berbew | 3d6fc2eb152caffbf81e7b9d5514269d5f2a8f5a77cc38ec0ea1e6916a45e9cb

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d6fc2eb152caffbf81e7b9d5514269d5f2a8f5a77cc38ec0ea1e6916a45e9cbN.exe
Size

76KB
MD5

7a0b455fd5ddafca0bbe4f7cfd910a10
SHA1

f8f54aa4f687de519c50c23ffeac06edbf390754
SHA256

3d6fc2eb152caffbf81e7b9d5514269d5f2a8f5a77cc38ec0ea1e6916a45e9cb
SHA512

c810616aeae8b322f830cd15ad4687874afbee2b3af8c49aa3e79208e79bd01cfe7c51c3037556174757fa1de3e1fb086deb62b8798773434138fc85a946d2c1
SSDEEP

1536:Q5UbLbHrXeVzFjgrL8WsdyxbnQQ/Cd9qz6Oun134HioQV+/eCeyvCQ2:jbLeVzFjExbQQ6S0IHrk+0

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leihbeib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4644	Klljnp32.exe
3628	Kfankifm.exe
548	Kmkfhc32.exe
3856	Kdeoemeg.exe
4808	Kefkme32.exe
1660	Kplpjn32.exe
2000	Lbjlfi32.exe
2408	Leihbeib.exe
2004	Lpnlpnih.exe
5024	Lbmhlihl.exe
1748	Lmbmibhb.exe
3432	Lboeaifi.exe
3520	Liimncmf.exe
3328	Ldoaklml.exe
3596	Lepncd32.exe
1752	Lljfpnjg.exe
1604	Lgokmgjm.exe
3156	Lingibiq.exe
740	Lphoelqn.exe
2084	Medgncoe.exe
4576	Mpjlklok.exe
372	Mchhggno.exe
216	Mibpda32.exe
1780	Mmnldp32.exe
2448	Mgfqmfde.exe
3552	Mlcifmbl.exe
2064	Mcmabg32.exe
2560	Migjoaaf.exe
752	Mlefklpj.exe
4384	Mgkjhe32.exe
4848	Mlhbal32.exe
4476	Ndokbi32.exe
3884	Nngokoej.exe
2888	Npfkgjdn.exe
2120	Ncdgcf32.exe
224	Njnpppkn.exe
2420	Nlmllkja.exe
3000	Neeqea32.exe
2016	Nnlhfn32.exe
3292	Npjebj32.exe
4856	Ncianepl.exe
2192	Njciko32.exe
2036	Npmagine.exe
4328	Nnqbanmo.exe
464	Oponmilc.exe
1108	Ogifjcdp.exe
3500	Olfobjbg.exe
2828	Ogkcpbam.exe
2880	Oneklm32.exe
3744	Opdghh32.exe
3420	Ocbddc32.exe
400	Onhhamgg.exe
1508	Ocdqjceo.exe
1100	Onjegled.exe
3668	Oddmdf32.exe
3088	Ogbipa32.exe
4100	Pnlaml32.exe
4528	Pdfjifjo.exe
32	Pfhfan32.exe
2476	Pqmjog32.exe
1532	Pclgkb32.exe
3580	Pnakhkol.exe
1096	Pdkcde32.exe
816	Pflplnlg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mgfqmfde.exe	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Opdghh32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Klljnp32.exe	3d6fc2eb152caffbf81e7b9d5514269d5f2a8f5a77cc38ec0ea1e6916a45e9cbN.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Ncmlocln.dll	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Neeqea32.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Oolpjdob.dll	Lboeaifi.exe
File opened for modification	C:\Windows\SysWOW64\Mlcifmbl.exe	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Kefkme32.exe	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Kplpjn32.exe	Kefkme32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Nlmllkja.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Bdkfmkdc.dll	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Canidb32.dll	Kfankifm.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Onhhamgg.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Mchhggno.exe	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Mchhggno.exe	Mpjlklok.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5612	5128	WerFault.exe	219

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lboeaifi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkfhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d6fc2eb152caffbf81e7b9d5514269d5f2a8f5a77cc38ec0ea1e6916a45e9cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leihbeib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkhmbin.dll"	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lepncd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mibpda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdkcl32.dll"	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflheb32.dll"	Liimncmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbinq32.dll"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leihbeib.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 4644	2844	3d6fc2eb152caffbf81e7b9d5514269d5f2a8f5a77cc38ec0ea1e6916a45e9cbN.exe	83
PID 2844 wrote to memory of 4644	2844	3d6fc2eb152caffbf81e7b9d5514269d5f2a8f5a77cc38ec0ea1e6916a45e9cbN.exe	83
PID 2844 wrote to memory of 4644	2844	3d6fc2eb152caffbf81e7b9d5514269d5f2a8f5a77cc38ec0ea1e6916a45e9cbN.exe	83
PID 4644 wrote to memory of 3628	4644	Klljnp32.exe	84
PID 4644 wrote to memory of 3628	4644	Klljnp32.exe	84
PID 4644 wrote to memory of 3628	4644	Klljnp32.exe	84
PID 3628 wrote to memory of 548	3628	Kfankifm.exe	85
PID 3628 wrote to memory of 548	3628	Kfankifm.exe	85
PID 3628 wrote to memory of 548	3628	Kfankifm.exe	85
PID 548 wrote to memory of 3856	548	Kmkfhc32.exe	86
PID 548 wrote to memory of 3856	548	Kmkfhc32.exe	86
PID 548 wrote to memory of 3856	548	Kmkfhc32.exe	86
PID 3856 wrote to memory of 4808	3856	Kdeoemeg.exe	88
PID 3856 wrote to memory of 4808	3856	Kdeoemeg.exe	88
PID 3856 wrote to memory of 4808	3856	Kdeoemeg.exe	88
PID 4808 wrote to memory of 1660	4808	Kefkme32.exe	89
PID 4808 wrote to memory of 1660	4808	Kefkme32.exe	89
PID 4808 wrote to memory of 1660	4808	Kefkme32.exe	89
PID 1660 wrote to memory of 2000	1660	Kplpjn32.exe	90
PID 1660 wrote to memory of 2000	1660	Kplpjn32.exe	90
PID 1660 wrote to memory of 2000	1660	Kplpjn32.exe	90
PID 2000 wrote to memory of 2408	2000	Lbjlfi32.exe	91
PID 2000 wrote to memory of 2408	2000	Lbjlfi32.exe	91
PID 2000 wrote to memory of 2408	2000	Lbjlfi32.exe	91
PID 2408 wrote to memory of 2004	2408	Leihbeib.exe	92
PID 2408 wrote to memory of 2004	2408	Leihbeib.exe	92
PID 2408 wrote to memory of 2004	2408	Leihbeib.exe	92
PID 2004 wrote to memory of 5024	2004	Lpnlpnih.exe	93
PID 2004 wrote to memory of 5024	2004	Lpnlpnih.exe	93
PID 2004 wrote to memory of 5024	2004	Lpnlpnih.exe	93
PID 5024 wrote to memory of 1748	5024	Lbmhlihl.exe	94
PID 5024 wrote to memory of 1748	5024	Lbmhlihl.exe	94
PID 5024 wrote to memory of 1748	5024	Lbmhlihl.exe	94
PID 1748 wrote to memory of 3432	1748	Lmbmibhb.exe	96
PID 1748 wrote to memory of 3432	1748	Lmbmibhb.exe	96
PID 1748 wrote to memory of 3432	1748	Lmbmibhb.exe	96
PID 3432 wrote to memory of 3520	3432	Lboeaifi.exe	97
PID 3432 wrote to memory of 3520	3432	Lboeaifi.exe	97
PID 3432 wrote to memory of 3520	3432	Lboeaifi.exe	97
PID 3520 wrote to memory of 3328	3520	Liimncmf.exe	98
PID 3520 wrote to memory of 3328	3520	Liimncmf.exe	98
PID 3520 wrote to memory of 3328	3520	Liimncmf.exe	98
PID 3328 wrote to memory of 3596	3328	Ldoaklml.exe	99
PID 3328 wrote to memory of 3596	3328	Ldoaklml.exe	99
PID 3328 wrote to memory of 3596	3328	Ldoaklml.exe	99
PID 3596 wrote to memory of 1752	3596	Lepncd32.exe	100
PID 3596 wrote to memory of 1752	3596	Lepncd32.exe	100
PID 3596 wrote to memory of 1752	3596	Lepncd32.exe	100
PID 1752 wrote to memory of 1604	1752	Lljfpnjg.exe	102
PID 1752 wrote to memory of 1604	1752	Lljfpnjg.exe	102
PID 1752 wrote to memory of 1604	1752	Lljfpnjg.exe	102
PID 1604 wrote to memory of 3156	1604	Lgokmgjm.exe	103
PID 1604 wrote to memory of 3156	1604	Lgokmgjm.exe	103
PID 1604 wrote to memory of 3156	1604	Lgokmgjm.exe	103
PID 3156 wrote to memory of 740	3156	Lingibiq.exe	104
PID 3156 wrote to memory of 740	3156	Lingibiq.exe	104
PID 3156 wrote to memory of 740	3156	Lingibiq.exe	104
PID 740 wrote to memory of 2084	740	Lphoelqn.exe	105
PID 740 wrote to memory of 2084	740	Lphoelqn.exe	105
PID 740 wrote to memory of 2084	740	Lphoelqn.exe	105
PID 2084 wrote to memory of 4576	2084	Medgncoe.exe	106
PID 2084 wrote to memory of 4576	2084	Medgncoe.exe	106
PID 2084 wrote to memory of 4576	2084	Medgncoe.exe	106
PID 4576 wrote to memory of 372	4576	Mpjlklok.exe	107

C:\Users\Admin\AppData\Local\Temp\3d6fc2eb152caffbf81e7b9d5514269d5f2a8f5a77cc38ec0ea1e6916a45e9cbN.exe
"C:\Users\Admin\AppData\Local\Temp\3d6fc2eb152caffbf81e7b9d5514269d5f2a8f5a77cc38ec0ea1e6916a45e9cbN.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\Klljnp32.exe
  C:\Windows\system32\Klljnp32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\SysWOW64\Kfankifm.exe
    C:\Windows\system32\Kfankifm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - C:\Windows\SysWOW64\Kmkfhc32.exe
      C:\Windows\system32\Kmkfhc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:548
    - - C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3856
      - C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        27⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        34⤵
        Executes dropped EXE
        
        PID:3884
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        40⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        41⤵
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        44⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:464
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        47⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3500
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        50⤵
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3744
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        58⤵
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:32
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1096
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        66⤵
        Drops file in System32 directory
        
        PID:1188
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1984
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        68⤵
        Drops file in System32 directory
        
        PID:3516
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:724
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        72⤵
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3652
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        79⤵
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        80⤵
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        84⤵
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        93⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5340
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5428
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5516
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        102⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5816
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5244
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5376
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        117⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:6024
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        129⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        131⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 396
        132⤵
        Program crash
        
        PID:5612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5128 -ip 5128
1⤵
PID:5396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aminee32.exe

Filesize
76KB

MD5
acaf670213ce804691450ea45fd3bbdf

SHA1
3bc33f2f95e43898209b8cfa4b284572b6c1f7d7

SHA256
e6ce3d800da88410ee1b9f8a545b5f47ec25cf5b290d7e7bdf6c2059ad9d961a

SHA512
bae6ddce19010621b7260b94baf7adb07defdb2f32c92c49e16c0aac1cea2b1894ba384e30419eb3ec67a5d10bd4688ef1a396b04be714633a7dbb96c84cfdc2

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
76KB

MD5
daa74510f44be45228c753a9c46a0d8e

SHA1
a985147494dad89b6ae9b974d1e321d2a39ff1b7

SHA256
b905bc5b3f167d9b43be109ba269a75e0d98c95e944c39fdd6f2fccafaee5d35

SHA512
2d591a1f79fd140856f99c2afbfe7f6250df6e9a400f16f378a5d9c8bf8e3f9cc754436e82064fe46e2496bfb1681fa01e27161b953519ebf5d7136f6761d423

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
76KB

MD5
88be5a5271f588efd67d24a269401c23

SHA1
38bf6f9560817a1275410ea3f8fc9d40bf9862f4

SHA256
e4d8abbd12253f323f3d3bf642832de1a90c5a5538e34f68c86241967ad40eb3

SHA512
2bdcc67bd5073b6b6777301676916ebc09b6dfbe5a34dd95f8b06b8d288a70631d28be4a543844da799e8f5549b3214c72dfe5f64d8d04148a4f95811ea8c2c3

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
76KB

MD5
49d5c75c61c6623d3a090226861f6b8b

SHA1
71a912fa5e13d0ad9d930519520e31f54516fe03

SHA256
5603457717b854c423c9651d95f77de7db208816a92f1178bc1487bb4db0a0ee

SHA512
40c9c797ad57b66b38923ab946d829f32dc05cc01d2d0fbf6f35754255ef6c626044c8cfd71df10a014c78350c0acddb0c357852ea1b436904a965fee03122da

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
76KB

MD5
2f150973cd7ba42e5d4525de9a6f788c

SHA1
a4b403974363e4f67c420780893136295a7bf347

SHA256
69e8076a65015c331b537734d09253da203bafbfbd896f5bb20d224f725d92f3

SHA512
c14592aece0c2c8a2e7f15a843619b56d38a357a7b74daaf2958fe606698c03c85171d6ddedcb994166e261e7ac9c16f6cf0cd4850478b14361a335d9ed7ec58

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
76KB

MD5
703e21899a43b9df51e1a649090f8d0b

SHA1
07799e0635d93b8e192cd7c86b673343b115ad75

SHA256
77a4a5d1f1aeaf3decc2e6f549062c3c5554c57b76efb7db0b2ce6d0735448a7

SHA512
054f01d326ad38b90e1e80cdea7265f2db2b49157ec4c4c533b8011886d2a57019603f26ed10d475bb3d90d00ca3e70f9296cb845fcd94b76560631dacbb23d9

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
76KB

MD5
b468d398070ebfd7a734a70e1d8e2b3d

SHA1
3055428054d7296b852fda558cb01f437da96f68

SHA256
7e44f9cd15a413ab02301d9166585e5af1bfe5ccc8bd0309b7e2dc28b5fa1434

SHA512
ef75e04205573d3974c6fde7a33c01457ff9b18b4d5ae4d33a682f314016166b4c57bc2ea1ff9c1d7495b65777078ccf6c6ebf5508398cac35cd8cd5607a0f6a

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
76KB

MD5
cc50b0b7a439b105e29dd55cc531738c

SHA1
757afe7c8dd36a612349cce1d74dba6bef5ace0e

SHA256
db2b3882e5252e66c99de0befd90ab7ed3ab94eec6c026b264f89ea4105a2199

SHA512
107dbb635c72d8ce1154a2fe70b13c9ecefc7a1bb6f1a4383b9cf0137dd210219539e812c613683129aac332dc70c293d96360193a99c51de3d8965d63ed2d52

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
76KB

MD5
f46bca364f41d6b3d66f2bcfc0ee1e09

SHA1
82aa70f932ff7e70a184e8619080cd4b816de723

SHA256
885e0d19e3fb2c5b8eeaf6b653f3944c63192887a6126be0e4265477672aa509

SHA512
29d6d86d8dbfc086ed38c1588d60e967fae382fd01980c4dc6c7b343132e69b791ab395ca7a717614ff456bad95982b271ab201991d535c93d953f76f4caed10

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
76KB

MD5
6e8dab5853b3890eef72ba644b11d88f

SHA1
288f5f41365c9156c04b0f2df2a9abbec070b506

SHA256
e95769d59d167bc4b91f759e4cedcb39a69f2f0735fa611164f1553a895f0df6

SHA512
9c96c37d35452035894bbc8fa65a1666c3357d47d16655a33c4d8ad34b70af6f4b481f56fa63079daeecc26a42dcf7e1deb7d5c2b7bcb47b4951109c42f580de

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
76KB

MD5
91442f8c8d854e7c683b941ec04f75e6

SHA1
12bf95171653989dcbb090c723f68e3942a66111

SHA256
c6bbdb03eb99e8334221d2a43d87ac6aa160a09c0936cd9169fe0524c0a9c802

SHA512
897ddd2d14392be9ca3497d97093a5b893ed06b48488d13583454975d5cf698d86da6082bbeeefd940c07193072b6081174f8c8d765cb120ea34a2b9b8caaa09

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
76KB

MD5
b3b4db9f9b50ca419309b4223cb98944

SHA1
b0648bf6671f913d1b490ed764f2fc453c963e25

SHA256
6b94a3a052a747f1a39d0dbcc4acfd29dfdc6502922b0933bd6071a7b97af34b

SHA512
534748ec67fbfc782062264c6abeb5caa174de9cd490c911f2fb007ee62d35a940cfd6c5a72745c6a145803d603d547c8ceddda6e814425dc300c05cb9eb95c8

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
76KB

MD5
8f9183b86d4acb2c92c6e7c6328f8388

SHA1
f755f5e37004bf14f174138c6a9ffb5f040acad0

SHA256
bca667199be69a3c0ce34bde71d4c6e58c63fa528e5f1ddb930c08026258acfe

SHA512
acf6c9b60c5d42c8705fc9e8e88b5193250749c50c25c9d714006adfd87923d7deab13d063c001859c25f86a5d9b66efb5ddc6550d2a6316807af8dfe2626cd9

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
76KB

MD5
89e584447792af1b3f30976bee50bb3a

SHA1
971ba7ad6319ede55793ae3a512a0402a800cdfb

SHA256
9f144f197be44f45ea0556798feba219382fbfb37b58b6d9d21c8eb825e2bac3

SHA512
e68fb61812f2c8fca46136d5d203b6ca3a97ce6f75f69920adb39046ebea1c8e4bf843fa877f747d8fbae6c36bafeb706505a8024bb7de21a5358a24c156a54e

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
76KB

MD5
3ee483901ff567e123ac5aee053772b7

SHA1
37d7697d86ad69610ead76a09648da5685d4be1a

SHA256
8cb4c7570d2924d2d69f4b21fa380d841eb8e728f2b072d060c3b39992a3153f

SHA512
42af9b93b13e0f4fc493065f123e73301a706bb084a7602af89cb2eadae5c253c80aa417887d959e2a6b1f04ffb438d69f78a33f5e12e9dc63ff5db369f588c8

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
76KB

MD5
09863a74d726e0a685dbc05e848723bc

SHA1
88bf768dcdeca119a66575f8326f4e729e1cd47f

SHA256
a1f91a711b8f1d1099f3869b27880c50b49e67731198c1d791bb068c12b42c2f

SHA512
2a5d9695e51a78552891c8f54ec59fc160576c36f4bcc0379c3bb456aada7b1a5ea888d793b20349d04e230c1829fe8cecb6f954c2ea197f4f31e5c82a66b746

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
76KB

MD5
88c84754f4a84ae36da8c9897deec30a

SHA1
0fcbfc3cd1515250e7d6fdbba0ca743217120508

SHA256
fc5563d68c494557ff903a1e16d053b8776eba0b7eff17304e59d323f4256461

SHA512
1df809f3436c40adae8d3ec3766c315a86f752f8eb334ba72f696e3f4c4b7a08fbfbfb550f0b79878b6f5b9b460bc61ac7067e133472c6a08993a0540754a010

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
76KB

MD5
81465cf5ce0f24d23e5f344461a1bbaf

SHA1
8d45fb61fbe9cb5d082be172c6543b21c7e2e6b7

SHA256
a4d01530abac709029c8539c551e49f72895689f33cb2c304d2ac307701f3af3

SHA512
9f552d96b110f5be6b6b72d20f623dfe445219872a5a384c0799801d27736bdd3fb5831e25f68a7e18578695facf428a452e8ddc60f80ab6f3b1eed5b1f7e632

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
76KB

MD5
c5ee071b79dd4c2d78f2e924e7d0b7a2

SHA1
8860993b58f00cb05abb8d47c1ca1818de384172

SHA256
aafb6ef1e310d48e18318513608179bdacfc0a232f4be9d48a0ea76d01f02dc2

SHA512
a83e8143a771df1b0749af74db0ba175d07196f557a4f3cccac4bfb6a25531b197fd97fccb222604f98b7e1c2b74a7abc7bca56b7a091082e00d0212da52cc2d

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
76KB

MD5
51503b3ec92007d9aabd1eecf62fe506

SHA1
0c69809bfafb0463c1dd40927b25d0fb1c9c6dd5

SHA256
e466aa5547118ce1fc51c97fb6b32ba7118a81eedf5c863a40d922760ad591a8

SHA512
a0b2a83bfdb686fa9939597849dad3227e681185c9367afa139f5dbb4b27b3c1b280074c45d7185f312d58247ab4774e5b385e492f097e7df65d4038cc51a2d7

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
76KB

MD5
a23694082cc9abd9d11cea96a90dfa93

SHA1
34de1b93a09b857145264383e3227007f8a23fd9

SHA256
c04280d7c29404b6ace7f7a3e9f28f3bd24a6c44b87652c5e49f9c67f32237a7

SHA512
557a7940309d445d6c0fd5c9363bf0816f5da42f89c5fc84413fb4cad3fc658900ef49f5e1327599fb34b75de7395bd93a344b6fb1cb3ce1d7cf156b7fbfbcba

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
76KB

MD5
f3e1c77d7bf12e21dadbc9714e102f0c

SHA1
4f133ba28ddbea68311956c98c157156c115b962

SHA256
ee065bc96625ba60e9e72df2c3f222750e53791c96a21640a8781607801bd1df

SHA512
cf118f645d0e0274c59e0b7087f99f120512d487ca82b0a2ea20111977169bf5de194fcbe490907e96f9b59dd8999a40e20492a2593556d80e5f697703fc25b2

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
76KB

MD5
c7f1178611f8282c6ca759a5bd33f76d

SHA1
723f4449bacb388c27ceb792ae16d4d440d010be

SHA256
c03ef7c5d84112f3a3c6213e2dc9a313151af049684bdb3b636cc109f8a647ef

SHA512
5ee9cc75199be7907053cb6f4833ab591041b40041242436798d10834d18d1a84b9953afd84de4084f9873b005347406e13f48a402e5b5851286f32b43dac1e7

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
76KB

MD5
1fce1ea103cfdf3fb6a0fadf01e2f0a8

SHA1
f03365772d5433890a12712e61aac85789b84254

SHA256
a85b23589087c850d2f976e1b354307e40848bb393cb886b12743ae1f54e7d6d

SHA512
eaf57f342f1026206f027b0c95edde2fc68f0c17998b4f75ad55db07a0dfce7a05b8a510ba0757b0995ddf835c7c5cd5f9d91cfb1f72e6701c129f0895109460

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
76KB

MD5
3c42f08e1dcaeb87b19f252aa82ce87f

SHA1
35a7d71d83ae2c3d54fb84fcffacba8f58f1e2db

SHA256
08bb8b9cef7e394e7a96a8b811af6e1d523ae44a0476f5fca16d6d80926f2bae

SHA512
d77db1eb9d4e0f71af3809f6fd9dcb667d9d63adc3bdf404528f8e8bab23ec234522db597001575f1c2dc1646b0fc6039a6e84b359baca810301ca697e5f9b88

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
76KB

MD5
7ae00e6336b3c1a95088b56c83318ebe

SHA1
60d61948a96ba9ed7367d95f811ce61d99c23685

SHA256
f8eae7937053dca39d0e59b760185cce6a21c1bef6b6db94b309ba8b327fb400

SHA512
96fd897945ac9cd4733ca5015346b1d37663e6e51146fbbbaf83426e3eafcfe5a2751845547030a6c90ec4a225788c762c970a20e0936dd315beb8d8fd3edcb4

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
76KB

MD5
522c871ae9e1aa5e69c73fff97868ae5

SHA1
e9ab8f26e64f8524c8fb497cfee21ba65d718de5

SHA256
11849f8343c5bacb26605b8fd66ab6a0c07e06022fb7dd90f2df226da4946f04

SHA512
c6f45527581bf2efd2cc7383ab4bf893d8f910bfc3687541ca97e9124dd11dffc28223630f951cffd43caa6d43f4dda48d8fd3908dc1293a4fa73fc83ebc3ec4

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
76KB

MD5
9ff51866e7c99b76d4b2bc9c75eaba77

SHA1
22b8bbdc037b4592f1611e0be3745ba3c26f7710

SHA256
f706411ba81e1a35bd39af4d3dc2952f4bb3dfb1331b6d49b0e67868563d22db

SHA512
f5634ec2dbd7733760a7b31405a138d48be4310053de683f8c04e853d7df08efefb5ee2f950e165a619fd016c3a4070ac136e5eac7963029f9affd6af5c41bb8

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
76KB

MD5
5963dd95743d28197e68f2da3ba4670b

SHA1
597120f21f9e69b4b8174ce1f1f46a4906e43dc4

SHA256
f5237d9fa272542f330d15cbef680236585125581869b0501774122c56663e3a

SHA512
027dc04db3c9934154b32d0d67c6033f4678e41aa27c726517083a223ffa592c05f24526f42ed9ed431c23fdcfe61dc161165bd82504faf5b08e93e10dc9054c

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
76KB

MD5
cfbba1fe56576b8c106ae94f931f4588

SHA1
8b2b0f9ae2f29ddf5529e0d2edad7d1ca456bda7

SHA256
edae70e16fb55b78f552cfafa34c7c157b450ab4d6e066db7ade1aa976a0a042

SHA512
1cbc83b56ad3f0309979d618f12da7450508b460cef7b65f1269b370cf47cb076a4a71615fd95499c263d46a1dfaf844c5179d6535692b88302684933124cb14

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
76KB

MD5
f7e01c63e016e83f1d62bc0d0834a4fb

SHA1
517013f011d80dbc14d260d3e6b523321c872d3d

SHA256
a7da5f117f40bc3b8931c7f88f673f32460e9fd873693edb1968140fc4c7bf19

SHA512
5b424f0496cf36fdefd43ecc810987f8a7c47640fc9db48352cf5f02cd91bacf56997475132ef8444a0b5ee32df3ba301428461d8a38cb5bdd8e8e4f6a2384f3

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
76KB

MD5
8bb6708d8cae7a9a60240a9a9b7e0a5b

SHA1
5e90e98e0495808f0186772b401e75d5cac25e50

SHA256
66c4f5770b0eb3d7eac4845dbaa8b2f24926213926ce87d105ba2719539082a2

SHA512
ef931da23712cc386b92b8ede74350d27d4ca4d8649dcb8a504e1d03d1b69c33421a219b35d71bfc2820b76b6af6c010eea320ae90c55794292d38d56f282fd9

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
76KB

MD5
5129b2487a1bf5437cbfdfd885dbeb87

SHA1
171a869d44efe7c49d92e394516f611770aa8b9b

SHA256
d81232d5578e3ac142a2fbaf6642155cd018e7858c0b6dd74b5e46adb091ee50

SHA512
8fb16153cdb5b7de9ceb85a85e914430e086641f77c123ba38bd9b51ea5fada4af7ca2d383782fa4ed342c0416969228cb4442e56a3bb458b12e4ad057cd8e91

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
76KB

MD5
30d4d61bf02ad87aae5505b7f9868dfb

SHA1
3fd134ab9a9c1b0f23b97c1050f37ebc1872bea4

SHA256
3ec06778e2c7daa656a54f2ae3b03bc14647082ae56d2af78fef461c24ec1b65

SHA512
9426713554ac1e8ecc578fa3ab3ff7e0e4728783df172f3c211dc89a3a3c1be7e1fbe886778e15a75f52f4bfe5166ee5fcc9d417835d346888f835249ebbef8f

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
76KB

MD5
304495331cb63c60558273bf8d247a48

SHA1
09de9528217ee83475a0de268a5547c6905a4b33

SHA256
44d37c999472364215ce431a8eea1a04832c92b5ce57774d06bf069f6da57dec

SHA512
446996979ada05e17f2a3b08f8737b9d00d0064af74208a101f047240632f62d1a8c43efd9b858987d8c3d1d26cff632eec962d24c852d67f36f28259b75be14

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
76KB

MD5
595bd29528986c57af2429a099d03ae7

SHA1
40a69b3163f1e34ff04678b8c185b45fe989c89c

SHA256
f5792e02c405571dfd68fd20c8e4e07fa6c40e4b8fb190e41c2b9ff50066b5b4

SHA512
cf4e22dd1d1e3ab7b0db1aab5351533093e8cdbd015b91d6057129c2882e28079f0b106bdf81e2905139cb7eb001e3ef8adac63668b27b5a1c9fb7ea0db0ea95

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
76KB

MD5
76b6539fc64d1467432d88bd4b6a4c6c

SHA1
f76fd4a0df3acfdd2a9321375574a149f132e854

SHA256
4f5ea1cd4afe50ca33f6f25dd6dc432586bb1f60b13086ca34bdb7c21e96a104

SHA512
174ee100fe429152a073a5f2e1b43906273699ceffecb5bab23d7529d02cbbc573cb4c372e870f9298ec010db7a2ab09b0214042e6d8fde13aaa62e531b91ca1

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
76KB

MD5
44129f39252d1833b66aa169a4eafe7b

SHA1
02439ace16e2aede86fdf3ba205435fd20aaaa04

SHA256
849b6a8c417ef5af2736d595b438256f677cd6371566b0fea3e28213290ca2d2

SHA512
de16434725885a424ddb7f15ed8e5a32d403bae656171634249f2fed410596e0a36fb4b321cd6dca3000ff4a6fa208d86958fe993f2112202e0ea9301ebdd9ac

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
76KB

MD5
f336d4680e2707a659d8ebb295751487

SHA1
ee00ccf442fc703795a48ff303c5bafb1c54a8aa

SHA256
650916871468a6a575f8810cbe2f99ca001a1d8439a8a413288ffa2f87248226

SHA512
cfccea4b4e0522cd45e28645004f67d5c74ce9c3b0b5b3e4598463147c52a9d75a9ce16bb6fce318a72939e2e99662c1126510199a47631c8a8a221d46f8495f

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
76KB

MD5
ba4b59dfe8f564a6778cb0546f49b129

SHA1
e0aa36b7ab9b12262d09c6489791db76061b154d

SHA256
b617174205217505d68cfea9563787feefea721224438ac4a3ea27b193fd9b95

SHA512
7a22409a66bb39a45b6a164c6bffebe6a2cc535cf9d8d23df82967ff5dc645015a4e23872057ec282c835676db9b121d1c5f9fbd7f52b60d648dc709382eeefc

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
76KB

MD5
985e3e170b30600b8db32b98e00ca43e

SHA1
9fe727c2d1161f9abc72a6149a33f09efb860c51

SHA256
1764bb66c8cbbb28c1fa32b7b05a0c92d536e67514be30bd1c9596f61081a5a8

SHA512
a96c9a4e516fc6e1ead990bf3080fb1ceec026d232d54b6e00f57ece5991bbb92606ab56b04d2e4fc63f364c35ec5e782a49396834e7f97d546dbd07f1dd3be7

Download Submit
memory/32-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/216-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/224-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/372-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/400-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/464-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/548-565-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/548-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/724-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/740-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/752-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/816-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1096-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1100-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1108-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1116-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1188-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1276-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1508-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1532-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-586-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1752-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1780-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-593-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1984-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2000-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2000-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2004-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2036-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2064-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2120-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2260-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2420-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2448-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2456-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2460-551-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2560-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2740-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2784-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2816-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2828-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2844-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2844-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2844-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2880-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3088-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3156-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3292-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3328-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3420-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3432-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3500-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3516-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3520-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3552-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3580-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3596-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3628-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3652-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3744-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3792-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3808-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3844-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3856-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3856-572-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3884-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3896-531-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4100-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4212-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4328-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4384-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4476-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4528-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4576-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4644-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4644-556-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4808-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4808-579-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4848-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5024-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads