berbew | 8493719cb9a754a006dea1c685d05d432433cd275db4731bfcbeb2913237e190

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8493719cb9a754a006dea1c685d05d432433cd275db4731bfcbeb2913237e190N.exe
Size

96KB
MD5

4510d962b0b1c6a67714847c1792e3a0
SHA1

6e4cc6482523c6f234da28203f184e7bf601878a
SHA256

8493719cb9a754a006dea1c685d05d432433cd275db4731bfcbeb2913237e190
SHA512

ad1c07f28f220350fa8da30b00daed4ce1276b6012dfb410b0ed1ce71d29e091542a846603d824b9723502c57b1a4edad992742d6d3d7311ee4b86656f9c96d2
SSDEEP

1536:8wtu/DVOJy+Xqaj8OYySh2LyZS/FCb4noaJSNzJO/:/tUDVOU+n/YyXyZSs4noakXO/

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8493719cb9a754a006dea1c685d05d432433cd275db4731bfcbeb2913237e190N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2976	Lfkaag32.exe
2252	Liimncmf.exe
4960	Lpcfkm32.exe
1124	Lgmngglp.exe
2132	Lmgfda32.exe
3484	Lpebpm32.exe
3884	Lgokmgjm.exe
3116	Lingibiq.exe
1464	Lllcen32.exe
4616	Mdckfk32.exe
1648	Medgncoe.exe
1076	Mipcob32.exe
1584	Mlopkm32.exe
5048	Mdehlk32.exe
2800	Mgddhf32.exe
2428	Mmnldp32.exe
2168	Mplhql32.exe
796	Mdhdajea.exe
5012	Miemjaci.exe
2960	Mlcifmbl.exe
648	Mdjagjco.exe
2756	Melnob32.exe
1924	Mlefklpj.exe
3856	Mcpnhfhf.exe
3316	Miifeq32.exe
3460	Mlhbal32.exe
4648	Ncbknfed.exe
4976	Nilcjp32.exe
4696	Nljofl32.exe
4816	Ndaggimg.exe
2460	Ncdgcf32.exe
3932	Njnpppkn.exe
4048	Nlmllkja.exe
4412	Ndcdmikd.exe
1244	Ncfdie32.exe
4992	Njqmepik.exe
4920	Nloiakho.exe
1164	Ncianepl.exe
1240	Njciko32.exe
4880	Nnneknob.exe
968	Npmagine.exe
3492	Nckndeni.exe
4928	Nggjdc32.exe
3324	Olcbmj32.exe
1944	Odkjng32.exe
2760	Oflgep32.exe
3600	Oncofm32.exe
1960	Opakbi32.exe
4576	Ocpgod32.exe
3092	Ojjolnaq.exe
4924	Odocigqg.exe
2900	Ofqpqo32.exe
1800	Onhhamgg.exe
2336	Ocdqjceo.exe
4052	Ogbipa32.exe
4284	Pnlaml32.exe
1844	Pjcbbmif.exe
2536	Pmannhhj.exe
1236	Pggbkagp.exe
4672	Pnakhkol.exe
2968	Pqpgdfnp.exe
4392	Pcncpbmd.exe
744	Pjhlml32.exe
2984	Pdmpje32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Jjhijoaa.dll	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Nlmllkja.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Mplhql32.exe	Mmnldp32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Nilcjp32.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Lafdhogo.dll	Miifeq32.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Oolpjdob.dll	Lfkaag32.exe
File opened for modification	C:\Windows\SysWOW64\Lmgfda32.exe	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Miemjaci.exe	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Kiljkifg.dll	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Lgokmgjm.exe	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Medgncoe.exe	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Ikkokgea.dll	Lllcen32.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Njqmepik.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Lingibiq.exe	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Ndaggimg.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cnicfe32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6088	5904	WerFault.exe	222

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oolpjdob.dll"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miemjaci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonefj32.dll"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfcej32.dll"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagcnd32.dll"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8493719cb9a754a006dea1c685d05d432433cd275db4731bfcbeb2913237e190N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8493719cb9a754a006dea1c685d05d432433cd275db4731bfcbeb2913237e190N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkhmbin.dll"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2976	1644	8493719cb9a754a006dea1c685d05d432433cd275db4731bfcbeb2913237e190N.exe	83
PID 1644 wrote to memory of 2976	1644	8493719cb9a754a006dea1c685d05d432433cd275db4731bfcbeb2913237e190N.exe	83
PID 1644 wrote to memory of 2976	1644	8493719cb9a754a006dea1c685d05d432433cd275db4731bfcbeb2913237e190N.exe	83
PID 2976 wrote to memory of 2252	2976	Lfkaag32.exe	84
PID 2976 wrote to memory of 2252	2976	Lfkaag32.exe	84
PID 2976 wrote to memory of 2252	2976	Lfkaag32.exe	84
PID 2252 wrote to memory of 4960	2252	Liimncmf.exe	85
PID 2252 wrote to memory of 4960	2252	Liimncmf.exe	85
PID 2252 wrote to memory of 4960	2252	Liimncmf.exe	85
PID 4960 wrote to memory of 1124	4960	Lpcfkm32.exe	86
PID 4960 wrote to memory of 1124	4960	Lpcfkm32.exe	86
PID 4960 wrote to memory of 1124	4960	Lpcfkm32.exe	86
PID 1124 wrote to memory of 2132	1124	Lgmngglp.exe	87
PID 1124 wrote to memory of 2132	1124	Lgmngglp.exe	87
PID 1124 wrote to memory of 2132	1124	Lgmngglp.exe	87
PID 2132 wrote to memory of 3484	2132	Lmgfda32.exe	88
PID 2132 wrote to memory of 3484	2132	Lmgfda32.exe	88
PID 2132 wrote to memory of 3484	2132	Lmgfda32.exe	88
PID 3484 wrote to memory of 3884	3484	Lpebpm32.exe	89
PID 3484 wrote to memory of 3884	3484	Lpebpm32.exe	89
PID 3484 wrote to memory of 3884	3484	Lpebpm32.exe	89
PID 3884 wrote to memory of 3116	3884	Lgokmgjm.exe	90
PID 3884 wrote to memory of 3116	3884	Lgokmgjm.exe	90
PID 3884 wrote to memory of 3116	3884	Lgokmgjm.exe	90
PID 3116 wrote to memory of 1464	3116	Lingibiq.exe	91
PID 3116 wrote to memory of 1464	3116	Lingibiq.exe	91
PID 3116 wrote to memory of 1464	3116	Lingibiq.exe	91
PID 1464 wrote to memory of 4616	1464	Lllcen32.exe	92
PID 1464 wrote to memory of 4616	1464	Lllcen32.exe	92
PID 1464 wrote to memory of 4616	1464	Lllcen32.exe	92
PID 4616 wrote to memory of 1648	4616	Mdckfk32.exe	93
PID 4616 wrote to memory of 1648	4616	Mdckfk32.exe	93
PID 4616 wrote to memory of 1648	4616	Mdckfk32.exe	93
PID 1648 wrote to memory of 1076	1648	Medgncoe.exe	94
PID 1648 wrote to memory of 1076	1648	Medgncoe.exe	94
PID 1648 wrote to memory of 1076	1648	Medgncoe.exe	94
PID 1076 wrote to memory of 1584	1076	Mipcob32.exe	95
PID 1076 wrote to memory of 1584	1076	Mipcob32.exe	95
PID 1076 wrote to memory of 1584	1076	Mipcob32.exe	95
PID 1584 wrote to memory of 5048	1584	Mlopkm32.exe	96
PID 1584 wrote to memory of 5048	1584	Mlopkm32.exe	96
PID 1584 wrote to memory of 5048	1584	Mlopkm32.exe	96
PID 5048 wrote to memory of 2800	5048	Mdehlk32.exe	97
PID 5048 wrote to memory of 2800	5048	Mdehlk32.exe	97
PID 5048 wrote to memory of 2800	5048	Mdehlk32.exe	97
PID 2800 wrote to memory of 2428	2800	Mgddhf32.exe	98
PID 2800 wrote to memory of 2428	2800	Mgddhf32.exe	98
PID 2800 wrote to memory of 2428	2800	Mgddhf32.exe	98
PID 2428 wrote to memory of 2168	2428	Mmnldp32.exe	99
PID 2428 wrote to memory of 2168	2428	Mmnldp32.exe	99
PID 2428 wrote to memory of 2168	2428	Mmnldp32.exe	99
PID 2168 wrote to memory of 796	2168	Mplhql32.exe	100
PID 2168 wrote to memory of 796	2168	Mplhql32.exe	100
PID 2168 wrote to memory of 796	2168	Mplhql32.exe	100
PID 796 wrote to memory of 5012	796	Mdhdajea.exe	101
PID 796 wrote to memory of 5012	796	Mdhdajea.exe	101
PID 796 wrote to memory of 5012	796	Mdhdajea.exe	101
PID 5012 wrote to memory of 2960	5012	Miemjaci.exe	102
PID 5012 wrote to memory of 2960	5012	Miemjaci.exe	102
PID 5012 wrote to memory of 2960	5012	Miemjaci.exe	102
PID 2960 wrote to memory of 648	2960	Mlcifmbl.exe	103
PID 2960 wrote to memory of 648	2960	Mlcifmbl.exe	103
PID 2960 wrote to memory of 648	2960	Mlcifmbl.exe	103
PID 648 wrote to memory of 2756	648	Mdjagjco.exe	104

C:\Users\Admin\AppData\Local\Temp\8493719cb9a754a006dea1c685d05d432433cd275db4731bfcbeb2913237e190N.exe
"C:\Users\Admin\AppData\Local\Temp\8493719cb9a754a006dea1c685d05d432433cd275db4731bfcbeb2913237e190N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\SysWOW64\Lfkaag32.exe
  C:\Windows\system32\Lfkaag32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\Liimncmf.exe
    C:\Windows\system32\Liimncmf.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\SysWOW64\Lpcfkm32.exe
      C:\Windows\system32\Lpcfkm32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1124
      - C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        24⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        27⤵
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4576
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        57⤵
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        62⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        66⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        68⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        70⤵
        Drops file in System32 directory
        
        PID:3596
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1548
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3824
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        74⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        85⤵
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        87⤵
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        88⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        89⤵
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        94⤵
        Drops file in System32 directory
        
        PID:4580
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        98⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        99⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        100⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        102⤵
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        104⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        111⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        113⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        115⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        117⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        118⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        119⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        123⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        126⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        127⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        128⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        131⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        138⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        140⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5904 -s 400
        141⤵
        Program crash
        
        PID:6088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5904 -ip 5904
1⤵
PID:5956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
96KB

MD5
fd72ad5387dda1eca2d0674642a1e98f

SHA1
132985cf7b6c9aaab16d1e6b70695d6ba92beb74

SHA256
d3b8999dbf8e353476c9521e6f92719f11916012c43d63db9d89dc602ff80230

SHA512
859dfd88d8efb6d7709bf5484aef400f3fdd1a495c56ff40d49b2db0e94369f8ab366dcfb25eec17967eaa581d54b09ecddb32cd83dbe9637a68a2ee2b972dfe

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
96KB

MD5
6c32d59782cac78562e57c10dc03b3d6

SHA1
bb509b1740966355eb7f2d521e787aebc77b4757

SHA256
6ffc73a6226c7c778c2f9740a9f1b2a4d951bbf74b876a4899912d6c63ace1b2

SHA512
97ed3d3e9093e4cd51a1c912695583f77453ec67e15121994a696617c03a4ba3edfd578c98a5273e1ec24cb166f14902c94358c4d7fcd022723caacb3a2ec034

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
96KB

MD5
19e58b420dc6af36d40576e22cea457d

SHA1
2d5e4541340b9d206a0ebbb74f89dd8080deff1f

SHA256
9630ae13da5211f73a382ce2a69035d49cb2b86d88279df03a72960183abd27e

SHA512
2a5b039fb3c2a03a774029451e1f4d6dbec87e8e6f578425023766a760f113b81a937676c7f6419de7353d0c756a99b4595cb688f3d1fdc0c248cc5988c5edd6

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
96KB

MD5
603539509c35c81b991f1268165d5559

SHA1
8525f745552785396671247134287854cc4d05db

SHA256
e19a4375cc693db3a2eb2bd09e3d0eeaf233a54c30a543237bb2e960186e7467

SHA512
3030ea581cef9228f498ede1144d937344ccf6d30039cdafa7e421c4db097323a6e561745d86c36935fcec98cedee697a22621885517f0eff5020a47867ce273

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
96KB

MD5
16c0d6b2c2df01615f5ff3595e5e30ef

SHA1
8031a67cfd7a3b54cb97aae192c4fc11e535d8e3

SHA256
37d8391d7875197468574024f93827f2b8ec3f417731eea693e55bf2910e6d35

SHA512
3b787a7e8d9baa0a4ec7514994081020e8ac08e489d8bdbbb9c4eb896bc1e3b374d9aa2d8429dcd8cacab337f05a379950f401a392a3472215aa83bdfe0c8e3b

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
96KB

MD5
3f8d408abdfe0885cecb61bb9f3ef6e1

SHA1
db75b7136bb179060ee61989f3347fa45abd3539

SHA256
6f7166e5e7706f86a727c4a7f13cad3f575a9145fd40b0c3a3ccf1842ee26d4d

SHA512
86ee99a718da2340bea7ed16506664431d6a383840dfdefba284ed204319759825317d2c7f89205d282977afc86692500eba665d2fa0db2f02ea5a8dff505043

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
96KB

MD5
6d40607e13bd2a37d63056ba6ab1fb23

SHA1
bea89ac02015846a5787502f5c1a91ea4052a2a0

SHA256
af92828403c544e6d82364732975355867dd2ff65b03373bd42db92e083f321a

SHA512
e8e6f36eba29a1c688cb0c93b7824ef5aad9cd60de0cfafc04194fa8e752ec9e69d8a04941231624bacc87c0014cdacabec3c4e5153085c97013e5470809d03f

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
96KB

MD5
46260aa5430a0de8ddcb911e2e746ad1

SHA1
a75db0803621cd2bf3b5c0d2ca9b8b86b2b1de2a

SHA256
a8f7701e38acc4ee2c17472c99de524c4483ad44f198f02586a601e2686f7bb1

SHA512
0abdff8ec6639594cd1cb835fa2e3212385e03190574f7ffe48d7308a8c2af9b80e60d8e57eb2f83343786d7fa4441d70b9ce92ced935745e85ac6d3c0d80c3f

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
96KB

MD5
ed8d46884060560dfe622c3fd481e5b6

SHA1
e931f5a7eb58cd502375fc6ba619dc12480fdac6

SHA256
177f543bbbff352cf2d07d72f7adc9a5f3559fbe83fe9d8609576f188a913b88

SHA512
af7f4ddf4d31e4a52828016f23900f2cd4a2bb76cc509f23266565d56ecb3333b53a214c76c9a27495bfd9af620e41f55be104835a1f0eb25257d7f977334c7b

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
96KB

MD5
a3d5e3672b459fc607bda920a6983011

SHA1
f2f8e26b5cfee45e50a8363c95370c72924f9afa

SHA256
94a1a86cf514057412305e1a236d93f94034ee5cd52388fc8f6599f353dc13c9

SHA512
7bb499c3c65f887ff644106dadac6dd8b15d0740ab2678d7e3fe209b81f972551649a08147f7b3e51f03a44399532300f11f34519c65490405c13ab9cf5a2b03

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
96KB

MD5
6459c5c57210c4fd9ecafe13366e9b70

SHA1
3910497a5f3420eeb3e64af7affbe9a26875029f

SHA256
b3082f2926b0c71f8ab498df36e76667a7743b0c76387fe30d4f322c939376c2

SHA512
7614cb43b46fd00042fcecaf439c0b0867157822e6ce04602e05df62d3326ddc3b814ab8fa0d7e76ed72e22721d9f0d28675af3a910d3c0e897d42e6d4f26947

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
96KB

MD5
798635478d066f6082ac51f836681107

SHA1
9407f33c47bc4d421639c736ebaebaf46522bc37

SHA256
cb14792acf8e4bf9662d5df66e16249330d0c7dc6075eaeee4e3ac415196af64

SHA512
32703ac63634ec059a75173c6d20cd39b5ea08f7fd4fe4154912ca6e18df50dbfb557a09d59dd76a654f9aab0dc7bdb2d7046155f83e24b8ed2809e1dccf284f

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
96KB

MD5
4c306f46ce9096efae99007eaec44233

SHA1
23f2596c41dc210e699bd66a5016852a6ed9b264

SHA256
e5447a5390eaff6778c614bc11bb1bb5656d8fb946511ea253e48e3907d221cf

SHA512
b6bb83e0240797eb9d2c8c45097130bb52686c78ae5e0ec510bb0bce134e39c3d88a8836673ce143257ac7448f082d7b7959702f72c3d0b320618a6a7dddbb33

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
96KB

MD5
7a5b2d589e7d872e90edb4f79359aaff

SHA1
9a5727c3993d20087d8dcde5932cbcfde30c17c0

SHA256
ee90c658bd8ce6853f5a8d66a703cab9c96fee262f277f75d5de1d59f56c4b53

SHA512
6f30299ed37bfaeea0a1fe719498f661dbb0fface820727d2ff0ad539df2247ae457b34d0f67fb4a7fbba9408bcee49146e2dac9d9193813e8ea5d3dd936f54c

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
96KB

MD5
8c97bd21475084a7def8f528485d3eaf

SHA1
0d85203ec344f5fc51acd423c7d254c0aa1a1b5b

SHA256
f5769ff0a38b7eae887d48e06b00d8c832c445fb55ecb7b905abc09d84f98048

SHA512
38b4778a65e5eea988e34c18b46b98ff826ba8016b685f8d9892318059553069945a69d8d1b055c087da86d4d2b76a28b043dbdfdc7256c3ef7cb4925f6555c0

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
96KB

MD5
f283581ffd08e483edcad6c3c8eebb7c

SHA1
0c3cbbc4d077aa759dcce6dec81f8ab71b1e8a2f

SHA256
915661a89e10fd58844d21b7beb54395be85e73e533606ed520ed7b037386ca7

SHA512
04b62280b648e12840b88d3308d4a9d963e525febd491432bdc844094fb4291a5ec4738145fe27f48879c7d386b552c3bb36a37afd9111fedeaf0222c03d4d95

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
96KB

MD5
b6079aef6ca84f9a0ab03f0ce120f267

SHA1
aa7b94e7167a46a34924f726db8e477b72a2af09

SHA256
3a6fc58dd7e224c6ae35bffc852a3032381aa47fbeeb5c964cc50995dc9137e0

SHA512
601ed54c6286702be926cd387e4c5aa356132a12343ead739996efb1e6c25f8cb378d9212c60a3c52bbf2d180b0770bb635b3c4bb2fd6421b3b9db936c12ad33

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
96KB

MD5
dbfad5baabe5c1aea34211e535f20038

SHA1
80cd605146c310ce26df39914407f43456c11fca

SHA256
56bdf424dfbefd7ca5a1ef8192ee1f63d49a89c85178db5ec4ab624cb5339818

SHA512
92b42bb21ecf460cc715e1cb69e0faedd603ad2b5b21a33cda039ec9a7a235e4315b61d810c1ca277247d40cc2089ee2d1618d14581e25b64d4e97b48a5c8e91

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
96KB

MD5
0a08a6831f6e5a3492156bb53a63528f

SHA1
449035acb1394677e85cacb80ab5690aea51a030

SHA256
95f4e9a5a9e5088304f7091ebf412a871310c12a11be88f5bdb697e16b5f7d37

SHA512
7a6521e174080932e707ef0d744459fc9e017a97ed32abfd281656af0241773216c14235c53cbea6930b6ac9eedc321ac753f2f3d2f50e7e31bf67e87e52175a

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
96KB

MD5
0014c8df16cbf10bfcb49b3369710e3c

SHA1
eddd8fa0e717c8a2979f7f966530a1e50a4ef855

SHA256
84ab993f9a28dd4046f63e78fc12a866fded0df07b345a3ab00d002377355f0b

SHA512
c992ba60836bcb560f6b3a6b927d2e9b18a9b6423336c871f57dcbe946aa5de5519125d288792bc1624fcd4e5eee369bc54ab399718cf4eb33c8f28e0f61e440

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
96KB

MD5
fc96a90b194d63919450d088e1dd33d2

SHA1
3f91f70ff10875d6e110a009db60acfc45a48644

SHA256
43eca064ae7a005699ba2260c70958ddb0620fdfcbed32424864691e3def170c

SHA512
b39d10e42850da46c03d2a2f25aa680c78f9808ec723b4bc1854cdd125a9f7dbfa08477662301d3e27484ae21319241033ccdbc29d5eeaa9c5adbd9656c2d365

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
96KB

MD5
10d961e7bbfb1c93ab09108c166fa3f8

SHA1
61d1544fd7acc9603668bf563cca01d6fa4892cb

SHA256
375ab9bde2746eed9d8b12bd894911c002ef2d155c50ed711f3981a43788b8ef

SHA512
b2efd255c37b2089943a48f07a78c77ee955416880a00a480db037132adf526ae77d4ab765aec05443f2dc96adecedeb62493794440e0b375c3b635c8505e84c

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
96KB

MD5
b61f03590034a98f9ceddfce5729760a

SHA1
f8af3401c63dad9e903052d4eda0531c44fa2319

SHA256
296244774aeaa5e209c3154eb06e7512eb33ef37e315bdea765e061bd41c78bc

SHA512
a702a5ef37b90f349c1155a84fd0d64aa072fd01de04abfeb99337738480b4b50f218396869adf696e3185f59a5c2b9dd7aab894ffa233761104fc826730e038

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
96KB

MD5
82ce2a117e1c94f9510b7182e6e36d11

SHA1
a5b4522c98b919fbdf97dd45444b129d93e0ec9c

SHA256
f881a7b16ba2bcaa9cdaa23307c3de1fbbbb27dce11e4e7b6a1e9f9807936ab9

SHA512
7b0b6ce00a62f503656e00411cfe78cc87d7d6d62b7b2767275f6cc4697048eac7a47199c13e732246e6cedd538bbe2b9a165a2dd887bba984c5f6ed8e743901

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
96KB

MD5
b02f4c75fff584892ec3c3721ea32553

SHA1
46dd3edbcdb99a728373af30add8038e1320e540

SHA256
2675b91cc5182c8e5ede841de2553ca2c301872ca20e7b13b5efb2bf25428d9f

SHA512
1baf12b36b1b65fe26f738e7e8a8c013d4867ac9f90261df3e8e7293bee28cd17ef5c1b02bcbbdb7754ea3c1182f25266f6618dca842ca2a260fc26b49205c79

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
96KB

MD5
665267be1ecd2d14a613feb90e5e17e5

SHA1
05f1eff4c51bf2d5d31db48f080128fecd0d1d04

SHA256
eb77c23005aac01e6aa4faf1a1a4967019ec9a02ec5ee9fc476232870b60c7e1

SHA512
9a49b92852a1ef0cec388a839b95f992997054a4c2df6ba243fd3eb0f0fd6e0d395c497532b40a1a6046891a125c866950137836a773b165b3837bdae6c97a94

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
96KB

MD5
69ed059305e1d75f362f941819f43005

SHA1
5e91ac51f26fa9a05318152336669b02776802f4

SHA256
a7f002a440ef5892395fb388ab5848b0ffa5db0ae635f2f90375e2153c85d7d3

SHA512
69dc03ece347f3e1a1cfa1977028c7de598f34b47db3a5c567a63dcb7815123412c181bda17cf57ccbe4d746ec70257cc5693cb7c1eba4c6c192dc0ee795bb38

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
96KB

MD5
8ee797e6a96dc1ea9a525dee0ac8e1f6

SHA1
8da8dff07d83f00421cd58a04d1f3763cbbddab4

SHA256
eed886aa62d4dc8ab6db189d1d3a59176d4ac305bfe26733022eb09b74811fee

SHA512
30032397c65037a571202a3cb01e4e9e571db78b6275e01b65eab79a4d4aa485be26941b30d1e4bfacc2f794f10d67aa67443c5ec37345bd9c9a19246892d5fc

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
96KB

MD5
4dbf78aa238d420c97fbcaa2cab61834

SHA1
75501f337b434e7780bff3cc10b542fa9ae104da

SHA256
dec980030ea1685200415afe8feeebc9476483c739d7f31d5d22e9e925344ee5

SHA512
0e3ec47b94ffe3d5272b39fa5fc5619aa798aefa5f6b6c69de2e0f74ceb1e24fed962f1a97da1b1efb35b182256b21685b024b40e80fe499e701900c789947b4

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
96KB

MD5
00a33f2f83857d6b49e7e480eef33a82

SHA1
238c859bba79fb64229191700e55da2fd73cc347

SHA256
7c97936f3534326c7856f48ddf48615b2a6e0032b79da9750cbe956672c16498

SHA512
d002cf936aa4b9897a7d62e6da2314f59a3a6800389d94fd36d8b347764488dbc20e2ec62c097fb3ff457ec9da3a33f21e61a6d0a6a0e4e95cc14d71e9974d10

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
96KB

MD5
5a2c23f2597f424f2ce15bf548956ba2

SHA1
ca527f413b46dca94be590845d19aa9d4933691e

SHA256
835ef8e377e7ddb20f3d6899fdf5ea49036236c45ac3f69090a6fab1eed8b664

SHA512
734e868a837a4be7332a986a509aa420633e2e015b1fa87a9e37c59ea4d0da7c931202839ee09456842e5e44ddae039f819a87acd4f7014978d97403c2973aac

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
96KB

MD5
6ac8079c084885afdb814fd6b62ddf59

SHA1
ff54a6f07960e46ac6ba434317ed2b40bad7f680

SHA256
b5a7c60c8f4f9fdec2bbbd31b7d8c0029cf7f0aa17098e0f73c8c153b911ea5e

SHA512
51ad4cbe7a041970c395aadba34221f168961f2762878aeadf32a6e335c2a63e967ead2e7944bfbd5590c3bf07e19b31ceafa44351bd27a6e80f63be85d4f1b7

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
96KB

MD5
6cd6589ad371878380a2c05399809cce

SHA1
169719d5ff195ffe3a6174f3ebacb7952e62a098

SHA256
5d36eed117c9c37a4c35d9724f19a080a28b8b2a6bff80680c546d22100d45b9

SHA512
d50d980e1447e1e995c6ad604bd635bacdba605e501b103faa6b8299329423315f6b127e4df7ea8420243a751f211f4fb422add24f905a2595f40cc6227ab2c0

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
96KB

MD5
33a5b6b62beed10218562308790de876

SHA1
f4e530d17d292014f1cc502d9c55ac989f228bdb

SHA256
6015a821b8f5fc61f04785a0dc5fb0b3a59e8cadaf1589f69534c4511d5f4563

SHA512
8352581b6e1f75f38d2a09156fec77924bc86af284127b546f351b6b6890f4a9072ce98e6e8f0ec6dd7107d19d860f0b122e45ce06959353f09c1cc491253565

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
96KB

MD5
1b72159a9211620e3dea94d6d501f7b6

SHA1
f2e79853c774bec6fad8f6c1619ad7284bb3c8d0

SHA256
b0f1f18182eeca70c77df7e39e67b457dbadfdbbb51272f1a362ae936c182dc8

SHA512
128d3ebd2a9f74e4250ba419969c07cbe6be8f6ed079bd73e56c372291b7c0f3df6088ef56b6773b75f5e5320187d612d3213aea157a213bd6728d01e3426cd7

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
96KB

MD5
bd86de684194cca564f1cbd19649ce45

SHA1
deb05628739f56516477a56a4bc58945d5068195

SHA256
8f6397f6998ab84fe6582f0372b97805d0c805a0317d2bffd2a34b5fa4cdddd2

SHA512
22b309437590b98900f00379ab698a4fd42beb834d42ca9a3d4d548daf87b452a25cd5d9313832344f8c950dd208a75526063ccc4b841dd268c66e9fdfda8633

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
96KB

MD5
8bc3076909eee089169b9f7d95e75c03

SHA1
6fa1095f6d1a319b3d05c7ca521be5392f5f4080

SHA256
0df6121853be9697ea5344dcc5464b5e8e24d0cf1b6a94943e13ed8c64aed006

SHA512
ba484eeae8e5fecb7743a36e99533727249e4fa08bf8e42539b1803cbe24a2006c0efc414c1fcc95d2e006d358f2267776f42b6d7865de7f7d03bb3c50004697

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
96KB

MD5
6b0436705bbcf2081bf4bc12364806fe

SHA1
7f0fe6f7af64f6bf15f21d9b63a7b6e0cad6ac71

SHA256
bc239271256e48ac6fa9dddda62d9148a342d878a5ee863caea96915b30b7bc0

SHA512
75e87e3f267937e8a88c08b9afe76af089ed6615072d3012ca5cfb1dc965136d81ab78823667189a4daf2ef615b2ec01de5131aacef25c052a2374086160ef0f

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
96KB

MD5
925cb9db2683a97700de1dfd45d8d429

SHA1
938f1626d56e5fb1778ec2730e30371a9759847e

SHA256
dd31fb60ba5c9fec8ae8e504be3cb98975e84e979e967e1c2adf948c0cf30bf4

SHA512
aa112f930d3953f1ac61a9e770c01696a5df6d13d923c53a74fa6630bb8d48a670770ec8966056fc3fdeae59a0ea3c705ed611ed75d906acabe9da3d1e211f10

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
96KB

MD5
f39dacc0aa035037ad4391ec47e059de

SHA1
6309186c2ba42406367a16f60cfabbe7b76e4cd1

SHA256
717a2f2cd0ca5369f4f29e7ec743914ed2eee1bd15a722e2e2acae736fc12d5f

SHA512
2194d13eaf72b424f82a7135a4e5d2a5a0ae1fb7c86cc401f8f9cd0283c9fab55922cba6e5ab3c6eacaa18d8bdd34d27b5828729945679677499eeb17f6e9a4e

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
96KB

MD5
c5aecf6a51e6f7163bb62694408fb37d

SHA1
f9c0ea5478b4287af8206ed9b99a84e0ee0d6d2e

SHA256
144aac09869e769906d34172773f715ce81a3c3038973bd3dbf17e68c507e61a

SHA512
e8d5be5509d2bad3b54dda2e4f0e3bcf1425313339e498f5143c938e041c87872b234d3809575d9b660066d3d64cca30c2b07ed7c58d379a0ac5a575365978ea

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
96KB

MD5
803658d28646c87c59a1921028e8f1d0

SHA1
54b35eabe1bd5ca95ab7b2cb15f69a551fdf9678

SHA256
b69bdb4976ab5f14abb15ed8394455ee27d81d41426cb2336e82def1b5ba5710

SHA512
92a4ecf3f30c36dda642eb12b3e4eeba46f36625edc3ce85706e09c4b6ca8680b9a433fc8344bd92a45473a8318bb6026ee4ee42808f2f9cb88643ce2e3031f9

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
96KB

MD5
cd0683e60c18b6f439aba355a017ed7f

SHA1
9162c9cc07464f12518d0366ebabed7db4d7cce4

SHA256
cc9945342c10b764fd2a7dc3da012e28270199e3d7c8c092e84b02a5dde1b085

SHA512
13794cb302732a0ccddc738241d9f3332b7ba91f6456ae1b2432eebb3305615cf33a88839558241911a8e2e06fbcdbe5fecda3482cc6b49db11e5b83fcb075de

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
96KB

MD5
33bc0e4da2d6597cea4cb335c8fe99cd

SHA1
a43d2ba65bb35e7eceb2cf9c3b630194a605af6a

SHA256
aaa447a20a69d8656c852c393430690eb8feabcfc5807faa1c957b69595a808d

SHA512
06fb7f0e9cec0fb03c0ec41696a7a33cc21acb0d89742d8d920c5c1b6512499fe731b5343fc82c6fe7ad44f926bedda8743bec741148883f02e6df426d8d50f8

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
96KB

MD5
499e420249b87102d94a375fcf146c31

SHA1
b58fc4c8e91fc4abc71381a8df4128fd76c6e4c3

SHA256
2539a609f4db6a1d95fa7380fa2a56f43e67b1167cc9a9702db3830c3e608b9a

SHA512
1b4c19ee97dcedab1e272cb328cacc09b7b8e926eb71595e00709de0b9cb6d895ed0c6c4c20ab3a920df2a2f93850d4b2a5ae36ff0933ec7a8164b2538d5c036

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
96KB

MD5
ef763442022d003f28fdbb015187f742

SHA1
795f6212b3e5a5d0ba7362777ea65fe09593cef8

SHA256
05d6122218fc4b57912567ffe8552857f57f3aacfc9271847326047868c275f0

SHA512
dbc3db2b8e461e1cdbf1b2ee75f90a5a89eb80f84e82bb3c87e8869188289c409823823a7a7a6d9b77a8dfcb38beb9e6e45e534e1bc2612885819df0a72adacf

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
96KB

MD5
57e641f56091bc3a742f986ebb74fcf2

SHA1
c87edc66e291047088a8423af223ae450b9cf001

SHA256
36cdba66f1585f3c12bdac860a86a07905f5f1c09c3d7a2ac2c3bf3a986f80f2

SHA512
33e61c1a5d4fde1e7d015f6b5c893a31897941f6994b1d24d606e9ace2c70f2a3031c578af15cce591bd525ca345fdd8292818be917c6178e34884a52069fb12

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
96KB

MD5
ea093436d965c96d7f54002a37855bb5

SHA1
149371b60772d8a07ea52f26ede9507543c2395a

SHA256
3c0351a2a1feb13d465e201555fbea24bedf82d44d05d3bc357ea4cb3c611ddc

SHA512
658918018d17725710e1d36e176d5e1b71486d6caa108787c16884fede7293f02366a38a033e41b8c316272e89c93e2ab5d332d872daa76d9a577de1f958b20d

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
96KB

MD5
f370c2fc362f7aef03e9a5567a810d77

SHA1
462a9114b1cbe1a74b0fdde72f0fce38c4b07290

SHA256
7fc0dbed8e4aec60c2739488082031078fb22a564ec038465b7681e01cf5cf5f

SHA512
f132288b13d2f2b6141fa36007fb24593c9f0559905ff36e0e920a303f6540392095c92759d24a53093ff0a2722c6c686155403d453aa7bafac0c58afa097b95

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
96KB

MD5
e5e5c34b8cbae72002f6ec88993b1f62

SHA1
37b5edc5510f8c639ca2d346fe007a68ada02716

SHA256
07b28af7f83371688b3df224633733428efd2e39f529a8fada03ca8ebc628082

SHA512
6d05ef85ba2283baf78ac83ce0a3755d4aa1d2a899ec42e4fb85dc590c43e26e626077075da0c0d0f09d2d1fc3397b102248ddc31c61d582cbe6c92566434d8a

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
96KB

MD5
fa271b2c44658d678db8291bcd436b7d

SHA1
0c802007c0c65df61a24c504233a30e30a2a36df

SHA256
894f604420e3cfe7e7aa6eee171d34b1776318b690c5c3e5e8afb51ed3c1640e

SHA512
335b24ba0d961659b28c20b40da9b6785187867b260d8983e52e81d47d2ef3fc910b5460186d3d33addb6ad79d679fcabe26a1b86385fb57cff399c9b5c752b8

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
96KB

MD5
de75f622caeb969e26a9fa511f3a78af

SHA1
89ae713a0ca2c1d4a5c7aad90ab558629c49ee6f

SHA256
491c5af096479d08abc6ab8d0f44121c8f4b778bd3a6bdb49aeccbb7d97b5610

SHA512
62de6a2e03e2d2469d878f0be7de8b9a3bb7eb18423dd9d33c97a4287d8a0a5e5dd2d42a12bf78f864d70cbdfa2a849492f8309ab781466cb5a0f65ff5cf4c77

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
96KB

MD5
4756a3564821f8e8a104a43c95a9516b

SHA1
2792a74b82b2451d86beda03ad515a81b28b4537

SHA256
ff3499d1fbc9050e3e8333f1620743224835ea931142cd164573c012154198cc

SHA512
8d3489cc7e58be4982225987f4368636f30028652d560e7e124e7e6307bbd1e007b3e68e6f3e3ab2e460319a76bedd3dd54d036147a4d160dcb83d3cc85bf51c

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
96KB

MD5
6432c07d18a729cc213504cb76c8616a

SHA1
0c3b88f17db9ea579868532a874dbcccbe7e3104

SHA256
2a17c737dbfee264dcc6a8b6b94aac2c5aac279141b2d4d5747cd000c85b5eed

SHA512
fc2c36a46647c163b1c1b0fc0ec7a3204336515a75f1650a9beadba6b4f73d864a8e2ab307e75b9a18f5241c5ebd17cec7db3b0da54c4d2a14fb3c7146e84122

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
96KB

MD5
ace18fe6752c3a4027514fe3931e9115

SHA1
85fb94da2bcc2c7cf5e6a3b2508a2cc7f5f75abf

SHA256
2aa6cc141a33698b1ffdac1362d1567e26e26c4c49361ae776287e4e1111805c

SHA512
cff7ac408cf12c13b157ebc502d970c2ff6a6b671f4a044e5f994e85b20ae164419fa423966e5167e1213e3eddfb0af18f45b84e69baadb119507dabc5b95a32

Download Submit
memory/464-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/648-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1644-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-1049-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4648-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads