berbew | e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593N.exe
Size

96KB
MD5

37942471811f83b6db57c68f38fa18e0
SHA1

0692ebeccbe6d817b3c24bea35414be1e53e6a37
SHA256

e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593
SHA512

c89bd7add11cb940ba5b8e4e748c4817c1253c45eb0c86c511d8e82728cc1267c0d15a2c5a8dc4614cf010b664a8664b21dcf1416ab6cb52f83aa4e736fd97f3
SSDEEP

1536:Q6hpRrVLQ7X38jDJG7Y/NLm4T8mmfE2Ls7RZObZUUWaegPYA:DJyMjDv/NLm4TqsClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mipcob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lepncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4960	Kplpjn32.exe
1124	Lffhfh32.exe
2132	Liddbc32.exe
4980	Lbmhlihl.exe
4228	Lfhdlh32.exe
4332	Lmbmibhb.exe
2360	Ldleel32.exe
3532	Lenamdem.exe
1712	Lmdina32.exe
1840	Lpcfkm32.exe
2844	Lbabgh32.exe
3600	Lepncd32.exe
4348	Lmgfda32.exe
5076	Lljfpnjg.exe
264	Ldanqkki.exe
3988	Lgokmgjm.exe
2960	Lmiciaaj.exe
3688	Mdckfk32.exe
2400	Mgagbf32.exe
1516	Mipcob32.exe
2036	Mdehlk32.exe
3860	Mgddhf32.exe
732	Mibpda32.exe
2500	Mplhql32.exe
3816	Mckemg32.exe
2220	Meiaib32.exe
4004	Miemjaci.exe
4420	Mpoefk32.exe
4996	Mcmabg32.exe
4488	Melnob32.exe
4360	Mmbfpp32.exe
1880	Mpablkhc.exe
408	Mcpnhfhf.exe
232	Mgkjhe32.exe
3312	Miifeq32.exe
4528	Mlhbal32.exe
5048	Npcoakfp.exe
5016	Ngmgne32.exe
2232	Nngokoej.exe
3488	Nljofl32.exe
4400	Ncdgcf32.exe
2900	Ngpccdlj.exe
4504	Njnpppkn.exe
3316	Nnjlpo32.exe
508	Ncfdie32.exe
2204	Njqmepik.exe
316	Nnlhfn32.exe
4276	Npjebj32.exe
3440	Ncianepl.exe
3100	Nfgmjqop.exe
3104	Nnneknob.exe
4212	Nlaegk32.exe
2984	Ndhmhh32.exe
1604	Nfjjppmm.exe
1896	Nnqbanmo.exe
5000	Oponmilc.exe
1196	Ocnjidkf.exe
1992	Oflgep32.exe
864	Oncofm32.exe
4480	Opakbi32.exe
2156	Ocpgod32.exe
5096	Ojjolnaq.exe
2908	Oneklm32.exe
3812	Odocigqg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Melnob32.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Mdehlk32.exe	Mipcob32.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Blleba32.dll	Mipcob32.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Melnob32.exe	Mcmabg32.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Lmgfda32.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Npcoakfp.exe	Mlhbal32.exe
File opened for modification	C:\Windows\SysWOW64\Ncdgcf32.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Lepncd32.exe	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Miifeq32.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Jphopllo.dll	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6524	6340	WerFault.exe	256

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgfglco.dll"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miemjaci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodfmh32.dll"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffnijnj.dll"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebinhj32.dll"	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 4960	2796	e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593N.exe	84
PID 2796 wrote to memory of 4960	2796	e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593N.exe	84
PID 2796 wrote to memory of 4960	2796	e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593N.exe	84
PID 4960 wrote to memory of 1124	4960	Kplpjn32.exe	85
PID 4960 wrote to memory of 1124	4960	Kplpjn32.exe	85
PID 4960 wrote to memory of 1124	4960	Kplpjn32.exe	85
PID 1124 wrote to memory of 2132	1124	Lffhfh32.exe	86
PID 1124 wrote to memory of 2132	1124	Lffhfh32.exe	86
PID 1124 wrote to memory of 2132	1124	Lffhfh32.exe	86
PID 2132 wrote to memory of 4980	2132	Liddbc32.exe	87
PID 2132 wrote to memory of 4980	2132	Liddbc32.exe	87
PID 2132 wrote to memory of 4980	2132	Liddbc32.exe	87
PID 4980 wrote to memory of 4228	4980	Lbmhlihl.exe	88
PID 4980 wrote to memory of 4228	4980	Lbmhlihl.exe	88
PID 4980 wrote to memory of 4228	4980	Lbmhlihl.exe	88
PID 4228 wrote to memory of 4332	4228	Lfhdlh32.exe	89
PID 4228 wrote to memory of 4332	4228	Lfhdlh32.exe	89
PID 4228 wrote to memory of 4332	4228	Lfhdlh32.exe	89
PID 4332 wrote to memory of 2360	4332	Lmbmibhb.exe	90
PID 4332 wrote to memory of 2360	4332	Lmbmibhb.exe	90
PID 4332 wrote to memory of 2360	4332	Lmbmibhb.exe	90
PID 2360 wrote to memory of 3532	2360	Ldleel32.exe	91
PID 2360 wrote to memory of 3532	2360	Ldleel32.exe	91
PID 2360 wrote to memory of 3532	2360	Ldleel32.exe	91
PID 3532 wrote to memory of 1712	3532	Lenamdem.exe	92
PID 3532 wrote to memory of 1712	3532	Lenamdem.exe	92
PID 3532 wrote to memory of 1712	3532	Lenamdem.exe	92
PID 1712 wrote to memory of 1840	1712	Lmdina32.exe	93
PID 1712 wrote to memory of 1840	1712	Lmdina32.exe	93
PID 1712 wrote to memory of 1840	1712	Lmdina32.exe	93
PID 1840 wrote to memory of 2844	1840	Lpcfkm32.exe	94
PID 1840 wrote to memory of 2844	1840	Lpcfkm32.exe	94
PID 1840 wrote to memory of 2844	1840	Lpcfkm32.exe	94
PID 2844 wrote to memory of 3600	2844	Lbabgh32.exe	95
PID 2844 wrote to memory of 3600	2844	Lbabgh32.exe	95
PID 2844 wrote to memory of 3600	2844	Lbabgh32.exe	95
PID 3600 wrote to memory of 4348	3600	Lepncd32.exe	96
PID 3600 wrote to memory of 4348	3600	Lepncd32.exe	96
PID 3600 wrote to memory of 4348	3600	Lepncd32.exe	96
PID 4348 wrote to memory of 5076	4348	Lmgfda32.exe	97
PID 4348 wrote to memory of 5076	4348	Lmgfda32.exe	97
PID 4348 wrote to memory of 5076	4348	Lmgfda32.exe	97
PID 5076 wrote to memory of 264	5076	Lljfpnjg.exe	99
PID 5076 wrote to memory of 264	5076	Lljfpnjg.exe	99
PID 5076 wrote to memory of 264	5076	Lljfpnjg.exe	99
PID 264 wrote to memory of 3988	264	Ldanqkki.exe	100
PID 264 wrote to memory of 3988	264	Ldanqkki.exe	100
PID 264 wrote to memory of 3988	264	Ldanqkki.exe	100
PID 3988 wrote to memory of 2960	3988	Lgokmgjm.exe	101
PID 3988 wrote to memory of 2960	3988	Lgokmgjm.exe	101
PID 3988 wrote to memory of 2960	3988	Lgokmgjm.exe	101
PID 2960 wrote to memory of 3688	2960	Lmiciaaj.exe	102
PID 2960 wrote to memory of 3688	2960	Lmiciaaj.exe	102
PID 2960 wrote to memory of 3688	2960	Lmiciaaj.exe	102
PID 3688 wrote to memory of 2400	3688	Mdckfk32.exe	104
PID 3688 wrote to memory of 2400	3688	Mdckfk32.exe	104
PID 3688 wrote to memory of 2400	3688	Mdckfk32.exe	104
PID 2400 wrote to memory of 1516	2400	Mgagbf32.exe	105
PID 2400 wrote to memory of 1516	2400	Mgagbf32.exe	105
PID 2400 wrote to memory of 1516	2400	Mgagbf32.exe	105
PID 1516 wrote to memory of 2036	1516	Mipcob32.exe	106
PID 1516 wrote to memory of 2036	1516	Mipcob32.exe	106
PID 1516 wrote to memory of 2036	1516	Mipcob32.exe	106
PID 2036 wrote to memory of 3860	2036	Mdehlk32.exe	108

C:\Users\Admin\AppData\Local\Temp\e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593N.exe
"C:\Users\Admin\AppData\Local\Temp\e73931686e62814b09fde992f33a846b69baf4c9d0bac53714614b51803b8593N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\SysWOW64\Kplpjn32.exe
  C:\Windows\system32\Kplpjn32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\SysWOW64\Lffhfh32.exe
    C:\Windows\system32\Lffhfh32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Windows\SysWOW64\Liddbc32.exe
      C:\Windows\system32\Liddbc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4980
      - C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        24⤵
        Executes dropped EXE
        
        PID:732
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        25⤵
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        27⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        33⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:232
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        39⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:508
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        48⤵
        Executes dropped EXE
        
        PID:316
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        52⤵
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        53⤵
        Executes dropped EXE
        
        PID:4212
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        57⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1196
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        60⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        61⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:940
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3492
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3356
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        72⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        74⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        75⤵
        Drops file in System32 directory
        
        PID:4616
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4512
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        77⤵
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        79⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        80⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        83⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3388
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        86⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        87⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        97⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        99⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        108⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        111⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        113⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        114⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        119⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        120⤵
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        121⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        124⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        125⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        127⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        129⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        130⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        132⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        134⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        135⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6108
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        137⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        139⤵
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        140⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        141⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        142⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        144⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        146⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6328
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        149⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6440
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        152⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6532
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        153⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        154⤵
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        155⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6724
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6772
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6824
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:6872
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        159⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7004
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7048
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7108
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7152
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        165⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6180
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6280
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:6340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6340 -s 216
        168⤵
        Program crash
        
        PID:6524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6340 -ip 6340
1⤵
PID:6472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
96KB

MD5
7805fa629bdce4d5b3aee43136c2a3b5

SHA1
e8147d293fec987f72e3f68e5a1de723bd028c7a

SHA256
dd2c1325e44632990646686bde18b83ff2d4c484e926592dadd5dbf5517af6f6

SHA512
52e51d1866a11891a5fb72eb5782facc391f3635d8e294fbc48970879ffe7b4fa39936371f66067ad371c8655b59a07e474a7015164a7886d0d475bd374d1a04

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
96KB

MD5
3889fc65e9875e802720d24694a25b0c

SHA1
e76a2663fc816d6fa453f558ad82410640089e2c

SHA256
800fa0a219fbbae18646234852fa4d23273b8151e94eedecd0c2bb3a5bd0dfb7

SHA512
1825f4a9705f786f1d52cbac55036af5cef9aa22b03aaa857cd48e6733665aa54df11b322b084d14794708410e00284363484d178fd6a676186995ffa07dd205

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
96KB

MD5
9b4420d85a915f958942f9fbed723168

SHA1
0c127e0c751b88a27e4fb5bc983b6d074f2cc9ce

SHA256
83a169f709ac7cd467864bedf788c3ae6b0a30090e03756360861f9b3fd02472

SHA512
b214025f1d6bfba015cd3b9898c981e9797fbf2e9b983147bebde36b4087de62e4bc213665b2a5f5571a4ae48fb5a5f7794260ed114b2b4c9c48d052461450f6

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
96KB

MD5
5cf3af3d0991a22edcb3caddf0776f0e

SHA1
25fc5e6b96815b3ef9cd88101bb1b3456e85979a

SHA256
43c73b043d6ad42c4638da2f515e8d55471d21676dd2a33d5d15ba8feb22c098

SHA512
0be159fb346cf193f46e5ccb2eff1ef437a3fa4d9c3a2654d6e0e7bcab4a90f5d5814539d6262ceb8012cf764292eb5c7dc00968a8bd6ed1fb4ff2c31232a54b

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
96KB

MD5
f74b7368d5c959143df6fbd47befcade

SHA1
7831997ccf691d5c1579ade89a275eb1e62939d2

SHA256
b38f664b5c0707665b009e150638b81f762091f73913d2bf95ba9511fb734538

SHA512
f35eda4136429ccfe4b574fd4a395d760cb6875be7e6fbcdfc6a5a1623ed955ec18b55476225ad7e79ffd4b72f36a8c2f2942828db59e09d8714997ae1f8f968

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
96KB

MD5
70096f4142ed6658120e4bbae9c65c2b

SHA1
64a74798811a5413345aee1153fdb3af7163b3f9

SHA256
df6866697e97bbf88a7c3e8ee9b88c1feb6a92f6d3cba7adf2eb385e7ee69852

SHA512
177e6665aa45357fa9f90054ba4f942678329e5460b26261e66253f3d1941ea035942b1bcdb195345370994ec5e1663161362600a6392e962d992d2e06349a5f

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
96KB

MD5
6db7668aa1f6485a143d0007ba8875f9

SHA1
335dcb76f3633123762df58adf5bfdca1894ef85

SHA256
69287eb547651b3d561b96124898c704f9f32c3e5891cb55e057b21a2d65e048

SHA512
bb37cd0451acefefdb5bed69cdd1e9cd2978cda13bdacd255b00496c4c52c71a7919fe9134973808de67cd6373c7b7524358614e0413bc916d63018d945fe80f

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
96KB

MD5
321e34c273602f904c7038be4512176b

SHA1
9818e374fa2d8ad90622b7366aaeec410a799b04

SHA256
a4e17cbd1b4e9928ec33403e32bbe28955e8e4ffae2e379823fa136098516d13

SHA512
a96612049f1196d11c01d6058ecc4c28d66bb4c55ebb64993c91da0fe18679bef7b1a7fd3a21a06698ed1894f583a4ced8b0e762a0d5ee428da7b2f4d2dc5b40

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
96KB

MD5
2d958f8f50e69c9c983b911374613cd4

SHA1
35b4f2e6526f7802e506914fe048defaf1ea3026

SHA256
41dbcd2e90720fd17a15a89108363d94e230a49b54a3ef21371251c3503ef298

SHA512
7ccddff8081d05c27342b959108e9c3e1664a0148172c6a7817e42fe324028708c4171d191fa3a3dddbbece797f606ffa9c5d12709adad5827b542bd1db53d5d

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
96KB

MD5
307848d0678aad3ec4539d69a70ff34c

SHA1
ca7f1d6d8261fdc524ba8627d5fa105a391c0543

SHA256
01178449d680190ec8ecf7247950f806e01fa7b9ad9b7040a71fda6386842001

SHA512
93021f3894211bcf7a8dd67321d71219163a106abb5be26676deb062bfac0ac980f5ccb1b0bb762238438807f2f34ec9e403eae7704754075fe7545f292fcb47

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
96KB

MD5
b3107946af01028b5073b82a3b9482aa

SHA1
b0ca5baaace77f971c63fceccafc57aaf762f25c

SHA256
9443b5f7200798441672f3a897f70fe2f2f9b4a95c0b3c83107fda91c2f1669d

SHA512
da8bd40b2129b2ca5e4e6b16ca33df27f828ab08878365a5dac78e19990c3bb61782c8e09f76f8c015dfde87932cb428b3b55df664513cb0e15b6761508353a4

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
743fd2dee2230c8d42f1ef2447015118

SHA1
86cbed70a90124cda7dd49cc159bbf84747dcd86

SHA256
786ec9b240498c6f8e35bedfb7329d24287a687a77d44d81454e82ad2a22b102

SHA512
3e4e8ca55b9063f40deb44b94e8ab5756d7cbe7705216728951dc149e97ea433ee8aa63be16f9c5d981580d2fd959b28565357ed5747bff1277d1ec76afb3188

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
96KB

MD5
5b8f34991147dd8d0680e28c4fa8c0a8

SHA1
924a8b60f9eb1f88305890fd36bbbfe57d7db8ff

SHA256
895fef66a6636a16f778ad5a0ae7a3080b131b3fb1b496a97574e75ec8474d28

SHA512
4c9d26eb93cfdb0a52bb7eee50613ae0af12b1c4b6f330768661afd98198f5ce1764e723a4330502bb8c68a9bfc2008b1492b4eabb88705100cb5dfabdba3858

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
96KB

MD5
0f4c4d33a7e94131602826680c0fa922

SHA1
9455586d1da96d5123c0be0eea97b6c62a57d5d6

SHA256
a32dae7f6fb5f991c0e252f5eb0f6cda919b26e0aac1fb4196f5ac6be97b2981

SHA512
0fdd3486087e7557abe433195fc12ca08b013e2d2631f19532ab7e99d7b4540da63b3a88eefb4bf777f51174a17c460a4136bab9d153ee0d273591a0ef481c61

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
96KB

MD5
74c628c1fec20dde547ba39498d508b9

SHA1
663d3c53db299dbca51273fda4a186628736c2a8

SHA256
a8384bc56441b64797e5801af461fe7ee846545ba6bed17c993a09c21e7d0f9d

SHA512
3a04032b9cd81af6a10f49eb0d26ff45b56dc60bc3ca010b2062bb4a07bbe81592359a2755ba0f2e02f6709f2bbe17cb0dd1629bb1555b21a0a7c8bf4b10606f

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
96KB

MD5
5a60d3dd4af135e19a59dc157d2a4dff

SHA1
d12caf1ca778a64f4edd6150392727b93c54e0e7

SHA256
2920853751780506d2ff417c03795af450dceee6e5a3210ca0b2307a4931f7b7

SHA512
f59c61bfff673a21364b434a719fc10e455074322ae2e92e5ff404eeed0e0e70d8312f10821823221f1636d22232add818ce1a4dee615f26e71c8892b6564ced

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
96KB

MD5
1cb5c840f861441868f1bde8b21540de

SHA1
a3933dccbf6207267c9029ee578eede253a4a9df

SHA256
0c05999e319df0cfddeb77bc3b75dbdc507044087d58add9626032942cd783e8

SHA512
f9aa2b62eca6b4fe9f3ec698b26983ed804c634908c8d9b8840acab6317942c674a13272179f8dafd81952bd070c8ed590180c11eba2186b2f1b1ddcf96cdfe8

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
96KB

MD5
e827a92c7f7f79668991b91ecc5c9e9e

SHA1
ae9af9db5afce90cebeb4e029258c57dc49e9a23

SHA256
13fda9a5344a5fd1a27b7cf0fb298328f46e08e30733d6729235b6d1da1065bd

SHA512
51942621f259a74b83220d9dccb9336ed5af66d6366e1f0036ed98ae5a335adf191c39f3a1b227f947681a66ca852eb2330a8f7d0f5c17bf52fa95b2be59b544

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
96KB

MD5
369a9f853f21fe82dda1d6aa6f83b6d6

SHA1
d362615ab98f2b268ccbdb4ef4b1821630e8d006

SHA256
ca0ca94900f641b2b5861d1c84715642321a47bdfb307cce15967ed568cc4ec6

SHA512
4b2f6f0f12e9e7adf6039ea6d7d3a5b0cbd5193040f4a260f9d9191ca80c4bf311d87a4521a5f6dcc70db2d8f9d38a1684e1855859365e16c464a054306f4791

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
96KB

MD5
46193054d1949467259f0750bdd0b72a

SHA1
c924863a4b71ae65b545c73a3a9b9179a71c89bd

SHA256
27361aaf0670801e1b5afd4b57f8e32893f2b67741201f4002dedf055885ba12

SHA512
d7de0595ccc801b13cdaa25fd687c40f509e3f7b8065ed06a8906f2ec4de50c7053265990983fab2556952fb81c5fd4574767b6c34f2e489851c1783b62291b8

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
96KB

MD5
d95719310d7bc1208cf083d4cabe4261

SHA1
e56feca6cac2e3fa4b62e9b30370ef08681b7d56

SHA256
c8de2f3bbc552d44c45bea1443726d7377b87d38becbda7377fe83bc5738b0f8

SHA512
af44fe62ba0efef292c12f32995b992c24814d6467c462e1bb777e8cc48497c3bf707d9f4660838ae3ff9b8d0075a03d05ea2011421b48bae473263f02970281

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
96KB

MD5
b3712f96d91ba8b54c21e8c67369a1a8

SHA1
1220fdb1e4d4d031976ce659c9968500bdbbdc02

SHA256
4d8756ddbf6cf322147ec9bcf61186bbd4c3b4eabdd87c69e2a52b1b40a23744

SHA512
87935f5db124a5b9364e8c6dc13906102ce32c8f729cf7ca8e4e2b40c1ba79a0a735b690d77601dc02c4347c68628b7e73f1099d7efa84e6f3f80acb49bdc0a0

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
96KB

MD5
57e618483cdeacae2541ae4e2a334c98

SHA1
19ebcd3322729fb9b0e6c75ec6a1bdc14b131a1d

SHA256
b3cd3d9c64471e7827e01060f2ed0e9cf19e952243e7b16e97b4d0c6dd39ad4c

SHA512
1cfefcbd5799830804c92c6745b069baf04e137172bbb05a55ac32f3d7f87f416bd0f598ffa92ef850aca1e745c5147a57697c15777d70b42b99ac6944cb2da2

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
96KB

MD5
3d06bcd1f4acc197af29041f5b76d550

SHA1
3bff555a47493f775fc391168d33cfd45795e238

SHA256
f6ef090654d354b6c65d61511caf0e5008efc5770bae64b336a8b620b868ea0b

SHA512
93cdb4bec6f5cac48e4043a7ccb9e567e591af9af33d38348a3c999ad4337836cba02cce7fde410545e417ec6a94d2efd14fad908d2b0830acfd6f0c6a515629

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
96KB

MD5
da340025d0c32d4229b2c89e5cf72e6d

SHA1
ff1200398234659b2d8c09d7b444fe1a3061ac22

SHA256
fda9c14ec44986edf8c5994e381f124e3d3bd56d123b56a11afb9ada62c822c5

SHA512
781cae45ae55a4315b28a1dc71bcf7f3a66fdec5ceabf6060256785f70e79e38caacb19afc4accfec9aec97221550ad3985e3b48224c5267605a0c1eaf424670

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
96KB

MD5
487642fdf6fbcbdc86eb6eb025b917e4

SHA1
58db50677c83b3a2cb8638fa62c8511dfb57919f

SHA256
6d14f85f24ec2c48a32a697a81e12513e66421c1b8b2dea5df3f407783d64c62

SHA512
5545e419fa456b0fdf301a1d7e5af073ad5886dbe77099118bd5f545d6f0d301e711bf7c6c4e21518a908dfa3c46372293672f9a608d379739fff8c014398fca

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
96KB

MD5
192b326044f550252d0d48d6992facf1

SHA1
58bad8223bbf889b891ae31ab0532a946872fe37

SHA256
cec5daf60bc8c9b79e1e0643bb429805191fcc3fc805d133ad1a258aef3a141d

SHA512
267a84405ac9173b5bfa06358d6950a023e5ba20b99da502e1e6d66c177e884c518f38caa8a13d52662f150fa0585c09749ffc827a4fd879882a1882450a7da0

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
96KB

MD5
7e4a6f7b5444d7da8357ef8aaa1e3443

SHA1
25b80a73dcb9f5b3ad1d932651a1c758daa21e3c

SHA256
bbfb3bc8f4982489a8067d042083651d6e92abfe552ef42bf78a1e269f1de702

SHA512
85b9e41c7f6255dd3e0cb0c2f35d9e09068f709587184a631681c9bf43f1c5a2c44a1d90d127a90ef35ceb543085c4fb280870e66c9d1193917c6cc67f05ab98

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
96KB

MD5
7aab58ef08e48fe05ff79df63a46a6c3

SHA1
4e1bf2980d17791a2c89bf8c46d20292da160e35

SHA256
90ee3a08219f46594847be414d3eea4bdb51cfb1671e2efd53e5d98e7ca869d9

SHA512
73a50395c1abcf6355f0529897189b6aa5424eb682f8aad457d19b7b7f060bc14aa8c30a24053023bc219a0cb8e1a29b42a52c16e67a7c57d856f24122835545

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
96KB

MD5
305622ebac840a7d1073f2956b3bbd5c

SHA1
b0a13e3f03a0b75558d7ce0c86ee902315d62b51

SHA256
8ec34090d9441621e4d8ff6eba9abb67c59cd4716acff5619a3d800cbb5aa282

SHA512
bb4aca9b214e338f0371b086b70caac9de436bec805880c5b851a698f1c5d009846fbbc292196b9038acc403954af2a626c1eb2891682d08a123a98570269789

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
96KB

MD5
acf3685e0599e6e8a153eddd3aba4834

SHA1
825e73c1225117d58f02599fb944bc754e8fbb09

SHA256
2ab3d85bc689916c7bdda13886229d80c02344eb0e160b8445f188542228107a

SHA512
be673204487a54fa17d57856e388039a832ebaa7d2299e3d98c0c18fdcf89cf9c523a92a52d7809ca56778bd2f8cadf6c44df5b7addb4621652291808da70970

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
96KB

MD5
cc8cc72eb38b28da378eb7d328070067

SHA1
d019b2bcd7c59118d55379c9bd727d36f447558b

SHA256
6ffa31324580abcf2852ab67abd8afd6375e010f913d3f7bc535798b9e4ae1af

SHA512
6ddb239295b33bf37d5f1f13b140539b432731387a57bde46c31bf039dac6603ef55b56f5f245df0c23ac7a4a5b1fcfe6687a6f1c0ea621508e6ea564c35d0aa

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
96KB

MD5
49f695b5f9eae1d83a6f43097a343ca3

SHA1
37965a0d485ba0ede1f8a85f3703a1c3f49cbf89

SHA256
1e27c2a7397aecce9bfc9c65f828674069de378f9fff7bddbf7fec9af3f982f3

SHA512
c6620bf3555412a01c77af6c949feadf38651f004714292b2363e0e3c59dd19de9c01be174e12ebf66868724d741b381135de3562e732a59ba7d99f409e5dc2e

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
96KB

MD5
ab2bf11a3493b2b2284b8b5ec004bea6

SHA1
600eda708562881f206991ebe2c26f6cfe63b53c

SHA256
a1adcdc46f55e87505a068f705bc13c800cd6bc445b41a801a2b9d5fef8b9598

SHA512
ae7d9728fd2142e685f0b1bd0ab9bd03debe803e54f1cf70e92cb1bc6e46901f5a46043476cccfacbcb34ee95a0f93c9b0b9a12bb72daca8ee5bd73f01168faf

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
96KB

MD5
8a4d4d9c90e757817cb3588cd50efb6f

SHA1
3f27db698127c106e2983fdefb49aaf9e324b554

SHA256
3995d731048bec467d363ff9359c663261da3b2aca3172e1c9c5f28fb1b75a95

SHA512
1e7ad83deefe74e30b54e2570bc44a92f7c1bb9897a62e5e4febd8aa568ec3144a0326dd6f882cd44be56a5d7ae1d73ab39f1a678fea721e096d0376cc814436

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
96KB

MD5
44a78d8ae2aa61ee679482ba0e3d934d

SHA1
be62cf535beca8101742cd5e147c26b46e67b006

SHA256
8e4d12a93800be55e2354ed6b3d33a4339077a7a5c1593e2913ae47818534e4e

SHA512
9304eabb0eca0f2fc295f79ea2706da74287155ad21fc10d1dcb4816b688a7326f5a80fea4f257c85da3b494b6f167f728463efb2a9b8d2aa217895eeacf3cea

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
96KB

MD5
c887e4778b2cb05bf3d1ceb43c80e49b

SHA1
6b70aadcc0c1a11e8a0dba4adbb91135f7207fce

SHA256
6ab1234a1d047da570a2b9ceaeb7d614e18eecd1602b04516a7af4176d88eebc

SHA512
2519def17c4a37a0bed00cb7269ddee78918f0eb828adc69af97d0deffa930021197fd4bcfe0ec37a68a5422c3442671b5ae229ad390b3f26c0459f437773fdb

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
96KB

MD5
485294f5d8f165c9690807c52b8f2cbc

SHA1
d76be62e88c37f45a33555ed229bc9c30e99f89f

SHA256
4e0c6a3441a75c2e4071558bd2559ab27aeadf9e9cd5699cb221a6975159aff3

SHA512
a8f03a11f539eb7183dd19f7f864d1c1613950785287f127de31ec0f48874b0f05398d519cbeb240c7de887d1cce567e9a144a177723b166e66ae7b6a823c2aa

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
96KB

MD5
ca0da0c9ed3292ed78a6adaa373c239b

SHA1
896e62be2c9adb00e8a19963ca433fdabaab2abb

SHA256
a2293c17199a1372bda8f7d38ec2bdd47b8407635eb255e7264e331c6eee41c7

SHA512
d59511e392f41c8fcf24a7112875d27de6d7350f0392b24fffef2008a312a9fc8bdab013d2d45c73a5dec0e4e53f27bcdd10d9e47d932f262c77b6531e67a67f

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
96KB

MD5
7a500187687854d6a672db35ab19bed5

SHA1
883900b1fd4f274f14336cf8d52e5a34bd1f102d

SHA256
2b8cdfa92fd440515e537ff209d7003b9b0034632cdef3c65a163743816a6a40

SHA512
9b0ec497e24ff4fed05da03760ad3cad9dbbc1c9b8231ed810a9c46ff8687de78dbc3829b771e9ffa187ca5b2dfedead1823d4643c2e66325b0a227a4927c311

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
96KB

MD5
547226e2719a6c4932c3713eeb3cf768

SHA1
41abd93916394f7f148b5495230ee97bc70178d2

SHA256
d6dc75c9382a18b578c47ecb1c690df6c169f97e748076e3caa91095539cf620

SHA512
ca5c9a6d51707c114fd2361965ffd1d7eddd477696367e8d9279a958390b80ca5535a9f8c2f8b5788e4be70f25cba3195d5ba5e3063d09ddc4331bba8587c15e

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
96KB

MD5
f6f5a590124e0cd908971f5578cc372e

SHA1
7de00a2f153970f456731546894ebbd46c33f789

SHA256
500af883bf8ee14bb8da41f6330b5e3bfaa86acfa44677e021f4fed9991f92e5

SHA512
d349441de24b6669483b32e9e66311c6bb6b8896d86d4c80c39b8274d2a521f44b51f097008c701c2cd4c830ef9cc555c894a8b55813e43340ecee3f42896308

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
96KB

MD5
63498f7fb8c193d53f692d1897b71e18

SHA1
f35f94cec7eabfbb61db1bb2b8f4dc11ffe6c786

SHA256
32539b8828255fab2b62e24ac91de5a0ad3fe9dd8b765bc520769607c509829c

SHA512
b20c951de39eafb30cff910b98a627123d030ef6aa5827517ad6db153887a046fae82ca3da55dbbe24d67e53ccb07d3fe720f7ae390c9d8cf7747b54e0024098

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
96KB

MD5
aa1d00deddaef8471d21eece59be6bf6

SHA1
8d1c33db09eb05ced6a0ada2ef30d1519b1d450e

SHA256
091f39b790eb2db3ba557856bb3f0fea26f4b9867b109a57d15b490ce32e9e7b

SHA512
908adef792a289dbbb917e75e6c8c712ad823e8e9b6287ba2351f727d2e41d779d990c8d870cab1a7e221235e164ffb8353ab1f6864538dc2d933aa52745d87a

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
96KB

MD5
936a47a953ea57b83735221dc9f94f17

SHA1
c2f5cf48ab396ef6a8d0ec8d7e8ddce2e9b1f7bd

SHA256
a075de0a47749e854ca7ae8a9a8dd3ca1e0239d7fff28769d871e32df9ab2bbe

SHA512
cb1506f6f31778e09eb86cf4b10c00a37b7a5cf0d948317482f81e88a4d2ab0ac913e70cb4accea9263ab7c7629602600d22085493c3d29cc14f6aaef44c1948

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
96KB

MD5
fb703cf4651f7eee40bec81aef404037

SHA1
8924ecb80f6c82ebbd1c0a647b80ffc74107b07f

SHA256
59a8512e579f74f22b45c8973a118bc594365853ae721073858db15ff798f6cf

SHA512
c83f0695933a97f4787e4efbc91c349ff7360c6987b178d8d8a790dc87e857d49c5ec29a38c78dc5a566905941d851cb6ce49ada5404a428121be2827cf3179e

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
96KB

MD5
1a90eac1402d489bd8d7ed09b9fa5eaf

SHA1
687070c8de85e687c8db24d4121708c69b2a37eb

SHA256
3c34a6be54e9dce6dbb094b9e0ca8d2ac25e62dc316cf4a1e5b28867d88db613

SHA512
747ab3f838b480b3bdcbf38f7f045cf15c84b23a4ba533b244a406d8d7cba0a0877d812503d1376d07c797baa8bca4927aaf58615cef2b6574b28133fed8ee37

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
64KB

MD5
de49f3a9f00809b056a9a2914fdc80f2

SHA1
0fe729ffc563b51931b739b888a816e875f4ec7a

SHA256
ad26b5784b921f801deaa2a620acd1fb4d973e8e40a6f75fa729f95066927671

SHA512
fa0e8ec3b43dc478a73d4f26fc44a922dd43666ce8892a8c76925d6ffcd261605ab498edc4f22bb1068203b8c178b8009eb69fede3843665d3121934f021d67f

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
96KB

MD5
bd48d64941847513193466f06a6c358e

SHA1
ae4e34c8376f3548aa11232bdcd251f0dfd6ef70

SHA256
5dd033e86e5693268754c6cb813fca6fe69089ae0e041b1a564ad90c71f2152f

SHA512
e9382501aecd61c4296d37196e28288a267d5675d46cd079e5e8d66153b78d18747f85c6bab08e5e7018e668304e63bc02e09a85e7ae19b57f5f4abf32fd8dcb

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
96KB

MD5
80228dec06b3999ec5353c796136bb00

SHA1
5fe5c5c4af350b05ccd7a01a269c6f8689fc68ca

SHA256
dfec018f5d9859528469402a78d548f02a0b96b4d53ec221d8d9c19d3bfe8ee7

SHA512
318fd466b37eb1a11ff4b476efbb9f86824c033c575ab70e5ee1317ab21277b138d58be50f325acca16ae730ce70a7541a9dab0583c40c82380560aed762060c

Download Submit
memory/232-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/264-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/316-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/508-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2796-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5132-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5176-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5224-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5840-1215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5908-1237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5992-1261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6724-1166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads