berbew | 7f12d587d7a3d5adf970bbb713f4573d1ebec6a9d26d737eaee93a6a4190cf7e

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f12d587d7a3d5adf970bbb713f4573d1ebec6a9d26d737eaee93a6a4190cf7eN.exe
Size

123KB
MD5

b7e32bf87cf253c85403aa8148807160
SHA1

3507323175979dd444e305f326b61d02a9088e28
SHA256

7f12d587d7a3d5adf970bbb713f4573d1ebec6a9d26d737eaee93a6a4190cf7e
SHA512

25758f85e17e64fde861e0c0b412189cb281c1dbbf11eb331d1064f4bf78c239e34e327134f75c3ee419faa4b771b9b140e948893a2de111a8cb7e86a06eb00c
SSDEEP

3072:yuZxrvuLwuGs0alr26etsI5J3s6bhRYSa9rR85DEn5k7r8:tXr7uj1Stts+3Bbh4rQD85k/8

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1952	Kplpjn32.exe
2868	Liddbc32.exe
1620	Llcpoo32.exe
4336	Lfhdlh32.exe
3496	Lekehdgp.exe
2820	Lmbmibhb.exe
4032	Liimncmf.exe
5080	Llgjjnlj.exe
2472	Ldoaklml.exe
2460	Lpebpm32.exe
3276	Lebkhc32.exe
4436	Lmiciaaj.exe
4540	Mbfkbhpa.exe
3972	Mgddhf32.exe
4672	Mdhdajea.exe
3980	Mgfqmfde.exe
4980	Mcmabg32.exe
1060	Mgimcebb.exe
392	Migjoaaf.exe
3124	Mgkjhe32.exe
4872	Ngmgne32.exe
4420	Nilcjp32.exe
1164	Npfkgjdn.exe
2100	Nebdoa32.exe
1576	Nnjlpo32.exe
4404	Njqmepik.exe
3936	Nnlhfn32.exe
1700	Ndfqbhia.exe
4152	Ngdmod32.exe
2572	Njciko32.exe
3708	Nnneknob.exe
3564	Npmagine.exe
1940	Nckndeni.exe
1708	Nggjdc32.exe
3676	Njefqo32.exe
4260	Olcbmj32.exe
1512	Oponmilc.exe
4296	Ocnjidkf.exe
2720	Oflgep32.exe
452	Ojgbfocc.exe
4052	Olfobjbg.exe
4268	Opakbi32.exe
4244	Ocpgod32.exe
3040	Ofnckp32.exe
4820	Oneklm32.exe
2888	Opdghh32.exe
744	Odocigqg.exe
3868	Ognpebpj.exe
2660	Ojllan32.exe
2052	Olkhmi32.exe
444	Oqfdnhfk.exe
2352	Ocdqjceo.exe
1712	Ofcmfodb.exe
3512	Onjegled.exe
3304	Olmeci32.exe
264	Oddmdf32.exe
5076	Ogbipa32.exe
2988	Ofeilobp.exe
1388	Pnlaml32.exe
4164	Pqknig32.exe
4488	Pdfjifjo.exe
2496	Pcijeb32.exe
2020	Pfhfan32.exe
2108	Pnonbk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Lmbmibhb.exe	Lekehdgp.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Kplpjn32.exe	7f12d587d7a3d5adf970bbb713f4573d1ebec6a9d26d737eaee93a6a4190cf7eN.exe
File created	C:\Windows\SysWOW64\Ldoaklml.exe	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Mdhdajea.exe	Mgddhf32.exe
File opened for modification	C:\Windows\SysWOW64\Nnneknob.exe	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Cojlbcgp.dll	Llcpoo32.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Gdkkfn32.dll	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Lplhdc32.dll	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Madnnmem.dll	Liddbc32.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6620	6500	WerFault.exe	245

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f12d587d7a3d5adf970bbb713f4573d1ebec6a9d26d737eaee93a6a4190cf7eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekehdgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgbkil.dll"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oolpjdob.dll"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhqj32.dll"	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lekehdgp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 1952	2664	7f12d587d7a3d5adf970bbb713f4573d1ebec6a9d26d737eaee93a6a4190cf7eN.exe	85
PID 2664 wrote to memory of 1952	2664	7f12d587d7a3d5adf970bbb713f4573d1ebec6a9d26d737eaee93a6a4190cf7eN.exe	85
PID 2664 wrote to memory of 1952	2664	7f12d587d7a3d5adf970bbb713f4573d1ebec6a9d26d737eaee93a6a4190cf7eN.exe	85
PID 1952 wrote to memory of 2868	1952	Kplpjn32.exe	86
PID 1952 wrote to memory of 2868	1952	Kplpjn32.exe	86
PID 1952 wrote to memory of 2868	1952	Kplpjn32.exe	86
PID 2868 wrote to memory of 1620	2868	Liddbc32.exe	87
PID 2868 wrote to memory of 1620	2868	Liddbc32.exe	87
PID 2868 wrote to memory of 1620	2868	Liddbc32.exe	87
PID 1620 wrote to memory of 4336	1620	Llcpoo32.exe	88
PID 1620 wrote to memory of 4336	1620	Llcpoo32.exe	88
PID 1620 wrote to memory of 4336	1620	Llcpoo32.exe	88
PID 4336 wrote to memory of 3496	4336	Lfhdlh32.exe	89
PID 4336 wrote to memory of 3496	4336	Lfhdlh32.exe	89
PID 4336 wrote to memory of 3496	4336	Lfhdlh32.exe	89
PID 3496 wrote to memory of 2820	3496	Lekehdgp.exe	90
PID 3496 wrote to memory of 2820	3496	Lekehdgp.exe	90
PID 3496 wrote to memory of 2820	3496	Lekehdgp.exe	90
PID 2820 wrote to memory of 4032	2820	Lmbmibhb.exe	91
PID 2820 wrote to memory of 4032	2820	Lmbmibhb.exe	91
PID 2820 wrote to memory of 4032	2820	Lmbmibhb.exe	91
PID 4032 wrote to memory of 5080	4032	Liimncmf.exe	92
PID 4032 wrote to memory of 5080	4032	Liimncmf.exe	92
PID 4032 wrote to memory of 5080	4032	Liimncmf.exe	92
PID 5080 wrote to memory of 2472	5080	Llgjjnlj.exe	93
PID 5080 wrote to memory of 2472	5080	Llgjjnlj.exe	93
PID 5080 wrote to memory of 2472	5080	Llgjjnlj.exe	93
PID 2472 wrote to memory of 2460	2472	Ldoaklml.exe	95
PID 2472 wrote to memory of 2460	2472	Ldoaklml.exe	95
PID 2472 wrote to memory of 2460	2472	Ldoaklml.exe	95
PID 2460 wrote to memory of 3276	2460	Lpebpm32.exe	96
PID 2460 wrote to memory of 3276	2460	Lpebpm32.exe	96
PID 2460 wrote to memory of 3276	2460	Lpebpm32.exe	96
PID 3276 wrote to memory of 4436	3276	Lebkhc32.exe	97
PID 3276 wrote to memory of 4436	3276	Lebkhc32.exe	97
PID 3276 wrote to memory of 4436	3276	Lebkhc32.exe	97
PID 4436 wrote to memory of 4540	4436	Lmiciaaj.exe	98
PID 4436 wrote to memory of 4540	4436	Lmiciaaj.exe	98
PID 4436 wrote to memory of 4540	4436	Lmiciaaj.exe	98
PID 4540 wrote to memory of 3972	4540	Mbfkbhpa.exe	99
PID 4540 wrote to memory of 3972	4540	Mbfkbhpa.exe	99
PID 4540 wrote to memory of 3972	4540	Mbfkbhpa.exe	99
PID 3972 wrote to memory of 4672	3972	Mgddhf32.exe	100
PID 3972 wrote to memory of 4672	3972	Mgddhf32.exe	100
PID 3972 wrote to memory of 4672	3972	Mgddhf32.exe	100
PID 4672 wrote to memory of 3980	4672	Mdhdajea.exe	101
PID 4672 wrote to memory of 3980	4672	Mdhdajea.exe	101
PID 4672 wrote to memory of 3980	4672	Mdhdajea.exe	101
PID 3980 wrote to memory of 4980	3980	Mgfqmfde.exe	102
PID 3980 wrote to memory of 4980	3980	Mgfqmfde.exe	102
PID 3980 wrote to memory of 4980	3980	Mgfqmfde.exe	102
PID 4980 wrote to memory of 1060	4980	Mcmabg32.exe	103
PID 4980 wrote to memory of 1060	4980	Mcmabg32.exe	103
PID 4980 wrote to memory of 1060	4980	Mcmabg32.exe	103
PID 1060 wrote to memory of 392	1060	Mgimcebb.exe	104
PID 1060 wrote to memory of 392	1060	Mgimcebb.exe	104
PID 1060 wrote to memory of 392	1060	Mgimcebb.exe	104
PID 392 wrote to memory of 3124	392	Migjoaaf.exe	105
PID 392 wrote to memory of 3124	392	Migjoaaf.exe	105
PID 392 wrote to memory of 3124	392	Migjoaaf.exe	105
PID 3124 wrote to memory of 4872	3124	Mgkjhe32.exe	106
PID 3124 wrote to memory of 4872	3124	Mgkjhe32.exe	106
PID 3124 wrote to memory of 4872	3124	Mgkjhe32.exe	106
PID 4872 wrote to memory of 4420	4872	Ngmgne32.exe	107

C:\Users\Admin\AppData\Local\Temp\7f12d587d7a3d5adf970bbb713f4573d1ebec6a9d26d737eaee93a6a4190cf7eN.exe
"C:\Users\Admin\AppData\Local\Temp\7f12d587d7a3d5adf970bbb713f4573d1ebec6a9d26d737eaee93a6a4190cf7eN.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\Kplpjn32.exe
  C:\Windows\system32\Kplpjn32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\Liddbc32.exe
    C:\Windows\system32\Liddbc32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\Llcpoo32.exe
      C:\Windows\system32\Llcpoo32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4336
      - C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1164
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        33⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        34⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        36⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4260
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        40⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        47⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        50⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        51⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:444
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        53⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        55⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:264
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        58⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1388
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        66⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        67⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4936
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        77⤵
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        80⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        81⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        82⤵
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        83⤵
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        84⤵
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1128
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        94⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        95⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        98⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        100⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        104⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        106⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        107⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        111⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6044
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        116⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        118⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        123⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        124⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        127⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        130⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        131⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5616
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        135⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        138⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        139⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        141⤵
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        149⤵
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        150⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6004
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6148
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6192
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        155⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        156⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6324
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        158⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        159⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:6456
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:6500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6500 -s 404
        162⤵
        Program crash
        
        PID:6620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6500 -ip 6500
1⤵
PID:6564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Balpgb32.exe

Filesize
123KB

MD5
1dc8de2b52e79ec5125a5febf3b2dff9

SHA1
e854a8636b4f5d5baf1ba657a21688d28df3209c

SHA256
64285bad0a0c499733bb02be69026de0a42fc101a3988484e4d4dfebf30756aa

SHA512
388ec43fb394350383966b3a813fc6f24fef4c0b88c3aeaaa78ba8c7915e814ea9dca2b5273c6bd77cd28c51440288209ba2cb306786198b514106ea39720a61

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
123KB

MD5
b96b94d3ff29d6f951602928706bcd61

SHA1
3fef8327a6244f01eaabd5cb6f33493c66f407ce

SHA256
72f1de1368b46f921ee9a5b146e95c8b94f2538b4dbc8f1d48445f8f5e84963d

SHA512
bc18098d48c4b10b44b072aaa5b7ba0d58dd86e18aa7852d9741a0741cc83df3bbabd4b74aae2a0094d219e04cbb21c6523f9401fda7c1a5c3f06a28148350f8

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
123KB

MD5
d0bef95ed2ff06834aaf9357cd61bb77

SHA1
c359d47907c98104bd64eae7946507c5cda8e0cf

SHA256
3e2fae8677db8f7e0a0520367e3a96939a8cc95e30b20ab27756826282f9a624

SHA512
7b24671e26976bc1c2d33b71215505d599ec3735e2b3994ce986e5ef2a43e4c75eec156c0c7e4a11d4382cd75cdafb4a00f7d2f6d770c1904f65368932716004

Download Submit
C:\Windows\SysWOW64\Eiecmmbf.dll

Filesize
7KB

MD5
b0d202bc5e488ac03d53f69fcb675284

SHA1
7bf667dd3e51f70e9ae3ea14b8aea2ddba690267

SHA256
5340424b44ce154e48b50d7c5b0b791394278ec8bd26753b578a6a74c037aaa1

SHA512
f4959c4857752e892a9d95122266ac7502c8961ff7e208eac69fd3dfe88791383acd5236da40c37da0a5be982cfa62dbf16f041a6dc6b12c7fd8923baa70819d

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
123KB

MD5
4e77ac264ba14535e5e1ce96993f4aa8

SHA1
755dfe0667ee0a9c6155bcf54c23d5b97cbd8b50

SHA256
ec7766af2ddd6a95a67c06ed7dac2ae3f59a919d33c24c9dfbe8a23e058f1e56

SHA512
51099ace2256ccfc67ab108e9c9ef610792162f409eb92e3470d82b0ea3bf6a68254a12712e6d7ef785279ac3e52c6cdbe36cefb1407a6eb30399cf614b903c6

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
123KB

MD5
f7ceed9d730e75d231ee097f26a9b6bb

SHA1
0976ad0828cc26b5b200822a4390a8d4d7bebabc

SHA256
f8f02ee51cbf7dd307fc8fe1b62d73060b4827731096ade7bf8735aec9310c8c

SHA512
7e385603696d88ce3bd1fd38e32a2f8a1211797a23d5ac22add80775408a474face03e7fe5af51915dc1b6202c84933c4d9c7331897c6f0b882477169734f570

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
123KB

MD5
5b38212ca10eac2378b2b50449149b40

SHA1
507c2fc94d29bd40d125faa70b3551c7c328f7ca

SHA256
6e80ee11e8accc9d754ef7cd441561aee397cb11756c5b189634c02154eeded3

SHA512
6084a93a69055c493175e0c492d7a412f0c49365e274c0f18b1bc0bffdda1cef9c0261740d29eddb5a5a4bded5e0aa89e20b13603e6530ddd7e1099c59e64f40

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
123KB

MD5
01ea6059e85e05dd854836b3c44936af

SHA1
6ae12b5290c19033440aa89e1b0bb37e7f6bb7e6

SHA256
251c1aadb0bcaee9e7846e0e8d947f2b667a93967ac9fa764b887dfcd5c3462e

SHA512
f2e34fd676a2148d7f5bbd4db3ca798b09ae381bde1e7964268e2188fc3be2698ed89f355fd573f30661ff1352153b6306dfebad7284f25c14a6f8b7973e6d28

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
123KB

MD5
fb2d4b47b084a3efb4407ed42389be56

SHA1
0a2cdb3abddd3c610b14c87fc5e705086c08d609

SHA256
d8830fe4fc42e9f6f543a98c2f97b8ff67d748a5a9ecedfcb29bc39e721cf9c1

SHA512
c3d9786984251c2dee573288187165745673670d2f7d62a2e964d0a0e3c27210f5b7e307a1437d26b60e60fe7e525bb852f9172b2b90e42cebf4ee31d3e12612

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
123KB

MD5
9aff63569d8d0760a560a8355570053c

SHA1
e79b7f5c6baf99039fdcf8d3118d276634655c78

SHA256
4ec779de728a37c56a388b22ccae8a125d62fdf291ba05a5f8799bf8e17c83f4

SHA512
f497f413bd1165b20f5d260487f473f7a1a40dd8878de0fdcb6128c2bbc939be7c8fc7570e11f37252f83ca2d6c07aba19870ea5df2fb2e8d63b91800b48b578

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
123KB

MD5
60ff57f8158008850c3e9e0b643a67d6

SHA1
64ccadbe2556aaba3b0f0ba797e43d4abcf7559a

SHA256
826c625a4dcc790f01476c49325c67bdc27dee73bed68fd23d50a9e7ef1794c2

SHA512
01f8cb0f7013087a040f731cdcceeee17784dfd3f69e142a9de5d97cd4487e609d5713cc0df884549af920b45632f320627639f22d43e35162db2ac5f4243c94

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
123KB

MD5
a62280ee3b7ae0ed518669931a021990

SHA1
e1e95d27f8c151dbe9b9078f62572e50742f4606

SHA256
c4fffdfbee49d8240a928477ca3b1efe7e9cf5fc2a9818571a1f087eb196f2f9

SHA512
d942cd94a7979614c42853f65c3afdd24dacf723c7b329674939c4e72db8b54d1bbe0462e112bd3e370dd0fa514c127b6e9bb2168f0a97bae6956f470c9c978e

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
123KB

MD5
c21db525ecce3ad774f9c27bd64dd80e

SHA1
b1bffb5451964e4fdc4b2f0a9530049b5d3d1284

SHA256
72abc962969b7bb2b4d16f44760e64a4a5bd0a45a571cdda4c867b065b9af237

SHA512
555ca643bb29ca7f0eedf53cdbf1d81163a48c2bcf176ba96c0889993860bfb2eee05c07158b15603876dbda2d39e9641e7f5657e895d08a949f7c45d8bc40f9

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
123KB

MD5
5a8175b9d0046bf919138d13f746198d

SHA1
adc2449b7ee0a2a6ba9e939ea29a36f582a0dd0c

SHA256
859459524f53c83c3b940238aaa249ccf934ddf64834c0fb002e65af83892ac7

SHA512
69250ba0c606f207959f706c58b651281a0bf671954aef5aad630923f8e3d0e5ec23c351af12026f4ce2eb8f8f0cf5fa894b44987f09c28aa2658ab114b9e0f7

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
123KB

MD5
f284afa0e76587a35705a6da5944866e

SHA1
9063922b016a591480b78a01095846a3e4539368

SHA256
1d4c55e0e2e2081ea6a2598370a4585f188d6e6ac887bdc620b6e9e50ce90d46

SHA512
508832660867f0ce478f808a48ace958e5fdc2f40ecfd40e49c2f1a9d5dda94629fcaa2db8fd3764256c4fa55af1991a8124ffc2a17a990d11559b4d1b11b586

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
123KB

MD5
24becfd5816e95333e64a6e732cacfdb

SHA1
a2f2a381cff6a3767b4a0c2fc80036221c7b9a00

SHA256
bc1e4901b0b74982f666ddc72452c74cbf52c8389c1da0fc6fc0fa344fb4474d

SHA512
e5c641a83cbf050fab17552f5efcd0eef1879eae012b975e9c4c5e062bb5fe390b607adba20f2fab610afe8a960c9717388ac5ed46e3b21ada590c7acfcebc2f

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
123KB

MD5
bc4f9a536f169e2f03e41fdbc1923f57

SHA1
b1455473f6e8da55f13f726d93261db0819b16ae

SHA256
4d5f416dca1a9eb4ac7ca4c17e14c10cb6c9e91de20b7a74caaafa72e9b6ca91

SHA512
b5c7ce4dc93849e828ebab6f4fbf0e9eb0a6c650084e2351b176d6125f126b5810d3d60115c5d599db0d587ad283423ff64538391110ccbb7c69757fc94d555a

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
123KB

MD5
d5647ea7f591a7f96fbec067ef84949d

SHA1
344b4997a74a731c8304d7846f964753361c5ac5

SHA256
80431be07d0a9d6cff2baf41d0aa44f41b4d985df23f38006a3861675627e36a

SHA512
d2f53786a8f6b9f79c4597d935fad522df576ead1e29d2e8fca7d6e2947138c9e46c88e1ddac85e88f39515ebc2ac3c5d700c76fe4c6106f9b464ed459eb4e2c

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
123KB

MD5
693d9c35321a0930c64d81a3c6051e50

SHA1
eff60ec8f86537cf5da38e08cd94dec96fa8748d

SHA256
2c9343bb5ae5eaccdba14745e9f3424961b0b7b8ec8fc9e5e6b1e72ab8d0789a

SHA512
c001c9eef0f213f5e0f67443719487bb4778de7bc1e5f514add1b62611be4e8548baa95c4f3d90836dddfd7aa3ba4959b6714a29d868f99784b828955a0ca9ee

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
123KB

MD5
a2dffaf961b00e4804a4b3864165070f

SHA1
12efc847076c6efbc2d449b10dab8d4d5c4fd465

SHA256
c0082c4bc91d10cfa6e0bbbbaac3f462ea81c6fdeef6fa1751d67f0596fa9d57

SHA512
f2c16b37a87c8181f7ff157470716aff41bd06ff79bfbd168818c9587e9488f119350ef32505cd9f069ddb863e073860987f1f632915ef8503ed1ad3b7ecea41

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
123KB

MD5
13c5f999e393bc35724d66be7b0bfb74

SHA1
b2c6a553b9f8ad25564256a42001876505a16748

SHA256
1a95785a2e0ad7114b9c67bc9c99cd9d0ff66eae70bab632b8d699424f7e8dce

SHA512
444ecd24db06c81aa74bd71d64f474187723a736bab314f2f42f3dfd4840b101e899163333864da23e5393f1720c23c6a3dfdbf55398c810416b24ebcf1b5f4b

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
123KB

MD5
d041a7a424630ecc7d309401ac01644e

SHA1
7033dd15bfc648c9c24acdb8b442bb61fd558d03

SHA256
cdf8949e3dbe1fcbea95df0124676950a781b60a7ce20a8b49714ab8a517bc21

SHA512
4ecb406ccd55ff38900ba73355dcf621a07d4f9390986670cb4459d9fe66411f7f684001bdc60afc258a87fd3bf5a8079b3fb041cf321255cd493153569e9181

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
123KB

MD5
aaa1a8e33cd2ca6e4ee3a32ed86ceeab

SHA1
9f18f8566f02f9dd5ec1bc2a9493631f82609e53

SHA256
323331dd97a4813cba582e2c35f669e1ab6b5be26737378c7f79360ce90178b7

SHA512
308383d7ab0a5d9790050cc695b7d7277d34a347aa9f07f884c247c03c96b29fd5c62889e19c469cc3f50052d0f0977e7eb4f4b45c12def7040ce14087e8479a

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
123KB

MD5
bac92cac8111b88cb851599689851705

SHA1
b6bf3bdd3041286dfc9f89d72c35559f784dc672

SHA256
147d245b2ca3388b8771a3a8bef07eb1692afcf9913ed948ea97f60bf62d25db

SHA512
5fe77dbac28b0fb4fff1785df09a4e61e363c93bb10f7954ace0a12edc3a7b55f67eb7b5a7022d7f670a736dd035d304c21340f051a9f27ecbe3f4be408b3af4

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
123KB

MD5
8c4cb659432d389473b26f7c09f6f20d

SHA1
c3731910bc5c8895939060175a88db04358d4bad

SHA256
d00723e775bff8fc904bdd30f5ad90a503cbdce2ab6c06e0562ac5b92d5d0d47

SHA512
269a5f33adef01a5301c91f3d0ff064cfa4ae88b1ee2382c2e0a8d491248191d84aea0f22fdeafe127e80697c82823bca67fbfa59dea9f7dd0becb6126b13fbf

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
123KB

MD5
3738e6399e1279a76e9a8e1edc076ced

SHA1
b1b920caea886a0ad1b17f6e1ea93b0cfd5e3b78

SHA256
75583b955bae289a4c2b6a9e41684b96fdd136db5d49a2e9a682cd9f3a0bda40

SHA512
9ff0d8b0317978c273b5fb935c8e3b5722e71f26ab55ca863684d22b71f8878ec5da33a7f8d56776de94e59390764de1da2e227a48b76eee9c3197bf5d265d96

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
123KB

MD5
3d153cbef341964610173d2fd4e45911

SHA1
a43bfd657a2e4d0001d5deb453423dda4c454e41

SHA256
efd79b1701fcbb6cc5f1c9fab4c5220f49713a936ee12185e90080dc758170b7

SHA512
07c1666392cd04d907051085d213028143846276b518150cc5898a0aebb7febed8796a6ea8846e895d53ca5c9f1126505f1d1161d779d059c7b5d6ac68d76e24

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
123KB

MD5
0f46faabc59734b83a1d0638c5a9a830

SHA1
d7834dd67231a4436920ee33ae80d1bafae077db

SHA256
5b311a5ba0607cdc8f112310f11394cac315c83a5ab0c3ea045b8d2c4979058e

SHA512
435ef44e787240ea32e96dd5d87dc8098289a2c321edd48a7dbba876ed14c2def27232434808ded11d3bba4a60f860ede09a6f8803eaf8b676f729a4cec37d4a

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
123KB

MD5
5cb85c11ec2c6e80dcfb0a1088b640b1

SHA1
2fdddc0dfa9e842b7eab060120083af9d776fec2

SHA256
da808f45e738e0fecabf2136699ecc322885f1bf438a1f5d094258d7584bf4e3

SHA512
1c17682374bde27518ab75eda578eec933a9441a1ed56a46f3caec280f8d9c545a58b7fb8d8fea11cdd60e10c186b814ae65db5e42260e88a7a9154368b0530b

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
123KB

MD5
1a1c556d6b028e72a24781caea92fb2f

SHA1
8f512ade550fa4e9c8fcd4eca270ca295f87ff49

SHA256
c25ff81e67af577d4963ca7288eb0a1a50d5545f584463ebc70842acf7cfab6b

SHA512
08427ff1a52f06744bcf21b9f9c6de457d32411aa22b5301a05c075f60840f9f76445d5e3313b0ed52d3a7166f5d648eed5fb479cdfa011ec1e0fc5e3e4ba37d

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
123KB

MD5
d201f4843a17143bdbefae072d775e96

SHA1
94b0b9cbdb6c32d0d08f9e5a73a4c728b219726d

SHA256
f94e91f541e0d64dacdca5cf2737713792058348a71929f1187f089ad59fa81d

SHA512
5a06e8255915bf2ab8ab78f4142c079893b47bb7db79704c74870f5160d02919b27c9f26841274ccc23a894474a7492209f2301eecbe4f16abe542f7bfd8640d

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
123KB

MD5
141fc824ff42452f1c300796b5e72a77

SHA1
5988fe61156af64ac49fafe1f77c385ac6b9d3e9

SHA256
9bc20e64d57394e9a148681875032bbf5b196a2b3f998b1616431e6d1c95694f

SHA512
7a67d030e5e4fd8790dcc8c76e034bf36af7f2350f5eed97b9b7c26677b5f3a0aa954650896aa4a108a75aa6b3aae04cd36135372a1fd2d53d012e9991ed3391

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
123KB

MD5
8b68678f705997bf30d9e83cf20545e2

SHA1
57e7f65fc1c4f99d627551efed4d0434e90c91cd

SHA256
4e688bfb8c4df0b8bef69bacbe50c6d6491f125297cffab6cb8e1b7d1df4f166

SHA512
a15a85903db800800ccc879e0f111a9e447000251457b9886a32272735a482343397cb21faec33c43d11b4820f6cf352e853785a73b3b7dccd02971e6f354534

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
123KB

MD5
1ced1641516ef24289a3af0a3bf17161

SHA1
76b8fccce67a8c88708b094290d6d88290005ba2

SHA256
07bdece85fbe7183aaaea255c4b452b8eca50834b925c0ce43100a6c806760fd

SHA512
779e3f2ed2b11abbd2ccdb42741ee86c967f90267b4a22a49c23fd68c41fdc02dfbef76716303f08e310a0b71318dd4c42a128e26761696b7d18b7c14d26975b

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
123KB

MD5
50869765a6f93a435597cfe3e9d8ff79

SHA1
bcf03bcb5645f30be0fd783ed7d2410898d49925

SHA256
f68eddef93491b9a17d91434ae8b7caa395931d202de68773c181d376197a07a

SHA512
864c6e7404e8ce0339cf4cf5ed7f6a199fd92e22828186c4e3a41228cd72afa30dea2889968b32943a6b3b978b50546f950744a073617a136856b521d319f8eb

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
123KB

MD5
873cc79e0dc148cb775f09bcbd3e0d3f

SHA1
0ad4e1e8fffd9918f7af78ed12080254b9324327

SHA256
b3d595c9b392938cf5fb72574a0ffdea71aaac90b0b4da88eb08e48b091346e0

SHA512
c156e52db304c614098e48a7acf9795c02ab63bdd9c1eb225ebd2eb85c6e8e4c482cdcb1e2cda0c0a53128b7d1a1437b407f6fe3645ac041c2c47a9cdfd2889a

Download Submit
memory/264-425-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/392-251-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/392-159-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/444-395-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/452-329-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/744-371-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1060-242-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1060-151-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1164-199-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1388-443-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1444-491-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1512-311-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1576-213-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1576-298-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1620-106-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1620-23-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1684-521-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1700-243-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1708-292-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1712-407-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1940-285-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1952-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1952-89-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2020-467-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2052-389-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2100-208-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2100-291-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2108-473-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2172-479-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2352-401-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2460-167-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2460-81-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2472-158-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2472-72-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2496-461-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2552-503-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2572-261-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2660-383-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2664-79-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2664-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2720-323-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2820-48-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2820-133-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2840-527-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2868-102-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2868-15-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2888-365-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2988-437-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3040-353-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3124-260-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3124-168-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3176-509-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3276-90-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3276-177-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3304-419-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3496-39-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3496-124-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3512-413-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3564-279-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3676-299-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3708-270-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3868-377-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3936-234-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3972-116-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3972-204-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3980-134-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3980-225-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4032-146-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4032-55-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4052-335-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4152-252-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4164-449-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4244-347-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4260-305-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4268-341-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4296-317-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4312-485-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4336-36-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4404-226-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4420-186-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4420-278-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4436-103-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4488-455-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4540-198-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4540-107-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4672-125-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4672-212-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4820-359-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4872-269-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4872-178-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4936-515-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4980-147-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4996-533-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5040-497-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5076-431-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5080-68-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads