berbew | afb26d61c60ff6e2a2be2193e85171efb4990a3548b7d6b66d120c68585180d8

Analysis

max time kernel
101s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2024, 05:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

afb26d61c60ff6e2a2be2193e85171efb4990a3548b7d6b66d120c68585180d8N.exe
Size

109KB
MD5

fcef078e8cf67ae69fce82bcead18c80
SHA1

d61ec808342803de2435b9eaad9782d6a7d4d603
SHA256

afb26d61c60ff6e2a2be2193e85171efb4990a3548b7d6b66d120c68585180d8
SHA512

9801655e1ad572ea49d7b9774e70f2ce5f864f173f7d5e4b218f0034afb1e22c78b02e88b01b3c8f3467aa9327213ee6d41a62db5d5d89ef8fe8c2fcc2279c4d
SSDEEP

3072:2Df67vLzBOzxH4J9hLCqwzBu1DjHLMVDqqkSpR:2Df67vPB0xH4J9pwtu1DjrFqhz

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcbom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	afb26d61c60ff6e2a2be2193e85171efb4990a3548b7d6b66d120c68585180d8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4548	Jlbgha32.exe
4508	Jblpek32.exe
5108	Jeklag32.exe
2916	Jlednamo.exe
1668	Jpppnp32.exe
1428	Kboljk32.exe
1944	Kemhff32.exe
5060	Klgqcqkl.exe
4836	Kdnidn32.exe
1292	Kfmepi32.exe
2204	Kikame32.exe
1664	Klimip32.exe
3172	Kbceejpf.exe
4560	Kimnbd32.exe
408	Klljnp32.exe
4704	Kdcbom32.exe
1252	Kfankifm.exe
2652	Kmkfhc32.exe
2308	Kdeoemeg.exe
2072	Kfckahdj.exe
4268	Kmncnb32.exe
1560	Kdgljmcd.exe
3224	Lffhfh32.exe
4496	Leihbeib.exe
1104	Lpnlpnih.exe
3160	Lekehdgp.exe
2760	Lmbmibhb.exe
4304	Lboeaifi.exe
1108	Lenamdem.exe
1976	Lmdina32.exe
2508	Llgjjnlj.exe
2256	Likjcbkc.exe
1156	Lljfpnjg.exe
4644	Ldanqkki.exe
2432	Lgokmgjm.exe
3360	Lmiciaaj.exe
1212	Lphoelqn.exe
1528	Mbfkbhpa.exe
4276	Mipcob32.exe
1672	Mpjlklok.exe
3352	Mchhggno.exe
4544	Megdccmb.exe
1084	Mibpda32.exe
2484	Mlampmdo.exe
4872	Mdhdajea.exe
224	Mgfqmfde.exe
4392	Miemjaci.exe
212	Mpoefk32.exe
2648	Mcmabg32.exe
3988	Melnob32.exe
4324	Mlefklpj.exe
548	Mcpnhfhf.exe
4440	Menjdbgj.exe
1184	Mnebeogl.exe
1936	Npcoakfp.exe
1312	Ncbknfed.exe
4864	Nilcjp32.exe
2776	Npfkgjdn.exe
396	Ncdgcf32.exe
4776	Nebdoa32.exe
3472	Nnjlpo32.exe
3140	Ndcdmikd.exe
5088	Nnlhfn32.exe
696	Ndfqbhia.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Amddjegd.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Khchklef.dll	Jlbgha32.exe
File created	C:\Windows\SysWOW64\Kdnidn32.exe	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Lboeaifi.exe	Lmbmibhb.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Kbceejpf.exe	Klimip32.exe
File created	C:\Windows\SysWOW64\Oaeokj32.dll	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Mibpda32.exe	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Kdeoemeg.exe	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Gfkfpo32.dll	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Kdgljmcd.exe	Kmncnb32.exe
File opened for modification	C:\Windows\SysWOW64\Ncbknfed.exe	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Likjcbkc.exe	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Miemjaci.exe	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Ncmlocln.dll	Lffhfh32.exe
File opened for modification	C:\Windows\SysWOW64\Lphoelqn.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Gijlad32.dll	Mibpda32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Lgokmgjm.exe	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Mpoefk32.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Megdccmb.exe	Mchhggno.exe
File created	C:\Windows\SysWOW64\Neimdg32.dll	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Lmbmibhb.exe	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qdbiedpa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6868	6644	WerFault.exe	263

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqcqkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfckahdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeklag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkfhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afb26d61c60ff6e2a2be2193e85171efb4990a3548b7d6b66d120c68585180d8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdcbom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblpek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlednamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neimdg32.dll"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdfog32.dll"	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	afb26d61c60ff6e2a2be2193e85171efb4990a3548b7d6b66d120c68585180d8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhmkaf32.dll"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmcpemd.dll"	Jlednamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgfglco.dll"	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleecc32.dll"	Mchhggno.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 4548	3860	afb26d61c60ff6e2a2be2193e85171efb4990a3548b7d6b66d120c68585180d8N.exe	84
PID 3860 wrote to memory of 4548	3860	afb26d61c60ff6e2a2be2193e85171efb4990a3548b7d6b66d120c68585180d8N.exe	84
PID 3860 wrote to memory of 4548	3860	afb26d61c60ff6e2a2be2193e85171efb4990a3548b7d6b66d120c68585180d8N.exe	84
PID 4548 wrote to memory of 4508	4548	Jlbgha32.exe	85
PID 4548 wrote to memory of 4508	4548	Jlbgha32.exe	85
PID 4548 wrote to memory of 4508	4548	Jlbgha32.exe	85
PID 4508 wrote to memory of 5108	4508	Jblpek32.exe	86
PID 4508 wrote to memory of 5108	4508	Jblpek32.exe	86
PID 4508 wrote to memory of 5108	4508	Jblpek32.exe	86
PID 5108 wrote to memory of 2916	5108	Jeklag32.exe	87
PID 5108 wrote to memory of 2916	5108	Jeklag32.exe	87
PID 5108 wrote to memory of 2916	5108	Jeklag32.exe	87
PID 2916 wrote to memory of 1668	2916	Jlednamo.exe	88
PID 2916 wrote to memory of 1668	2916	Jlednamo.exe	88
PID 2916 wrote to memory of 1668	2916	Jlednamo.exe	88
PID 1668 wrote to memory of 1428	1668	Jpppnp32.exe	89
PID 1668 wrote to memory of 1428	1668	Jpppnp32.exe	89
PID 1668 wrote to memory of 1428	1668	Jpppnp32.exe	89
PID 1428 wrote to memory of 1944	1428	Kboljk32.exe	90
PID 1428 wrote to memory of 1944	1428	Kboljk32.exe	90
PID 1428 wrote to memory of 1944	1428	Kboljk32.exe	90
PID 1944 wrote to memory of 5060	1944	Kemhff32.exe	91
PID 1944 wrote to memory of 5060	1944	Kemhff32.exe	91
PID 1944 wrote to memory of 5060	1944	Kemhff32.exe	91
PID 5060 wrote to memory of 4836	5060	Klgqcqkl.exe	92
PID 5060 wrote to memory of 4836	5060	Klgqcqkl.exe	92
PID 5060 wrote to memory of 4836	5060	Klgqcqkl.exe	92
PID 4836 wrote to memory of 1292	4836	Kdnidn32.exe	93
PID 4836 wrote to memory of 1292	4836	Kdnidn32.exe	93
PID 4836 wrote to memory of 1292	4836	Kdnidn32.exe	93
PID 1292 wrote to memory of 2204	1292	Kfmepi32.exe	94
PID 1292 wrote to memory of 2204	1292	Kfmepi32.exe	94
PID 1292 wrote to memory of 2204	1292	Kfmepi32.exe	94
PID 2204 wrote to memory of 1664	2204	Kikame32.exe	96
PID 2204 wrote to memory of 1664	2204	Kikame32.exe	96
PID 2204 wrote to memory of 1664	2204	Kikame32.exe	96
PID 1664 wrote to memory of 3172	1664	Klimip32.exe	97
PID 1664 wrote to memory of 3172	1664	Klimip32.exe	97
PID 1664 wrote to memory of 3172	1664	Klimip32.exe	97
PID 3172 wrote to memory of 4560	3172	Kbceejpf.exe	98
PID 3172 wrote to memory of 4560	3172	Kbceejpf.exe	98
PID 3172 wrote to memory of 4560	3172	Kbceejpf.exe	98
PID 4560 wrote to memory of 408	4560	Kimnbd32.exe	99
PID 4560 wrote to memory of 408	4560	Kimnbd32.exe	99
PID 4560 wrote to memory of 408	4560	Kimnbd32.exe	99
PID 408 wrote to memory of 4704	408	Klljnp32.exe	100
PID 408 wrote to memory of 4704	408	Klljnp32.exe	100
PID 408 wrote to memory of 4704	408	Klljnp32.exe	100
PID 4704 wrote to memory of 1252	4704	Kdcbom32.exe	101
PID 4704 wrote to memory of 1252	4704	Kdcbom32.exe	101
PID 4704 wrote to memory of 1252	4704	Kdcbom32.exe	101
PID 1252 wrote to memory of 2652	1252	Kfankifm.exe	102
PID 1252 wrote to memory of 2652	1252	Kfankifm.exe	102
PID 1252 wrote to memory of 2652	1252	Kfankifm.exe	102
PID 2652 wrote to memory of 2308	2652	Kmkfhc32.exe	103
PID 2652 wrote to memory of 2308	2652	Kmkfhc32.exe	103
PID 2652 wrote to memory of 2308	2652	Kmkfhc32.exe	103
PID 2308 wrote to memory of 2072	2308	Kdeoemeg.exe	104
PID 2308 wrote to memory of 2072	2308	Kdeoemeg.exe	104
PID 2308 wrote to memory of 2072	2308	Kdeoemeg.exe	104
PID 2072 wrote to memory of 4268	2072	Kfckahdj.exe	106
PID 2072 wrote to memory of 4268	2072	Kfckahdj.exe	106
PID 2072 wrote to memory of 4268	2072	Kfckahdj.exe	106
PID 4268 wrote to memory of 1560	4268	Kmncnb32.exe	107

C:\Users\Admin\AppData\Local\Temp\afb26d61c60ff6e2a2be2193e85171efb4990a3548b7d6b66d120c68585180d8N.exe
"C:\Users\Admin\AppData\Local\Temp\afb26d61c60ff6e2a2be2193e85171efb4990a3548b7d6b66d120c68585180d8N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Windows\SysWOW64\Jlbgha32.exe
  C:\Windows\system32\Jlbgha32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\SysWOW64\Jblpek32.exe
    C:\Windows\system32\Jblpek32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\SysWOW64\Jeklag32.exe
      C:\Windows\system32\Jeklag32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3224
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        25⤵
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        26⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3160
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        29⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        30⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3360
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        45⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        50⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        51⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        53⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4864
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        62⤵
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        66⤵
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        68⤵
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2856
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        72⤵
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        73⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        78⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        80⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        81⤵
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3256
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        83⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        85⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        87⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        90⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        91⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        92⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        93⤵
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        97⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        98⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        100⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        102⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        103⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        107⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        108⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        112⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5324
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        125⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        127⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        131⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        132⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        133⤵
        Drops file in System32 directory
        
        PID:6200
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        134⤵
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        135⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        136⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6384
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6428
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6472
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6520
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        141⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        142⤵
        Drops file in System32 directory
        
        PID:6608
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        143⤵
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        144⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6696
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        145⤵
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        146⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        147⤵
        Drops file in System32 directory
        
        PID:6832
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6876
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        149⤵
        Drops file in System32 directory
        
        PID:6920
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        150⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        151⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        152⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7048
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7100
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        154⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6164
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6236
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6304
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        158⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:6448
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        160⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:6592
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:6660
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6728
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6796
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        165⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6864
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        166⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        167⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:7156
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6212
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        171⤵
        Drops file in System32 directory
        
        PID:6352
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        172⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6552
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:6644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6644 -s 420
        175⤵
        Program crash
        
        PID:6868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 6644 -ip 6644
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajanck32.exe

Filesize
109KB

MD5
ca6f48104b6ee0ec826d0aaf6f00ffc2

SHA1
211d89e2db5e192dabeb5633dd08a3bf5a9e9a28

SHA256
b725014313687c8676424f4b291438390314974524567c4b6fdfebd6243ff9a9

SHA512
79ede66544a9c09d81c8847e9578f078c7f37d42cae4e4ee93703ca65bfa62b4146ebdf12b40acb2563bc5c97daef2f5acb8ee402376e8432756fb4ae217b9f5

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
109KB

MD5
45e5003916383e822abe0f1cf2800304

SHA1
86de8c29eb88a9e5d3249a66d58bb8792b1b1ff1

SHA256
9187a2024a7507ba5484d2f521bafbb7da22f2598ec0b3ef80d77864409ba601

SHA512
f61de3d980546673dc8c86743209029a761123af073c03a4638df21d65a4643d30d35019393308a9e95d15f2457dce9990f2f58839b97ac9a41223c5632e6bc5

Download Submit
C:\Windows\SysWOW64\Anmcpemd.dll

Filesize
7KB

MD5
4896ed25fdbffa78b18f120e7cb49ad5

SHA1
b653599940acbd7eef6047899ad8887b7e92ef7c

SHA256
00701416ea596f408e6942872eb7b633181b843a6af5f6b9481939736e921e1e

SHA512
7f4326c25e5ea9991bb090aa66eda97e81d2c2972c130e99a34387889d770183d92104c950b100716f101d483274007ac410eb29dbd2fa73be096d887e96d8a1

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
109KB

MD5
205fc737ec3176ba37156a403d3d7076

SHA1
5820dc53d0dd977f38af91fe8c2059e199986ce3

SHA256
dfbc41c8abfa541eea905b8364257522255cde686090591a3035aeb231e139c8

SHA512
b4cbb39841ce7c906255068da337515555f22b3047d12d42ddcbab07b1bc1516d14689e0ba7bdafc32555bae4304282a0452adad007827417bd8b0a8d9fed752

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
109KB

MD5
bb80e9430dfb1408aa5bfbd6683bb3cb

SHA1
c3afc8c18a23874a1c456cead35f8f25c69d670d

SHA256
0dfff41e4feb190ed14ce8e8e4f671ef2fe60ea38558fb766861020719c9fffc

SHA512
19beabf75f7caade22f9829fb31a61647f86ed7eec19ea41af053f0f80a3521b66e2ab71cb9a2dde52ea946cc17004fd945219625971e01923269ba42ebc0d38

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
109KB

MD5
1384db94a81a2a295baeb0ce21822a34

SHA1
23eb3342c43ec4021ce0d9a1e57e6f2d1127d17c

SHA256
b3ed54d3e82418fa79ec0ba8ffaaa35f2b3686abb01b435de9292d28334c7581

SHA512
1371bd6318e6a041b466f0006b71fb9d530930bf681476639c34faaee2f7f0fb97748664d7446915514cd48082e62ade4c65509ef769bf835573bcde4ee065dd

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
109KB

MD5
c9410e4c46534ac50ce077c630cd64d7

SHA1
bf99120c5b172eda1b7a6dff92ed42c5ea405f29

SHA256
7d442b62ef7df9f73d0f4ccf9832466e6116bc890ae844eeaff75b7a75b44ce0

SHA512
4374c209cfdc76a157358e882c0b135cd41b3ffc62c4e5961de85a369865942731f3ca2debddcf043f4e5862611788cc48456c944f9a6803e6c1b425acc99664

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
109KB

MD5
aba5d84ced6239e3b07bfb012fc51623

SHA1
912faeec483a196ab0d2a4b21d79320c4eaaf4fd

SHA256
2604d5a7a5fa54406b6c118e91d19756486104becb19794d6a3c72c94b6491fb

SHA512
74d297100377cca232d1793588d7d54d6438d592a84b145001815ac0fd8a5c8d241b205b95902305e83bf3c3bff624b45da8d78fb0828d2db33df93f1b6e8c82

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
109KB

MD5
b2f46edb99566a127a3b7e9655a8c6e9

SHA1
9f2b61271e90dbdf12d9b2556f07300ee4382f23

SHA256
ba3178f966ab70a18d4671def66de01a0237fb2e289c9c4f6d2f7491376ec8f6

SHA512
4d3780cf43d32fbf5d8b202731b4e640fbd36f340059f2ad5d6afa20909a543501efe2ed25cf4e9fb265ff86110825bee901a9756df893aa0ebb6267b813e0b2

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
109KB

MD5
ca87a38710e9c71081279b1cdae577e6

SHA1
bce4c51ad4a2c1be43391c6443d148d5c0cbb2dd

SHA256
bbe1f92490871e8bdd825022a47da71979adb4567a2a83df22d97b19f845f473

SHA512
365b821d66f862f5da3ead26c2948106e192d29b3487ffb95d730cee30cee44589dbf8b5463cd5e9d6b14c1fbf470e41f25f67c97509b3b66b3945d9f9cdf092

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
109KB

MD5
392f38e7aca688a028310aa3f6c7f165

SHA1
e1e791846148e2eaa0fac304eaae483df2f75424

SHA256
8bce797305249ef1931255aa17e673503bd4b63f1d6ad3142d16f1ed0380b3f2

SHA512
8b2b0ac4a5c186c1b2de16a9244f52cb408844882b05c1a65b1c8d0d98e9fc06b6e629095f99f0696b5581a4bb174964e72d4620c43f256ed0168434d5792ba5

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
109KB

MD5
67f58402c5171105137a6c210f2e5220

SHA1
50e19200ea8bcf9ae3b5cb699b10c1dc6cdc59e6

SHA256
ff7f2a70d864dc56e11403c6fee186328eb8bc535b7e6f16e6d2be736cf99dbf

SHA512
e7012b12a976eb9ac828f3ee63a43db1ceea35940056c487cb445d671203a9084c1c084e75b1bcbbd67baf40eaa204e745e78102dbbfdd381330057aec44d7a9

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
109KB

MD5
a4f0e74a3b9be4bdab268ab84f667495

SHA1
88d078396f5e1a58384d51ceff9b98f88e2937fe

SHA256
a5f5bf80fd9a109e1266bdec7d6748491f3f36afe82830dce1b447eaba9d67e7

SHA512
5e5f21e6319902a6b0c0dbea19890ea2da9f2f3be6903cd2beac172e63c8a4ec582570b65a3ef6cf9a37b84e9336b8867f6f55198f57af5a6015f7a1e4134a75

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
109KB

MD5
3a82acfa0f43782321faf1f341493786

SHA1
bbfdaf308aa729830b1da9e52273368e1e9ce613

SHA256
c7233b4e85a1f163cf1f8316a9108aad50f205fb7127c53c3a62f3150c4df93f

SHA512
01acf117e8f7d20ebff29fbd0ad416440d6ca8a92be8ee4ca1963326fe0121ded15d1f2e4d4d679e6d10db8fab8ee414af5dcb2168c0a3f4e6454e755ba2db2e

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
109KB

MD5
d9769e0fec7e41e6983bc720e898680a

SHA1
97cf8757c4f0c25cb5e2d91b03ac2d766abf705b

SHA256
b6f4c03459dde250c75a2be0cd67affe845f6fd4a0e54c25271abfb0d6562bbf

SHA512
03801efa1378cf3d47a80894ac792e0fd31220dbbfc2ef9b00b301c735c88bcebcea6ac7849f0038127140c9738a65715bbeb53e04db0813ee0cbcf43a3046c2

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
109KB

MD5
bc2d8a8f2a2705a2741ad3d7f757d81a

SHA1
8789054f9090f7e49600516f7a53c207de9667ce

SHA256
0c32a43b40ca21e3de4cc7fca847a7bb4bd6a677b31d8576e5b1a1baf17fe2b4

SHA512
c7b723ba26ccaa2f82eff66113b7c486d117ff04f6ec1602cf541e65c3c737f83ea63b150300c24f8b8a48d343f8259d37969105511820caada434a048188a20

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
109KB

MD5
92c096b134f851ce591f3bcf03089873

SHA1
309f64d6515185851d604c3c0860b6e02e02d2ac

SHA256
85a6011ecdfb1ec2bf365da50bd8fe516a0bab0e65b6469df25a7314c20c309b

SHA512
1febe01a327039749576a7fc30850da031b7fa1e768f770f148db08a9e90a121cd94d6d97d879ec796bbb45d295832273fb787a7e9e0c585554ca9d5324b1b1a

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
109KB

MD5
2cb9bb284b378c1654b72db9c326aeb5

SHA1
78b627fa5dfc8b69535aeab55be1008342c59767

SHA256
a08a513345c89ff05507b86fef8114fb6bb07cb9d471d3e5ded3c6548ee3e2a3

SHA512
c5ba1db0aef560115ad9203211590f3675fca32c0aad622552cec5db27d106e71b4958a1617d09f167b60f749a8d4c62733412004d99d331b50c1d8840b6f4cd

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
109KB

MD5
921cf44c859ed072547e7a6d68267a34

SHA1
f280aba4854c8ee01eab67eac8daf2b975148cc9

SHA256
70bb9e5f6d5e37f735cc19fdf89702daac38fd1af9ee6c7fb01342f43d8313d9

SHA512
ca1beface6fe55c37f1a22b641edcefa32519a406713b1b81f82138a0fbceec92de91e618dffe54d1f0c9be0921e57633426cabc7b44fd0b51a40fce4aacc5fe

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
109KB

MD5
42ba8dcf4703497810c1d4ef6f4a3e57

SHA1
d4fdbfb79932cf843b6fe8a0f6dd859fe988171d

SHA256
34abee318c7ab483f0dfa3b756265e314acca8733a1515daa8b3db05bb7969ec

SHA512
2850fda2ef1f0365a90a6caca6b692b517e29305f767d2a2df6d8d45234a9734620a6ee1a765a2b4795336f51ada1753de97302025e84634666d1f9fd3f5b50a

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
109KB

MD5
66e585e2d3329bdc055d2e44bb7baa35

SHA1
8db3842e537896cfdca87b0b36c2e8c965eaf623

SHA256
ad7fef57dcd1fd5b0155685e8ce1c38ad8645be2028dc4ef53a3e03658a82681

SHA512
133837282ac496e06e084dfd1f368975446ad83fb64260b748e19688b5d3a82854c2d0cdd9a7c77cf2f78a19cc052731bb1faf39130c45045ae37bcb96a51cc7

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
109KB

MD5
ffb8fa1dbd3ede8390807be0c3bb5dc5

SHA1
1311f934d6b74e451e8598bd2c40b8c960a44816

SHA256
2988bcafef3d0adf61be2605c67f20698f58f9de8e39009d68487385889bd6f3

SHA512
ee18c3ecaf789a4ee3ed211964e0e85cfa5551b3b8ee8a835951d44c4d507bc6f53d2ca46d15d986c64be71c56970582600671a2a8f2a36893cd423b4bac8ac1

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
109KB

MD5
60f2ec236f11580f8cea733988b2d177

SHA1
487825513fc9f8de18793f777fe44ba1d35a3279

SHA256
5fc83246286ed9a52a3490ee8d28c1eec004270b6a8c1ec765e82dadd1803970

SHA512
246d8199e48d096c884c5541b1b6ece73442f495e4c57d0fe806dbb493be6dd8f173635159637f2ae477ea906ff04fbaf508c8f0050c9e15c0b6678c503368c8

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
109KB

MD5
7d30fad53505d84e2e69340d8e03ed73

SHA1
00b4f9733b647f280442817f299549aad7981399

SHA256
27829073a193f1be8d66c9ddb7dc34eeb38b04e58661471d0b59b96a9d7e1dcd

SHA512
8b1f95abe3f97651563c41b412207c5ad39f3bcaa215111272b1140ec63d31b9d39df72ff82c83bd35e2d4cf5939bd8b2a738c694d985f27bab372a33b733f3b

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
109KB

MD5
ca46912fe9da22aee189f6d55d80221d

SHA1
22ab9ddeb225ebc62a001f38a880178af5cf9914

SHA256
aabe8ca24e59e1d4f3b3092ec497774475f62cdfab9049f18f31fd73f5050478

SHA512
94ec036f23828e53edeabf989c3872f707f379f134405db15cd5c452819236aed4bb3c455268a2838c1d960d135f4ddec070528f01dd11f689072ddb75a63140

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
109KB

MD5
81bc12fca5857f9c96ca6b2079d696a1

SHA1
c3680c5341d6e914f91088e986147cc82da93c81

SHA256
101bc73f942831a9106b384d5b6b2633be96f75b4e1a33c062bf9358216ad13a

SHA512
ef60ec570183420037ccc097d5cb3972d8e4443b341074daf43f79fcec0e2457a7d3c374a578edf7087be3891dbb373d103500abed94f836d04fb97065dc5632

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
109KB

MD5
783960b5f8263a6938daa9b5295a1ff8

SHA1
2ab676fbd3a419c0c7dc9d76418a16b27871285e

SHA256
bf071f4b37853122f9ffd547929920cff049343ea49d59e95cd5ed454e911d64

SHA512
a8cde9eed4c6a72214f4623d040065ff975dfa96ca3055a3a175e98009ba5557858fdd17de38c1e916b7894445b1498997ab891da0e77bc80dd3c36fd11139fa

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
109KB

MD5
f67d1eddc91865b14ca8868054182b8b

SHA1
2c489265e641627bc0c8ddde348f2dc5e40c6636

SHA256
24fd5907615ceeaca34c8f595fa5b0ff600e38e788c06be58d02081e2a655a2f

SHA512
77b5a22a434a80c7626af02442ca54acf15a7ca3b7f5f475027f6cced843935a57ded7e845fbdc7bd66c2eb7dc6813b6fb3502b31dfaee02bc0855adcb779a8e

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
109KB

MD5
a948355a97e99b192a3a4b6ed450790c

SHA1
fc2b6bdb748685276ac29d458c79afa1851e668c

SHA256
b15265546548a39a18f9ee028b8c1d195be4ee0eda2544b21cd6e53adc749260

SHA512
91e627a75bcf6412ebd5d3885d4b1284fae507bd7f720c6668683cb0773d2280b883fc44af48ed7de62de5ac1483caf4445be72cf7a73233d86ad93ab25fab4a

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
109KB

MD5
a3cb27a7cd107f0eba4e5c99cd2eb647

SHA1
53e859322690e4379131b73e6824380bb7ac8207

SHA256
7e7e4551dcb5412adcfb952002a5d50a132493f84a451157633da18ce1866fbd

SHA512
0391db304660b812f08c4bdccda90913c7baf4540357e876ef08649df939180b5117d44a5a17359b35211025bd07d64e1a005b8914fb326d5f8d2f974d6b6bf8

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
109KB

MD5
2a658b91f4189dc5cbd01d31d1c4d8ad

SHA1
cce8d942258b8e99fa133fbc6e462afb8ddada0a

SHA256
c5957699e913bb03dd9cd55b3d6fc1cd9c043ccda8946ab516a4db7173c66cde

SHA512
e9abd85912f9bfdfb2c928e16631c833bd7e60c08140178c6815d8864f3be7fd41df009f707d2a4c35c066fe2a4344a8feb0a9c4da23220a218ba28f7447d526

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
109KB

MD5
8242b31036b272fb89076ced0431a6d6

SHA1
12d5bc901bd00e2a5251c42f7d670026137cc285

SHA256
19dff851563cb1a440e020404d4b486d2ea3facfefb03b8c63dd5b16b9c3f9ea

SHA512
2c5a4a8de0c08cdaea41872c8e397edcb4d060893a71361b80481ba697928d103582c0fd517c32e7174dcb54112b979dfedf8c60ca5b6929df03e80b086b2bb1

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
109KB

MD5
b39e49e096c0e9ebbaa2d98ae924d6c3

SHA1
be526365c8a88798ce0e577ad017ede259720fab

SHA256
cd33c97195ea0f97f1b1795c146e49d96bf688f021ddf44a0633d935365144ad

SHA512
e1c659f81292b142dfdd804eb5ae6411fb6e9e1014a864f37054b68f9fdd51fa7a0e69a62e519bc922e14f8d9ea3abf7878d5b17121dab0255ddc3403fb446f4

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
109KB

MD5
75bfe33169311eb558dae926754fd048

SHA1
733bb354c4e5b3e3d048119ddbb4315963e2fe10

SHA256
6a434fefa9245d1250500da5bf8673384907b332df79075dd8477e9f91e49b02

SHA512
c87709810946b498ca091a11f4d45323dad84815107b64434e5c4dad8c9e1f6c55e8802711d853ea74b2facfb7ca98199e6664bb7a94c86f76f38558a6399bfd

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
109KB

MD5
0c5e577b6f4a41ec21e00ba1962ac766

SHA1
ec7c9ea9f81a50992044e227e0ff77647989c4a6

SHA256
9e07e0cd6c68e250d7d38c609788894eef2916061d0a60d428536a10db4e8b85

SHA512
ae76721c95304dc671bb0bf052d91c800b8ca82250feadc7f06d4a5dd80ff3a062c1cd91de4909bae67507a06cd6404bc8c250b7cae6b1b6071afa35e7dfc896

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
109KB

MD5
7c4523d0bbf0d9d7692d0a9b80ee2ff0

SHA1
9a5173b2635de12ebdd6fb7f72d42bc330f783ae

SHA256
b6101d5c2994d41dea0d514258c6a5cf22d3902b8ef55ff26770856bb3e386fc

SHA512
7dc4b9142abe195ceb9fb24b35ae2c6da0ca6021ac240fbbdc3a54d3046fd50266665a0cba6522e2899a819ba015319eb67905fbdfcffdb29ad4bb24885995b8

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
109KB

MD5
612223932ae70f7b207ad31fc9071c02

SHA1
1f0743fbc5580edde74432b85eb3637efba676bb

SHA256
4aa03ecd8abc061f577ee139d6e4205d3f09f54f85745c56b37bcd6766cdbc82

SHA512
d7c63c2add13d387c11be465a7633c164fa3a4d0c8b241b7111b4f4bd551520ee15b4356521de88eec2fd37e2821c0f310e9db5264eda1b94b5915d9a71ca4bb

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
109KB

MD5
40aeeffdc035260eb346531b81554951

SHA1
a2db508790959a454d0be58b66823ab66afdae1d

SHA256
5d3fecedfb729b06f30a20648c0d9e14b58e9ae6b70541f36aca025d13b66407

SHA512
b35ee188a2fdab03c4af8a41466be1e6ea449eca06d64784fce6e2b2baecb05925f6a010ab5b4aca53ac95f63c509975c06f913f51eb253b42a21bf2be1f3fbf

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
109KB

MD5
01ab7ee8417ee01de27b159597df8a3f

SHA1
bdc7345d97433432ccf16cb4199c56a8a16608df

SHA256
cdcc6045ed99639ae52f58ded45dd3d6a0c5906ed3a7213dce118eb7631fbf61

SHA512
4612fb9f5b0eb72bfaad49196a4b36cc28e46b72b040bc0e0982de2763d4847183d76cd6930a35dd3403b3d6ea495f24a345932c2bcbb7f406a48096b3ef10cd

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
109KB

MD5
2d8c046feffbca665b06ef956b5a0c35

SHA1
d668f49242045a4c4e60480478efc37c1ed8fb52

SHA256
1ffbab02d5e440f5db92f3977ad1e109def518a375f06fa90d29b230bbd5b277

SHA512
59d7cbbe75ae82bad67b235892fa2f94c7cb89b5e56b94711d06eec079dae8e639dcb0b0968cc2fccf0b19ac5b54dd10d72f6c4c07430c477a6b9bd71a6e0c8d

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
109KB

MD5
7a4d3726b61b223f73562342f78a7203

SHA1
f34923bfff5c6b6a3e42d7ead9224c8b8388f687

SHA256
f1267dc1f6d9bd3d7a2fb537b31f48f1fcce8a5173eafcadff574ce512a01fd4

SHA512
0d26d054ba4b3da963a208079481934864f277ae3fea737e545c9a605987f81303f3ffd1b91acf4028ea18b37702ba186c4814d57c2f169c0b3ef68ce6ed9e96

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
109KB

MD5
a315cc165993f6d35f0eeb07e04a229e

SHA1
967bdf0e0d33b920ea65403d9929d9fc002d27c9

SHA256
1b7cf6f2f409ecd0ba538810a89a055805b90a2c71b121f610a84c2748e8ac94

SHA512
58c69f7b977e6d17e5c0813a534d35a66457143e3c035709ef2cfd494a0c2f066e208505997906e527db8cd3f356e379bd9c6f83e8fa27df81e6c22d957aefcf

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
109KB

MD5
ea12e7068d1d9e1bdb86d31b82d19d88

SHA1
eb4aa1c1439e809d5227680759bf44bffe2e588c

SHA256
9fc8dd12032094a70223195a1c7b129b40aad862191131ef5a8c9b8a3faea1fa

SHA512
dba46c062f0352a1e09659aee3e982a2912ac60c2479e57746a429ba329b2fe0789e2a612e10ff8d7a92385a9b1035021dde255d070261a7a7e4c151e59bcf7e

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
109KB

MD5
cd9ae63a646869f6229f8bbadd8c78e2

SHA1
3b5792e063c834db791f69ad0b22e1fcd7d89536

SHA256
3869ca813cf5e4703859968c5c03f1f6a939e2e9db6af731baeb1e4cb006377d

SHA512
c3559f03c355a3d195a33ad23e570282f255b547a1ceb333775f00499d30024d8e6da00316ef8709e88d400f606a4e6a3e48f7e085ee18c25f1fa850e2583d12

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
109KB

MD5
9fcebc84c8e0a6d5aaf53127741fc005

SHA1
f47f2a22ab7e569f8b790f4ae66a9bb758d1ced1

SHA256
ba420cd501a844509b9d37c69853630e33919284585578115883e6268067f373

SHA512
ce1e661f2e618ce8c3cc19e93d3c1fe9fa0d7dd2e28687c06bb8cc27a20dfb8be466312fae6a9b514c7e724dd178e0b8371c45abf3fe07605fa36c98840e0018

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
109KB

MD5
83cf5518cfd518632b0947359b4fd09c

SHA1
7b9d14040b3e43bc56c792cec556c52dc955cc7e

SHA256
ae2cbfee89411a8d8897fea453466a809baf23123b133dd7b347a29c8dadd9db

SHA512
9cb40936d95858339a92aef44bf1a3324307e37724448102c9593f7e2c4498ccbabd2c38f9a932b47a3e2f461d7763fec4c86d3f4f5e6633a3ca14e8c3cafeba

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
109KB

MD5
5c722d55315e97f855b4861d4c3ae2e3

SHA1
7dd5ee5170cd6f28d91e3c5d8d5c0a546bfb966c

SHA256
bca92d29eee83cbbba388248dd95e1063cfef23b319f36503a774a4cf9f4aa2e

SHA512
a159045cd32ce12513baa133f3a4e5f0d353d60c7c28d23776f8d058de0760128af6afcec7080fbce47429e397b89d08ababa9fe26e889cab2dba175c202bd91

Download Submit
memory/212-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/224-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/396-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/404-466-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/408-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/532-508-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/548-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/696-448-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/780-475-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1084-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1104-199-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1108-236-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1156-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1184-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1212-290-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1252-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1292-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1312-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1428-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1428-586-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1528-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1560-175-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1664-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1668-579-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1668-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1672-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1900-514-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1936-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1944-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1944-593-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1976-244-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2072-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2204-87-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2256-260-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2288-538-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2308-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2384-500-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2432-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2484-332-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2508-247-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2648-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2652-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2724-460-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2760-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2776-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2856-484-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2916-572-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2916-31-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3088-502-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3140-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3160-207-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3168-545-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3172-103-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3224-184-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3256-552-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3352-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3360-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3472-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3488-454-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3496-478-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3832-563-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3860-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3860-544-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3988-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4100-525-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4268-167-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4276-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4304-223-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4324-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4376-490-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4392-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4440-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4496-191-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4508-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4508-558-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4544-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4548-551-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4548-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4560-112-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4588-526-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4644-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4704-127-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4776-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4836-71-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4864-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4872-338-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4960-532-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5060-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5088-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5108-565-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5108-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5132-566-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5176-573-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5248-580-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5304-587-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5352-594-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads