berbew | 2455f62a6a7c9eebf902953f2b8e5b6defb48a2e8a66f0795a7aef82a7e28918

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2024, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2455f62a6a7c9eebf902953f2b8e5b6defb48a2e8a66f0795a7aef82a7e28918.exe
Size

207KB
MD5

c51deea9b0fb5d808d608ae24fd0dfd2
SHA1

b9a831caabf1270f88217864774005d39bb3b356
SHA256

2455f62a6a7c9eebf902953f2b8e5b6defb48a2e8a66f0795a7aef82a7e28918
SHA512

bb855468c87812a0c22d47bb7c6689e3d1b6d42942a82b9cb993f142a75608bbfde4f8e6631eec4daad32ba10a46aefb735040ff7b22a83fe5d672bcf93375e0
SSDEEP

3072:Lt+R2H1n9ARjhlRKsVjoSdoxx4KcWmjRrzyAyAtWgoJSWYVo2ASOvojoS:R+GAthysVjj+VPj92d62ASOwj

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2455f62a6a7c9eebf902953f2b8e5b6defb48a2e8a66f0795a7aef82a7e28918.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpqiemge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2796	Lekehdgp.exe
540	Lpqiemge.exe
3964	Lfkaag32.exe
940	Lmdina32.exe
4612	Lbabgh32.exe
3188	Lepncd32.exe
3260	Lljfpnjg.exe
2112	Lbdolh32.exe
3692	Lgokmgjm.exe
3220	Lmiciaaj.exe
4208	Mgagbf32.exe
5052	Mlopkm32.exe
1992	Mgddhf32.exe
3176	Mdhdajea.exe
4352	Mgfqmfde.exe
3432	Miemjaci.exe
852	Mcmabg32.exe
3280	Migjoaaf.exe
2104	Mlefklpj.exe
744	Mdmnlj32.exe
4076	Miifeq32.exe
4584	Npcoakfp.exe
3536	Ncbknfed.exe
4212	Nngokoej.exe
2384	Npfkgjdn.exe
1468	Ncdgcf32.exe
5040	Njnpppkn.exe
4572	Nphhmj32.exe
3896	Ncfdie32.exe
4980	Neeqea32.exe
2060	Nloiakho.exe
2884	Ngdmod32.exe
2916	Njciko32.exe
4936	Nlaegk32.exe
2340	Nggjdc32.exe
2472	Njefqo32.exe
4304	Ocnjidkf.exe
2320	Ojgbfocc.exe
2684	Ocpgod32.exe
2768	Ojjolnaq.exe
4028	Olhlhjpd.exe
2800	Onhhamgg.exe
1616	Odapnf32.exe
2176	Ofcmfodb.exe
1496	Oqhacgdh.exe
3068	Ojaelm32.exe
3600	Pqknig32.exe
1708	Pcijeb32.exe
4952	Pnonbk32.exe
60	Pjeoglgc.exe
4544	Pqpgdfnp.exe
3948	Pdkcde32.exe
2052	Pflplnlg.exe
936	Pqbdjfln.exe
2120	Pfolbmje.exe
1236	Pjjhbl32.exe
1656	Pmidog32.exe
2976	Pcbmka32.exe
3448	Pjmehkqk.exe
3680	Qqfmde32.exe
2792	Qfcfml32.exe
2844	Qmmnjfnl.exe
4920	Qqijje32.exe
1076	Qgcbgo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Hlfofiig.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Nloiakho.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Lmdina32.exe	Lfkaag32.exe
File opened for modification	C:\Windows\SysWOW64\Lmiciaaj.exe	Lgokmgjm.exe
File opened for modification	C:\Windows\SysWOW64\Mlopkm32.exe	Mgagbf32.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Kmmfbg32.dll	Lbabgh32.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Eiecmmbf.dll	2455f62a6a7c9eebf902953f2b8e5b6defb48a2e8a66f0795a7aef82a7e28918.exe
File opened for modification	C:\Windows\SysWOW64\Lbdolh32.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Lljfpnjg.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Miifeq32.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Ahioknai.dll	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	Lmdina32.exe
File created	C:\Windows\SysWOW64\Gdkkfn32.dll	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Mlopkm32.exe	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Mlopkm32.exe
File opened for modification	C:\Windows\SysWOW64\Miifeq32.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6040	5952	WerFault.exe	201

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2455f62a6a7c9eebf902953f2b8e5b6defb48a2e8a66f0795a7aef82a7e28918.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	2455f62a6a7c9eebf902953f2b8e5b6defb48a2e8a66f0795a7aef82a7e28918.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	2455f62a6a7c9eebf902953f2b8e5b6defb48a2e8a66f0795a7aef82a7e28918.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimfpda.dll"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miifeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmfbg32.dll"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pfolbmje.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2796	2204	2455f62a6a7c9eebf902953f2b8e5b6defb48a2e8a66f0795a7aef82a7e28918.exe	82
PID 2204 wrote to memory of 2796	2204	2455f62a6a7c9eebf902953f2b8e5b6defb48a2e8a66f0795a7aef82a7e28918.exe	82
PID 2204 wrote to memory of 2796	2204	2455f62a6a7c9eebf902953f2b8e5b6defb48a2e8a66f0795a7aef82a7e28918.exe	82
PID 2796 wrote to memory of 540	2796	Lekehdgp.exe	83
PID 2796 wrote to memory of 540	2796	Lekehdgp.exe	83
PID 2796 wrote to memory of 540	2796	Lekehdgp.exe	83
PID 540 wrote to memory of 3964	540	Lpqiemge.exe	84
PID 540 wrote to memory of 3964	540	Lpqiemge.exe	84
PID 540 wrote to memory of 3964	540	Lpqiemge.exe	84
PID 3964 wrote to memory of 940	3964	Lfkaag32.exe	85
PID 3964 wrote to memory of 940	3964	Lfkaag32.exe	85
PID 3964 wrote to memory of 940	3964	Lfkaag32.exe	85
PID 940 wrote to memory of 4612	940	Lmdina32.exe	86
PID 940 wrote to memory of 4612	940	Lmdina32.exe	86
PID 940 wrote to memory of 4612	940	Lmdina32.exe	86
PID 4612 wrote to memory of 3188	4612	Lbabgh32.exe	87
PID 4612 wrote to memory of 3188	4612	Lbabgh32.exe	87
PID 4612 wrote to memory of 3188	4612	Lbabgh32.exe	87
PID 3188 wrote to memory of 3260	3188	Lepncd32.exe	88
PID 3188 wrote to memory of 3260	3188	Lepncd32.exe	88
PID 3188 wrote to memory of 3260	3188	Lepncd32.exe	88
PID 3260 wrote to memory of 2112	3260	Lljfpnjg.exe	89
PID 3260 wrote to memory of 2112	3260	Lljfpnjg.exe	89
PID 3260 wrote to memory of 2112	3260	Lljfpnjg.exe	89
PID 2112 wrote to memory of 3692	2112	Lbdolh32.exe	90
PID 2112 wrote to memory of 3692	2112	Lbdolh32.exe	90
PID 2112 wrote to memory of 3692	2112	Lbdolh32.exe	90
PID 3692 wrote to memory of 3220	3692	Lgokmgjm.exe	91
PID 3692 wrote to memory of 3220	3692	Lgokmgjm.exe	91
PID 3692 wrote to memory of 3220	3692	Lgokmgjm.exe	91
PID 3220 wrote to memory of 4208	3220	Lmiciaaj.exe	92
PID 3220 wrote to memory of 4208	3220	Lmiciaaj.exe	92
PID 3220 wrote to memory of 4208	3220	Lmiciaaj.exe	92
PID 4208 wrote to memory of 5052	4208	Mgagbf32.exe	93
PID 4208 wrote to memory of 5052	4208	Mgagbf32.exe	93
PID 4208 wrote to memory of 5052	4208	Mgagbf32.exe	93
PID 5052 wrote to memory of 1992	5052	Mlopkm32.exe	94
PID 5052 wrote to memory of 1992	5052	Mlopkm32.exe	94
PID 5052 wrote to memory of 1992	5052	Mlopkm32.exe	94
PID 1992 wrote to memory of 3176	1992	Mgddhf32.exe	95
PID 1992 wrote to memory of 3176	1992	Mgddhf32.exe	95
PID 1992 wrote to memory of 3176	1992	Mgddhf32.exe	95
PID 3176 wrote to memory of 4352	3176	Mdhdajea.exe	96
PID 3176 wrote to memory of 4352	3176	Mdhdajea.exe	96
PID 3176 wrote to memory of 4352	3176	Mdhdajea.exe	96
PID 4352 wrote to memory of 3432	4352	Mgfqmfde.exe	97
PID 4352 wrote to memory of 3432	4352	Mgfqmfde.exe	97
PID 4352 wrote to memory of 3432	4352	Mgfqmfde.exe	97
PID 3432 wrote to memory of 852	3432	Miemjaci.exe	98
PID 3432 wrote to memory of 852	3432	Miemjaci.exe	98
PID 3432 wrote to memory of 852	3432	Miemjaci.exe	98
PID 852 wrote to memory of 3280	852	Mcmabg32.exe	99
PID 852 wrote to memory of 3280	852	Mcmabg32.exe	99
PID 852 wrote to memory of 3280	852	Mcmabg32.exe	99
PID 3280 wrote to memory of 2104	3280	Migjoaaf.exe	100
PID 3280 wrote to memory of 2104	3280	Migjoaaf.exe	100
PID 3280 wrote to memory of 2104	3280	Migjoaaf.exe	100
PID 2104 wrote to memory of 744	2104	Mlefklpj.exe	101
PID 2104 wrote to memory of 744	2104	Mlefklpj.exe	101
PID 2104 wrote to memory of 744	2104	Mlefklpj.exe	101
PID 744 wrote to memory of 4076	744	Mdmnlj32.exe	102
PID 744 wrote to memory of 4076	744	Mdmnlj32.exe	102
PID 744 wrote to memory of 4076	744	Mdmnlj32.exe	102
PID 4076 wrote to memory of 4584	4076	Miifeq32.exe	103

C:\Users\Admin\AppData\Local\Temp\2455f62a6a7c9eebf902953f2b8e5b6defb48a2e8a66f0795a7aef82a7e28918.exe
"C:\Users\Admin\AppData\Local\Temp\2455f62a6a7c9eebf902953f2b8e5b6defb48a2e8a66f0795a7aef82a7e28918.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\Lekehdgp.exe
  C:\Windows\system32\Lekehdgp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\Lpqiemge.exe
    C:\Windows\system32\Lpqiemge.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Windows\SysWOW64\Lfkaag32.exe
      C:\Windows\system32\Lfkaag32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3964
    - - C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:940
      - C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        23⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4028
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:936
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        60⤵
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        71⤵
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        72⤵
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1348
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        75⤵
        
        PID:920
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2648
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        80⤵
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        83⤵
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        86⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        88⤵
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        100⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        102⤵
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        107⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        108⤵
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5692
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        116⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5952 -s 416
        118⤵
        Program crash
        
        PID:6040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5952 -ip 5952
1⤵
PID:6012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
207KB

MD5
3f13a34d753384485bd4870780e7a2fc

SHA1
e32d37c6dfbd05907f021240175443f0aa00762a

SHA256
66182124832895b5aa7a8326e6e820f7d31a12aea5f3bd447722a227048373d0

SHA512
e95ca180d1032d20809f9a0c8feb7ae623f7dcc29b036bea4500d9091af3ffae7c5de40fc2f6ab66c94902fa42e8eb1d62cfc913a7ac4aeb196ed9e0ec76ca4b

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
207KB

MD5
bdf559e04bc720cf2ace71bc53299971

SHA1
efc30ce4386248e7ae4a966bf2a7dab6a4585cc2

SHA256
086c86ff249346f7e5c3702a61fa6f7b9f3349529be691d17bfbba535a5134d1

SHA512
ee8c1d152ec005e637626ff677dc8a92db3115f790a85a4af9429dcc7dfd24cfba286dd996a16ea2be40d0287b78cc1760d80500a8ccaa2c89ef9b3ba946932f

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
207KB

MD5
12c72650fe1a12aa5e79629c0065026b

SHA1
e77b0aefbdd8906d9a82e5d1a3aa9664ec3d6c78

SHA256
ae0227d16fc17f2df50f3dbec0f1c8753411e772c2e35f60550a3b0e07f360b2

SHA512
0a9bf85280216bdccd6cc38f88866b5fd75b285a37fb4c820df16b782608a0ad6a48a8c9c332cb6b4174ce8e329a5b4a81aaf8bc7c335514ee65cdd7fe66363e

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
207KB

MD5
25542aaf9c006a9e28415851b1de7859

SHA1
aac1b1170889717773926c8798d6e343fc5a1479

SHA256
77a4412817e38c71b033d6ba21e67787e87e6e31507d015d2a1135ceb6620ff0

SHA512
c43f9f3dd6b4007d7c57b08c32c5154de9d96c283126c6fa586564279127788131ee409c8a58ae2b121f4fff58bacbbfe586954dc7394ce5cb533a5eceb8b4bc

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
207KB

MD5
7bc46092b8beceab8f3318ba6cdf8a1a

SHA1
58a9d1737c36ddc3167864cbf8d96b3333983fac

SHA256
7e6bfd982b085dd8abbaa5473ee106a0acd94524662ee4cf36a037eb756f3e00

SHA512
f1ee0e4f69d2e5a5e13f174ffd36614616979f122b37fa424fd541a4ff149f86feb19e1aab3cd177b3babc1d7512245f9542c36d6532a24d3928e53e258f240e

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
207KB

MD5
1ba027f23b04004995dca86625b79f8e

SHA1
6ccf44d85d4ef2b96cc392bd14380cdb9d96f753

SHA256
a3f87c4c399c0af8c0863ff351e4f4b5ae053dfd21b518bd93288f55385481ba

SHA512
8ea412870423ddd091b968bdfb2e514e71392ff81c45e7a1bc749893f35b6979ba6a5c7a6c03c4f298c4f1dfc7b69265722bbed4b295b31cb9cdc4ae8fa0e4ab

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
207KB

MD5
43c2585d09fe1a883372e4671c3ae48f

SHA1
c33be4123035d6d7f0e4339b2bff4c212fa56bdc

SHA256
9d7a087f49f88645eb5af4989a4e1d0bcb57da9644b658f3376f6079d071772f

SHA512
32162fe69553d8719eaf92214a769347d66a6da91cf07b4f87cfff1678f769da12ca0003e3de9391b7eb768feb32083042d7f809d1ed66e6868d0c0c8638f877

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
207KB

MD5
3972b6a5c761c5e79df65e747f19840e

SHA1
c7791b822185018d723b9c4d9a3359df4cda9e21

SHA256
1d55251f92f3b516e8f84b9c2f32469696d1391466b7624924cca4bb21010c91

SHA512
65b935bd94bf46d13713c3deb23e3293f5bdcf79f1e69cb074fd6e893c15a25e1c9ed67b2c718d9d166719cb96c69f040d951129c7a5b2157bc6bd934e103d6d

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
207KB

MD5
3ec6d6abfc22135d60ad221eb3e5c146

SHA1
fe4de26be9e32041a08bc48c07b44b5f24ee6e57

SHA256
ca5226233d81080dfc808c0fc057d4e3e315c2f9e39ef025e3d47024afc57e25

SHA512
40950d74d76ac1faca654b8924c29e83ae2954b7b70417c2d87e6dd3d79e24e24c330b6aa89b5a40ba6254260f8aa5a017f8673d726e8247816b1beea48a58a7

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
207KB

MD5
921c6bd72cdfc87f2c187937d75cfcc3

SHA1
f2be11b3764334e2c2fed5c169bc258d8a7e2012

SHA256
50152d3fdc190491c4eaf6921126ecf9fb65a46506447d6eb1da13dd8ed6d210

SHA512
78557881d862952aace021e564b726a4c192a1170313b97288de5970aaa9f86ee83d2b7720aa223d3d988fd423bf21114707cfa0aaceaa65dd93bb37fd4ff9ab

Download Submit
C:\Windows\SysWOW64\Jphopllo.dll

Filesize
7KB

MD5
39da27cc48b14ea5be24db5bcd363169

SHA1
5fa5182469fd4565a734b5fdb48512329a34bd81

SHA256
111852375c04cd188acd284fdd5488ef2cc5cba7c2d9b83ee61e83ca59f301fc

SHA512
cdf171205ec781e3576b8dbb9fc63bdb27ab48dd800ac1901d97db1650c3c50ee931587e5e3a0d23276b538736ffcb92272b8d2c0b8d1a9ac61603c9ad5dc774

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
207KB

MD5
4fa7634c536f3cd121b51ccad0280102

SHA1
6fa1d597cbf543a54c834cb6ba18933971aeb609

SHA256
4b3b99034c3a51aa45ce1c2b061562a741370fc86ba27d6dab0dda8d8775a6b3

SHA512
a162cee52ee8f6d7f8ab904bc0673b4a671fbe4995af388995d7afd7e44aa5ffa66d34f8a7eb76112dbcd9f11dee3a93cd0c1c924ead1678d3f376fcc7d1fdba

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
207KB

MD5
75fee043324a6898a229ab18a7dacec1

SHA1
68d818d68def19924484fb8e15961ce9f4477c36

SHA256
bd52a1edcd512c41175a68feae2f888e892fc21891c10584d6b151a163ebd5a6

SHA512
3ad3c4ba720d131fb6577c8b890825cf356527c81af2ca38b9294ed0ccab6ac53b6b35729345b4ec650247481df39ebcebd063bebcbddb60a26edc46b995431b

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
207KB

MD5
23213202ee83f5aeb793d2f0694da1c2

SHA1
019598fcaaeacd3be526b5c4bd971b682213e0e4

SHA256
10aeac545eb7dc9f628b84e7518bbb54cc4b8c977ef807f476df66c71ee82f6a

SHA512
776325e20487779b801b69a1e317950e1e4a69f1c4937508750e87b62e5900256c42eb4b421efcd1a1e446c49527441913082b85b5ad25d86c4d105a6dffbaab

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
207KB

MD5
443e88b4479d117b96a157e5dc58ff25

SHA1
acd244d504c2787d910e9b6a6fe0e1f99dc5e6f0

SHA256
8e43fdb0dfbef5bdbf453766eeddc962744453608516dcf6906f221fd12db76e

SHA512
d0bb3e28438e74ef5f7696dcdd7aab3c789f0ec62a1bcb98eb1ece509c88fe6ce078baa0c5ca6cf5504fe6a01ee262d794058f9ebcfb8803a0fa06def39e9f25

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
207KB

MD5
1c1f2ab04568dcd0c63d81d2934501e0

SHA1
38844bfd5c37a8201503f66901f0b33eb4b73341

SHA256
f45fc12e8c8665e27bddf96b5761cbb90fee3e9a5bd41718262e85483d2fc9c2

SHA512
b90cbe0b663323224d26cc28f08e831bef60e30519392603f11a926d40728ee6b4c443a4c320269cb0102df4d614ce088722ee8e4e6e68a670763978e79cff28

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
207KB

MD5
875e2147bce8db1dd82110641ff55d11

SHA1
8b30a4840f6bddad8e4683065a6c460578c01b0f

SHA256
a8ed99a83e4760a2090391b1b42890623dbc5c436521b8d073da64052f5c47fe

SHA512
af8b8c847e2f0733d1d5356c6a06b03bd1f7987eb0faf5b849cfd190d90b3ea6283aaadf089256c57534c7ff7f7cd2624e1f45ba45ba0f70faf00eaa4bc113ac

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
207KB

MD5
9a0b7c0f41781bcab1f025c307592426

SHA1
d5f77321edde09b298b6d227dd2c43518b889702

SHA256
e736366e958108167261798e21fade1d04d5fe542002809b977c0a53ea3956d8

SHA512
bee569fbd34a6ee1074588f1bc5ecd3d4974e50f5430bd6c5fb09e38faef27561613f9367134d97a295457bf713d74939dc59cfab7147f8ee8e8f6bd4b12528a

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
207KB

MD5
98e4242dcd3839b5d800c94161fc1949

SHA1
98292a2d33094a9690c83fc0c9622cc6a0bc1f20

SHA256
c5de61326241deadd62089d95e1e5a65515f72537469d5a6be4b7ec2aa85b6d7

SHA512
ecc8bd2d34a7640eaa004b8895301fe31fd11f56d22fd2a376fe7ed33f7d32064e23699f0d3f64a1cd48f812b33959b7eb0d90470c0f006417053646199a004c

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
207KB

MD5
245e0b6509fcf0fadec66c5a1cefb60f

SHA1
76b92ec82e587697a9f02dcf89ca5dea00ec89bc

SHA256
3e24ba4461e2a693e3536f3dea723206eae48248e32de67d4baf44f01e7c8010

SHA512
20da43ef8250ab5660a00fea2adda56dcd1082df8402c63ddacdcf5bc3904a23d25f50649542822685c42ad632858038b7f4b43b5986c4d17e3c0da785b15eaa

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
207KB

MD5
dac136771bce839bb84fd6d64b8f5c46

SHA1
878a249ec3b508a9ff5e3d9388360d246af53c6a

SHA256
5838f3a078eb9764c4a5e9245919664f1a198a6e882ceee7b72b36d646ed8f0c

SHA512
54a72f684e067d79d7db31aaec6a57b8477cd98b99d7759d9949a46e2ee7e42c247d17f6a5bfe8d878ebcf0512bd2d6a155043eca7ff5f6e3609b1419c2fc682

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
207KB

MD5
17ca24aaa0b581e914c2fd33cf346baa

SHA1
8c943057c2f43dc77881a988ca9351eb8659b697

SHA256
a0f5511d980a69be337c57c1a26ae0771c21feaf03caf44be9e0ab808785d2ad

SHA512
fa5aab9300777e760ea041f8354475a769584ec25cc8dbf4abd11c47077c4bb0b9f7b8c06a9e0506e1e2d20188ac49b66822b43946a67649479212d22f29df68

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
207KB

MD5
acc139f2649bf8a506f238e3b54dc734

SHA1
c7cd6d20d97d55d030973e2b506b79e742af6534

SHA256
0e74818565667a4693c2438b258cf4d9afda4274509c8004e8591bd5668af1dd

SHA512
a2153eba05a7dedb664feb0aeec8ed3bc68bfb5a76e546a289227d26cd14f4d8a5a59fcba5e54298f567994c4cec2b998c360ec0af8e0ebfe7218c6378f652cb

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
207KB

MD5
cc91c53369a12d9ad405cc0038c0245f

SHA1
9e656be3d56ba9538d9011ad0f129324ca0f949c

SHA256
cbdfc70532687579504bb65e126c03161fbe5aa084d3ec27b15a62095722168e

SHA512
5b10e33c3bf671aa777fd6644ee6c9ba23eb9fe85815567b332af36978b1d67824fdef03fcd8e434452615ce5b1075ad190870f7d5eb66aaca4d51350f49bea0

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
207KB

MD5
ab15ffaf30bdf963a6bf2d86c0f4b498

SHA1
c04dc5b0cc2b9f707c7861915a8091e68660cf9f

SHA256
221f60fa158411ac58eabf51fec922ecd736783090100d307045f0d8cba014ca

SHA512
ffa65d29e4f489d8461a1fce01b1ca95cc09c41890f9ab418173b670847425df88b998fede64054ee19a0838ff3a94e5f45667e3c8c1d87ba436872a608f4ddf

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
207KB

MD5
2150716fc3772497c3fbdb4f7e4937cf

SHA1
c37a05b4d4af5b59f1a517007de10395ee616bff

SHA256
ce7c189a89d24cde3ecb62aa741909412e780d00521f9582c3a19399eee35654

SHA512
bc66dd636b471b0b5662050be3aced82576523d54d28a66466fc8b41a241dbd7890702e684cbcb069abcc4754aea4f57a50f16036c2ebf62cc60758374318d6e

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
207KB

MD5
59e4285282afbae5076f5638b2aa05a0

SHA1
4ecb2356600bd9563fc5a4d0c1313c7416f77c13

SHA256
ed8be358aec2e6af18936f8ba9e4cf37fc6ba70412e17d6a7b2da767936c5b74

SHA512
a5091d72e3b8247e06e8576a37b87abe8f9c14223859826d137db9581438d5f0330e0780f86b838e9c23fb9c45777db3c5e9a4cab1c97482dab7fa11a5870830

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
207KB

MD5
a5b6ac71d2ddf7c49969632be045fd25

SHA1
84033e5f6599adc9f88741bf341df20cd970e3d1

SHA256
d334337d3f672a1bc9cc638fbc7397a32fc1a5eeab2ca0cb29ea58c3e16fd8a6

SHA512
07dcbc768afb8fd00817cfe619065f2954233e11b273db347271b71f81072f7003f71516a1572d5687098830aa6185802c997781b9c63877d322430cc3377986

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
207KB

MD5
292477ef3d12785494494676acaa7379

SHA1
8f9d00ae46d914d4b60fbf6b582fba771e315f5d

SHA256
5715b2e905312bffbb84df060e5225c1d1456ed6f28721855e4debf5c1942df2

SHA512
9f04efb6ca5b4d1f2e84dfd9b64b15b3bb1a138b6eb1844bf794d16ccd1b7f6aa7ebb26ff8e5cc50eb4d2e3de857cd323fab0c1abdb76d617ceb6f983acd5c21

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
207KB

MD5
3c48f93d0a7c6e3bbe8d5896a8bd145e

SHA1
a9d9c9f9533898f8b13beb37c286b6e932ff9946

SHA256
e7ae5e32eee386edefd8efac69cae9dc499aa512b3e2c37a883fa19b5810e1c0

SHA512
8e743e9210c6c76157d2cf376ccb1d3584a398b6f5ef941cfe55ecd8f06a24e6720174bab22d35bb4f64c90440d4f29ccb4e50ba1f785df19577f70f55af2677

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
207KB

MD5
7a1bec963982b0b8258c47a9be2f8751

SHA1
89a32f4cb2649e093d754a65a99b1f486382377b

SHA256
88c4547a3b70b0dfee648ef74512ed8766bdcfc4208320426aebfe2269b75635

SHA512
0c691c7ed14d8ad2902b03681695ddbd6ec7af3d69d2e36fa069bbd88397efd5e28584e104a9a82430ddd255a2b9ed039e22f5ae1d34811ccf31134336dd3312

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
207KB

MD5
e7d68041cb2eb60a47f6f8748a25fbc9

SHA1
3657d9e5c7eb51d344ffb02a9384f6d5be4fb339

SHA256
f205cd4b94bc3241a377b16b27f86632476df5e46b53823511b1071955b877a8

SHA512
0728a069790fa45e38768de70931d26e4a810d0113ea55f0704af8bfc194bab493ec687d7670d0b814fc6f621bee6e8cbf79e6463a809892c2b40cac7c11816e

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
207KB

MD5
eba25cd47720f03f2dbc6eb78c67470a

SHA1
a205b643bdcba05da3d7b8d6f9a20915e545ed8f

SHA256
a64cc481f6c8a72a2bc2dd602dc5887faddc1ddb28494ce7bd14a45cf3dc320f

SHA512
5287ba374233e86ce9a8d0549a49fd73a36c49eb2a09da8a9464afe0990ad6aedf948f62b6cc076e0065aac55910cc957a61ddf35481278f63836bba0c2b14e8

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
207KB

MD5
6a9a8ba6804c0a29d546cf81113badb6

SHA1
12883442111b12f96c7bd9f8e0e25e2317fe320d

SHA256
feeecf18d648cde45e8dbb4c3aa70d7bde9174ab41edea54119ea418119fba37

SHA512
2cb823fcf430dd844dd1bed93bc8bf87c87151dfd955ddd0539322e859c056bc48008d7782ad8386b829b30c51a4557f0e3bc5279a0676ed320fc95edd698198

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
207KB

MD5
463d57f78d56f1a4d8a80c662df8de07

SHA1
b79966ec1aa1baf9325ced12e99952850e32074d

SHA256
98782cdbb26e383a4590f59c338fde06ea71147df46f5da88b831956ea910add

SHA512
bce39d373282ef53323efb4d0be45a4c0ac761ef40b2335e2f908f47171c0a53defa654262b9ab48197c8a2e434276f6dd2489dfe9e4e9e0714fbe533af4bcef

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
207KB

MD5
95cf682ea8f5964ee6512c91344a19da

SHA1
ff4a9295ebe7682956eb4a16f95b965eb189b93b

SHA256
f520a52228c3632eaf8a09d3bf65c2fa9eabb253ebbbfbafe14f8e93b2005ca1

SHA512
2b8aff50e472438edb97345ad64c74d49c3e3c1e4e05a01bced915da9c4c837df710d885ce21c3b2519619dc97f495168801c653fda5141ece7c904070be4160

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
207KB

MD5
d5a972a5f87bff0a6fcf2304e08ffea6

SHA1
a1508b76f61d4f3709f3b66e70d0ac4601228cc5

SHA256
cf02b66c881e4da59aa780875436772f2ead75c9b7c4756a1c5ca601619e464f

SHA512
6a23ed7525bb4fb400250d18cec372faf854efe75408ed618575cbfa14ea4492ce14434dfde7428a8af823a85b6adcb2003e0d03097731a51888d229bf4d83d6

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
207KB

MD5
19c4d1f3f124bc5018b02398c7f5903f

SHA1
251b44ee2130bde3afb9cbe4a93480d8ff0d5539

SHA256
36206e1963b179ef8c260d10496cf35f85df1bb5a8aaeadda5977f8d9032617b

SHA512
16b9645822321d0c89c8aa391406bafcb371ebe09d190dd605c26482105280b16605c3ab57321a8439c353b06da4f901b2114b7d59e3f76fc70c6e6b2fbcf14e

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
207KB

MD5
462535e538a67f8bcaccbe96961429d8

SHA1
7115853dac69415b3e4a190a742bfd01982c53d9

SHA256
24ba56432e8a472f9cb0a71f08da616637d5452c3f782cd302fb94cc2b3d8b53

SHA512
93f209ecdd78a08e0319a959a5c5de74263e5ee8040ae5cdd7f7b34bb1295190725c4a747e05df9a3d7cf824cd466fc4e1ce9d350b6b14ddc9b1e1a8cb4a9fd1

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
207KB

MD5
a65951cfa422f8f182f241b609431beb

SHA1
a7c66a0ca11512cae6ef2a139658b5ebb7c8cb0e

SHA256
0fafa464d336ec4309186d9ec50f7f5ab0fa487b7ea2fcad6a7a23146f5c4a02

SHA512
a2a2323220af2fab12ebf1545afbd7db304a1ffe9bb83ca77c38fbba80e9294fa410b99b82d9b7f36718150cd759143ed7b59065fef6456c9a00771bfdc93305

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
207KB

MD5
04e07c80b4e1f9fc821c3c0d49977704

SHA1
1de2c6803208b2dfacd5d9f39397d162c4a1bc97

SHA256
b1c8ba1e9b7daf303bf8822375561fb06cbd17116d43e98cc1a1d7018202cf07

SHA512
7165f36d20d85719a075cc28ee53db89a5b66b31ba3d03a67c26d4c682d436fb3bb67b2f1714f38d41ff42a69a8e1bfc3834f4c92df7b7f44c64442c2a2c4e82

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
207KB

MD5
7e891f33d30c594d98c282f72ef252ee

SHA1
6614a66f5ed56541eb0e21d37767249abc926856

SHA256
950738cb73778323d1393602d25fd34f33642224c9fe4951291c8751a6b4c515

SHA512
57fb3d0224029d46923d1d9763d33a54c5a79b84a0f9c9a4735c890a476da86f29f028ebc21d76b390b7fed5569d926a285327e3220eb8f6df2c0e0c13036199

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
207KB

MD5
845df49a11902362229b07facbd51ac7

SHA1
b21e6247893a3808d19a775925dfc5fd37e38762

SHA256
57411f8105cdbf76437d11f49b1a15c9a98e304dbf2c3e0283ea2001e1ddc3c3

SHA512
f4e88e5c699129e146de80cfada621f901f44108a3c8973fb3a30da49e595c92e3615ec9882e9b207eac33bbe9d8a9472e1c4b91198d9e7771fc3b33041086b1

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
207KB

MD5
b125f4e0c5d4c5e0e7e097e62fd3ee44

SHA1
bb5de2dac7cd2fb2c182f049e4f9ab7adfe641b4

SHA256
910cc75c4763dcac6c37de3d1cd44fd76670934a964e6d4c93af215d2c5ed00a

SHA512
cbad508725c2e79754a46c2466f52e741d3b51ca4de00d9f51c463f69919de86d255001e9250a33171fb1b6875a37bb184e9b8b85e10d1ff108161809a1f79cd

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
207KB

MD5
9163bad87b6145c628a02a4dbf352932

SHA1
a414846a83a6e75864dfcb7c90dafe47a5617cba

SHA256
54ebb6efa2c13764fea6c15877e576957a3658f974dac33e70a94ba56f596743

SHA512
957ddb2eb0fafb390ebcc1f61a100f8a0da6e07cd24ced2bac874c7b0aea6dc639e875a8997bcc077a70d651a1d3b8c886c0a0377b63702e3fe0a7d42210e55b

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
207KB

MD5
69a9db9688233b3fa5c2d5288e17dcb3

SHA1
dac08a7f3e9da1ad447b84f2b9b73b304af75f36

SHA256
2a15a24499138b20841549c6bd745b2583d92c450821e7e5c620678285774868

SHA512
a7109e5585f989a2a04b38d2d315be2c8c9e68317668dab7d39fde8ce5e2433af9a68438272a0b5bf4b5be4d88fcadabb8356545546d62382ed487b8acf996f6

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
207KB

MD5
e6d0628f690a5276d322f847eb96fdc4

SHA1
880026d765fa82efd34651b4b8011c39600dc829

SHA256
86285b94ebf0d74a52198bd1453074f1ebdb11c4723de0acf0b580ccd94c1880

SHA512
c3c86043687c818ed9bb882e1c15e624da56fe0737df99194db677c95aa26174f93c87c5d19c50e3de17d61a09702a3ffd9be1df10153a9a281b6b2f1c261749

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
207KB

MD5
cf3ff8da7f4503f8242f701c0cf97414

SHA1
7520cfedb5259aefb85084ce647236adb861ffe8

SHA256
dcf1e23393ac6c957492718a20e32ac6bff3add0514f8ef412122e596da684bf

SHA512
86a2aca0c9da9d540485291abccb3e5eaebc49fbf49be5f97ebfea1f50a70f90323329484b5b02b99f36ea719acc5239b6bf806a297c9a96ec8bb06a0124c94b

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
207KB

MD5
dea73ddabafcd0563a44b5cd608bffc8

SHA1
c929e8bb6efb90dd612819a3917b4fcf9f144a03

SHA256
f63f8cf2cc49a4d4634b96a3940be774a27c270980f279d8f6739cb1e9f8ec06

SHA512
5528f8b04f28556ec8921134f8ac020ab3226191fd5c43e3931103c276267f877c462cb30c8bce880e40b831d26a6b5c43c38a43caaeae47bd38109f49d955fb

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
207KB

MD5
da07f0d3fe6d9e80f2f05f86607941a8

SHA1
c961db8a9fc57635c77925fd4555b89139aaf583

SHA256
866ac93ebb7e786422d74912631894614b2411c2a0f6bd35abe9ef94554f0be9

SHA512
d4d8dd5f9d81ac0aa3601172f0e49adc84703451fe547f5bb80a15524e4357096a77bf078f42d059af0b85509645aa261bbbd48f73ca0520fd91faec9eedc745

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
207KB

MD5
8415cacbecc6a1a395808c65d4b1a1f0

SHA1
3d3cdaa798cd52afab36322f952ae42bee8c86ee

SHA256
744c77e2d98b1952ed257fdc95364491dc39d0cf65f6a146a0235924408ca544

SHA512
16adb2848b95935f90fe7123283562e608b4cb73e240f2f4cf2fe319b911d90fd2f22c35a891f48e26a2a586a8022f210f89b78849c869d40a70b087911bf5bc

Download Submit
memory/60-363-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/540-557-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/540-15-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/640-565-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/744-159-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/852-135-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/920-873-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/920-507-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/936-387-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/940-31-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/940-571-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/956-471-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1076-447-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1236-399-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1348-501-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1356-519-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1384-579-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1468-209-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1496-333-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1616-321-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1656-405-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1696-477-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1708-351-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1920-593-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1992-103-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2052-381-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2060-247-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2104-151-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2112-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2112-599-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2120-393-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2176-327-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2204-543-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2204-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2320-291-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2340-273-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2380-513-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2384-199-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2388-495-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2436-465-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2472-279-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2648-531-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2656-572-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2668-453-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2684-297-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2768-303-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2792-429-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2796-550-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2796-8-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2800-315-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2844-435-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2884-259-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2900-544-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2916-265-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2976-411-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3068-339-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3176-111-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3188-585-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3188-48-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3220-79-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3240-542-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3260-56-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3260-592-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3280-144-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3280-986-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3412-483-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3432-127-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3448-417-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3460-551-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3536-183-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3600-345-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3680-423-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3692-72-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3896-236-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3948-375-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3964-23-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3964-564-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4028-309-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4076-167-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4208-87-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4212-191-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4220-489-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4300-558-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4300-857-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4304-285-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4316-459-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4352-119-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4444-586-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4544-369-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4572-229-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4584-176-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4612-578-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4612-39-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4616-525-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4920-441-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4936-267-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4952-357-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5040-216-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5052-95-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads