berbew | 0516c2a8e3a19b059c23fcd74ba879cd49e4aaa6b765c7175a0cc84a604d19b0

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2024, 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0516c2a8e3a19b059c23fcd74ba879cd49e4aaa6b765c7175a0cc84a604d19b0.exe
Size

96KB
MD5

b823e9846b3585347656037bc6458fd5
SHA1

2413270e70fa6e6261b2f03a5fd4281e4afb57ca
SHA256

0516c2a8e3a19b059c23fcd74ba879cd49e4aaa6b765c7175a0cc84a604d19b0
SHA512

a8c555678b9c89b5f7f23d94188b51abfbc4fc7c2686cbbc9345d7d285cbf3cfd0d1478546a80b4d9a371dd22217d3c852cf5cbcf2d5c87dae36a5d494274c73
SSDEEP

1536:yYtyQFIh8qvzJf9d6uOV2fwm/wrQ2LEO7RZObZUUWaegPYAW:yKyQFImcl1d6uOKqrB9ClUUWaeF

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cd4-771.dat	family_bruteratel

Executes dropped EXE 64 IoCs

pid	Process
1064	Ldleel32.exe
3048	Lenamdem.exe
4828	Lpcfkm32.exe
4868	Lgmngglp.exe
4612	Lpebpm32.exe
3188	Lbdolh32.exe
2748	Lingibiq.exe
5064	Mdckfk32.exe
1980	Mgagbf32.exe
2132	Mipcob32.exe
1496	Mpjlklok.exe
2232	Mgddhf32.exe
1384	Mplhql32.exe
3640	Meiaib32.exe
1432	Mlcifmbl.exe
1568	Mcmabg32.exe
1904	Migjoaaf.exe
2208	Mpablkhc.exe
1324	Menjdbgj.exe
1204	Npcoakfp.exe
2576	Ngmgne32.exe
3264	Nngokoej.exe
1608	Ndaggimg.exe
832	Nebdoa32.exe
4992	Nlmllkja.exe
3004	Neeqea32.exe
1940	Nloiakho.exe
4060	Ngdmod32.exe
3308	Nnneknob.exe
5084	Nckndeni.exe
4236	Njefqo32.exe
1168	Oponmilc.exe
3008	Oflgep32.exe
4880	Oncofm32.exe
2472	Opakbi32.exe
2508	Ocpgod32.exe
4768	Oneklm32.exe
4304	Opdghh32.exe
368	Ognpebpj.exe
2436	Ofqpqo32.exe
3648	Oqfdnhfk.exe
4580	Ocdqjceo.exe
4148	Ojoign32.exe
2744	Oqhacgdh.exe
3020	Ogbipa32.exe
3408	Pnlaml32.exe
1056	Pdfjifjo.exe
4092	Pcijeb32.exe
3496	Pjcbbmif.exe
5088	Pfjcgn32.exe
3768	Pmdkch32.exe
3140	Pcncpbmd.exe
5000	Pflplnlg.exe
4524	Pncgmkmj.exe
3164	Pdmpje32.exe
2120	Pjjhbl32.exe
512	Pdpmpdbd.exe
3104	Pjmehkqk.exe
2976	Qqfmde32.exe
1392	Qgqeappe.exe
2304	Qjoankoi.exe
4928	Qddfkd32.exe
440	Qcgffqei.exe
924	Qffbbldm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lbdolh32.exe	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Lenamdem.exe	Ldleel32.exe
File created	C:\Windows\SysWOW64\Npcoakfp.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Efhaoapj.dll	0516c2a8e3a19b059c23fcd74ba879cd49e4aaa6b765c7175a0cc84a604d19b0.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Oncofm32.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Nniadn32.dll	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Mlcifmbl.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Ndaggimg.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Ndaggimg.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Pkfcej32.dll	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Ndaggimg.exe	Nngokoej.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Nnneknob.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5704	5620	WerFault.exe	204

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchqfb32.dll"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mipcob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nniadn32.dll"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdfjifjo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 1064	3852	0516c2a8e3a19b059c23fcd74ba879cd49e4aaa6b765c7175a0cc84a604d19b0.exe	82
PID 3852 wrote to memory of 1064	3852	0516c2a8e3a19b059c23fcd74ba879cd49e4aaa6b765c7175a0cc84a604d19b0.exe	82
PID 3852 wrote to memory of 1064	3852	0516c2a8e3a19b059c23fcd74ba879cd49e4aaa6b765c7175a0cc84a604d19b0.exe	82
PID 1064 wrote to memory of 3048	1064	Ldleel32.exe	83
PID 1064 wrote to memory of 3048	1064	Ldleel32.exe	83
PID 1064 wrote to memory of 3048	1064	Ldleel32.exe	83
PID 3048 wrote to memory of 4828	3048	Lenamdem.exe	84
PID 3048 wrote to memory of 4828	3048	Lenamdem.exe	84
PID 3048 wrote to memory of 4828	3048	Lenamdem.exe	84
PID 4828 wrote to memory of 4868	4828	Lpcfkm32.exe	85
PID 4828 wrote to memory of 4868	4828	Lpcfkm32.exe	85
PID 4828 wrote to memory of 4868	4828	Lpcfkm32.exe	85
PID 4868 wrote to memory of 4612	4868	Lgmngglp.exe	86
PID 4868 wrote to memory of 4612	4868	Lgmngglp.exe	86
PID 4868 wrote to memory of 4612	4868	Lgmngglp.exe	86
PID 4612 wrote to memory of 3188	4612	Lpebpm32.exe	87
PID 4612 wrote to memory of 3188	4612	Lpebpm32.exe	87
PID 4612 wrote to memory of 3188	4612	Lpebpm32.exe	87
PID 3188 wrote to memory of 2748	3188	Lbdolh32.exe	88
PID 3188 wrote to memory of 2748	3188	Lbdolh32.exe	88
PID 3188 wrote to memory of 2748	3188	Lbdolh32.exe	88
PID 2748 wrote to memory of 5064	2748	Lingibiq.exe	89
PID 2748 wrote to memory of 5064	2748	Lingibiq.exe	89
PID 2748 wrote to memory of 5064	2748	Lingibiq.exe	89
PID 5064 wrote to memory of 1980	5064	Mdckfk32.exe	90
PID 5064 wrote to memory of 1980	5064	Mdckfk32.exe	90
PID 5064 wrote to memory of 1980	5064	Mdckfk32.exe	90
PID 1980 wrote to memory of 2132	1980	Mgagbf32.exe	91
PID 1980 wrote to memory of 2132	1980	Mgagbf32.exe	91
PID 1980 wrote to memory of 2132	1980	Mgagbf32.exe	91
PID 2132 wrote to memory of 1496	2132	Mipcob32.exe	92
PID 2132 wrote to memory of 1496	2132	Mipcob32.exe	92
PID 2132 wrote to memory of 1496	2132	Mipcob32.exe	92
PID 1496 wrote to memory of 2232	1496	Mpjlklok.exe	93
PID 1496 wrote to memory of 2232	1496	Mpjlklok.exe	93
PID 1496 wrote to memory of 2232	1496	Mpjlklok.exe	93
PID 2232 wrote to memory of 1384	2232	Mgddhf32.exe	94
PID 2232 wrote to memory of 1384	2232	Mgddhf32.exe	94
PID 2232 wrote to memory of 1384	2232	Mgddhf32.exe	94
PID 1384 wrote to memory of 3640	1384	Mplhql32.exe	95
PID 1384 wrote to memory of 3640	1384	Mplhql32.exe	95
PID 1384 wrote to memory of 3640	1384	Mplhql32.exe	95
PID 3640 wrote to memory of 1432	3640	Meiaib32.exe	96
PID 3640 wrote to memory of 1432	3640	Meiaib32.exe	96
PID 3640 wrote to memory of 1432	3640	Meiaib32.exe	96
PID 1432 wrote to memory of 1568	1432	Mlcifmbl.exe	97
PID 1432 wrote to memory of 1568	1432	Mlcifmbl.exe	97
PID 1432 wrote to memory of 1568	1432	Mlcifmbl.exe	97
PID 1568 wrote to memory of 1904	1568	Mcmabg32.exe	98
PID 1568 wrote to memory of 1904	1568	Mcmabg32.exe	98
PID 1568 wrote to memory of 1904	1568	Mcmabg32.exe	98
PID 1904 wrote to memory of 2208	1904	Migjoaaf.exe	99
PID 1904 wrote to memory of 2208	1904	Migjoaaf.exe	99
PID 1904 wrote to memory of 2208	1904	Migjoaaf.exe	99
PID 2208 wrote to memory of 1324	2208	Mpablkhc.exe	100
PID 2208 wrote to memory of 1324	2208	Mpablkhc.exe	100
PID 2208 wrote to memory of 1324	2208	Mpablkhc.exe	100
PID 1324 wrote to memory of 1204	1324	Menjdbgj.exe	101
PID 1324 wrote to memory of 1204	1324	Menjdbgj.exe	101
PID 1324 wrote to memory of 1204	1324	Menjdbgj.exe	101
PID 1204 wrote to memory of 2576	1204	Npcoakfp.exe	102
PID 1204 wrote to memory of 2576	1204	Npcoakfp.exe	102
PID 1204 wrote to memory of 2576	1204	Npcoakfp.exe	102
PID 2576 wrote to memory of 3264	2576	Ngmgne32.exe	103

C:\Users\Admin\AppData\Local\Temp\0516c2a8e3a19b059c23fcd74ba879cd49e4aaa6b765c7175a0cc84a604d19b0.exe
"C:\Users\Admin\AppData\Local\Temp\0516c2a8e3a19b059c23fcd74ba879cd49e4aaa6b765c7175a0cc84a604d19b0.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Windows\SysWOW64\Ldleel32.exe
  C:\Windows\system32\Ldleel32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\SysWOW64\Lenamdem.exe
    C:\Windows\system32\Lenamdem.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\Lpcfkm32.exe
      C:\Windows\system32\Lpcfkm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
      - C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3264
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        29⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        36⤵
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        38⤵
        Executes dropped EXE
        
        PID:4768
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4304
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:368
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        41⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4092
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3768
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:512
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        71⤵
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        74⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        75⤵
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        84⤵
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        87⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        88⤵
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        90⤵
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        92⤵
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        97⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        100⤵
        Drops file in System32 directory
        
        PID:904
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4216
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2836
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        105⤵
        
        PID:100
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3660
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        114⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        122⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        124⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 396
        125⤵
        Program crash
        
        PID:5704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5620 -ip 5620
1⤵
PID:5680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
96KB

MD5
7ea43eaccc008e7c12cf83617f4e127e

SHA1
8a2f433928fc1165aa5f197492f120851a36eb01

SHA256
d81b673fbba7205d36e32ef65d26844cba0523b23379de6875463d090321fc48

SHA512
01fcf083069943438cca6f3e22477c40a03529a66d49925ce37af06f46fbd47208e7c6e2b42ae9d6dcb8234c88ee54be1503bf4746b72b01ef1b2d1f06948512

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
96KB

MD5
aa5cc71d5da71762385004dfa2003230

SHA1
5114225ad79cfa3709eca1ccb6d989527a296f9c

SHA256
70f86555bf722e7169c88edf32a9abb5296614e3580c31dcad172b182e9877b0

SHA512
9083d58a4c53ec3e11d1c6a2d5eb8f668b6d045feacff1e3a397a9ec91d18d635f9ae97f321d3cc5509e8c085631f7afbc695eda1904aaf016470b0f9e19d25c

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
96KB

MD5
a304c4aa17f881f4a4bb48c25bb3a65d

SHA1
71a564ec6faa8de3cbff66ce24d866d4f769bfc5

SHA256
b81e5e3fb2340484374b29b474fb7e56e4003018f4373e4e69db1cc45a548d62

SHA512
d4f98e51cb3de019ee3db0ee6b51c45fb4b54eb543b87f8a2e89db252d07689fdaa34f29ebfabf76bf779540f060ee2c1387bc4dc2a7627411ab853147bd21b1

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
96KB

MD5
7ddee090332f3bf45780ee0cafe9842f

SHA1
1f1f209dd17bb647828bdea1a21e1383df9280d1

SHA256
e0bdbb9fdc2626d610601bdb2599202ffd893bd23fe4fc3dec36eaf25a1fe920

SHA512
a4be084b4e1af0cead7cf08ca70692b97ec6cfb1687f9380421d623bf0a0364ef1132028a15ef516098ed0594c2b09ee7207d67d547f79e11a01d01bda70a70d

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
96KB

MD5
a9d0efd80311c72e9a06b58e47118828

SHA1
7ab781404f7fb2950368c9c7e68e35964286216a

SHA256
351ce77072875768dd2039bfc290e26db4ef064fb1ca0fd1f327175402a68877

SHA512
ad66e2ba9fb6e07621c124fdbe15affbd363d9b22a2ec3d298fca5a4142481c7ab9eaaac7d24b68763b2e45259a622a2851cab8821aae689b3814055144231f5

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
96KB

MD5
4e9a20d1f31cc1362448d90ba3ea25ad

SHA1
8ee98f1d14fc91d2d88731ef3a8d4a5719425fce

SHA256
534ec624a172143413fa05ed76bc1f26ae3b77b5bd9c012a653149c17675b7ea

SHA512
1d2943bbba9890cf6dd1c29698572ce07b54a0c9b7f24d9b363f813b8edfc4c7e2d184b2dc40751d6206a5d5a787e267ea18778fd9ef1084edcabb95e44c7cba

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
96KB

MD5
adf9da02afe1da6c2bd05bd9d124385e

SHA1
8b06a43c2d352ff487cec2ea632aaa0213c07f29

SHA256
fb852a57cf197d5a7cac29088c336f1e060adf99a397a1be68b06ebd2b6449c7

SHA512
0def2a9dbf2a1520d6f50a0e4bd70f3af8df6ea858880f713ef56e088dd98a3fa47b2cd437d855044d7df7939dd5181e3dba3fc23bec8509c35e91ce74dc2a7c

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
96KB

MD5
17fc0f6f6015d51cbac5a54b0bec72dd

SHA1
0bed5f6cb924d2a9df462ff87a7dc94c747d28c4

SHA256
f92b4e243ecc0ae90fdeff8868391b0ff87bf7118919b2be12cafcd9943a4a5d

SHA512
ec92a702c0515e37bcb35125dfab560a77046428200ab18d38c1f8f3cbff258e784a9218e7039e223349bf95c8a3fefa74bce00f5a879bc2c6dd040e4e4935ee

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
96KB

MD5
dc9bcab94b29b1ab73d73fd7da977441

SHA1
a927805029a53ca5b333f56e3f97ee4b67ab8128

SHA256
43241f33f275ab4bbb12587432d18321ccd1eb52666a1ab4fe841af1658c6f15

SHA512
d8a8ce456eb4e13b4404c5dfb76a3ec152491e42c6e5a77ebac22576b7ba708909288ed4e9f082954807e50ca4db29afca60adc0c7cd4862f9fe11d653fe6b08

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
96KB

MD5
3725130e955ba839a5028d194b54a949

SHA1
f35e97a6228a6b465c116d9547c51aad9a4a230b

SHA256
c9ce7c7c992cc26ce7b09fd64273ad8cae06db99f2404824d280bd14908775b8

SHA512
970829a958265cdfff438f069793b00599ec2c7ec94a4d7b1fc71582e7f51ebae8fcf8c1792ef5fd492662d911ec9d62f50cb929b43cc9933cd921fce1ac1775

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
96KB

MD5
d86f95df277833cc5ed2543932b0872f

SHA1
5f105c31f3ea103df9443b71f0799b899cad25a0

SHA256
675cdcfb51d6980b75ca168f0a376c3aeb1148c4af82f725a9a36005c7fe6b6b

SHA512
5c3334997a3b1f6e640db5d5c7b94a9f5f8c78b51fd2ea2898e3b51e34917d93242d8fa30df6cf1f0336134275fe9f5a89dad0e74c4900ac1496ef7ad16042ee

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
96KB

MD5
39cc50dc7ba10ae43ca13578021d2a3c

SHA1
33cd70cd47c97963f03a5665733e593a63713848

SHA256
f6a241dd95f0553844b7ba308e8d18702d6d7fdb29bf03dcfcda9ba6e6eacd7a

SHA512
6d6080eff5f63d28a7677c33ba67c9391d03a5b05efc7f33ebfd0f257b6aa47d0e0183cca568b4bd80a82ede9b8debeab964289687db6d6782b27e9932d98d56

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
96KB

MD5
98a2536c6cee3c421dfb20c815d6daaa

SHA1
90032a82819297e096a26d804f130f7149901d03

SHA256
1d9b3f06da2346dfc6313b72e2c977a7699b60692ee9d1da08e51edebf3274dd

SHA512
380cfeb27e62cb51f4220259dc64e9b99d9e6c5f65fe2a50f2ec2d68ade0559727a00122efb085543c585423358b9588214ee0315c0b0d8e3204da560b7bb780

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
96KB

MD5
dc57eca7914e98fed86c7d7f95ecfca8

SHA1
355f069173edc6342f7f4f648c0b67569758c725

SHA256
b143c5fd3c498a348595fcddf4b897d617f6021d355cbf0b52a6078c95e19305

SHA512
b8da01d56157553728bd15067312c33f7287cc569f8eea799050ee4c084e99eca0c638817dc11a8e40d0307cece718635826a7d02bc182fde8367e7e12c0b81c

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
96KB

MD5
b1f69ad5a30cabd2161e311f0f719a8e

SHA1
c7a13f4f9d9454a6392e3213ef687b937f0fbb47

SHA256
652156f57b61bf972dfef08469786bd79e743ff3889414359fa006a93df0fc30

SHA512
727e0e1908747345553d6b2f948b2b1a15db901ab410761f23ba9ccd13cf38610454e5e21be7341ba9e76bf5e6929d530b79632260c968c55b33231345bbe014

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
96KB

MD5
9032d841790e92e9742a4bebd28f8644

SHA1
36c1ed45455b5e1ea8230b1292211d296e2b586b

SHA256
9a00244b38ecb4f63b9de4a7a439569e83203b62c775bc4c31715ad4ba9d6617

SHA512
50aa13cf5f513527755f4d0e8f0d78e6a6120a7df2f4615aa78d969e40fbf49ba5f70fadd59460185d036c9978ea7d8fe3d713929727c1403e5f4fda1d7bca44

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
96KB

MD5
ff2bafc749ca1775b51a1b602f3ad670

SHA1
e95f0aaf3d66504ca291286b777cdd9784146c12

SHA256
15a73b312515a624d33c736f2d9834c0cfdaf23cff1e8d3e3d7b1b5698a50b0c

SHA512
cbb3ee78c18c27c51418b7047397d0fb194a759f3671263bef4e8bcb8f799852ff87d52b852691c656474fc8de4d19c20b2da1ca0484a3ce50a1fa4aba9c1cde

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
96KB

MD5
3adb559d530df418c1e5e564f34be5a7

SHA1
482383333d87fa6722663055d7c73869a9e228f1

SHA256
de564804efdef58dec81c430284c822e289f8aabf0b79a4174d2a77130f44e28

SHA512
961d1bd8b1df029bc0765d32eda5c1696fe7220938f1e957df9ac59d973562112812f0992ffc8350b315cf856816c9d67594c2d1b0ac949b96afefe6a1bc98c0

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
96KB

MD5
085cd1c0c1b321c78088d4143cb2a85e

SHA1
f60738c6492efb907a528aac55529ff10263f4cd

SHA256
8f66119f53572cf03f346bb500b26e4e8cdcebb3b252b6b016bf1a56ddda545a

SHA512
24a80715e500b81dc8e6b5580915bc58712f5610193acb20a636c73245610fc882d4ce32633fd37a54f0691ff9670e68559b8dc53bc51904e1552aa86a9a359a

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
96KB

MD5
392ed1a1d97f65bcecc3d46ca001cf5c

SHA1
e9a99062bf868b540cdaefd5eb01b7212b1d658b

SHA256
e0d41b738ed3b12e12fd1479d18e5eb9998f7e6ddc307b791b0d995ebbf9411c

SHA512
9d29c13b93128f4a4a9a7129b854f39715febd740f62c577adda75d3a0ea0aa8a3eca201ce771898560e5a329b3c3801e69ea115429ffa0c6454c7b06e008b48

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
96KB

MD5
7a243239556143618609e4c1dd7f5bfd

SHA1
e1736fd1ed447f63982cf85f398b6b933d43a10f

SHA256
38f2cdc4ce54521895ea7285407dd6a02b0670275f4bb3082cb5e0d6b28ebc69

SHA512
ac87889d0abccefcf241e8828b88e61c88dd14ca3a57323f49fbb6264bfc96350b4ff98dadf79af5506cacbdab790557294d294a67f822b866d212a47ecc40d9

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
96KB

MD5
202c578a851e2dfd947cd5c6ef079ece

SHA1
454994d7aee55f6b806f461c35b7c890c5ab1bdb

SHA256
b2df32bdc76096e9a7c548290809543f2f87107e2f71a14efe081c7dad5167c5

SHA512
d5c96fe2b924ad651827d982d2351e952b518761311125ac391cecd0cde36e85b9db60ceb1a1798dce46e177bbe62773f4fe738507dc051a36815c9d960143ae

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
96KB

MD5
effe74408c38cd0766c3569947ae10c3

SHA1
fad3b3413e29a81cae12603542071cbb4cecc39b

SHA256
1ac8967077c76e68d711687a7c9d94ca1b3a80f533fc40e205eca6a6387d8526

SHA512
ae3375e0b031e25b3ff7e5c397952668614ea5be5cd51fc0ecc5d4982d404526f88d063cf1652ddde988ea8ae050282c979d300e2e34db9605d077d9ab3b2a0f

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
96KB

MD5
524301ba21bb2feccc6e026d16e7a445

SHA1
9e44ee0d9f5c827ec5a7e5a85c24adeea59a10a6

SHA256
db6c09fe141ea17bf65189a4cc2597d80fcd335d72933902faa5c07b44cdb628

SHA512
7d4c9b9e0152373cc6078e48692fd289ce2552aab12aa97cce3715dcb8ef16b38e8d357d57c6afe8a9d6fde1d4d347ddeeb6b22a5e9065e56c1757a53e70b308

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
96KB

MD5
969249abcbdee14f20c7c161331718de

SHA1
01ad9054744fbf9e3f9126e589dae56fcaa61c4d

SHA256
5ef1e3cdfc536b9c1c0b684848b3cd4db60776bde7a32ebc8f7122968707f759

SHA512
d16a1a8a6a3ea4bfe06d1f03a7606de09de889e7b727c4c3a510752a07fb77fb84b105936dbb6aeab1c007344f154f40ea81af97a36726487d8b03cfc7f75569

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
96KB

MD5
a2c9a607f3197e790a1a071deeadcb8a

SHA1
3de3b098d2cbf638ad6a41f3f6c33b32be9ef896

SHA256
db8a3cd2d6b4d60e66a22635f6c0d0712f0a9b1009d285f700873b0994cbc590

SHA512
a6b2686a91a4a5796cee2c334d5187b1fbb8c8e1bcaf49b5865c89373d841cb51126fbcea0f90fff63413d74894b17d1c363a7ab6b72fdb1dc90d356f059e851

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
96KB

MD5
3c17000a4d5ad4caa34ac67f655890fb

SHA1
9a4e3e9335a54b20eff3a43800c7b7bb4c672749

SHA256
83a77161c2c396920a3cd9dc92d95503ac8a05292c1caef939a1a28bc3d1e82a

SHA512
9467b9d1786d101a910d2ca18731fb7e03e99e32b2c0b20e3ec60267a64d92d002d69c6e6b11d9a55ff5ed7a166fb48cfcad90e002f0f7a9b61ce0d572f3ce9d

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
96KB

MD5
f17df3c2ce4a92c335d50b7952d7ab30

SHA1
f60a92aa19f6c4ee76f6956c98ea805671cc01c5

SHA256
7177dee3f2f0eb8daa7227c24878ced75ab9d226098fc32e9c7353ea6cd15ae2

SHA512
2142debfae408dca31597509f3b97e55065bd2cfa08c4815f253b2d9657e6a0a793511dd8943b667afe6e3172c241620965451e7846c5f3f2f800b2b4761eed4

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
96KB

MD5
d560aa4a8431ae8077a268360cea514f

SHA1
d70a2b97e03cd8dda401a271a6449c601f68e4e0

SHA256
ec1603540190e81ce375213e531288f35bcb4af6117e1c93718a96ce530a012c

SHA512
8a61204bcb9569c9d033b30f5a9abfcd302aa6c4dd0b5738b2022a477c230063a082571bd44c06d928ab2de9bdbeeeaa406b43b70146df28f637e0443f2783a2

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
96KB

MD5
1aeef921bc6dbf48ebcbfa5a2bc2a097

SHA1
8a432f89243179abe40380dd2fe4c6514753f827

SHA256
ed49764cfe3ec972879d26efa74ee1eb9edaed9b5b194249e74c40de7ee893f7

SHA512
2e9ceca38c15e3d0780b3285678b180a754faf1001d2010f6b382e0fe89016e52e4e647883c43762cdcf3f2e001910725b270d9ebb7561314651cb2aa2c0eb12

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
96KB

MD5
72d8439865e5db8b6f9a05b9cc17b9c5

SHA1
60603a3ba1105575f05740d18d7804afa1d6ca11

SHA256
04d5468f53733e96a828de02466e7d12de50ce316ac7f2c3d5f843c93b8318f2

SHA512
9cfb940ac6da204653b5dd5c214aa7adcd60eb635f3a5613d8421a54de9cf4dbdd0d31ece37fe00d4076cda6a0167d7e9ef2182aa2b0fc617288d435273e0068

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
96KB

MD5
28a26b82bc737b40a77cae1d76769767

SHA1
94170004ec3a772adbcc391edc906c1a12b2d797

SHA256
ea579f9ad70387d6bba26febef42033e61ec0261cc028b6c8ada64879a941c3c

SHA512
aa185f631445969ce2e68dc9a84c262f99b81f6d3747fa7d59f1408ae7986c8cc3853db32c21dd5c5e17b1134a976a03ab5fc3354d79f9492453826db3299813

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
96KB

MD5
c840a3b60342754c57b2f5727deb76ce

SHA1
8fa27f35315a31664e46fd040790d8748cd379af

SHA256
378ccc20f50e9f72d4467072b3b2d892c423f0822d29504c8534e64602a2a5f6

SHA512
c15280dfb118ce0442efe6bd6cd16ca2e1de969794f47efc8f8aedcf4a0887c068194f8fb25bdbac030f8b508ac9418f6cfb0d01804f3dfcf5a3e11e29e3fc31

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
96KB

MD5
dbefed867382bea8ef84e16710ebc86b

SHA1
51cf97f838a9fafc82b7c192987437a60091df41

SHA256
2d55ee5adb76c7a9d29c09e30819459e2ceec8cb4544ff642bf7382609ab937d

SHA512
519265185e58c2a42bbe9dcc73f336ddef0125b8804c5223e00cc581d87e10a7b7006dfec909e48b2b6f427320c291059234a55b8159a4580b9a7d2a2692bea8

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
96KB

MD5
f7fba3849ea8e2d6532ea0e88f07ab74

SHA1
885de5dacf4edc607951e659366851076eeff86f

SHA256
52661af2be0c946e90bd1906ff846c31efe2b9b52f8e0824ec1832346b842402

SHA512
9345b91826f652a46929bdce6dc6d8d63c723a4c5b0f6d637a8a66669f911d4986eecca9a869173adcc8d57794c2915d3a96fc75922497e9909e6c1eddd196ff

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
96KB

MD5
96784ab06310e11781c132096f2d2084

SHA1
7ba906bc79122e72ed9edcca7ff2a6cdafc21325

SHA256
3127e6773510adc4290c73503e01d171033d4e24fd2664460e43a8bdc8ec3cf8

SHA512
f5fae219372b77b468cae6415ac06ad78bd1f84da61b9524c0337b303a7f4e5bd49baa16edad115fede84fe94ef64697c1fefb9e49f0d6961ad73fff0b93f911

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
96KB

MD5
b2534c2309c2cc7776ce72b305995a23

SHA1
6e09b433e1a35362a9505e9ffcd5f6f10434e38f

SHA256
98e5ff0e1d14203c1e1d579ddbf140ca75cafabd7c29d1db4efa415535ec07e9

SHA512
88aeb6406fbeec9656e956395f14ccd84cab8f24837e112cc1a24f97badcbc4d1ef51385619be34b361ad60e64f18fa5e0463883ae2e8c495779cd66c41d0c31

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
96KB

MD5
907e07273f96bfd9d6e3b5416cd25772

SHA1
d4126fb701be4c944df5fca3f9cbfcaefe43fc81

SHA256
71a87dc58b594c0b8ddfcc34bc0d1e71bd634c45cbe1929929b117d3e8243d97

SHA512
90ee9d1a3807a8d7b8df5125df055e218a2fc6be59d1f92ab5b1fceaf51d01fee7aecf46361cdc53b54af365b862aa9d48cefe26529d0393577df7844591c021

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
96KB

MD5
ea81972d2de3edebd86608dcb314cbe6

SHA1
b4c0293c2f4f1cfdad54d0e486d075177c7159df

SHA256
e613648df330fa3fe55d3594c91fef304a84b551a1d467947fa8bb3112482792

SHA512
477f69affb0267f87f3871e660b8fa97a0a417382d47a01ca3cfb57df860133a25c6b035e8b26fe938b3f84a3977938a3b2e9fd4e8ce262031fdcd4cbf9cc92f

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
96KB

MD5
e9a44069e34f64cd6245add964fba6ad

SHA1
241f431a0700708602618d3efe61cc8db3d5f056

SHA256
4904684e964d34b3ec1e6a81238dcafe1f8163d2dcd2f19064235370d3dcb43f

SHA512
9c005cd4aadb0a99f3c5224269004d8b6d4a3a15498054a9065f606ffdbc30631ac015a6ef661b3d61b4627a7afe4856cf969420eeaa9d4965bc5a2bfb711001

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
96KB

MD5
aead210fd84f535da9c15b74825573aa

SHA1
10a54faa29e76f66c92a4520266654ee2a7fb4a6

SHA256
64e908e5f420d81e0805d4aace3582265bd2c0d859539ca973182a8eb01275c5

SHA512
148ea6060a0fc9822229c7a435d41e6a00bfb7e1e5e72485f42264844cfafbe1c35d156dfa4fa7917201a9955abd3dd375e1b624f0502e958c26fce0b9551dca

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
96KB

MD5
744e433e7c89b3fc5153047c6e0430d1

SHA1
d184e61d3773c40186b02f5ec3005a45e5f3cc4b

SHA256
8abca2d67e33a4f88d015cfb602b1634901c9f4962243786d70f241c29fb3bb9

SHA512
30a89843ce7c2270983db218fe74b0664cd754197b9268ca91e7c402b1387b45ea40ce7a2058a0e880bac4eddf5402f2877248285fafb5e215295cfd27765440

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
96KB

MD5
a1ca074e4ade439d50e0b42dfc9b3b41

SHA1
58213bb8c6bd257f05022581654521a05016cb75

SHA256
5dfd07bfb633d3e470bdaa5a3436fba4032c6bf9cd39bd9749409d808deb4d1e

SHA512
3f7255fa2234c8cf5fcc982f2e81284b62a8dbfc954846551c800a47a984d59ef953cc133876d0da5d97e812593038a32f013cf9f9b8b2c088037f3bbe4d7199

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
96KB

MD5
e83b391ece9aeedf8ede0ca9f5268fe2

SHA1
e611068c94ca943ece1552aed65258f52965863b

SHA256
eb3a8bbcb9ce22510468af5eecb3e407c16f7e9fb0943f5645342082cd9a6449

SHA512
205535b66a3ec9b2d45ea24f136db369440c3534e9c60c97499600b49fe25f22a14a3874a601f6200c9512783e6699e387ddfb14d1fd9c58e9479f4c2616434e

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
96KB

MD5
d82bab07e11252b217ec7c75a3330eb8

SHA1
b174fadcbbfb8f32085485a7d60d4f3fe5d39f03

SHA256
8e3c08c4da1fcaf9dbb895ec735a0428b0029c4829c3a86359f76e63e54ee1e0

SHA512
e96f4dbcbefb471bce3ab4a29ba370333c4f58df32be4de4e0ce8e662f42f4c32e93c174e65939c8f0b7e38c26f289f67a0408b3555cbcf48d5bcb9b8bb72508

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
96KB

MD5
8a06b97742081c7f5d4e27bab6245ca7

SHA1
a79ddda2e4273f95ebabc870e233eb3813e16978

SHA256
bca6faa7b2ce45359aa8855fea645052194e766bb050dec407c240c2c72fc76e

SHA512
bbd302ade87964e64498c9001f309547f555781da07cf83772768b32403ccdd548518e50a6859b58537ae5b7f72f16d937fc287066665783a72807b4d00f8c1b

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
96KB

MD5
efbc30c7279c5b48ab01b8f8e69de824

SHA1
445b9b0243b9a6bfe28d69724357edea3185f55d

SHA256
908035b45c99f52c167128c29072b59a9508478254092a394ff94ac8487690f0

SHA512
6ab5e48858dae1492fce6d39e45f4630052d8cb91408dc67347b04b6eb2744b62b904f9ff65c9b3c9de11700ae5da559b9e85c3880a76152e7cdd7564bdba6b9

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
96KB

MD5
1575489cbc4b4f0458d31dec830503a6

SHA1
9275d8a41839fa8ddce81f78696e1b324e2efaa7

SHA256
17131c22c67b783bd15c74047cf020da798f8dea458d268709ccb8dccb81d651

SHA512
093bc92fd457c7853c6856be73a386763ec9151d9418dacd42ae5dfaa66a8a69ded4ad4c417afa8d850eae1e6e7efe7bcd3bf74d98fedc1b9ead8ed0db91f82a

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
96KB

MD5
7baf46fe7e9be76897c85caebb1b1202

SHA1
757cc31a5bf836eb802b92f86817d49592b452d9

SHA256
307f091a4f9d4bc9e8cec29b54af05e112fc24e9269e5a93894e74bd734141bb

SHA512
a7e2f8c9702090f4e60a3c71f3ac6480153725845cc81f748969dca2fc088f05ea9d7ce485e6b5726f7ef2b676c112b6e8582a80aa592b7b4017cc87644f6b03

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
96KB

MD5
e1805d7d64d7653f7561f618f5ac771e

SHA1
d5289706af25412bb3e7d98a106a57cc0ebef6ee

SHA256
b7284799561523c2fa6de4cd37a46e0b981448fc6ef5d0c17c353295a442acaa

SHA512
bd4f46776284399737dd36828418fef1ce67e8236dd1ab00a1bd29209d0d813218ac0e45eb7eeb970d195cbddf66700eee2ab4fd62024e5d39188a94674e7851

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
96KB

MD5
a3278f94224c4355585ac893a5f72e02

SHA1
2047d23ec4c2a99873a3060d4f2932d9ba14172b

SHA256
324cc8ccb3e60774c11cce1e01e412da9125154518ded8566816e935028269a8

SHA512
d2971bd769385fe7be7b49391078e548bdde03f7a89cf11d6499439348a6bbc5d61aea9b299e5195bc8ba0f7a1547451282ba0563f8888414e3ba77682baa6f0

Download Submit
memory/368-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/832-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-879-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-940-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3852-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5308-862-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5352-861-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads