berbew | 56a933e12dbc8bee2ef33bdf05df8a291c836ea0d091ae9c2a9f3bcdd99b1f95

Analysis

max time kernel
107s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2024, 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56a933e12dbc8bee2ef33bdf05df8a291c836ea0d091ae9c2a9f3bcdd99b1f95N.exe
Size

96KB
MD5

283bb814050064ece47835312c4b5270
SHA1

aa19c5fa46de88189ecc6e78bccad90004140eb5
SHA256

56a933e12dbc8bee2ef33bdf05df8a291c836ea0d091ae9c2a9f3bcdd99b1f95
SHA512

66b8c5841ea5c5902d7e16e2139a315a670cc41919a963a1f5bbafb78a45a0f0b7b6705dc41c186579e001207e6ac2f185e8b837349fbea842c8a98987c5f04f
SSDEEP

1536:CrLQIwJoYpkX35NZVxAEMAPLIVdyKMVz2Li7RZObZUUWaegPYA:CvCvpknPqAPLYdyKMVQiClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4860	Lfkaag32.exe
4948	Lmdina32.exe
2800	Lpcfkm32.exe
2112	Lbabgh32.exe
5044	Likjcbkc.exe
812	Lljfpnjg.exe
4208	Lbdolh32.exe
3600	Lgokmgjm.exe
1684	Lmiciaaj.exe
1708	Lphoelqn.exe
4512	Mbfkbhpa.exe
4896	Mipcob32.exe
2688	Mlopkm32.exe
1324	Mchhggno.exe
4592	Megdccmb.exe
3932	Mlampmdo.exe
512	Mckemg32.exe
3104	Meiaib32.exe
64	Mmpijp32.exe
3560	Mpoefk32.exe
4796	Mcmabg32.exe
4932	Melnob32.exe
4928	Migjoaaf.exe
3392	Mlefklpj.exe
624	Mpablkhc.exe
4920	Miifeq32.exe
4140	Mlhbal32.exe
4952	Ncbknfed.exe
5080	Nilcjp32.exe
2584	Nljofl32.exe
2224	Ndaggimg.exe
2744	Nebdoa32.exe
2748	Njnpppkn.exe
2600	Nlmllkja.exe
556	Ngbpidjh.exe
5112	Neeqea32.exe
3192	Nnlhfn32.exe
1988	Nloiakho.exe
3140	Ndfqbhia.exe
4024	Ngdmod32.exe
1916	Njciko32.exe
936	Nlaegk32.exe
1608	Ndhmhh32.exe
2188	Nggjdc32.exe
2196	Njefqo32.exe
1968	Olcbmj32.exe
2964	Odkjng32.exe
4940	Ogifjcdp.exe
2776	Ojgbfocc.exe
3228	Oncofm32.exe
2272	Opakbi32.exe
740	Ogkcpbam.exe
4608	Ojjolnaq.exe
1160	Oneklm32.exe
4612	Opdghh32.exe
3028	Ognpebpj.exe
2232	Ojllan32.exe
1976	Onhhamgg.exe
3980	Oqfdnhfk.exe
2208	Ocdqjceo.exe
4360	Ogpmjb32.exe
748	Ojoign32.exe
2308	Olmeci32.exe
4228	Oddmdf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jfenmm32.dll	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ogibpb32.dll	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Meiaib32.exe	Mckemg32.exe
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Oncofm32.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Miifeq32.exe	Mpablkhc.exe
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Kqgmgehp.dll	Mlefklpj.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Miifeq32.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Iihqganf.dll	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Mlhbal32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	Neeqea32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Lfkaag32.exe	56a933e12dbc8bee2ef33bdf05df8a291c836ea0d091ae9c2a9f3bcdd99b1f95N.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Likjcbkc.exe	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Banllbdn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7140	7052	WerFault.exe	248

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	56a933e12dbc8bee2ef33bdf05df8a291c836ea0d091ae9c2a9f3bcdd99b1f95N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhqj32.dll"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimfpda.dll"	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmgehp.dll"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iihqganf.dll"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Ndhmhh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 4860	1744	56a933e12dbc8bee2ef33bdf05df8a291c836ea0d091ae9c2a9f3bcdd99b1f95N.exe	84
PID 1744 wrote to memory of 4860	1744	56a933e12dbc8bee2ef33bdf05df8a291c836ea0d091ae9c2a9f3bcdd99b1f95N.exe	84
PID 1744 wrote to memory of 4860	1744	56a933e12dbc8bee2ef33bdf05df8a291c836ea0d091ae9c2a9f3bcdd99b1f95N.exe	84
PID 4860 wrote to memory of 4948	4860	Lfkaag32.exe	85
PID 4860 wrote to memory of 4948	4860	Lfkaag32.exe	85
PID 4860 wrote to memory of 4948	4860	Lfkaag32.exe	85
PID 4948 wrote to memory of 2800	4948	Lmdina32.exe	86
PID 4948 wrote to memory of 2800	4948	Lmdina32.exe	86
PID 4948 wrote to memory of 2800	4948	Lmdina32.exe	86
PID 2800 wrote to memory of 2112	2800	Lpcfkm32.exe	87
PID 2800 wrote to memory of 2112	2800	Lpcfkm32.exe	87
PID 2800 wrote to memory of 2112	2800	Lpcfkm32.exe	87
PID 2112 wrote to memory of 5044	2112	Lbabgh32.exe	88
PID 2112 wrote to memory of 5044	2112	Lbabgh32.exe	88
PID 2112 wrote to memory of 5044	2112	Lbabgh32.exe	88
PID 5044 wrote to memory of 812	5044	Likjcbkc.exe	89
PID 5044 wrote to memory of 812	5044	Likjcbkc.exe	89
PID 5044 wrote to memory of 812	5044	Likjcbkc.exe	89
PID 812 wrote to memory of 4208	812	Lljfpnjg.exe	90
PID 812 wrote to memory of 4208	812	Lljfpnjg.exe	90
PID 812 wrote to memory of 4208	812	Lljfpnjg.exe	90
PID 4208 wrote to memory of 3600	4208	Lbdolh32.exe	91
PID 4208 wrote to memory of 3600	4208	Lbdolh32.exe	91
PID 4208 wrote to memory of 3600	4208	Lbdolh32.exe	91
PID 3600 wrote to memory of 1684	3600	Lgokmgjm.exe	92
PID 3600 wrote to memory of 1684	3600	Lgokmgjm.exe	92
PID 3600 wrote to memory of 1684	3600	Lgokmgjm.exe	92
PID 1684 wrote to memory of 1708	1684	Lmiciaaj.exe	93
PID 1684 wrote to memory of 1708	1684	Lmiciaaj.exe	93
PID 1684 wrote to memory of 1708	1684	Lmiciaaj.exe	93
PID 1708 wrote to memory of 4512	1708	Lphoelqn.exe	94
PID 1708 wrote to memory of 4512	1708	Lphoelqn.exe	94
PID 1708 wrote to memory of 4512	1708	Lphoelqn.exe	94
PID 4512 wrote to memory of 4896	4512	Mbfkbhpa.exe	95
PID 4512 wrote to memory of 4896	4512	Mbfkbhpa.exe	95
PID 4512 wrote to memory of 4896	4512	Mbfkbhpa.exe	95
PID 4896 wrote to memory of 2688	4896	Mipcob32.exe	96
PID 4896 wrote to memory of 2688	4896	Mipcob32.exe	96
PID 4896 wrote to memory of 2688	4896	Mipcob32.exe	96
PID 2688 wrote to memory of 1324	2688	Mlopkm32.exe	98
PID 2688 wrote to memory of 1324	2688	Mlopkm32.exe	98
PID 2688 wrote to memory of 1324	2688	Mlopkm32.exe	98
PID 1324 wrote to memory of 4592	1324	Mchhggno.exe	99
PID 1324 wrote to memory of 4592	1324	Mchhggno.exe	99
PID 1324 wrote to memory of 4592	1324	Mchhggno.exe	99
PID 4592 wrote to memory of 3932	4592	Megdccmb.exe	100
PID 4592 wrote to memory of 3932	4592	Megdccmb.exe	100
PID 4592 wrote to memory of 3932	4592	Megdccmb.exe	100
PID 3932 wrote to memory of 512	3932	Mlampmdo.exe	101
PID 3932 wrote to memory of 512	3932	Mlampmdo.exe	101
PID 3932 wrote to memory of 512	3932	Mlampmdo.exe	101
PID 512 wrote to memory of 3104	512	Mckemg32.exe	102
PID 512 wrote to memory of 3104	512	Mckemg32.exe	102
PID 512 wrote to memory of 3104	512	Mckemg32.exe	102
PID 3104 wrote to memory of 64	3104	Meiaib32.exe	103
PID 3104 wrote to memory of 64	3104	Meiaib32.exe	103
PID 3104 wrote to memory of 64	3104	Meiaib32.exe	103
PID 64 wrote to memory of 3560	64	Mmpijp32.exe	104
PID 64 wrote to memory of 3560	64	Mmpijp32.exe	104
PID 64 wrote to memory of 3560	64	Mmpijp32.exe	104
PID 3560 wrote to memory of 4796	3560	Mpoefk32.exe	105
PID 3560 wrote to memory of 4796	3560	Mpoefk32.exe	105
PID 3560 wrote to memory of 4796	3560	Mpoefk32.exe	105
PID 4796 wrote to memory of 4932	4796	Mcmabg32.exe	106

C:\Users\Admin\AppData\Local\Temp\56a933e12dbc8bee2ef33bdf05df8a291c836ea0d091ae9c2a9f3bcdd99b1f95N.exe
"C:\Users\Admin\AppData\Local\Temp\56a933e12dbc8bee2ef33bdf05df8a291c836ea0d091ae9c2a9f3bcdd99b1f95N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\Lfkaag32.exe
  C:\Windows\system32\Lfkaag32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\SysWOW64\Lmdina32.exe
    C:\Windows\system32\Lmdina32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\SysWOW64\Lpcfkm32.exe
      C:\Windows\system32\Lpcfkm32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4140
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        34⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        35⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:936
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        55⤵
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2232
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        59⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        67⤵
        Drops file in System32 directory
        
        PID:4236
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        69⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        74⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        75⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        77⤵
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3280
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        79⤵
        Drops file in System32 directory
        
        PID:3224
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        80⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:112
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2388
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        87⤵
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        88⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        93⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        96⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        99⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        100⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        107⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        108⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        109⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        113⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        115⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        120⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        127⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6072
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        129⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        130⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        136⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        137⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6172
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:6256
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6300
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        143⤵
        Modifies registry class
        
        PID:6352
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        144⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6484
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        147⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6528
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6576
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6620
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        151⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        152⤵
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        153⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        154⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:6876
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6964
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:7008
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:7052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7052 -s 396
        160⤵
        Program crash
        
        PID:7140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7052 -ip 7052
1⤵
PID:7116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
96KB

MD5
f44a833ca21ebe56096f533581e1d218

SHA1
27ca7dba4905d561b1b1ff6d31a35976e2d4da1f

SHA256
043b4bf77642ab5b482a5066ff285d7c6193bd647893e233748062202995d240

SHA512
aabd9cdcc4ec8102b504f0bbac87e3f88d4bac7a0cdd45aa35452bb5c74e8c42d27554e29d6ec88a04edad0d8a72d935c2b9a52e5e2a715fdae5101b21045510

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
96KB

MD5
364ac8356e58388494b5d76c12dc23a2

SHA1
a5160cc4935cfc863383fd783f680332c88effba

SHA256
58101ce76e282f2e61962d3dc433897129ba5d58a9044fd71fbbf833bf470ba9

SHA512
ab0dc0f52f966946a88e32cde94b8032674e9ecc95921afa3b5af2d92b1db21e2b643675b156c1962be2e02c4d13499b23ba4f7c5101888baff4da45ef759693

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
96KB

MD5
cfea85a947d00ca814c842777fc4b59c

SHA1
6ebca1ec5f2ac23ad0ceee83ac7f137d9f29fd68

SHA256
17d45f8dcfd0bf1d005d6ae828eba95c909c934efe7dc88dfad43393adf53ea6

SHA512
540c86971e9cb0e19bc2dd591aed61e58df2b1ed6f3c23c6eaa5a6af52f5b82bde1b5aafecd9ccc9d8c598ce45c006e7787c896deb7a3bf98246075329fc8c8c

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
96KB

MD5
900d30d26250a7b9dcc74f190ced5947

SHA1
b134632ffeb96d53ebe2e1b36f50f94a77bea787

SHA256
bf99b40ba98a9dc3bbe4e0aa0861b7c5d9201233495034f328ab0462281d56a8

SHA512
0a4381722f08b55e71fca7d48f99455477f5e03634b9eb15dee2bb5ba5c0c843552d177566beada9ae237df75d00640c094922448e1526d5d2b1c9ad657c6c16

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
96KB

MD5
61a321de70201e565fe5393d9d5f4a1b

SHA1
940c89991b617f2c892006fea9c5430a88ef9836

SHA256
e4393de84a44e1db818529aaeee097f340e624f4dcfb6778604f7604ccdf7445

SHA512
0652f6e870aafbdf84b244d5397ff386be2fee84eb2fc776fc77dbe26837c624bbea6c01fbc1203df4cc30b4f813c315cbc30ce5e8d25147ae7da068bb6a4c1d

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
96KB

MD5
0255815497ef52fcd5f20cae416c1f16

SHA1
6e61f1b7cb47950cc06114e3656416e16fbd9d3d

SHA256
b732747f2e63d3733648cf6aea50c044ed724a081b8ab8ac6dcaee73bbdac248

SHA512
0f9500806b3b7fcedbe58131c09c7f9586f3d4c012b9c6a8f6387b74bac30ed05f6063fba7659020d00933da4e2a31cd1c661b5009496a8e9f9116ca1cdec600

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
96KB

MD5
84b77e85ac212c98d79044bf785b0175

SHA1
2ce195b56b3601d557980355b8bb49629d8f16a3

SHA256
f0a1d2407aba6821469363e8884852f3ce14a9fbd32bc21648b0d2120219379c

SHA512
3b85916104fbbf82d32c2257207bdb5e0ccd00d24c131fcf8be35585bfab1a35579602969014832625a1849a28eeaf9f55d81682df0c0938b33a9e70e7f9344c

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
96KB

MD5
01ec5ebd5b338e2bbe9b1d1c1d0eaf4e

SHA1
28669913ac7ff8c71aafff1f3cbd0a3111379372

SHA256
ae919db802f7932c48cef59ba835b30fbb3493f994d39af92bf623ee589cd309

SHA512
18afbbf445159bedef21a5fc803641f6f4dfe256f0bfbb8b658bad2cfd44b6fa3f3dd0c0404ae471b2bf82c3ae9c5bd815f3294c5a03de4a73f8f405b6a0c043

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
96KB

MD5
32f1351182c38973a84f366651348a0b

SHA1
f8461fa4c8c87020ba9fc83a83d4e1f2e8441a5b

SHA256
fb691cb6f6fa41c182a5c62f11b3acdc6714c9f532ec072509248411351cbc94

SHA512
245bf1e696b6efe044461afb721fb1d7c4f1f3871b5967f36c24b31e634bfba1c56d16bc255f0d779efdcac34b52a5ff53e2fc77c14cd795c06fadcfb01a07a6

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
96KB

MD5
84f1d6cfb69a428c9b40e4d2bbcea74f

SHA1
f169b9a5edfccf9dc4b8f47d3d82cb7f1a50b097

SHA256
87f344755ef32433b0727a734e56e3a8a81f54738d44ab68874f042ca39f79e5

SHA512
dd9450158f3840c6d98c16255e0d96aafc50c1b38adbf1084fbc42ea099ed79f5a4100c847fe52a9b1e7045f40aa84ea23ca3f8f9418a347cf0d4f0a9b21009a

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
96KB

MD5
f16d72fb6a4fa068d7c00820298fc76c

SHA1
681b6d06b81645fd5f1709cc44e7baa9fe5b64a5

SHA256
3f3ef978b2f151844ef9532908f275c953206874e6208fd7edffeb762666b2c5

SHA512
09912fff3ce0e43e1f8acc4b2b97b0ccbeafc8d4e1218cd52fcaeeab956ccc94741be570dcded01d8ac3d4123bdc9677bd903f06e89c0bcce77bffabd893c9cf

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
96KB

MD5
b852cc7ae0975c4a308d6711dd688d6b

SHA1
97ef2a620f7f8f44b653160327c8e212ca551ee5

SHA256
90210b17fda79ad4c99b767aa98ce6b1b5853ad70cbebaf47f61a953495f199f

SHA512
8e964e7f3be4bd4791d7681bd2542e12784257d4c688bf469e000810712f19f8746e4ef443f6d7f752c300efd2fc75f266f674f31fa71e6ba5d29cb7203717a4

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
96KB

MD5
c0838204b0d858c7d73296f6ae90acc1

SHA1
e66336652331031589a30bce41345fb9b6b95380

SHA256
d49dd4bbe2b674ce218da5e844ee20b40b005fd8797eb19c9189887bb58f6ca8

SHA512
22d559def15396900beeecb224a410d1ffda6dced484bd1624a48649cd48e390a8a03ad0d803f2f00223cd825761db0f49779d4e0f951ab33d2a6fe9d3c858dc

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
96KB

MD5
77e48cfe1cbf884b38d8017105848848

SHA1
1d872fe1dde891a80e967e756789412fdda5b7dd

SHA256
ec38844ca2cad44a99763b63ac8b8843bf41b843811ff894a6be9bef605ff6c1

SHA512
f87c2b054065a29d74d278d879c0b6c5c1caa6ac1f6bd2a6c8bc7d0924b86642f7704b155ff78ec36eb26f5aa885b7b4c04937866aea12164655b5745edafbdf

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
96KB

MD5
f9cd5b5c58824264206b722b34cf4334

SHA1
8c9f95d18b2096421601c0065190a2cb6d44bd7c

SHA256
7aa45468a0a96f0416eed5f72437f972086dabe1b56e1ec6b898ab7e7e753429

SHA512
34412163eb767ffb5c47a7720faadcdfc740805da77ae439966418674b06593c0a2c55b9f7f80062430b775e0011c3271b0a4ceb5b5c68bbbea6060ec2fd779a

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
96KB

MD5
32fb734c485a2b66722919aff0335d79

SHA1
2dd613370881a23c462a681e0afd4a5d228916ad

SHA256
9b3f7d8325a6db46059aa571f9bb94a3cffe0d30011c96fe1038f2d3b932d8be

SHA512
8df455cd1339a7303bf62652aeb7238545c30345188592606dddb578f1b0e1afd7cfcb5049e63e61fc2a8c13482b09d42ef59d47b1baeca595f68f8e4a29e119

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
96KB

MD5
9bb573217d9270c497fda475771ebe7d

SHA1
f8ebf178abf8dc50e17f17d6d966626df02c7047

SHA256
7ab92775e672612b5f14465c5616edc055faf96fb8d6b62d75d0a41560916e35

SHA512
89ec87314e5a3a4c90c5fabf19454030c0a125338f261533c2d8894690366cb4c334b69a8d246be864ffe845e17574d8669359d2281d3791132387e9b496dfca

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
96KB

MD5
26160ce0a23c5cf42b0f5d89a4b2b144

SHA1
1d842ef3e88b81a7c1b3926d0d050918989f5dd4

SHA256
2efad99f43e92e67e4ffd6cc630ed7cda67b763fd8917ca9ad880b1ecb7e2b08

SHA512
ef53186bb0ac8e44e3d3413119269b85ceaf64e3ac3908a3cced96e79af94d71b2a78642a43b646a001e3bbbd0959e3d6b8afc39794cd72b4fede570950aae91

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
96KB

MD5
1786605bac6e5c2d632aae04221f1880

SHA1
5e7a96b4f123e07a91237511b86df876a824dfe7

SHA256
8b746d92675a39ee251979ac909e7cae245e31498df8cdfa2fa9f0a43413c50f

SHA512
8111fd6c81f8d21f33852ff401be25de79052bf498b566c552dfd29bbc3320ee2dbbc5edf1964cb88e7fa8a0cd288f99b2fd4b566f75854a287db4a9e3412949

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
96KB

MD5
e89879488bb8d7c4da1b22f69d91027c

SHA1
0a482e13e86d106fcb1a5de356e63c5747c8cdfb

SHA256
323b9db01a0a3adaa65773d091a62d01b87c4faab7c247ef9eb896309fb3dc7c

SHA512
a9547e565b2c53282a4cd20c399178aff9b3c13ad8fa4ed5bf89ead1a7089dc867b9bf83d282db8eab0179080f5c03e1b92cb7e0f0c8c54711a79cc87c560d71

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
96KB

MD5
4e84fc85069578b7eecfbcf0fed1c862

SHA1
6f217f7c71bf5cd265d9e4b19ba9a18658b31aa5

SHA256
4730ede73de7f8e98d4075606671a9b819299eed1c9dda1a6a1125dd5e3cc648

SHA512
53a2d8000511bf73ee959c0bb2b1bb862a18dadeb78f990bab27603bfd82a44ed1fdd62e5e4e74a54ed349d533ddd5f9b95435bae8d1155349e4ff12edba86f6

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
96KB

MD5
b78d31f591a9ca60be3db249b89c516c

SHA1
345b9be199723e1378ea54699d4828dfb9efb1ad

SHA256
25da61d23fe59784ad29364999c4df1bc7ecbb2bacbf5c3e49dcfd923f199167

SHA512
8a2c2a536246c63c4638d4371aaf52e347390c3281f4c88c667cf422bed688e0cfd5330744c9e9225f42cbcda6ce79c16978e7fb566838f9815f72d1e4ede35e

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
96KB

MD5
97b5db7915935f6acdc0356090f72931

SHA1
74332f4e8649fccdfdfbbbfa8bdeeb779bbc12dd

SHA256
28de93ea484dc2014017fcf18a2e4136c38da16816e659411f3a9171ec5854c4

SHA512
95723e254ec4938afa145f7d92eea6f4fc258b58c88d56a63db4a104db181037f5393c7cfe1c0af4d191d5e25139270333e5f2070ae2e46d7c42d72964ee0500

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
96KB

MD5
7ad60a9f298c961a5fd7fe273fac3cd2

SHA1
b987b5cbbf1a65ce55980c811727ad20abcb6ef4

SHA256
0d85672441c00c125e1df127d5385f1cbd8460d45cea4135a8bec1a6d2a4eb0b

SHA512
3953d42458c7bf839d7dafd041f34045ab47df3dc47dfe82c8eb7fca717dabff47e937393767e7f8a64fb760e3186ffcd61b1215a09f02e1db26afd54e6d5336

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
96KB

MD5
e46a095ad12d09d67e7c8dc277e94191

SHA1
42b16252b74b3547c56d99e2b6a20db3a6476ecd

SHA256
ff7fcbd1d639a10252268457c69bb19a96e6345bd1ce10aca69bdf9989ff2878

SHA512
2471f03e675a0a614ccdced59750b935690bbd2f2ad1c5ac7b72fef243fd0848492add4856799f7482c92969fac36197e807711cca3bf5f8173ac0bd7663184d

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
96KB

MD5
2ccd8d7de267bbd4e6c30c89326c9837

SHA1
cd4fa70ae9d735aef761cbffd250db4c9dee8280

SHA256
76a6224a7df198b8d0e0ca131e9470c6b8b8c4fc26ebf9978239b89b744c3e88

SHA512
f2fc82853cbfc3b22490bdbbd48ab9369cfaa0ce2cdb42281e782ddeb907096cb84a1f44f0ca4891527f81c326150b78bfde60e6b89b5c39d4f17b780f8f8a56

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
96KB

MD5
3ec9dfe315e040aa2f8a68a8a1c3e090

SHA1
2222f6f0c9d4c6a4b743cec0089a825713744657

SHA256
c34fe30d4d9b31d89ca501974b9b47dc42f7c117a3dc33e6839df4c9055d4497

SHA512
d8b46feb75a541a0ab5e12e7da7c7065531e182bd1b0e7c75b692a3179d80fc57aab78a06a8567f7102d4c8aeea9d87ce231faaf4d3afdedb938b39a5b00e0f2

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
96KB

MD5
09e125eadeaa91827828e18044149e58

SHA1
dcbb40cfb31253038f654da274e769f767874d19

SHA256
6826f0f89ee7cbca3879c9a343068c57ffd501202512f9c246d72115353626e0

SHA512
335dbf988fe6bf3dd0474cdeea409075610540992d475147162b539e3e82dadc4959674768758abeabc9b53c6e301fa975d1a07954bb4723cdbb0b702f7f3184

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
96KB

MD5
0955352241fd96ba4554f05341986be2

SHA1
59b14773ba319011e201db449039fb28c878c9b5

SHA256
d6fa91bbcedce2b4b41e21331e9b00733580c412cdc64173afd97fc3ba5c9698

SHA512
33d3949b61055290fd92f4be9cd61295f715b56e536291b4e2bd280acea802703d63424452a12602c69812f30531d1e5e866b43e60cc10222f0be6f59ad7e3ba

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
96KB

MD5
4b5429afa6137f8440259f7e22cc72b0

SHA1
02136ea35fc4d101586bc7cd4b3711deb3c37964

SHA256
88f2d4792104048afc0ce0c6a9fc668173096560f4b08ad3f141792fbfef5d4a

SHA512
160f87be7d503a1af17738d997e4fee12b42ad8977041582f71bac71f2b5922a36a190ce5f9d62e21824b6084e2875b36c98c1850676be28e4f95287034dc8fd

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
96KB

MD5
d4a8ca8183b28b208c633a3fc9a000ae

SHA1
5503aded4290d5712e92fde0e4a5c9fe122c6b05

SHA256
13bd2fcc0e99b86883cd2d423c60538ca43143dd65a22a85115e4ba65b11012e

SHA512
8e26700a608f32c1cb13e01c2bfa8a0422e1ea1ac1302d584c80ec2c7f57fac1fe8d778f29f8d708574a3855a89a1f738f97e2683c46061200bda30c965c6930

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
96KB

MD5
d77a00648d7f7898cb09e20fe168d00f

SHA1
8022ccad62a7f769068c45c159ab2f0841698325

SHA256
b23d7c62690f40eaf845361b959825ff9c95c763ac0fca26583a908416ec4d06

SHA512
b13476d112a2f94825d08cb3d04672fcf95802455a054655b7b7c764085c74dcb97952064af62d0a5925f9c103b5f3742fb9aaea0c03b214ba0533d9df6611ef

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
96KB

MD5
29334017b6c0e7d159f731e3d9e0dbc9

SHA1
55e5f1a42fa826f5e2d9a5ebe8000fa6c45339f9

SHA256
fbd104d68c69a2bad3d316c3069b9c36f46f4413dcbc7cfc07f790cb6e5172d6

SHA512
1f97d92cbb5edc31a89d8496067acea625211a2e5893e46cf2dadc627b73e6cf14b0ec0dd4b7b7d13ed42053a343ad39e40e8bb1b907cf9bc2409124ac1a7110

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
96KB

MD5
adc16e50110b07d3e21acd755ade8c20

SHA1
ea81ff8c2bce65d30fbf13d8dad714635e187aff

SHA256
67a2096bac41c9b1393a63c314b8e9797e84ed438c6c5669985e5d5b356d22b1

SHA512
1d34a6866ddb2ee14367cac5e91db9780a3cc50f14bd9b0bb3fc181a4a5aef52a14f496961c1de397206fc08b02f8e1945689cbb29081718344c7d501cdd6b44

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
96KB

MD5
c4ab2ce7e3661d8394e2cb273e7ed971

SHA1
ac12b89da6f36db29ee1054f0412ef2f678bc8c2

SHA256
52f7d77e997b0c0be59d3402573e697b28c7a6c225a1648d6984c7f740f72c03

SHA512
79e3a9b45dbb747204fdf418a34d63fdb552741df351a8328fa2b5ea179a69769b9fdd755d86f2efbd8dbfcbd11f6201a28a39d900f9dbc55eb02fbe79770986

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
96KB

MD5
6f1ca78e7a8545d4c4f80953d1612d4a

SHA1
8c008d94d2a7df6888944812d4d4ae1b4a483831

SHA256
2bcc89807c04cb64084acf541e6cc4300099e37dfdf034f064bb3595d56e575d

SHA512
e16ad64343c70b50bdce4b4b99a34b8924d55914cdeb9451067f36c0bc278d11bf01fde54d1573d99f58c632c2e261d049372aa229ba5fe00d2cc8404a16d7c3

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
96KB

MD5
a32ff5f3c26d2491a052aee2268da13e

SHA1
8ff94cbe3f876576c6fb5a6a3358e44b4e38ff24

SHA256
af90aa0c65763a05fed7de1eaaa0370a5cff3934e31100acde4725328b50dd6f

SHA512
980022d0644928e7bc1f9c430330ce8c9cac72ac2904473a2d3f0fc7f66e4f0370e8b4b5305e9fc17944ce4f817a84a28bb2973d6becaf78d987d30968f5c9c5

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
96KB

MD5
d8d6cfbd29d1b91765bf1e2de6160482

SHA1
06b0cfc01dcc7b288b2c1058af517893269506eb

SHA256
177428f5fd7a646cea729f53d49ea4f0d1467c49f0feaebe52a656bcf073f458

SHA512
ce2e7abbbba95e7bba511bc4e30cbe7634d4207aca3cd2bb95f2624d6e75a44ad4b62f3486efa272aeccb6f554ca54378d45c47ac7fe756a08f5838866f01c37

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
96KB

MD5
655f5f909b22eccb3af6f6c3ddb16006

SHA1
f7ca7ce72cdce1c876e3e48a30a6e9f827b9c74b

SHA256
756b80cdf5d144ea8b66f343e74603a0ef1076f0adc62c7150f7d9063632bbb9

SHA512
4f3de5edcddbfd590e14c405e6e0cdd4dd5390ab3b06d80695d9bddf593420efe077cc3f9d1a26f775c6bea351ab69942c50093cb8e169122db2409e6eaa2b99

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
96KB

MD5
7ac6f19d5170c3320b0f600cd08a6500

SHA1
f276355ec2a8f21fe84e09d28d506a90f6637bda

SHA256
bbf062138298fcdd3788df6bd6bdffd9a621cd02c6ac204af810ed6009a99c1d

SHA512
96d57630505d4fc7d5d63a406d27dd1594ec7e48995726b06d92cc87d3f59882167b5bddc2624b8a0b9f9fe188d3e520327ae2e3c81d785e8e4daf9288823f3b

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
96KB

MD5
c4b805e10531a254819772aa6d3a4b98

SHA1
f55eae4185946eab8a16a1b17d3cd6170f1a9d9a

SHA256
dcfa518bc07e5c9d253c8faa913faad06d86b4789962c23ec279d0bae72cc83b

SHA512
07c6a9b1ed95174c65e2525e9b352987e8583d5bc0efdce78c9a16105879330122c4d8d93454b6c67a79e22804a6330f65e6ca4c6264fb729c11d959be5a220f

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
96KB

MD5
c5b140fefde50718c228e9f5f4c18ef9

SHA1
e038df0fed2c3c0d61580b754c34e93cf798c719

SHA256
0f23534d0de14669ddc510230915e514b1b30c25a6cd98d60ebdccb4474b7e78

SHA512
a9d2a889be7164290caa7c47a8ddeb5fd8f8047bcba8148226a3e5966140eec847e12519eb856be019f8301240d54ce951c96572bb50d354d2fa289d3a78e98d

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
96KB

MD5
8051e83e335d676eb2ea2d8bf1043e6c

SHA1
1e763d5479c5790b3fd2beb1f378e1988824c127

SHA256
8c7a254d72ee6f100d9b53491b86b42f07425588ff69f3cfa5287f77477b716a

SHA512
f3b928018ee909fec5fb3f153d48157fa7119d20b420885486fb819ed65d2ba477ccb820a99ab5aeb655824956b5c199c5d236c2db47382013374018f7220003

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
96KB

MD5
b8bc4d7b16c4554861414a41701bf5c1

SHA1
a2dedcf7182a6d96231bc129a6b724a8a08a28b4

SHA256
6e99bfb5340af5fb1a4bfbb81d0d3ef7025b6a377e1a0737eaf7eda424cbec98

SHA512
492fead8e101a9487937bbc01de016695a37a3488cac781d143088b81d59984307d76d7f4e142eebf431f3a87cb4c6d2b867d322994629c82e01eed1844bf868

Download Submit
memory/64-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/112-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1744-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3560-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5588-1168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6064-1138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads