855466db52efecd1c195c6c1439df7f9bb

SHA512
f193260ff2e2a7e15867d3ff252d9b423b254862f1b1f652eb848db69c2255ddb7931631b53c0c07e655ac741611280bf149db2c1cb0103d5a3864aaebcb70cc

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
324KB

MD5
949014df64102f2879c3a9ebfc09278c

SHA1
932d9127cf1794276f9fd94a47f6c814e4e08598

SHA256
68d9502415aa41e894f5ce93518e1a23a53a11537bf8486a1d4561447d43668b

SHA512
a7dd0327ea16df168e67901d9b1d8a7ead96988ddc55ebefc5ccf0bdca977bf6ddbbc8200001a49c50d9eaae510717778b70a47f41a5d8a6ccab7469c0f32879

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
324KB

MD5
e1fcd40aca862ab832e31c30ba02003f

SHA1
31f9cc3ca35c998bda122f8223dadaa1cc9f2b5d

SHA256
7f64af422eefdee6a5065fe55b37e48b3eaa5168f1ebb0da7da3acdaa1502034

SHA512
a5a989d7c485be1d105c9b01d38cebe622ef02c627c20fe27a6c786fb6901c2b056bfe10bca61c98e48b753b1db17688184ce96b03fa243b0819a31ae92d16dd

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
324KB

MD5
0d01dd7ebcdf159e348bfe05436ee926

SHA1
a657cf933e05853be52c13519019186df896681e

SHA256
f796df45ea2a6b6f32e18a8f46b80e74d3bda5dfb7231a88dcdaac6d3eb5c86c

SHA512
ebb408f6ed139974055910f4c872fc805f53001fd12deb5aa8e5ad4866652fab1c763140d32d6a53db9d4a5a62737ffebb3e10b59a356cce7a282a2bcefc7f47

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
324KB

MD5
e7088ff7f230fce63830bdfaf6e5df0e

SHA1
727b4c921f92f5166d9d227be31997082d8a0c6c

SHA256
5618f08e28b86744794202b7715ce6594516a5029c1ebb137eaa7ce0d9169eb0

SHA512
adae5c17848bb4038d38df2178377b933c99e355a85aee0a9e7ee94562fe7b3f0604a6c1f6e054213caa74716211aa524a9d21e8b7d1df41128eb91e04796c58

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
324KB

MD5
a42d8ae1024b595f5d8681140a670434

SHA1
428554617aba0b6e7d4de408ce134d62800ce730

SHA256
ed31cb02ee8af3ed5bb4e90f9abab6d2bc391c1156e88f16dee43c04c28bea77

SHA512
f68de6875368371e6899d4f18075ed2c8c058c3adb72187574bfe7d4cd9e60475e2afa5c3c2263dfde160c9c3464f6d8d358ebb5e715d26eb655d5f6a387aad0

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
324KB

MD5
b5a9bed5ec71d3fe1e11ec089cbd887c

SHA1
0fb9bf56772ca735dff6be4e0f5123bb1b430ea9

SHA256
af67c75d5098495556831c288bc601abf70571a26f81ac0565f9d16f1f69bb28

SHA512
0ec2eeb81eebbbfed9092acbba023eb840555de52d1a76050bf140dd9e5f7d91d8c080fa762d5d45044f6989cf7fbaa17ee6d7502778732b73845f41aacfb514

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
324KB

MD5
c54b5633b32eaeaab551041b6e9ea8bc

SHA1
8ec2b262230b9dafc490f954b9d300c2665b9d88

SHA256
10330b4791237184161d9e30359a0aeef805889783a29a2f8a7c284d3dfcf93b

SHA512
e682e9652b127e12614e5b6d9b4e7b0a0d43a07ed122879a050093640ddabd2eb847363872bc9879960ad566ca719c46dd82b40a15f686581497d3c447242c25

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
324KB

MD5
0eb86714e424278d3c57254c7ac9b43e

SHA1
308b91a140f93237e49398e104f87ccdf0231d4a

SHA256
cb66b063be809ab7b3413ba322cf154404054c9c822888bde7b50eaa8513cd36

SHA512
ec0aed7260b1d3c84c050eb4d28d386c112bf45dbb8ed6e04049d361a5a7f40ff4e4ed08cca8c4c2a762c72b7a20eca19d98909a1897def1131ce723d255d21f

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
324KB

MD5
067b3fbb0cbde4c846edf75ef4c82db2

SHA1
f16a98439921eb26e6ef841e5f028bf7d35f426a

SHA256
f08bf47563ac76a4255d30c75504595c70c6c409a28965c9d7ddab7956157872

SHA512
3a19405048d75c18a435faefdb68e5041cef3274f2e41a11e94486eda427c73cee801c372f56777b198fe9c84860836032c254c04a5426b1c4dde0376c8749aa

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
324KB

MD5
99ad6ec850026c5c863c4091e885ec25

SHA1
e6f738a1de8d7115f4a59a43a3a3d4b72c1d3349

SHA256
d7a56e5bdaf4419359a472a8ba7d725837fe1e75df99f8fa6980e60c91f0ee7b

SHA512
c50588daaa340f20e963202e4a3c2e736274e791a1838415b01c12c7108f64f50b0ffae9e8ce3d1a4085b9ea955b01764bc9a68faff99cd3f4c7ea4e11c5e493

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
324KB

MD5
a35974a47ef70be0d3dd33cfbf552c13

SHA1
29df7c410f32c487279a5d65c8a3e52761ba6648

SHA256
a5d5843f1bcf950d557ec1e724e95b5a04e525fadbb1e3f703fb88af8e76ea4c

SHA512
e87869481ea7042da7d3613b976fafc1512a3760f2a458a5ed7565b8840eeb836cad464c3ecbac2e1d21cc0d64a65e1315dcd068ff9551cb2f01307cedd5f06d

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
324KB

MD5
3e47cefa4c244214e81cbf0d93552fd0

SHA1
8b5fe6776f362594d16ac6eef0728f94af81eecb

SHA256
d3477345511ad4ce2e3e83b214c06a5b1815a8c0cef54c616c7d4e3a9da38c05

SHA512
9b38457644e12be2fe39094a636545451f25f8064b80b396897a4b0f7ac2ddf444735a194ed99662501f5c47e5d79c3dc152f131dc27880b7fbd713cccf8206f

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
324KB

MD5
f50e451859e0b517c77677d7f164457b

SHA1
befe87da65f932df37966ffeda08867107474524

SHA256
4ab85afed30ae57dd5f9355d44c525da2eb497b10f9c4bf7074c7ac4d7483763

SHA512
b771e5df2c2feba1dcc0538a8d82f83240b876dbe316cf26dc495a84fb316f1372e557459d4f1998d14a8a0ec93fa5aaad8596198b900745f9a4295ec59499ec

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
324KB

MD5
c22390a20f9dbb879b06d5f745ddfeb3

SHA1
30f6f92900a1d29a9c9690e277cee2ecc3d6bc33

SHA256
c1e2f3cf1ba7942204d213f52c08ea17e3a7fd239e07b3ced69681689e8077c1

SHA512
6e838e1611501ba690ae3cdb2d5b5418a8a47e7a1954e1c27c777082d3aec3573697df4e0cec3701728eeff939e19240a7bc0a675758f51f68faa22629770c7a

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
324KB

MD5
af5e11a3e8374eb5812dfbfd602d301d

SHA1
98e9c4249e2b4671da21dd1c86293c0ff844e11d

SHA256
6d321619b7231a3b381d2985330b7ed131b0814271fe819499054cdeaf17deb7

SHA512
aa389ac6eda00f8eb2e1dfc0198b4e88d88ea2b5964c558bc23fac63bf755c2cf8b9504ccb454346a6623ce62bbdf899b974c70c3f664f85594ef9965d91fa32

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
324KB

MD5
086bd2a167ed98fe6add8047f4371449

SHA1
6eca2a7d2c41d26fdd1e455841f62064659f0cd4

SHA256
51f6ae92ef057d37a877dba740866081ef441e505693ed4f40f5ec5593c50b32

SHA512
eb0b3e5f6f409f2247d451cd6e51375d8a78920113e6f71364c5244805fef140f1178a04295e89d3e2885003b4a1e58a1b9cbf17eb1eda44a3ba04faae69582e

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
324KB

MD5
4bf2a2b48a8e91f3340947cd6870ea56

SHA1
3b45b6d6708d5d0ade46f8efa44744fc910e605d

SHA256
72f4eb56a28fb0f75420c7bdb896ba5d84ffb5e07ee0c855790cfcf408b48ce5

SHA512
89e3880fa402736b309e2768af4f95c4ea9403c000710559668a05e417ebf7de7f96df7a3915316f5a88e7859809d17ab45195c40c3d42833704021a91f46444

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
324KB

MD5
cd22022974e2149239cfbca52dc3c7a2

SHA1
e66acc903ec8739d77315159d085965aded700e5

SHA256
2c9c517ba529dbdef1b9eaebf89708d59d42258eb27b4a12fb3f936c9a1dca02

SHA512
a4e0490622e018fc474051fa1201205ca5afc619e53ba03cbf91568e6be6463306668578397d7efe8c95e4c71df5ea46d99460f387ced6bf60e28fff965041d3

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
324KB

MD5
914bba73daf571626ed663788e143d83

SHA1
ed3d14aff031ac413868bc0303fa2c0dda630e55

SHA256
66aedc9d7281d8d76813ee71416c66da6cc36e31c45e92e05b8e7ced84707ea0

SHA512
9564fcb2f8d4803c5fdd11a08703886dc5b8ff1c2a2227dfb3958bbc50bb63768d9e9be54e44bb76687cc9b82e58dcb8fb809d676dc7f6d4be452c302e3bd730

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
324KB

MD5
feb393f07f55e74a33404d960787699c

SHA1
25a97767bd37aeb2fd2ac6aef8b8f409164509df

SHA256
e5eb8ee80894b99efedb3c8fc315631bafa4d7de0a1e09ab06358b2d8df4a4c7

SHA512
b3f53615fe6efbe25e95c56495daa5845b1fa1a4b2b492454638a7e643430db9bdb3a237363809eacbfd4576fa2eca1402a04972d6ffbf877dadfdcf2e5bc5a2

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
324KB

MD5
b763b0dc77d6cb0db228811fab706ac1

SHA1
133407c247938f97f6d7076b861ddd37f74eaf1b

SHA256
3ae07a8ad10d55e1989e1d93e2566ca5d92949f949f134086b77a97e3fcdefa2

SHA512
c01573e9db29287e2189b1e0b290be349807140c1eb97a847ac66b28aad444e12319a8a133d100f54d1e148d5df0c87359606c3d0fd42126133ab59bca0b6e67

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
324KB

MD5
89d819b902eed7b66a88863aeec4a0f8

SHA1
958acefe80c096203066d278c5ae6d11f7549f08

SHA256
49d5373f934e969382327f1b634e5a0b62411e5f9b5fea56752e083589e19173

SHA512
2ebfdcf54ddbcf4aca36f158efd4ea6a574627cadb1714309f14fc27c67382881f86884a7aa6ce541476f8b30fa3f1b41b2cff4e8855ae2798c63f862940b1a8

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
324KB

MD5
25cf7a59972ab4813c59ecd6ae033c34

SHA1
efc31ee77bd122bd67139bd0f78af75d09aa53b6

SHA256
51c554cf60eac7d04ce3b70119422bb605bcc53ff2ac948706712c1a4abfe488

SHA512
a427c97cc19e313b902bb6a22b13142330bb0719b501d4a643fd7494bf413728a8fda98f5234f3bad191bdb82ce4f2d9ca80c57c3f874a00d7aa7f9269d12433

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
324KB

MD5
dc99b8ab73f07a04d733988ac363f90e

SHA1
120f321a863c0e31a9a947890f841c7bc5994e0d

SHA256
0b1e737275a6d0899aea0988251c48e87bb87cf6f52d4aafd52568cf86f28fd1

SHA512
293adc1728079d0bc8dbb229482c435889fdd0f2f6f20072e8f9def9ceee4a1090d7fe38c01cafbef16b556da8f2f6bad2f569e1dcfe2426ec145370a39bcf0b

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
324KB

MD5
e249ba3c12ec14be4a356dc93695dd33

SHA1
1ccac3e6a4f732e9aa9b8c20a59f172fa25feb15

SHA256
c486561aadd5a1678ab433d822cbd9f23abffee61bb8297baf1e7b5b61dc5e6f

SHA512
76e1a3b5d34b176abaa7aef75b75b892efc41ba810d1a19d7545b516c18bd117d048ba7c20f91403782f215529b6c34e8ab5930c0a7c7c826c02057efeb29eb3

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
324KB

MD5
f7a94c8759d10a709a597eaafed76746

SHA1
f6b1ed4341a9d1f629e4b284b77580665aa92bcf

SHA256
b59fe0ff2c41b4d9b633c8e3a1a2e41195c78d01a7dac46155f00518b2e96141

SHA512
09b84a37edea065322236094106ad3e259e4d33ca6129328db33f1a230021c1d7b7289bcc1c4cfc234a90d33ad39e0e96eaaf7ef35d1d2c21c639ed50dc4ddb3

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
324KB

MD5
8d9497f191e0b4d1b1920e5be7e76f04

SHA1
156707a323781998321f6c434511ef776f9a7b11

SHA256
24b49d29c8fe21439ac48cef02c4c9d62bb9ed5a04ae48581c2cf10068a6ed12

SHA512
cc9a4d14a8d18b0ed7bb2b1613754c97ee743cb2435acb5c3ba96b8ee2425b9ba7f564456e08a0fb68d3d2c72bffe69551d4f7f5c7b157590177dcd73d514f25

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
324KB

MD5
b1b2ea912860fd9df2fdfe298a8b707d

SHA1
312e61e24eadd5189a0f790d7b54d8cbc49c20e6

SHA256
8a01d5f591f9151b2fe92baed4c839b6acb87b0191ae0a7a2be03ff1fda3e893

SHA512
025226181fd55544bcfd75f220243f763fb631c8f6246c4ba360c778bd1289b009379f5019db03a864aa4644ef9693a2f51efcfaeac899508609d8fcc1467d17

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
324KB

MD5
5c1413e0dbab6e17d0b22c08e9980a3a

SHA1
9a98f2a6f1facacf663a4006a487b227c273d052

SHA256
3988b3dbe7015bafcfe3cbf021c7febd1287d9790eb666e28c1d36e68f12b7ae

SHA512
6c8c1f915d14034f022f2efe73cff5897d6422b8d1b75464c15bfd4f5c69628b153baade88ca855efc0d998cf0007b6421b1153459c502ce4ac034db60174c72

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
324KB

MD5
b0925a84cb5b31b07ecfe6626662ae06

SHA1
2bf3547a64da5ca0b03aa26e543e765eb795b810

SHA256
10b2b328734f797c91a6af0d284e2de9da19de6ba43faa4018824816bcb297b3

SHA512
7f9586ec459773bbcb8cc279b35608f17539f1750e7ea493798b589442a6a30d5fd79406b3a7d51fc8fd272f86d5c7499cb56bba04f3e61a15c3ef814c5cc71e

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
324KB

MD5
77f95a1f60230fc746cbb3a8c7dbde4d

SHA1
eb3767ec026f1275fa4158706ecaf4cb7e7d413b

SHA256
f4a2d83834fb9cc8b90acab7c839e1cb127f64ff9e710ada4c49befa60d1fae1

SHA512
0e9cbc66bfe5e701e52a7dc6f49d3728f3102691145830d7f6a964db2e67e83a86757f11c36903801f13a9b74c1afa77415d0266b2890354421d35da3e30d1d7

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
324KB

MD5
727a0b028ae92043ec70ca70542883c5

SHA1
b8d6d10e7e43040306676c60666234ba780392d7

SHA256
e857a90010008deaabf2b32c039a64b1d0a6315deccced6ea537ef2bc9b2fe0a

SHA512
7c388b3a6adfe7987746fd100a6f9a73274236d93162d70069f46ecff4b7b1084be6058eb2e9447ef30a20d0f488a4f76b1a3c916003cc4ac511421ddf7598e9

Download Submit
C:\Windows\SysWOW64\Namdcd32.dll

Filesize
7KB

MD5
5966756ef02f326f8eb1a8a04b18efb5

SHA1
1a6745297a48aa733ef50e063d450341b31136dc

SHA256
cafdc9a38de682418aea7914e6df8cb225207b1a9f20e1e6483338af76ec8fda

SHA512
5e34344ec0156104d93c25e4a14f767fab5aa1e5eeb5f8f53b872f0accd5f906856f8e490d5ea16d6dc61ed3728b1ea2dfdcced3289e6712eea7a51f051236f9

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
324KB

MD5
df11d7d780e6c641168e6ff4138d821e

SHA1
fe381ea172d14762d7f2265ad4de5a017233dfaa

SHA256
ff94a2fc88c047596d928ae3a31dcc95caf2cfe0993da088f8d4e457703f291f

SHA512
798325868f504742f7d633217339de276fce4bc739fb654d8bba837e5fa1965ddd1a31d700ab20a630b3ce6b73d84cc1a202c4ea08e38cc8ff89062fcbcaa663

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
324KB

MD5
db780caf89d8a8e4c5f837cb3b43af20

SHA1
3be9d5302ff4ba9ef6ffd7717d43f96ff1d70925

SHA256
40b5590227941ef298990eaaf4ca41cbbe2d343eeed0831a66ff142ddc2675a9

SHA512
9a22ad2ed716121ac15fc31d7a74e1bf44d9441accfbee1e0d39c7afcc9e6c6dd7971ff0d33dd680fe785fddd9b956f42d14cee7465c46a6028ed1acb039df77

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
324KB

MD5
ed884163ed77923ca0699da42e7775aa

SHA1
0990a1a1ec25024aa3bbe82b1fd53e8b0641520f

SHA256
bc46cd737c590faf593f211c88e9e2724cdac199b17e3f5b20e8f5ba1661f36b

SHA512
4d3d46a7ebacb19b0fa4b554925ab319469ed22788a984108e86241e7878801b77f699ba6bf11859516ce9b71f69f9566ba2c21efe1bbf787dff0b06574cfe5c

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
324KB

MD5
d2f11052c6115ef48084ff09ff338d20

SHA1
b964cf9ec648cab401c010d8b9dfa9a7dedddcf8

SHA256
6dfd8c033421abd421aeaf2a0f30bf2569a932a24a162d9071be245c3b0da446

SHA512
74b10c1c878bcd18d8bf8de8a700cff7302e685d96816970a48d128d8ae88f245ca869b8c8a2b9add85abac45e28ca2afef3daa828bceda01d03be35a78bf8cf

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
324KB

MD5
4293b0b14b7102e191130b27e5626cf8

SHA1
9808a5c5b260b1c4d0cee4f7ef2b143b73c9dad2

SHA256
d4cae8d21b8a3537e360d8c3c3121f66e9b996e7a26d9fdf704d967cc4668642

SHA512
c03e9d8a17080b919a542abb2326b23a674646e7c4538e7aa6d0b650a6adb695472dc6dc4d6a60448d5c8d59746741d384a2cde17022de958b562fd395c42218

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
324KB

MD5
25d45d07dc63966e8ea3130fbc2ddaf5

SHA1
f6fee757c41131652f2a04982921519342433ee6

SHA256
658c9ec2971d0842735d85c1b720bfb18f6357f0c86f21f0f13dd45b70340295

SHA512
62baeb0879dd0f98ccc58717fac2179a5041d247b3878f37b5fa246ea2b7c4d223baf831e62b1d4b48835d7d641aad92cb472909163a627acf357aca92c0bb80

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
324KB

MD5
a989121e58f4e62233c6286e91c32c4e

SHA1
77378e4e5c433b1a30efacc4061ecbd0ff425bf9

SHA256
121f5fd73add52faefc199c5f482179123eaf2a1edb0383fa25e8be41edef1ac

SHA512
aab37e47e6ebe97875e61b198753b07a221ff4e2d81e4eef30c2bff0f70857e7536a983e355b41032e33ed4071ee7e2401aa032f5be61677ced5a8a278e75e57

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
324KB

MD5
d6346802bc20e1cb4b5cb9c33dcf1173

SHA1
1d4f7584ef3882b004be4f7ef390b47230d5b0c8

SHA256
75c1ebab94eebaa73182e140764cfa0bd74768bd69823dea2c83f6a79889eec0

SHA512
7cd1ba5a7838265726f9ed03f1c1c0b77e8eae2a2c5e1554f895a9fa5d4d74eca117ba5938efc8a8b3e32ec88e9c7210f0bb69d23ebc715ca092c7d3b6819b41

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
324KB

MD5
bf6bba188dbf688ebc08a53b03b9ada0

SHA1
2d7a7bf6a927d9b28e85423f2a93d8b227e6156d

SHA256
6140a810c4979d8a9e6185516ae9fbc93438c14e8723670b727200dc25b1e623

SHA512
d3fe5fffafb53e6a8dab4242334e751808bfc8c04f1d46c310e9a91b4eb43a15fb96cbb68ce1a562ad00b81ce690ba4fe00d6353ca490bda438bc13c45950b1a

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
324KB

MD5
13cc6bc660d1a6df4f58124243cb2d5d

SHA1
2e7cf90e2bc29e5f9453dde5efe6089c9ddd81a4

SHA256
df8be65a22c12239d5fd94432eb8421f64673789b65ae5cccb9d9eed83d5d70d

SHA512
6748162e94d2cede9215b687545ea8543d04adfcf70f48232d5c26569e767ae544913bd5e3c1571fb3937e280f58e5d0da3d6fd741a2eb66f30da3c43e8a2c68

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
324KB

MD5
39f7985b4eaece9307a6c06eeafb557b

SHA1
bfc588aa3a0d675d7888173708304ca16abafff2

SHA256
41af691bf78d5c7cce2bec0537c74afa84011b796321a54ce51fce88d763ea99

SHA512
373c863234c0ea464f2686188811487251ce61fd84043c25dc190ca3e31197abe7d969e2ad38397c0a682d7dc1b1fdcc729d7ae50d6c4a9512f63ea1b2ba718c

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
324KB

MD5
346a1b69f7eded3ff5d3cc7ebca04d5d

SHA1
46785cafce934ac7c855bf3c53f18535f83a8c56

SHA256
5f48949ab82b71a5f888415569f7927864a22c1f33ad4dddd42d5d7ed83b5d03

SHA512
17b10d2fe437417706f94fa4b59d0be79ca95c8c8ca4c49a379e4c1c4ccdc0c902afb354df2240aa4818fb322c91e0c55f958ccc6c1cac1ac76647898c611c13

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
324KB

MD5
0dd92f70b63173ed144d77cc6bb14447

SHA1
c43c24402462dd601830f093e5b3a75155dda6c9

SHA256
7eab91c3ea2b6dcd93a4665219c473ef5a1bec3bb31366a3efa45e46c98c0191

SHA512
17797607ac55a2ea0c8405767cfb0085d212c8bc9e81b7aed7c620ec5bbf1b39ebc1bea75c24cd0663570edd1494af3ba02911d4a7ed2097e4410816d82dfe78

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
324KB

MD5
e890713d7634b45a2e1906e8e87f9d66

SHA1
4229d80c6e2e51961e62d7702897cc99844b0f03

SHA256
c6ec406e9e6e813f22f50d7a1657180229478049016c68db7ca878d918a7aa9d

SHA512
bca2fa3e34c0cf6a3bac4a9b270f542098706d3883e67713fa6097afd5f1bb5c7d5477528915094df6682ada57e0e3240e5e1d0b1640bd108956e986b307019a

Download Submit
memory/116-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/208-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/832-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/832-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/948-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/996-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1056-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1076-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1256-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1256-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1428-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1904-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3304-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3304-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3568-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3592-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3660-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4208-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4320-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4644-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4644-848-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads