berbew | d6ec2c4877527f3649042394d84312abf78fe347512de10bb2bcb8f28f17beec

Analysis

max time kernel
94s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2024, 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6ec2c4877527f3649042394d84312abf78fe347512de10bb2bcb8f28f17beec.exe
Size

93KB
MD5

54f45fc654ca36d95716ba6723c9735c
SHA1

eb0389568748e205d1210df616fd0f103de46c02
SHA256

d6ec2c4877527f3649042394d84312abf78fe347512de10bb2bcb8f28f17beec
SHA512

1df01651f95a42af56086ee16aae2a9a3fadab8096f54d8497a8d5b4704fa24e7e8bfc7b31f887a6c807b5415282741ac9d32fac15d158bc6a6714eb00d9cd17
SSDEEP

1536:edn044ZwIbNbEKR0OR8DftnqWla2UeK2iwsRQkRkRLJzeLD9N0iQGRNQR8RyV+3e:2t4ZwIZbPKq8Dfc0a+6ekSJdEN0s4WEP

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2572	Leihbeib.exe
3288	Liddbc32.exe
4580	Lpnlpnih.exe
2752	Lfhdlh32.exe
4712	Lmbmibhb.exe
4196	Ldleel32.exe
2656	Lfkaag32.exe
3228	Llgjjnlj.exe
4844	Lbabgh32.exe
1632	Likjcbkc.exe
2280	Lljfpnjg.exe
548	Ldanqkki.exe
3592	Lebkhc32.exe
4840	Lingibiq.exe
2888	Mdckfk32.exe
4316	Medgncoe.exe
3880	Mmlpoqpg.exe
1756	Mdehlk32.exe
1020	Mgddhf32.exe
2900	Mplhql32.exe
1940	Mgfqmfde.exe
1092	Miemjaci.exe
3208	Mdjagjco.exe
2976	Migjoaaf.exe
2296	Mpablkhc.exe
3428	Mnebeogl.exe
4112	Ngmgne32.exe
1772	Npfkgjdn.exe
3696	Njnpppkn.exe
4864	Ngbpidjh.exe
696	Nnlhfn32.exe
4744	Ncianepl.exe
4448	Nnneknob.exe
544	Nckndeni.exe
1892	Nnqbanmo.exe
4828	Ocnjidkf.exe
1168	Oncofm32.exe
184	Ocpgod32.exe
1220	Ojjolnaq.exe
3132	Oneklm32.exe
3256	Odocigqg.exe
2520	Ojllan32.exe
3220	Onhhamgg.exe
4856	Odapnf32.exe
4260	Onjegled.exe
4516	Oqhacgdh.exe
5040	Ojaelm32.exe
640	Pqknig32.exe
1596	Pjcbbmif.exe
4524	Pqmjog32.exe
3716	Pggbkagp.exe
3964	Pnakhkol.exe
3316	Pdkcde32.exe
1300	Pflplnlg.exe
5020	Pncgmkmj.exe
4804	Pdmpje32.exe
4028	Pgllfp32.exe
2036	Pnfdcjkg.exe
5036	Pqdqof32.exe
4432	Pgnilpah.exe
3424	Pjmehkqk.exe
3556	Qmkadgpo.exe
1528	Qceiaa32.exe
1816	Qfcfml32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Gjeieojj.dll	Ldanqkki.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Mgfqmfde.exe	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Oncofm32.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Jlgbon32.dll	Leihbeib.exe
File created	C:\Windows\SysWOW64\Mnebeogl.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Leihbeib.exe	d6ec2c4877527f3649042394d84312abf78fe347512de10bb2bcb8f28f17beec.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Llgjjnlj.exe	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Likjcbkc.exe	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Lljfpnjg.exe	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Lplhdc32.dll	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Oneklm32.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ogibpb32.dll	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Lfhdlh32.exe	Lpnlpnih.exe
File opened for modification	C:\Windows\SysWOW64\Mdjagjco.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Coffpf32.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5868	5596	WerFault.exe	221

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6ec2c4877527f3649042394d84312abf78fe347512de10bb2bcb8f28f17beec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihbeib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Medgncoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codqon32.dll"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d6ec2c4877527f3649042394d84312abf78fe347512de10bb2bcb8f28f17beec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfcej32.dll"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldleel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allebf32.dll"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjiol32.dll"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojlbcgp.dll"	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmnpgb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 2572	436	d6ec2c4877527f3649042394d84312abf78fe347512de10bb2bcb8f28f17beec.exe	82
PID 436 wrote to memory of 2572	436	d6ec2c4877527f3649042394d84312abf78fe347512de10bb2bcb8f28f17beec.exe	82
PID 436 wrote to memory of 2572	436	d6ec2c4877527f3649042394d84312abf78fe347512de10bb2bcb8f28f17beec.exe	82
PID 2572 wrote to memory of 3288	2572	Leihbeib.exe	83
PID 2572 wrote to memory of 3288	2572	Leihbeib.exe	83
PID 2572 wrote to memory of 3288	2572	Leihbeib.exe	83
PID 3288 wrote to memory of 4580	3288	Liddbc32.exe	84
PID 3288 wrote to memory of 4580	3288	Liddbc32.exe	84
PID 3288 wrote to memory of 4580	3288	Liddbc32.exe	84
PID 4580 wrote to memory of 2752	4580	Lpnlpnih.exe	85
PID 4580 wrote to memory of 2752	4580	Lpnlpnih.exe	85
PID 4580 wrote to memory of 2752	4580	Lpnlpnih.exe	85
PID 2752 wrote to memory of 4712	2752	Lfhdlh32.exe	86
PID 2752 wrote to memory of 4712	2752	Lfhdlh32.exe	86
PID 2752 wrote to memory of 4712	2752	Lfhdlh32.exe	86
PID 4712 wrote to memory of 4196	4712	Lmbmibhb.exe	87
PID 4712 wrote to memory of 4196	4712	Lmbmibhb.exe	87
PID 4712 wrote to memory of 4196	4712	Lmbmibhb.exe	87
PID 4196 wrote to memory of 2656	4196	Ldleel32.exe	88
PID 4196 wrote to memory of 2656	4196	Ldleel32.exe	88
PID 4196 wrote to memory of 2656	4196	Ldleel32.exe	88
PID 2656 wrote to memory of 3228	2656	Lfkaag32.exe	89
PID 2656 wrote to memory of 3228	2656	Lfkaag32.exe	89
PID 2656 wrote to memory of 3228	2656	Lfkaag32.exe	89
PID 3228 wrote to memory of 4844	3228	Llgjjnlj.exe	90
PID 3228 wrote to memory of 4844	3228	Llgjjnlj.exe	90
PID 3228 wrote to memory of 4844	3228	Llgjjnlj.exe	90
PID 4844 wrote to memory of 1632	4844	Lbabgh32.exe	91
PID 4844 wrote to memory of 1632	4844	Lbabgh32.exe	91
PID 4844 wrote to memory of 1632	4844	Lbabgh32.exe	91
PID 1632 wrote to memory of 2280	1632	Likjcbkc.exe	92
PID 1632 wrote to memory of 2280	1632	Likjcbkc.exe	92
PID 1632 wrote to memory of 2280	1632	Likjcbkc.exe	92
PID 2280 wrote to memory of 548	2280	Lljfpnjg.exe	93
PID 2280 wrote to memory of 548	2280	Lljfpnjg.exe	93
PID 2280 wrote to memory of 548	2280	Lljfpnjg.exe	93
PID 548 wrote to memory of 3592	548	Ldanqkki.exe	94
PID 548 wrote to memory of 3592	548	Ldanqkki.exe	94
PID 548 wrote to memory of 3592	548	Ldanqkki.exe	94
PID 3592 wrote to memory of 4840	3592	Lebkhc32.exe	95
PID 3592 wrote to memory of 4840	3592	Lebkhc32.exe	95
PID 3592 wrote to memory of 4840	3592	Lebkhc32.exe	95
PID 4840 wrote to memory of 2888	4840	Lingibiq.exe	96
PID 4840 wrote to memory of 2888	4840	Lingibiq.exe	96
PID 4840 wrote to memory of 2888	4840	Lingibiq.exe	96
PID 2888 wrote to memory of 4316	2888	Mdckfk32.exe	97
PID 2888 wrote to memory of 4316	2888	Mdckfk32.exe	97
PID 2888 wrote to memory of 4316	2888	Mdckfk32.exe	97
PID 4316 wrote to memory of 3880	4316	Medgncoe.exe	98
PID 4316 wrote to memory of 3880	4316	Medgncoe.exe	98
PID 4316 wrote to memory of 3880	4316	Medgncoe.exe	98
PID 3880 wrote to memory of 1756	3880	Mmlpoqpg.exe	99
PID 3880 wrote to memory of 1756	3880	Mmlpoqpg.exe	99
PID 3880 wrote to memory of 1756	3880	Mmlpoqpg.exe	99
PID 1756 wrote to memory of 1020	1756	Mdehlk32.exe	100
PID 1756 wrote to memory of 1020	1756	Mdehlk32.exe	100
PID 1756 wrote to memory of 1020	1756	Mdehlk32.exe	100
PID 1020 wrote to memory of 2900	1020	Mgddhf32.exe	101
PID 1020 wrote to memory of 2900	1020	Mgddhf32.exe	101
PID 1020 wrote to memory of 2900	1020	Mgddhf32.exe	101
PID 2900 wrote to memory of 1940	2900	Mplhql32.exe	102
PID 2900 wrote to memory of 1940	2900	Mplhql32.exe	102
PID 2900 wrote to memory of 1940	2900	Mplhql32.exe	102
PID 1940 wrote to memory of 1092	1940	Mgfqmfde.exe	103

C:\Users\Admin\AppData\Local\Temp\d6ec2c4877527f3649042394d84312abf78fe347512de10bb2bcb8f28f17beec.exe
"C:\Users\Admin\AppData\Local\Temp\d6ec2c4877527f3649042394d84312abf78fe347512de10bb2bcb8f28f17beec.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\SysWOW64\Leihbeib.exe
  C:\Windows\system32\Leihbeib.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\Liddbc32.exe
    C:\Windows\system32\Liddbc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\SysWOW64\Lpnlpnih.exe
      C:\Windows\system32\Lpnlpnih.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        27⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:184
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1220
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3220
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4260
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        48⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        49⤵
        Executes dropped EXE
        
        PID:640
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        52⤵
        Executes dropped EXE
        
        PID:3716
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3964
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        67⤵
        
        PID:812
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        70⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        77⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        78⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2984
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1580
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        82⤵
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3156
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3576
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2148
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        93⤵
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        94⤵
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        100⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5600
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        107⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5736
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5872
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        113⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        118⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        121⤵
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        125⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        126⤵
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        130⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        131⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        132⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        135⤵
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        136⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        137⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5596 -s 416
        138⤵
        Program crash
        
        PID:5868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5596 -ip 5596
1⤵
PID:5812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Allebf32.dll

Filesize
7KB

MD5
97f4b708b16441f6437d95aa2c679f5d

SHA1
c01b2bce7b183244571727787910092ce7be291b

SHA256
fd8150d29f7f704c30361c577131d2872b352de0eec26b3c19c0d763888c9edb

SHA512
23ce309f9d543f9ba72986c4fcd2655926a0c93d7406c99a3059828e91e8106549f7ded598b1c5a0501adee775c57cc8cb638930f2f79228981902e55a31bb78

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
93KB

MD5
ac5932775e1eb9bd36d0c355753469e6

SHA1
f9e8c9cd5f34dea3cd1112e3cc3cfb486fe57858

SHA256
99d2ac1ee999fa5591db628b7aeb4e877d906b69ddaca20fae44a650cc721083

SHA512
7561d204cc37f6c58db5bc2a671b74754a861773475ee9e2542f3c4f965a8ae06d3980e4ea2d35afc05073abe5779dd02e86d44dfa67845f8d6961a9889cd580

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
93KB

MD5
63a639db3a60cfd00e13a5e3e1f6f1af

SHA1
bbbf37463ef5e8449a6791dc31154cfd7edcb182

SHA256
fe5c3092171af193822f4e5035f31dd7074f1b71a83b222dfd85e3800d25d08d

SHA512
3f5fee835ac8ff3345ad9cd26d9073d99baece46157358f673bde91d5594a23bb16d33e0e8e0f1e3b2fa9c190fc703b05e8d8c869428db24c0ef295c1fc3dd7f

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
93KB

MD5
34e2ad415fe7e57b24e0c34baee02944

SHA1
c595678c557c9fcf2c09a327dfe101ff30debc24

SHA256
e5a15d6c758588df22a5eb3ab7436ec52f19a6ba44fd29903dae707ff67e3812

SHA512
4f719d912ee219eebe4960f3d7872510baa5dfabaed3997538e8b065ebaf704c6181867bf4becb368ac5784efd73dd0695a4a153a9034840a116c2bee10cf13e

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
93KB

MD5
dbbc6aa24074037f92f0c0598abadd93

SHA1
39280e47c95206ab37bc2f2a90eda7f10a3d9f01

SHA256
ca1317a23f6fecb6f661aa7b700d0128b8bc9f5cc43717af3e3e0ae9cbefb893

SHA512
fbbcbe92efcdc078b89bb0dd1e9be921ac4b0c82d980c3a32fedded92d7e64b51ffa10eb6f479d844125279ff4ee9c0ac9f4479f90d9dad21ef48074c9c5004c

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
93KB

MD5
50352ac2b7b13f814aece8e7b7b0c681

SHA1
a54c000680d2fafdc81d42db9f1b79f43fe789f9

SHA256
f90e30661fbd5c3b39833cf9447c3143e0d0a5c49ad6411bda5f06c0edfb4aa2

SHA512
9740884d72dd181b868ead48262ef29839684894e9c951c5957d03ef853593a7237d68086c8b10fa0805e521685e4dadeed34be06382782b3145d3547c594178

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
93KB

MD5
1a2a39e787e0018539b938daa3bf25aa

SHA1
f0e2e1b0e2c2010a04f173139a728f614c7d1a1f

SHA256
7b8974bdc6bdde591e39baf2e0c587f9134249661ff212a0d23de14783a9a448

SHA512
fee65e4587039c7eb7e46152a05f48d55fe0f967e221e71d1b749e533952e561a90dec6d690df8155a90ab375e1a448a0c943beac1c2509eb4dd3b5331f2f092

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
93KB

MD5
244cad125439e327a1ac61dcf6a7ea65

SHA1
3ed9ca1371f456e9d485e4e2b66ba01b52ec9960

SHA256
b1902714e1c3d6a7a93500421cf15a99a1d4cf92ab993778ca6f5b82fedd053c

SHA512
0437fb6c0e6b08262fb9a54dc8d19944300ed1a98ea07081136d294f4d93e47c3f9b7c447662b443dc2c6b867650998c00931dab965b3dfdd88aa9e8967b17ea

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
93KB

MD5
683b0942912d00d78cdcee7233c8ebc5

SHA1
ac183da2fe3e07adec5332220a0327dcea6249bc

SHA256
f54b85d561015db21058f04c1433c430ed3eec2e5e3bad6098d773cf1dcb00e7

SHA512
4765c5824c5f8c68fe94a1980e1cd6c2528f727f0165e0d09835d413b45e450c87dfceef5574bcc8e58286be5383b5a5256d698475e44fe63db433635eec291b

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
93KB

MD5
09a491ad63887552012b9dd3cc668a4e

SHA1
9dc45a5a439f6f94ef4733eecc39c7d2151baeb9

SHA256
8af104dc5330692c544633b8173904d5c21c39a5c74c1823ec49f19d51b441b3

SHA512
eed1d1d4d19b0df97e49b23af3a0a04e86bdea60acdd69cc70be3db61e8c377197b19081ce682af90f37e02dc1352f376c9ade41ac215f059193bb99f12b78cc

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
93KB

MD5
3bba7e987b57d164a2c1997500ae8444

SHA1
26dac795fc5328c99f62ff9d3226a9ff454490ee

SHA256
0a7de8ea4e6bedd739ab051c5b64f699314cc8a75ce9ebb21e78afbdf2d449a0

SHA512
39c014c8b2e5940decb8144a0e2868da76bacac4464a594d33f98391208edd05d2870a8ad14ccc06f237405b02896b50cbe65b3e11c319448381a9831d79a23c

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
93KB

MD5
fb6569f84cc4f0efe832b50806d22005

SHA1
ead6225254c930212d9f1d273eebe5082b9d0966

SHA256
89116447d2fa7b294f9d0afa952a11649047fb0576e9c35c1d4a682ed6ec611e

SHA512
b226c75e24a0e061c42eb2f63e491fc09ab5eda2968470e4cb652759b86ba673cf52574d657a97b815efed49f4c1a2223a4aba0b0735ed6407ffc366c0196fdc

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
93KB

MD5
b2eb4a6555e76d6879bf24134ad2581f

SHA1
dfd35d90c2941306c674b73eda1060c72b323de1

SHA256
b59cb643115db5ca2fab9e3e22e33785afde19ae724bc7b7a7c35f0d71bcf268

SHA512
2bc95448d74e8ef6e46fbbca04b407f22a70917bff82ad9afebcf62103953baf15c05ca9537dff57254df1cca912ca7d7d41adbae2da954763a048ae258164a1

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
93KB

MD5
de45572666c00ad22c54eddc50c2ceec

SHA1
eb683bac8162cd79b46f11187cf3defaf059d745

SHA256
241c3b9fd36a740e3eeabd313c8457e6cc047cb2d03b40fb335632e9c5ec864d

SHA512
c5c0f84129593b5d20a141a2a5268b072aca012d56777157fdf1b44afa2c65c040e3deb5897224d6c78d9df8af430fb65dc8d79d16cce370f5c23b207a131c15

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
93KB

MD5
1ab0c7aae3b1c14ae1bd612f77f222c9

SHA1
e4512f26c677a47e28fcb325574dae2e90b07c29

SHA256
47b5358787cd67f7dfd250180f7084c550b3bfa5ed4b7b7a3af26fae1b40abdc

SHA512
08b3ae5e93bad3766ed552b37f579d5d07ec2be719f419da6b7fbd277c7ecae5fb140dd5b2c7636a1b5358dbd04f1aa2bda43f9925ab52c2a2906fab0e3c3378

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
93KB

MD5
0a78e133bbdbfce055f3b34df6d5a0a9

SHA1
a75b7325f5aa8f10c13b8c9941f7dc3854c59c03

SHA256
9c35bed9b71d00f502a7527f16a330ad06166736840045f96982bf19c083cf58

SHA512
69811d78c01b5e227b260e1294f68fb31fdab5d39cdcd5c6ab1a2af76af490afb6b14b2f2a8fdc39fca9e5d0c2d4546f7e950830912cd5e1d26c994b273375e8

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
93KB

MD5
d4e064d32b232c0efd5dc6cab4f76aaa

SHA1
50ae9e93a5488cba81b38e95cb99bebb80065c45

SHA256
3ed7ee87b8041a86f0fb86095defe5097f75814e3d4c01fb61c052f77e840daa

SHA512
062de28a462f3f4d2d0a17010f195ddcd6371d06aace20c4d45c5d6d5a3d3b36d7a5c9f4414f4ea6712c68e05a137a74394ca767140af036d8993a4a1c8206a6

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
93KB

MD5
cc619e0a947f7b4105f30594afa95cab

SHA1
4cc05c8ff9cdc6502fe3759f939a4290a04b9410

SHA256
a5a9eb3ad66962df9dfacf54feb20df5e605f82e889f44e07f633b974c358d25

SHA512
dd77ef35e13e69aac154419670047a98fe6859d05486463a81d82681cb2d6d9d3cd0a50afe7b33def25e19bba04a8cbdf99197703e5aa6a222836d49a1868364

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
93KB

MD5
9749b55da2b2233289f1f00143332d8a

SHA1
8210febf4986bfdaa1502fbfc75194a9f25f9661

SHA256
8df35e612896bdc62ad24a7709a75eb1b155be90a7d7206f1a3ef24a3f0e1f65

SHA512
8ee59cb8814964d792571de9d10234e3b653c6a1045b320800eb305a69175156e9f2dcdaa4d248040eb6a599c4036baee7b6da846615922f3dfe61f1a9cdd3e0

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
93KB

MD5
9fa6d1c210e6ad0a084389831616adb2

SHA1
79b75f25e1eac3511a2115e7646c3a3c8e4cb94c

SHA256
e1e1acf4ff866ad015e104dc4b2cc43a64875c9c545f879783540ace10c67406

SHA512
bdf5d77389c4ccdcc3c27efe8c7bb9ba8da445e86c15adee3dcef6fd1e17f491656693c8b9d135bcb587477e9e861abe1133f0756fa0f26df29e816a5fb626d6

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
93KB

MD5
38f397fc25df10772aefd2e250c70feb

SHA1
8b15280f12d0d8276e33769ff7c114b9b112aaf1

SHA256
d617d41678eb8d6b7b07cebeeb30d89e827800cfb724cb3374bac02c0a897637

SHA512
c20b728727ad9d2a6b3e8ff2847233709b170fac16b4a2d603780054e6aebe28070937ff3c52992192c6a1278a9b1143f9d58649e9b5378b26ed2ed9813ba91b

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
93KB

MD5
a2260ed7b909531d1a3ac71d388b66d5

SHA1
850c03b9303beb8b976729de04768f5b9f31416b

SHA256
36077aa7cccd93755536582290f925d5c2e24ff055436d540b1731e2576a7905

SHA512
236a3ef95d1df13fb260afc1fcfef9cb0a1fc3a567f14a8fc51add3a4529b88ec6ed1c5e66de5bd225aa033da8d5b80a59930a663a3192ea9f486edf89fe170d

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
93KB

MD5
53ee2b42a1fb27f28a26086676e00815

SHA1
71041c270f12a677bd4177a747d5222f129d09d4

SHA256
7e97f5ae56d8df67a945091a6e4244d44c3d47a8088795db81e84f57f4ed7c66

SHA512
efe0d86f467d316aacaedec68c840950bd04fb6847ab053dffdbbbaa49924149c3c15d2dd84dc95b48c173c82ee1848ed7a33d020651e206f3fb092fa58eca27

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
93KB

MD5
482604de9964f5117206d4acd73b98ee

SHA1
a353f883ae19a5cbfeb80cf47e07e7bd5f29ac37

SHA256
ec8f7bc7e1cab73c86d6b71aac88344d93596170c2c2555905ca8feb6a24d0f0

SHA512
27e81b35578ecb2671de2b596c0b7f3b62beb066301c7d0ebf9871e9ed78b45e5b18706c9754a89c5743571428ddbc1b797677e7430f6d0a6850ae3413aacc0f

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
93KB

MD5
1c0b8edf2fdfb92f9526f7fdf763b327

SHA1
f7ed5fbb63b216db262c6dcb44fb473ba32cdbb3

SHA256
4e65635aeedb1ee7728c2c1896952d7f82cc1b97185cb5974e8418f5ad973b76

SHA512
ea31a1f39e4ad254de11740e858eaf2944ecbe03da759784185dbb9a08f968fe491bd4a83491b5dd22ab29b084a30f5c059335ad408e02e9382bfef199872e08

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
93KB

MD5
5d33e7aea6526b7d1113c3e51a2e7455

SHA1
783e0ad701481df87e2d9b5e4968df18a8ef6514

SHA256
26553b96e94308c36ca94a8ea162a0cacbd168faf1b451fa4dc1583ef17d0265

SHA512
9476dc5c46e1940afad1f91268a41904c695ddd3c02ec93d2cf4f2b00602647a1048f5a1c5b77231fabd0c39aafe11c6eea12ba5b34136b6b8293e2d3e663620

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
93KB

MD5
10d489b05525afd7857c5f52e2358510

SHA1
84cd4fa05a3d2bf626f59ed9ad01fa88f7e79e45

SHA256
3887d57905c397e0b21ce0c4af28f2c625cb31165d40df7e55be7274681d1ff6

SHA512
c1e8a02829f245595162652205a95c2fd3ed84e580d8f8d0cf3f40b19f6b487dc2fa2575771eec18e152416a37a90749bc9d005080bc791981bf87f9fe58f43c

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
93KB

MD5
365d7891d221559c5aa5ffcfbe0eed21

SHA1
d0c731d327bc78d69c31f9bba77860bb584094ea

SHA256
46aeec5951c3a8e9c55e66fb2f4d288f6debba5ecded60468bc25bc61afeb855

SHA512
c6e65797d27716feaac3aa4794b6da37af8f76ab33d55aaf2ef1e6b79c9596afcb5db64d43d46429a25c58e4a7767a0722934e9775da42562fe13c2fe1f57e84

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
93KB

MD5
cf2a9c57d428d144a1be1966a3147731

SHA1
efd33f986ab65718e07cb32337a8bff7d4b1425f

SHA256
18076c038cf54e25af36197ab65ea42909cbff7b0ff5ab9e42f8ff91f95fc6e5

SHA512
b99b391ccb4b6af0a56420176c5a9944622a3f2d65066297e6c4d271134c90f286e14a16ca1092769d799af5a6ecb6ca9f2009da063b92db63ae40c747d69f75

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
93KB

MD5
3b901c7e9bd77afffaf1fb4dbb51b8a9

SHA1
2053d3f5421ccbdec87ec46e09368b6c64078590

SHA256
091b48c73bd3a002b5cd69fecbef4aac242faf4177637f60f5a213968861333a

SHA512
0aa766658bad6e9377706968ba55ddeee7f257e84373c20edc90a03547e9cda3ef8ba9e97681ca54074cbfd681f300c551914f4494c3af24c01eb5429b8f125a

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
93KB

MD5
0f5f36d3beb8e14a4d990c70ac90ea3e

SHA1
7772890deb457022d4c21cdf4801daa95bd5e18a

SHA256
24f26a8de441fff58c0b2b90605739947372b138ae54230f2efe095149d78bec

SHA512
18e1e2b8f0438c2ba921ff462b3f65d9c16a6b6b830414ef40d17dcbe51e0712f728990c15c29a5f2181e57d1e6e33be18184b4490896f9ae54004d2a55c26bf

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
93KB

MD5
ec30cd66a8e15be32988be3530c07a97

SHA1
2468ffdce336037bcfe5701806eb7f7e510a4b7d

SHA256
9dc16332d1cb01b60a07b4f6b751dea8ba49cac47f735736edabadb2cf45f02f

SHA512
4787cb6492ae102da6ef744a20bc8cdf783aedbb6ceb4005c267b6fedbe7b66267728f615776dd6847cf708e580c7692507671c26bbb78c9de73549c9cf05e59

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
93KB

MD5
a9e2b47ceec9037c8f7436ad328f23bd

SHA1
7df3fa646a3bf2fe0530ca3ac9c60ef375189440

SHA256
79019e1b72979f1fb2939a14ae9bc45654ee88ac3af28ae0c4325bd4c7d64a54

SHA512
88b288a075f50156ab6b646e73ba84b0676dd48abf0f2f3d1202056703457f4adbdb388192878175ca45104370fda3965afcfab77abfcb121837077832117845

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
93KB

MD5
01ec6415b10567cabd514ae2a7eda3c8

SHA1
90c0ba98ce7c09289442ecf579e7fd4c7321fffd

SHA256
f43741f9292fa8a0c242f53a63e1eae60c680d8f52480593a63ca062c12883fa

SHA512
e308c0a883412ca820dc56745142748a84371bcf4f8b47381aa5003af7389fb40beb70c84be5edaebb03278b717c61d897ca421bd5346fd906cb29b7a05b3417

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
93KB

MD5
84dad4d0e08a6c7e134e30e954b57320

SHA1
1da96c597b6e1b841c426469b6626c02744b3bd3

SHA256
6739004e056902daa312d01770d5f2d6e3a3c20237c78ff2a987e4079864e9bb

SHA512
4e3fdbd79bde29a73f3ffd6cb8a7d60f5a75a8b2859b244d1993eb163e888ff2b8d8bc6951c86c4876a4e0b155ec3b1bbd13dbe5abace5f5c12416c420b8f194

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
93KB

MD5
ddba1768eab0ad8aae7d0dd16c46e757

SHA1
5ef95a84515db5684f28c231d9e914f728322b16

SHA256
4e325942d20c6db7f0f0e8a693af3dba9ec92ffc8d5f05dd10ddce04d5b37afb

SHA512
697a054679fd8175dd1f5210e1ba5018dbb7575951e71cefa3c314f080686b0cf3a369a39ca7250cd2220e8f7f451b472017d4b1c333bc6865ef04fb2eb8a80e

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
93KB

MD5
ad9d036bf22d4272dbfb5d44b19c6fe1

SHA1
71b6a27a6dd520a57629e33d3a96545dd555c980

SHA256
5e8bf1223bdc6d0eed0f41c7dfc02c7d84b1e8ee37bb030028925989004823b1

SHA512
0f9b013f3eb7bc69a715a67584bf1084b6fe9256d5d0b0ac905ed6cb9b1575a61e09b8c3a6eb5fac773d0461a767fbb07300d9eaad18fb079950c3a9435cbe62

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
93KB

MD5
9f67e7b8cace22a885312afa083f4db3

SHA1
a44854f088ae87ee81ffcaa15c5e7254488dcf51

SHA256
0ab96823184200a90fcffbc6e0607793b3fec985f3a40ef3a439065bc821cd86

SHA512
c9c29a7b80197b3e3c9b14c2bbc9ee199296999ae37c796227cb5cc2a3e5defaa1a0e33b9b7f4e4963933ad6fc455f60d231485a27d51b7eeb5f93ac7a0e5751

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
93KB

MD5
9449796ed54eea0ebf1efda125789543

SHA1
c5b62e869fcb906b7c0482251984aeda6071d869

SHA256
a7c2b794620f82ba28bb17cf2a87c2bd9a975701e9989b821932a048123300e3

SHA512
18e696d177972f5f44c6c1a56b75dcb8bdc78a914cc990e00c263ca4ab86c374c8069dd716b5b5ecdc36317f453de919002b7e08f4b1fbcf7747aab76fd6f1c9

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
93KB

MD5
36853438c6c4bd6cfa34f2a7339b102d

SHA1
1b72ffe080a711f30c00d942a354f0d1b6db9cdb

SHA256
d7829a63b5f21751e8b615f6d71443c9cbc47da1a526f5d9f3f360dcb9435974

SHA512
9e67ee0a4c688fbf9952147715ec28945342dcca6aedaba54e93fd05a63d3091d462751a5a341ba482e6c862d18cbbf6c5e03247912dadd195929e6d2814e6c5

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
93KB

MD5
438ba4864d783d09b3e15df943eef1ea

SHA1
ff35f0eb42491667698abaa50a2a0d4d8f02bd40

SHA256
e313315a5362281e19502d19cccaf026c2daf54e1e18c7897c52587657787632

SHA512
3660962bdeb8cd97ac94694f5d66d94d183f5678a661edcc9215e040349405b049e0148b1bda1bc50988cc8570df7431a3234fcf91e11a499768371fb5ecd55d

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
93KB

MD5
17369632d4ef7b78dcc6caca1b8b09d1

SHA1
69f553ffa218ec08dd9555fd4e571a2251c04a50

SHA256
77399924a1f416b2e206196c9701e5d2b24d4858cdfdb2347c93d36ac839ed44

SHA512
1760439a2ecff756a57f0141eea83b5d0b3eaf80e760db4c236d0ddaab24ef0d1f32b4f97e7d14485a6e7223bb69db8f1cc03a33cdc76a4eda0a858e6954b4c3

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
93KB

MD5
cc320df9eae905278529c9d8bc0d5ba8

SHA1
6b3e375ac1e7af571875dea9e28c69da8651e50e

SHA256
adde9fb8ab7b5d4612bc5bd06e7dc69cd884813788662404d26d2530075cfdaa

SHA512
f31c06fe31581481a24851905839bd6b2a1c3137236c7a9dddcbcbbb1d358db1a9bb19175edeec3700aebe8636f45930e40d107a2183ec60f7c32ecc58a7d013

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
93KB

MD5
2bbae05185225138c08c4ef2df4e549f

SHA1
19306a61a7482e048534d09271aed1aecd3001ee

SHA256
1d55c24cc5d9bf169314cac671d1a0e8af73b760882c80e4305514cf6fdcedc6

SHA512
de82f0c201bdc2cb57ad6c3c853bc07f22484eb4dab7a0e37c9d7f7be0e127d7df59f97f8053ba8e8d171a728fda90451060fe504bfc4dcaf337407fc0895d2f

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
93KB

MD5
4beca9af780143cdea58d94e280405ab

SHA1
d86ad7dab5309cfdd1d205dd74fa58af9c0b5e97

SHA256
fe0f3b14188f6349a503ee932f916ce5b982fa8311b1db11e878a8ea84c53721

SHA512
6d906b429a7365faeac2d76fb03d6aa3bee0e5ee8e92ba7771d463695078e5efc1b718a52d4e8992e38edaec32164b4ea7d5fa1ac41a7c7f83b68e506b1ce54e

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
93KB

MD5
bb8f8e35d5bad9bee73dab29cb680041

SHA1
14e1c83fa567cf74f00305fa4301a9f0bbc9827e

SHA256
ada53251b17a9c3667dc217b188341f54390b5603a1680538c1c6879123366fd

SHA512
4b891bff087ff48a0a3971f9048cb543086ea5feeefaa48207a42ec286cb1769c5254f8e4664ef052c7096995f6fd073dc90e8878dd3186688aba7bac487a1df

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
93KB

MD5
f890afa9092ea7c1e43bf954575df78a

SHA1
85cafd1462bb4a531548e999263a5567f8c7d4f8

SHA256
13c489feb3c4749e0293f4a19b937fbf7795843c3e0d1e3bfd18e1c3f5510548

SHA512
2f825fa82a25561255b4e94a936804cfa979ccb91b311793a22580efaf8fc13a9916bc00cabf0a326683707fdc4271c3483a979f727d3d2d4e2b70ec09132e90

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
93KB

MD5
1c0f2a266eb840f5740e6e41a2683cb1

SHA1
eaceced1a5f8654175fe9c7675e6cc5b34db92a7

SHA256
8f000a37b3c59a0f7f7b12060e4d066db370cd633454442473d88d6ea5eebf37

SHA512
7a5c0749a03e586321971a00f0b07da4d5f65ba85f9353d0c408d39bbeeaf9f25c5aecbd627f151c45081ea5439b6b5b1549bdd22e0aa9c0e4d5020bfc9bb13c

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
93KB

MD5
02485d06d7b3e1ac605bbd4f184af53a

SHA1
d4dafee870f0243e2c6cfba905930647d31455ee

SHA256
7ff8c579e4679ce29ae8feed6f98456fdeedc7497b21fafdf69b796834996b1c

SHA512
da2c1e882983cc1eb89426f0b840f61d0a38efa43a98d82ac5e5006039defdcac98d16f7e2480cc4ed1271d7e65aa8d334d018e931071ca2c522d2a5f7c1d115

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
93KB

MD5
c8b1f430ea7a7e95042d9452ae8697c7

SHA1
27a0a6f5d3594283d6c4dc5eb849c9dc26e2ef06

SHA256
1bda51d3dc12627e754d5bbaa57a692290af593d751f6851cf7c23d465c8a31e

SHA512
e93659fe0bb4b773d3e8ddd0f5be725a55f5475528314a82ca7b81a961c0e7b70e301158230f6a0b98e02050a41669be43a591929414e0add54bd9bf7b8afaaa

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
93KB

MD5
3c945895aa39549ff65b47a994bf7df6

SHA1
381dfa054f0a9f6ff8a8fbcd527f5a780e66cd6b

SHA256
a2fd5f1920ad4a13127e8c86717e6b501670c0b336f7426d86340c950bb2694a

SHA512
cfab43e5b3720a7463b032d52662030e2ec95e1c858b4028e0acc4ce3ef93ce6aeccaeef2ae45ba5453b974283202d3b83d4a3650b7160574a9b22d1cf1967af

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
93KB

MD5
68e24c86056ebfffa91b53f1f34a0c05

SHA1
9b08634f7766489dea659f6890853bcd7b38c5d1

SHA256
1a17bd78c5ee24701186ec7fddf7f2cdc595e0da079f4e7b6f4db85fe0be31cf

SHA512
b47060f63968212a317a38a5b1d6ab83864b7739e9c19581ec2944bc616647de15d451f0971e5e1c58cb0aff2a9a7930ef834b5f2f6dac6947dcb410b6b7b012

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
64KB

MD5
d7b59bbdc9b439c202fc263919aa3158

SHA1
66f9981f4cecf0563fed1ed038f7b4722fc3ac40

SHA256
59fd37edcecf20c5dad03ccecc60813b4a57acfd557e9f8fda0d170299d49b21

SHA512
1635d19288df61fb9e2ee078a33d01bcc264af85f2db43fab382aa074571cc8aeceec3ea96febabd7446d421cdbbf5ae9b188e9a480893d903846dc0b1a48a77

Download Submit
memory/184-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/184-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/436-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/436-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/544-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/544-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/548-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/548-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/696-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/696-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1020-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1020-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1092-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1092-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1168-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1168-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1220-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1220-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1596-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1756-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1756-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1772-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1772-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1892-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1892-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1940-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2296-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2296-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2520-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2520-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2572-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2572-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2900-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2900-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2976-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2976-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3132-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3132-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3208-284-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3208-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3220-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3220-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3228-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3228-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3256-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3256-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3288-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3288-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3428-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3428-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3592-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3592-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3696-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3696-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3716-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3880-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3880-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3964-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4196-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4196-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4260-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4316-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4316-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4448-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4448-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4516-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4524-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4712-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4712-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4744-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4744-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4828-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4828-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4840-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4840-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4864-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4864-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads