berbew | 0b2cb97765cb6b19fa4f622b5df37a50aaf907078b40d781f375c9b5382a2fe9

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2024, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b2cb97765cb6b19fa4f622b5df37a50aaf907078b40d781f375c9b5382a2fe9N.exe
Size

552KB
MD5

f2f2bdb1eed6b358b73740bf23c7ca90
SHA1

d51bbdb174f04dbc1d1949567d75aa7d0c11498e
SHA256

0b2cb97765cb6b19fa4f622b5df37a50aaf907078b40d781f375c9b5382a2fe9
SHA512

4b8156b600f97729e30b16d2e27030fd031399ce4edd7968e20d33c1ead7319f52c15964e731ecf211ffc3381927d829ff9ee674660c4e2f619b90542a0609b2
SSDEEP

6144:9/PIXhZoTrk7h8SeNpgdyuH1lZfRo0V8JcgE+ezpg1xrloBNTNxaaqX:JPIDoT4N87g7/VycgE81lgxaa8

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0b2cb97765cb6b19fa4f622b5df37a50aaf907078b40d781f375c9b5382a2fe9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqknig32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4580	Lffhfh32.exe
4176	Llcpoo32.exe
960	Ldjhpl32.exe
3424	Lfhdlh32.exe
1340	Liimncmf.exe
1816	Lepncd32.exe
996	Lbdolh32.exe
3544	Lebkhc32.exe
4152	Mgagbf32.exe
1084	Mpjlklok.exe
3260	Mibpda32.exe
2328	Meiaib32.exe
2768	Mdjagjco.exe
1444	Melnob32.exe
3300	Mgkjhe32.exe
4244	Npcoakfp.exe
348	Nilcjp32.exe
1740	Ncdgcf32.exe
2976	Nnjlpo32.exe
3728	Neeqea32.exe
3316	Npjebj32.exe
3780	Ncianepl.exe
668	Nlaegk32.exe
2684	Nfjjppmm.exe
2244	Odkjng32.exe
4992	Oncofm32.exe
1488	Ocpgod32.exe
4588	Ojjolnaq.exe
4476	Ognpebpj.exe
4388	Olkhmi32.exe
3988	Odapnf32.exe
4844	Onjegled.exe
2656	Oddmdf32.exe
1780	Ofeilobp.exe
1812	Pnlaml32.exe
4936	Pqknig32.exe
392	Pgefeajb.exe
2892	Pjcbbmif.exe
1804	Pmannhhj.exe
1592	Pclgkb32.exe
4760	Pfjcgn32.exe
4572	Pmdkch32.exe
2408	Pqpgdfnp.exe
684	Pcncpbmd.exe
4912	Pjhlml32.exe
4496	Pmfhig32.exe
2120	Pfolbmje.exe
2456	Pcbmka32.exe
656	Pjmehkqk.exe
688	Qqfmde32.exe
4348	Qceiaa32.exe
2948	Qfcfml32.exe
4828	Qmmnjfnl.exe
1160	Qddfkd32.exe
1376	Qffbbldm.exe
2972	Ajanck32.exe
2592	Adgbpc32.exe
1412	Ageolo32.exe
4896	Anogiicl.exe
1020	Aqncedbp.exe
608	Agglboim.exe
1604	Anadoi32.exe
624	Aeklkchg.exe
3516	Ajhddjfn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Ldjhpl32.exe	Llcpoo32.exe
File opened for modification	C:\Windows\SysWOW64\Lbdolh32.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Lebkhc32.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pqknig32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Neeqea32.exe	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Chagok32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5156	6068	WerFault.exe	201

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0b2cb97765cb6b19fa4f622b5df37a50aaf907078b40d781f375c9b5382a2fe9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	0b2cb97765cb6b19fa4f622b5df37a50aaf907078b40d781f375c9b5382a2fe9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madnnmem.dll"	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oolpjdob.dll"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojlbcgp.dll"	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeklkchg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 4580	2572	0b2cb97765cb6b19fa4f622b5df37a50aaf907078b40d781f375c9b5382a2fe9N.exe	83
PID 2572 wrote to memory of 4580	2572	0b2cb97765cb6b19fa4f622b5df37a50aaf907078b40d781f375c9b5382a2fe9N.exe	83
PID 2572 wrote to memory of 4580	2572	0b2cb97765cb6b19fa4f622b5df37a50aaf907078b40d781f375c9b5382a2fe9N.exe	83
PID 4580 wrote to memory of 4176	4580	Lffhfh32.exe	84
PID 4580 wrote to memory of 4176	4580	Lffhfh32.exe	84
PID 4580 wrote to memory of 4176	4580	Lffhfh32.exe	84
PID 4176 wrote to memory of 960	4176	Llcpoo32.exe	85
PID 4176 wrote to memory of 960	4176	Llcpoo32.exe	85
PID 4176 wrote to memory of 960	4176	Llcpoo32.exe	85
PID 960 wrote to memory of 3424	960	Ldjhpl32.exe	86
PID 960 wrote to memory of 3424	960	Ldjhpl32.exe	86
PID 960 wrote to memory of 3424	960	Ldjhpl32.exe	86
PID 3424 wrote to memory of 1340	3424	Lfhdlh32.exe	89
PID 3424 wrote to memory of 1340	3424	Lfhdlh32.exe	89
PID 3424 wrote to memory of 1340	3424	Lfhdlh32.exe	89
PID 1340 wrote to memory of 1816	1340	Liimncmf.exe	90
PID 1340 wrote to memory of 1816	1340	Liimncmf.exe	90
PID 1340 wrote to memory of 1816	1340	Liimncmf.exe	90
PID 1816 wrote to memory of 996	1816	Lepncd32.exe	91
PID 1816 wrote to memory of 996	1816	Lepncd32.exe	91
PID 1816 wrote to memory of 996	1816	Lepncd32.exe	91
PID 996 wrote to memory of 3544	996	Lbdolh32.exe	93
PID 996 wrote to memory of 3544	996	Lbdolh32.exe	93
PID 996 wrote to memory of 3544	996	Lbdolh32.exe	93
PID 3544 wrote to memory of 4152	3544	Lebkhc32.exe	94
PID 3544 wrote to memory of 4152	3544	Lebkhc32.exe	94
PID 3544 wrote to memory of 4152	3544	Lebkhc32.exe	94
PID 4152 wrote to memory of 1084	4152	Mgagbf32.exe	95
PID 4152 wrote to memory of 1084	4152	Mgagbf32.exe	95
PID 4152 wrote to memory of 1084	4152	Mgagbf32.exe	95
PID 1084 wrote to memory of 3260	1084	Mpjlklok.exe	96
PID 1084 wrote to memory of 3260	1084	Mpjlklok.exe	96
PID 1084 wrote to memory of 3260	1084	Mpjlklok.exe	96
PID 3260 wrote to memory of 2328	3260	Mibpda32.exe	97
PID 3260 wrote to memory of 2328	3260	Mibpda32.exe	97
PID 3260 wrote to memory of 2328	3260	Mibpda32.exe	97
PID 2328 wrote to memory of 2768	2328	Meiaib32.exe	98
PID 2328 wrote to memory of 2768	2328	Meiaib32.exe	98
PID 2328 wrote to memory of 2768	2328	Meiaib32.exe	98
PID 2768 wrote to memory of 1444	2768	Mdjagjco.exe	99
PID 2768 wrote to memory of 1444	2768	Mdjagjco.exe	99
PID 2768 wrote to memory of 1444	2768	Mdjagjco.exe	99
PID 1444 wrote to memory of 3300	1444	Melnob32.exe	100
PID 1444 wrote to memory of 3300	1444	Melnob32.exe	100
PID 1444 wrote to memory of 3300	1444	Melnob32.exe	100
PID 3300 wrote to memory of 4244	3300	Mgkjhe32.exe	101
PID 3300 wrote to memory of 4244	3300	Mgkjhe32.exe	101
PID 3300 wrote to memory of 4244	3300	Mgkjhe32.exe	101
PID 4244 wrote to memory of 348	4244	Npcoakfp.exe	102
PID 4244 wrote to memory of 348	4244	Npcoakfp.exe	102
PID 4244 wrote to memory of 348	4244	Npcoakfp.exe	102
PID 348 wrote to memory of 1740	348	Nilcjp32.exe	103
PID 348 wrote to memory of 1740	348	Nilcjp32.exe	103
PID 348 wrote to memory of 1740	348	Nilcjp32.exe	103
PID 1740 wrote to memory of 2976	1740	Ncdgcf32.exe	104
PID 1740 wrote to memory of 2976	1740	Ncdgcf32.exe	104
PID 1740 wrote to memory of 2976	1740	Ncdgcf32.exe	104
PID 2976 wrote to memory of 3728	2976	Nnjlpo32.exe	105
PID 2976 wrote to memory of 3728	2976	Nnjlpo32.exe	105
PID 2976 wrote to memory of 3728	2976	Nnjlpo32.exe	105
PID 3728 wrote to memory of 3316	3728	Neeqea32.exe	106
PID 3728 wrote to memory of 3316	3728	Neeqea32.exe	106
PID 3728 wrote to memory of 3316	3728	Neeqea32.exe	106
PID 3316 wrote to memory of 3780	3316	Npjebj32.exe	107

C:\Users\Admin\AppData\Local\Temp\0b2cb97765cb6b19fa4f622b5df37a50aaf907078b40d781f375c9b5382a2fe9N.exe
"C:\Users\Admin\AppData\Local\Temp\0b2cb97765cb6b19fa4f622b5df37a50aaf907078b40d781f375c9b5382a2fe9N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\Lffhfh32.exe
  C:\Windows\system32\Lffhfh32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\SysWOW64\Llcpoo32.exe
    C:\Windows\system32\Llcpoo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\SysWOW64\Ldjhpl32.exe
      C:\Windows\system32\Ldjhpl32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:960
    - - C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3424
      - C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3780
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        27⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        41⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        48⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:656
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        53⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        55⤵
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        61⤵
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:608
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        66⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        76⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        82⤵
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        84⤵
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        92⤵
        
        PID:640
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:32
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        100⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        102⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        106⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        111⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        114⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        115⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        116⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6068 -s 420
        118⤵
        Program crash
        
        PID:5156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6068 -ip 6068
1⤵
PID:6136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
552KB

MD5
eb218d725753e9ff5133b0312e78b91d

SHA1
c47b0cef68f4623c426b19992d28acc13d999aad

SHA256
3975638221cfa9c1d0e2cf86f1702e088614e289b44aed1e6986cac012c3171d

SHA512
c6a504f54b9713206eb659ac3a363218cccc6434d88378bcfa751cb8b36f94a752356e7ccd09d929735a94694580dad7ac74c22849757411429298cccc5c0272

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
552KB

MD5
cb098ff28f6af7f90fdc188c35bce876

SHA1
0fa5bf2dfb8de9a6a97e4afe6422d3dfdc9737eb

SHA256
e761ed63125d110d88db59412110eb90b946ea2e6572ed178e72341ba933bea8

SHA512
c03c21fd4ae059a69724129924d3e0fc518257e260473145b321f58c2128cda785983853909a5dd6ebde1c3f9ea28c83ec5d7069e116009c232b2e4d6a06d6b0

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
552KB

MD5
0ea97c02281fd03db2e152bd2083fd6a

SHA1
ef7246b84f89224235bedb55eab62f1932563822

SHA256
bebb459154dd6bde6c46f8ef751096f61acb66d82c8ba39266b9a9e9059981bc

SHA512
388959f98837cb88867efdcfb78b519e3cdfefabd0eb495a8615a40da2dcb0d8276285bba1ddf64c3f83f2c8ede366c4cf925ae40303332f2153fd3873e24db6

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
552KB

MD5
60cba062c4595a546e7b99c802723938

SHA1
1f22a70c9f35ca1812be81e87b7ab9f9266f382b

SHA256
dd0524d7b6d413c239e2f15b2295b6850b42640efcef095f91346812269102aa

SHA512
6a7bb7610b6e6d9fb3af7104f5441a72f6c2779c231f07f1e5ac72277fc89882534cdaccc37d50dde7fe0a4a08c7ead7ddd4960ba81aac782b473b5c1197cb9b

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
552KB

MD5
352d5b7d0ed44bb03414fdc61a6996df

SHA1
4127c36a68a809a92a06968bb2439daa3081fd8a

SHA256
2db14575598d043b1a2d8f82f84c27d469c33755d3bae356ca5888a007f5d903

SHA512
92dfdb571166a8aa8a6fd9ac46b8f13463ff6aa0a66f88db8ff6ea2f7b65594dd42654bc3cc56d71b1863cdc20630125fddf52d937754dab49932c94b9aeb1be

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
552KB

MD5
225fb0f31151775d4b87b9bb73c284ea

SHA1
a5e6396a50af7eea664c6d249d6a8ab7b5b12bf8

SHA256
39b61c85d3a0e573f68514dbfd220136c6290d115584c041622039976871d1b8

SHA512
0f21ce4f04d4b70f58babca6a5f1fe0dbeda1942e300e753737490bef71bed7b20d2e53a59ddc22c09ba4ec183d9b99cf5113763536a210663ee5e19f9bf07e1

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
552KB

MD5
7fb4217070da6e21e690bcb1befb0df3

SHA1
29207718ce49169d44e02aa563d9f77db3f74082

SHA256
26ccbc4b0cfb28d28fd40bee7720273874410bcadf4d540081522756be2cb0af

SHA512
dae905ff9d1a2e0817909eabd9d8b44a06d08eeade31ea4db123905631e7e51d023991ba6cf5b41e96c5a0c7b21c78d31abdd49f0d7cab46c3784e42e8b2231e

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
552KB

MD5
a8c325422df652f38d358fdb25734213

SHA1
0a3702ddbaf960cb70dd87c03752f555ec17b91b

SHA256
ad925927a0e6a13e084d92dd08480cf5f04a21cb3f6f8056e0c646a0002e7962

SHA512
b5ad9e9e9cf0b87c8fee786132b57da272f409dfe88cd5c885f71dd5475d4e0cf2eb4da32b20911b5e2d97190bfd6009532b12acbbaea2448f5806143be6b2e3

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
552KB

MD5
d5c958168d448e5dcca813393729027a

SHA1
64d0e011a07aa0bf48cdbc8cd273a6e00ea8a317

SHA256
e59aca92a713239b23e9023c687eea9b41d8a2a31f32e90d9d974eea7148ca88

SHA512
e42e3d1f2639cec997de6b9514f3529274cd7e42973b730f0c6b5aa630218af4795d91c8b17352a9456594d5550dd8b032f624324058c57b36fadc4ce6a97c14

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
552KB

MD5
f9d5003427b145f688a640052f98fd8f

SHA1
8cb662a45bffdfcde45f56599f5f41000cb6f29b

SHA256
9f0b8fbafb951923e152a110e4156fd4ae61d0660636fea725e4c516ce6a1b6d

SHA512
6fa3482b0bcfdc6b9768a611c656a215bf4d74997e5e6704f709d64e2f10498211731900d55495817feaa05972f5fd8037d75519c1f238c7c46382fbb239fed3

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
552KB

MD5
21f98160146f3d539bdb8b286cb3e062

SHA1
cfbff67963196d9fef88556c289cb4191b94528f

SHA256
1e11af32242c8cc44a4e33e19630afc247905df4ccfe0de3256c1b840427b14a

SHA512
e331f2715723814b7d5aa0ffe628206e396d30f69b71f62b11486e18ff04862aec5185409ec5643b6d1e1b15d1b852e6f04e28d25dfad5c7b8a07f5f7fbd5978

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
552KB

MD5
f650a711986b8282709057e417c08035

SHA1
9b197bd1a3bfd4b3bc24a02a850b7aa86d5b8968

SHA256
45bd60d4d7cf93674c1e239413e4b2237a8728838f3be2d84f204bf0a91f431b

SHA512
cff99c7cbe9931dd045966bcb3cd5673b43415316c12a3da7bd87d3e7954bffa684e9429fae50de774c99bb0774aebb84987158b5ce6ba42a6df351ddb2d5465

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
552KB

MD5
9195a4be6f70e31992074926454763e4

SHA1
9cc1fa0e4d00a6172e9581950dd208326921742a

SHA256
d96ce8394b226bbec6eb497cda5937384c384b76ba69b8484405405a93edf5fb

SHA512
476ad3ff92eb075fc79c70c272b98a34d108189f3a9261e25cdec5eaa95e44540feeb3a818c3e4011264b939729048e2b8628a4fe8d126a026f2bc6539050410

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
552KB

MD5
92740b7b9cfdcf3275dda945214ba66f

SHA1
b6c2310024de87a412cd2583fe39b2542e9b5350

SHA256
de1f4d378ea8e0414dd6403bd15298fdd662d9fac833fd36783c4adfd81deb61

SHA512
a1c93aac8629f9f7b35c4d09c54ccf4e49d604c1c0998181c43688753f88d8ee47b6b290038a274426728618b62ce60e2aa4b4d5a0dcb22ccf70339327eb51a9

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
552KB

MD5
e8113d8a7a74837314870a2544c7ce7f

SHA1
1f7432bd8d290d8175f09ec3243594c8e8580668

SHA256
1419371c471ba3ca0d3b9531f4dfccc8266e540831cf6456a5298a21063bd3a5

SHA512
afa49188044aa3a357c01af900f98df2b062fb00ce229138a398ca39940c9a7b818cf5b557743c8643c7a1161d18e057e73ee893210805bd8212cfbe8b3f51c2

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
552KB

MD5
9375b92f4917b7b774d8761009dae743

SHA1
9bb5e8fad4fa8124308594362cdf1024633d03ec

SHA256
57b0f0c15613cd9fba1bbaec9b4ab4d6cf41dc3dfd0b5915ea6eb95a27db2213

SHA512
0e131a9fe7ba5df342f161d9cac5fcc146b9edcea56dbe6924a2052a7382596212fd6c5bfb4cc88854868a6a509cc13ddd8972ee8281fe3883851ebea0c3c62a

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
552KB

MD5
e5cd600bce330423d9fb94407f0a636b

SHA1
9cd2509a356f325231cb7a54caffac1e9a00b6b8

SHA256
3374b3d25948bb9fd98edc264e7fa9172a193cc124b6ac3a63ce04ec45b1b85b

SHA512
72919551d748d61e0c0607498979dccc7541059fdd1b42db674c9e0b6ead6e8252dc419629a76414cf66eda4d376fa5fbacf54050acf948943fbba11e36badf6

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
552KB

MD5
852b70dd8d92848cc5c988f3713365d4

SHA1
80871bfe75677a638f2d1b84d1b35e77ef0d20db

SHA256
0dff75b17d0627c09d4a4a52bad46cc9cd9a9489b50439643cf9565289ad0148

SHA512
354bb04ba0be1d512b868a199fc03ae6f3abcf7535ff89fbc50297ba1534a35aa586671f19c4c39dfa29a06ba06b7987733370f1ef64a1422fec7591f0ea0e54

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
552KB

MD5
c13c56654cc0c3178cf8339cec2cf9b6

SHA1
887ad57736eaccc4e1570266e602fbe4c77b7756

SHA256
56f4cf609f57f49a573160c6af39620bf55622e66d6700731e942a6a7ccfd556

SHA512
b6a29bc19d2141f83ae2ce541c6cf74c5f37c1776d1983abcc80767860362959ad1c0dcbfdd5182daeaf434de2adda3ffacc8b5fb959ca81993be00cb825cadc

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
552KB

MD5
6d503c2543827e0b38388375633ad295

SHA1
feef582acbe17770dd799eab69383ee377ae4f5f

SHA256
a069b358b0d08a417a1a7f2044617809428d1918579ebfa1caccacf662005363

SHA512
138939779657b62e960b9adb303047f899b4f6f9d82b25b9444c5e5b15593756be463f9dc24de1072f88fd24a479651e3f3770645a947bf8e0ab409cf735116a

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
552KB

MD5
d305ab6e7fd280e3779b3490da04c3f0

SHA1
c708fff0358b20a843fdac28ba6a7b09d13db16d

SHA256
30ec5d75218756063e880e3a19ca5a039948136380a124bf7df43135b0aed1e1

SHA512
f6aa2fae3706698ff8e39f26ab192e73bd934dc25ebfbb9f6d156e4e4a12cd59735958ae10f8d264300edf414b60979e937bd15bb26469d6d94992338a44f973

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
552KB

MD5
5b6da66943bd04f591c7eaf3caf8b07d

SHA1
ef354d1e828867df063633a2dde970157d914561

SHA256
05c2183230cd76d3a09ff2e0af2eb25ac06318ef7d0511c49ebe3de8abdec019

SHA512
9f2ab7b80eebb6d08a402469599b2137429eaf1da1c8be3f9fdc40c290f3c49828ebbd0f58c69157ec8dc4f8f3474ec5ca8ed3c61731e2f4b456f36585845513

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
552KB

MD5
852b7e06e61be93cafb08909ec98fb61

SHA1
a31b60bd868239aaa28d21b1e6971ae6c6ddbae1

SHA256
0081c0f9b9e6a97d1eefd0b24f07eb86e0f091e41d86899d84a4a775f6bcc997

SHA512
93b5bc3127fef989e2b0ec890ddad1ea020d65d8bb9a601e4c027df49dd1c2d8448e45ce9d7515adce20348ff9a2259fa591fe2b1ea9f5cffb02d628ca7afb85

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
552KB

MD5
7479cac987a408cb3fa8340a66098d87

SHA1
e11a86034380cc46c804b0b63532520628e75dbb

SHA256
47f730095098fe825163efb43a6c1e75346df292010d59acdb20e518355c71ea

SHA512
0cfd43d2b72d5be08741285564aad7d71bbc9d77b071a126d77e192de93671edb3ddff0731312c48965c23074cdf3518f643a1a9a3d23807e364acd7e18003a4

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
552KB

MD5
61c9565e639396592f0747a5e1bebde3

SHA1
05de139930c964da3cb785e7b3a1a3e884ca348e

SHA256
b8f0c9e44133343ee374f5af337af7871a26a391cb8ed21540764d293cd9ab84

SHA512
7211c03da72ce5d2f7939f697bcae64c39e1f2c6716cddf6453a2d4b8b317002737208d4d13b7a1dfbd6d8f65cbfe1f35dba89a5cddbf34cdbe79a287a093cee

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
552KB

MD5
e6c2c256ff2bc1ccd20f48f515673a6f

SHA1
9885ed754d784e0a0b5feeecb88c7035233253c4

SHA256
be4ac478cdea6f48c71d4d7badd3573b97b2bb0729d5f8cb35fd44d2fb3503f9

SHA512
a7cf02c063302c4bd51712b1639c480e6c71bc9f88469db61afcac85421cbf0deb2e164677c49611f04be98d1f5d4fb7a4c725b9a88c9c649727bc1be0808ea9

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
552KB

MD5
e77c8d75a5f4479e32ebdf516586140c

SHA1
e875456e7bf1e0fc4f60139467b7a6819f249979

SHA256
eea51f65360a654de8b2cbef0978f17293f3ea316574e78cb6eb794cab6d8853

SHA512
3c01c1873345ac0ef3be7270c8b02f850a39afd152fc17a4a62f8a361fc2ca8313fc6f8eac7a3a8cb85fccaac30c345e964ab2a8f695bd853aebe9f49fa5f77d

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
552KB

MD5
e8d2e098a7691d8d38a4b6a68b49ae22

SHA1
f7984f6e8ed46ec965ea622b0738eeea8e5dbdba

SHA256
689316bf700124208ee3832131e7d62909e22bc0dacca050e6f05226068aa624

SHA512
00f4182178acbabf174de84915d79bbd3e54e2217fb48477f209fd0116e49580fe9d7234139addca0f696e990462eb3695be1cf930db4053a81868ecb5916b88

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
552KB

MD5
153985158d41e044c3bb658fb479e01a

SHA1
3ad28e36216a8d943e2a7b9f41512b44268e4cf4

SHA256
474b2f1364eb8fb5b5b72ccf3d6b1969c284b387b9370df24c804beefa7c92c3

SHA512
05db9b4590434c16d4327a6a4fa68db6ef5911f8ff7ac699d49c3878ebe0a0efbd031983b535f08d8fbec6109559c68c2e7c3e32642d54df2f9654012041dab2

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
552KB

MD5
2f8ff0bfec5542302381d3c507947f6d

SHA1
887b5248451c96cdbecd84aa3484219dd1ee4d9c

SHA256
c524529bc1e9532005ecdaef330fa069827bc52ffbbb55ab37b90219a6cf1080

SHA512
350340dd03d0f735ac8039934e4538a872db3e4d7adeecf70d5bf0e6b18648e1b19f2ce8dbd2853deb38a4a7ef7278254377563945fdfa56d6456ade434020c8

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
552KB

MD5
41b901db85dff349acb06925215e8d53

SHA1
6db19526bfe66320f3c13db2ea9a724849045bff

SHA256
f8ccd27b67f78d9fa23d2542e8ae0c9141396ac7068117c56e5e08f897f41130

SHA512
ce7f7633b17c163174d0654c8428f24af8627966a13b267693bb6e9c3b44bc13f032560ddfd69d7c08faa0552807a28ffb5004631da474dc6301137375e32e9d

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
552KB

MD5
20bac8ea8e52bd3fc316b16785e55f60

SHA1
e28e225bc89066e25b8fe37c5a367f5dedd23e9e

SHA256
2a1fc1b43e619b8173ea9c9990286528c0343d89514a94230252917c27a1b75b

SHA512
c14ffa653bfa3349f9432fa1d2ebd2aa27a8ab2c32e55308f22530030484d588ddeb41cb18e9b9145a303d79fc33c23d4c67242747b118d66b5ea4a728cb5ab9

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
552KB

MD5
4098d8257329612a3e7698f1ec3bd1bb

SHA1
d1382383e15bc42c2c2a753013a5afcfc6c9009b

SHA256
78b297e943491ff72372891752e677bcff397df43797a8b9a5b1840c3ca2bf99

SHA512
777d860655a2e53f686cdcc6a4ea10619cf5f1a7d7760107e31b3a2103cca30208adc6b0d85117215acac68ec51a907c5fcdf7e8a087ab900a8f8bebdb397594

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
552KB

MD5
0b39358c387fed35dbd041d61e758799

SHA1
625c9240a7f68d030be2ed2ea9e09888e6c9d561

SHA256
9f67cfde75087b54c5f95a30f2a4d19b00a5c289d6b8a45ecfef270a7d1ee6e8

SHA512
dfa56de407f1bc78266cd778d06e8f1b2845b8c46b4519c8f398fab8533438a28db5281f5d04a7ed3efeae1004e805da381e1b0e84185ec172618a15f7cade36

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
552KB

MD5
582ca2b07bbce8695e62e5e6f94424f2

SHA1
e32c5e6aa58a261bf3519936db38fd54b7d596a7

SHA256
ea7c431eaa61c9a72ce84650ac9749fc4136e837e32a88957c42329306f92a54

SHA512
a719a7b0d3fb38de5e977885fb1ab761651d5a4f2243f0e8cf9920ecfd3ace9ab09bcc17d1f2d8693d03abdb62df8df71b870a7d39b7c8d04087548bb0556445

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
552KB

MD5
f58517023ae64c4ff571f057c5a00763

SHA1
aff00243a1b9e90ffdaaa89a998c3c95281cd6ec

SHA256
5621d53b110eadd5e1615dcc208d469cdfe4b4892b7d6300070aae51d78ed031

SHA512
1ea434f9ac8dde45a6d43c70663adaacecae28261612222791d51f8917245ea5620602aa5684a0c00b167573fd9eb258dceb5d941c16c7125d106a8f8a33665a

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
552KB

MD5
75106260fcdcb435391be94ffd04112a

SHA1
c1b0656cab8fc3b0bdf38eeb3ddd6804e84c618e

SHA256
a2f17315a4f6b7716b542acc4214fdfaa909e6a592cdc50d0a1cbbe87b27f0d5

SHA512
0cc50aa9c076c59fe71ddb2946afa9568ffb7276b243d01fd28113ff77a0b8c3e2c8c172da33035363716ea6b04cd25b9c97cbd9241f3f337ba4f0bd33f6be86

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
552KB

MD5
3d9c863868b218866f22d00aa2150431

SHA1
e3f5b2e565b715d92d54142cc0ca89894cad6ab1

SHA256
25b1ab19ea688f922371bfca5c9ee678a5425f42a5d8abc53aad13db5532133e

SHA512
51e8598bb02b27b9cbec25d174205e07cde5164e65e67f9ea74d548430e900812353fc801ab8fc0b0f6bf85ee4e4b46017d4b944bd5a564e84b3970645195a33

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
552KB

MD5
e9383ca981f30fdadc6857a6c25c2751

SHA1
84d0ce5cbc3d950f11e6bab439160363b49cad27

SHA256
87fd20e12548b3dadb02418813aa7a7c9e53e04371925da38f61c413711c0aa9

SHA512
438f912a86d91c32275f29a6f36853f4868df696611473585d8aeb43c5ae02c1dcf91e592d39964bf32924806324cb3f2e5b85f0a81341f12ca51afa372fe87c

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
320KB

MD5
f6eb084219b2b92d454161e576a1026e

SHA1
177d24b6b2b7688d22cb272c268ba72f7c6e3548

SHA256
3f58dce4f415b02a1101c0abad5e1ae8efdf3706f4b36cac27d19749b1e83f6d

SHA512
7f7a5027d5c6f00be9c639402a698cd39b547480b81c84a808af164cf134ca64349fc6ed0537a1388f2d1aeb1706f4020190d057d94be7c9c936d0cb04d05d4b

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
552KB

MD5
5765a2ed0c4c179bea6f008964fbf913

SHA1
2d2ae0aa6ce250658b11ae33dc423d792a36126a

SHA256
558599ce887198f937601fbbddad2216025997f6676ce249ad3ffd0664c1d47c

SHA512
0a5bc8951f5704b7e95553a6ea4b8c62c0ab82be77863e063dcdb699dadfcb91bec17c8a3e6ddf83a72cbd4bbee4ff480d56dca069bc3245a29e5c7102b6778b

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
552KB

MD5
27c515a6d524d9f32f3e1bc65506cba5

SHA1
edbaec6ff5145b0614ad1bfcc253e46207ceabde

SHA256
8c77d74ce6dd8a067dc63332b0d5ea9b89bd9de2320b49dc80d61ef65fe9b932

SHA512
30dd23bfdf2880fa76dc334a09c4ec8152cbbd5d09d872ff2b8e1a38dee327b1da8fc71ede94bc8b2162d0115d1edc17a05a84b3e6ba4b7ca3d067ae31119873

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
552KB

MD5
7801baf6962e74cc0ada5f7cd4048431

SHA1
9d6e873d65299bfcfec76ba64d2798b816d8c4f6

SHA256
88eaa89f644e32ba56caff3f2d57b50679f6c287bc6154035782842c5db2386d

SHA512
5c64ffb4a6f13a8808844bd18378753fd76d36e8ed597965f6d3443afbd76a824e038bc3aab6b6b22ef60d6741e63aeefffcb40fb584258025301376b8bc6375

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
552KB

MD5
77f4e71dfed4056428af85b87767e5cd

SHA1
2de7eae81aa8efa9868d9fe41c2964bf19eafc6d

SHA256
862f1489fffdfb1fd9c1cf0906d51341047d9f75799d26dbe73b2447aeb11e6f

SHA512
42cfe2004f0151aa46549ce1b245bf69079d72fa451c0243f1c4768a8a6f0b24fd546f3182b246722853d5839f85992fa92b51e6c1b4107aa88a9f86ff4e7447

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
552KB

MD5
ea6909145805e442c85a3db1ce01a1f4

SHA1
1c92d6b04dd955da4d15fa3ca8174dc72800d71f

SHA256
76ddb5ec16b6a88ad726eb4d146d7e234d00b620f5a88b4a14339ed7a8e960e0

SHA512
ad2ba20215b82d4610a1489b8d5d9dd26eb74d961b9b9ebddde75b9cd11478f7b7fc1ba513f9e2f973744d3a150810ca8e011bedf99b4be0d8a24eaeed96e575

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
552KB

MD5
12eedb44aa6f56fad7b78081d4a3c43e

SHA1
a244b90a4572bf0bac8abd975f58b1683cffaa2a

SHA256
d8cfa1eb348ccf13ee475b04cd98b19c8bbe231bb2482afb0a812175165244b0

SHA512
e7a16864b6fc3f5fe02f0cefb518970d67695444b0c9edd7b696b07ffbec07f6a38a2c14e2ca6cba0a16562f697c08f78333e6608752186ef92101aa335bdacd

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
552KB

MD5
0d8a83a121e35260a380ff16eb2c7a73

SHA1
c595f70e8a89eec169452ca8a9c7e05fbbdb9b5d

SHA256
c9df764af0a0b3bf7bd5c5e721de0efc571f4357f9afec5f8ce88d778c998b6e

SHA512
87622901037570b63205d4c69baebb8be7f5f5e70c4bc902a532bae508ff29022b4acb91a28f36bcc995ebb3261bc83a033c75b903e1206b2dd8f2ed63640c11

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
552KB

MD5
5c962f5553720b9f2bc00d8d2277e0e5

SHA1
95ef1958b5b077443457b89bf5ee1ba19927c374

SHA256
b6cc7db8b00e18e899af49f5196623ac28ce1494e7da339a1280fd907da3653a

SHA512
1ec97dcc675e69a571f04e792dce323cbcdbf90545856e1ad40d5fdc1348c6e640b9089a9e279369b620720d692fea054ec3f7aa72bb8ee4933a2190bdea9720

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
552KB

MD5
f64a3ba6d19173b971c0ab5a9fd9155c

SHA1
6f120878c5d8ebeaad0e86fbe83fdc439ce32ebd

SHA256
305de841e41a194c6112106aa1b74d3eea41901b103f2ab0b1b6c71210bf885f

SHA512
03c00563eaf17570d9564cc2f80635afbcae190fb1d142f7d6941ee8da7c8f56d8d08db77b9b19cce4bbdc92f0c8b658925ded78d641f85fc29d5558bd807ae9

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
552KB

MD5
f09ce1fc97b5d7c3a7cc1c8637fdf37c

SHA1
0f900c215560644b43ad4a2fc96f79cc0c7788e6

SHA256
4312714879ea77d8ae0cccddaab9afd89822e50da23826b82044b0a0c7d08652

SHA512
e44d27a23eb81523fe2358ae9aecb217432d0adda9d1fc78ab8c396995f55ad4511239d42815f8cbfffbc03e161182497d2cb4d58476b051b37851a16e1a6d73

Download Submit
C:\Windows\SysWOW64\Oolpjdob.dll

Filesize
7KB

MD5
cb93ade862739c2e3b36a9d4d4dab51f

SHA1
a733e9f292c959cc1b011b2a21edb188f9f968b6

SHA256
9189767306d6c4da45e34799148aa64456a6e8536075731305e10fee65fa371f

SHA512
33bc2633db1170930f214edf1a9d515f4c09fbd62172ebd416cde8dd06c655349b2370d632ec98af3bdb552fbc9784ad20c59ba278f5799e2fae928856ca783a

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
552KB

MD5
cbe699df6a14145b7ea719d8a97e101d

SHA1
0457fd0f1e6c5d2679f389d31848f71975ff5e3c

SHA256
b4d5c4c9943d1e005b777df05694b681b9bc5f2efbbb6387621dfd7088c13a3b

SHA512
4fb60b2b35428b0e48791255eeec16c974c17e90c903dec8d22affc8ab987fec09d4a849919a8d22f1b9447b6d7a1e3c3a9f366884f9b856a09c6bba77b2debb

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
448KB

MD5
9c194065449fd9f7f8804cd6e981f42f

SHA1
7d53d84af05cb2d658b7d66d45d1b94715471bc2

SHA256
0ab4295e5cafcac3b3b3c57e071e3b502ceec55fb228769fb863d5fa13ad539c

SHA512
e1d40710354bd0998a6df6b9da71b19ad00a9986a123bfd54b2b63f5dbe01631855473f78d28219d721e461aa6a2a0bf7691bb6b5b638113ee7db957be8569d8

Download Submit
memory/348-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/608-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/668-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/688-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/996-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/996-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-901-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-911-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-600-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3736-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-858-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-862-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5180-835-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5892-805-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads