berbew | ea38a4fae77c239d97423dcf1f213cfc98e9b8ac1c58b55600999d901358f76d

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea38a4fae77c239d97423dcf1f213cfc98e9b8ac1c58b55600999d901358f76dN.exe
Size

320KB
MD5

bffddd5ecc1681bd77205d648adadc20
SHA1

5e74553ab7282f3c34a8a9a3a77f7f3045ef0715
SHA256

ea38a4fae77c239d97423dcf1f213cfc98e9b8ac1c58b55600999d901358f76d
SHA512

496ac630a8ad98e45910e8e7b65718496921242167292bb5f3bd84ac6e8fe0c3dbc83ac12c5fa70b6d05308df57e042324a3430c89055ad5d0f043d28e00bc54
SSDEEP

3072:QX9hIki3SsUoMs+r8Y1ZOTEGEzGYJpD9r8XxrYnQg4sIgQxzjGG1wsKmOH6ipNi4:QX8kbrrYIG2GyZ6YugQdjGG1wsKm06D4

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpgfooop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbhfjljd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmppcbjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mipcob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdckfk32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4148	Jlnnmb32.exe
4168	Jbhfjljd.exe
1552	Jfeopj32.exe
2164	Jmpgldhg.exe
1588	Jmbdbd32.exe
1584	Kemhff32.exe
2944	Klgqcqkl.exe
1084	Kpeiioac.exe
4956	Kebbafoj.exe
1516	Kpgfooop.exe
1076	Kfankifm.exe
3840	Kmkfhc32.exe
5012	Kdeoemeg.exe
768	Kfckahdj.exe
3900	Kibgmdcn.exe
652	Klqcioba.exe
4792	Kdgljmcd.exe
3996	Lffhfh32.exe
4904	Leihbeib.exe
2908	Lmppcbjd.exe
4172	Lpnlpnih.exe
1036	Lekehdgp.exe
2620	Ligqhc32.exe
2356	Llemdo32.exe
1684	Ldleel32.exe
4296	Lboeaifi.exe
4300	Lenamdem.exe
532	Lmdina32.exe
3184	Lpcfkm32.exe
1964	Lgmngglp.exe
4788	Likjcbkc.exe
1088	Lljfpnjg.exe
1500	Lpebpm32.exe
1352	Lbdolh32.exe
3040	Lgokmgjm.exe
4352	Lingibiq.exe
1872	Lmiciaaj.exe
516	Lllcen32.exe
1628	Mdckfk32.exe
4584	Mbfkbhpa.exe
2904	Medgncoe.exe
1780	Mipcob32.exe
3524	Mmlpoqpg.exe
2868	Mpjlklok.exe
528	Mdehlk32.exe
4800	Mgddhf32.exe
628	Mibpda32.exe
2568	Mlampmdo.exe
3332	Mdhdajea.exe
1052	Mckemg32.exe
3636	Mgfqmfde.exe
3400	Miemjaci.exe
2528	Mlcifmbl.exe
3620	Mdjagjco.exe
3172	Mgimcebb.exe
3440	Migjoaaf.exe
4884	Mmbfpp32.exe
2652	Mdmnlj32.exe
4024	Mgkjhe32.exe
1336	Menjdbgj.exe
4348	Mnebeogl.exe
1740	Npcoakfp.exe
4844	Ndokbi32.exe
224	Ngmgne32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kfckahdj.exe	Kdeoemeg.exe
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Klqcioba.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Bfajji32.dll	Lboeaifi.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Aomaga32.dll	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Nckndeni.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ojhnmh32.dll	Kebbafoj.exe
File created	C:\Windows\SysWOW64\Oaeokj32.dll	Ldleel32.exe
File created	C:\Windows\SysWOW64\Iihqganf.dll	Lenamdem.exe
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Nlmllkja.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Bjjplc32.dll	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Kebbafoj.exe	Kpeiioac.exe
File created	C:\Windows\SysWOW64\Lbdolh32.exe	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Lenamdem.exe	Lboeaifi.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Bnecbhin.dll	Mipcob32.exe
File opened for modification	C:\Windows\SysWOW64\Miemjaci.exe	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Bchdhnom.dll	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Jmpgldhg.exe	Jfeopj32.exe
File opened for modification	C:\Windows\SysWOW64\Kemhff32.exe	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Aceghl32.dll	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Ncfdie32.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Codqon32.dll	Nngokoej.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Kpeiioac.exe	Klgqcqkl.exe
File opened for modification	C:\Windows\SysWOW64\Kmkfhc32.exe	Kfankifm.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	Mnebeogl.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Lbdolh32.exe	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Nepgjaeg.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Nhgaocmg.dll	Kfckahdj.exe
File created	C:\Windows\SysWOW64\Lgokmgjm.exe	Lbdolh32.exe
File opened for modification	C:\Windows\SysWOW64\Mgkjhe32.exe	Mdmnlj32.exe
File opened for modification	C:\Windows\SysWOW64\Lgokmgjm.exe	Lbdolh32.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmnlj32.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Klqcioba.exe	Kibgmdcn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4564	3680	WerFault.exe	245

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmpgldhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkfhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmppcbjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlnnmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffnijnj.dll"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmpgldhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllie32.dll"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfankifm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kemhff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmpgldhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 4148	1080	ea38a4fae77c239d97423dcf1f213cfc98e9b8ac1c58b55600999d901358f76dN.exe	83
PID 1080 wrote to memory of 4148	1080	ea38a4fae77c239d97423dcf1f213cfc98e9b8ac1c58b55600999d901358f76dN.exe	83
PID 1080 wrote to memory of 4148	1080	ea38a4fae77c239d97423dcf1f213cfc98e9b8ac1c58b55600999d901358f76dN.exe	83
PID 4148 wrote to memory of 4168	4148	Jlnnmb32.exe	84
PID 4148 wrote to memory of 4168	4148	Jlnnmb32.exe	84
PID 4148 wrote to memory of 4168	4148	Jlnnmb32.exe	84
PID 4168 wrote to memory of 1552	4168	Jbhfjljd.exe	85
PID 4168 wrote to memory of 1552	4168	Jbhfjljd.exe	85
PID 4168 wrote to memory of 1552	4168	Jbhfjljd.exe	85
PID 1552 wrote to memory of 2164	1552	Jfeopj32.exe	86
PID 1552 wrote to memory of 2164	1552	Jfeopj32.exe	86
PID 1552 wrote to memory of 2164	1552	Jfeopj32.exe	86
PID 2164 wrote to memory of 1588	2164	Jmpgldhg.exe	87
PID 2164 wrote to memory of 1588	2164	Jmpgldhg.exe	87
PID 2164 wrote to memory of 1588	2164	Jmpgldhg.exe	87
PID 1588 wrote to memory of 1584	1588	Jmbdbd32.exe	88
PID 1588 wrote to memory of 1584	1588	Jmbdbd32.exe	88
PID 1588 wrote to memory of 1584	1588	Jmbdbd32.exe	88
PID 1584 wrote to memory of 2944	1584	Kemhff32.exe	89
PID 1584 wrote to memory of 2944	1584	Kemhff32.exe	89
PID 1584 wrote to memory of 2944	1584	Kemhff32.exe	89
PID 2944 wrote to memory of 1084	2944	Klgqcqkl.exe	90
PID 2944 wrote to memory of 1084	2944	Klgqcqkl.exe	90
PID 2944 wrote to memory of 1084	2944	Klgqcqkl.exe	90
PID 1084 wrote to memory of 4956	1084	Kpeiioac.exe	91
PID 1084 wrote to memory of 4956	1084	Kpeiioac.exe	91
PID 1084 wrote to memory of 4956	1084	Kpeiioac.exe	91
PID 4956 wrote to memory of 1516	4956	Kebbafoj.exe	92
PID 4956 wrote to memory of 1516	4956	Kebbafoj.exe	92
PID 4956 wrote to memory of 1516	4956	Kebbafoj.exe	92
PID 1516 wrote to memory of 1076	1516	Kpgfooop.exe	93
PID 1516 wrote to memory of 1076	1516	Kpgfooop.exe	93
PID 1516 wrote to memory of 1076	1516	Kpgfooop.exe	93
PID 1076 wrote to memory of 3840	1076	Kfankifm.exe	94
PID 1076 wrote to memory of 3840	1076	Kfankifm.exe	94
PID 1076 wrote to memory of 3840	1076	Kfankifm.exe	94
PID 3840 wrote to memory of 5012	3840	Kmkfhc32.exe	95
PID 3840 wrote to memory of 5012	3840	Kmkfhc32.exe	95
PID 3840 wrote to memory of 5012	3840	Kmkfhc32.exe	95
PID 5012 wrote to memory of 768	5012	Kdeoemeg.exe	96
PID 5012 wrote to memory of 768	5012	Kdeoemeg.exe	96
PID 5012 wrote to memory of 768	5012	Kdeoemeg.exe	96
PID 768 wrote to memory of 3900	768	Kfckahdj.exe	97
PID 768 wrote to memory of 3900	768	Kfckahdj.exe	97
PID 768 wrote to memory of 3900	768	Kfckahdj.exe	97
PID 3900 wrote to memory of 652	3900	Kibgmdcn.exe	98
PID 3900 wrote to memory of 652	3900	Kibgmdcn.exe	98
PID 3900 wrote to memory of 652	3900	Kibgmdcn.exe	98
PID 652 wrote to memory of 4792	652	Klqcioba.exe	99
PID 652 wrote to memory of 4792	652	Klqcioba.exe	99
PID 652 wrote to memory of 4792	652	Klqcioba.exe	99
PID 4792 wrote to memory of 3996	4792	Kdgljmcd.exe	100
PID 4792 wrote to memory of 3996	4792	Kdgljmcd.exe	100
PID 4792 wrote to memory of 3996	4792	Kdgljmcd.exe	100
PID 3996 wrote to memory of 4904	3996	Lffhfh32.exe	101
PID 3996 wrote to memory of 4904	3996	Lffhfh32.exe	101
PID 3996 wrote to memory of 4904	3996	Lffhfh32.exe	101
PID 4904 wrote to memory of 2908	4904	Leihbeib.exe	102
PID 4904 wrote to memory of 2908	4904	Leihbeib.exe	102
PID 4904 wrote to memory of 2908	4904	Leihbeib.exe	102
PID 2908 wrote to memory of 4172	2908	Lmppcbjd.exe	103
PID 2908 wrote to memory of 4172	2908	Lmppcbjd.exe	103
PID 2908 wrote to memory of 4172	2908	Lmppcbjd.exe	103
PID 4172 wrote to memory of 1036	4172	Lpnlpnih.exe	104

C:\Users\Admin\AppData\Local\Temp\ea38a4fae77c239d97423dcf1f213cfc98e9b8ac1c58b55600999d901358f76dN.exe
"C:\Users\Admin\AppData\Local\Temp\ea38a4fae77c239d97423dcf1f213cfc98e9b8ac1c58b55600999d901358f76dN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\Jlnnmb32.exe
  C:\Windows\system32\Jlnnmb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\SysWOW64\Jbhfjljd.exe
    C:\Windows\system32\Jbhfjljd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - C:\Windows\SysWOW64\Jfeopj32.exe
      C:\Windows\system32\Jfeopj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1552
    - - C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
      - C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        23⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:532
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        32⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1088
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        39⤵
        Executes dropped EXE
        
        PID:516
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1780
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3524
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        50⤵
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1052
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3620
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        56⤵
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1336
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        68⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        69⤵
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        74⤵
        
        PID:556
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        75⤵
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        76⤵
        Drops file in System32 directory
        
        PID:3712
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3488
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        81⤵
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        82⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        84⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4196
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        90⤵
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5212
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        96⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        101⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        105⤵
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        107⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        108⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        110⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        111⤵
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        114⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        115⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:6088
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        122⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        124⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        125⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        130⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        131⤵
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        133⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        134⤵
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        135⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5872
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        136⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        139⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        140⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5188
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        145⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        146⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        147⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        148⤵
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        150⤵
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        154⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        157⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:6064
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        160⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        161⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        162⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        164⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 408
        165⤵
        Program crash
        
        PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3680 -ip 3680
1⤵
PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
320KB

MD5
9f2759a5e227ee454493ccf57ff19ee8

SHA1
a9ddcad6087fa1ec8b848e8085b54f5a4a63008e

SHA256
8896fa46fb26d24ef1929b002ac614338a0ea1770f7780713fa2b4d44fba65a6

SHA512
ffcd637b251ceb69ac73515b3a58579b48ce505d43e72f5549bb3a14c9dd3f8241596992c4393cb42b64625ccb23e48f070653842b293926b43ae7ab223d5459

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
320KB

MD5
116bea811f2e3863b264e1fd08d4307b

SHA1
c4c3c80edd643a852ab8f328c0e5024797249b37

SHA256
58f0104b03ed979fa88dad8ded07847e4a3b3732659c450fdea6358af824ea07

SHA512
756290b88c6db97392f7c59f4648ed96db2dd32153e90b0032183867bcbb5717b07e61ca0515e7b53f3c2b7da7e58343e01efd842013cc89ab51697d7c1c8800

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
320KB

MD5
1490c766cc6ca4456877db7e976fdb14

SHA1
3a0cd821b08d51f4438512f4ad120a410bf703d5

SHA256
7997a261bfad710fa7e64604ec579d0c91b435ab01d4406459ca4791616b964f

SHA512
ff520ab216049973c5da36f9d651629bf4af854eb36d5f70f0c6797e7ce3fb858744df62af551d14df221acb71cd5379e0064cdc751a3fe67a6b599801c32734

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
320KB

MD5
4ffbdd17da17fb718a2f2d4c66caf56c

SHA1
04b4d2c4dc691101217e90bb7dccb4707075e7f5

SHA256
13c3b986b9632bed3ce6d43029a0f8a2fefb9cd978a55bd5b9fc7e8a459bbf54

SHA512
5a29a5f3e07e7ba14a725a336c8aea20ae55f5707bb16c59c1229af83c6574d019c0ab16db683b41a00aeab8ea5391f6a7645f67f02c4f86c38c88e8cce6351f

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
320KB

MD5
5b6c259d6b696beeb371f988fa98f8e8

SHA1
747197b755bdb1617714f399159e0390e4de855a

SHA256
dfd30e9b1c4c7cefbbf19c38e2a1b268ad602c562869350a964ee4e482759170

SHA512
ca450eadfb2e25d399dbb39fc46f09c832dd6a12a750fb6d921e716310268e9f42b6d11920e4e3e0bfbcf1296a6d03eb6fd3437b3f7dd12b8b8e58e09d0d9a4d

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
320KB

MD5
1b22e34f23187412e9a52ce3f17dd071

SHA1
821ef013b28f6a40a405aa9fbd61ee4bb342a6ce

SHA256
66629d210fe261c207fb57bbad76bc38250fb63e62911ab67f3f2a490142b74b

SHA512
c022377fca8857539c16e3016c274068a2809fcbb67f4895ab5a6a60fcc779b3ea352bde86c8230f40ebf2bdc5e108e6a6fa9e93afbbd376b08add48517992c2

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
320KB

MD5
e0abc1d7eb5b9143a287f4be0c38b51c

SHA1
46e4156517ae92b7343a344316d22481d78619d4

SHA256
65c782a18119bb16eac0205331043ab8eec4875fb9a237311e0e6db3af0ba9ed

SHA512
d70fbd935f24fd220e7ab752eed4f72260588a2aa64332f6dc1c91f97ab47cd90e16e10c6abac4de5669d1692e12864a941026b98f1c90e937df9d440b24978c

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
320KB

MD5
2a11a1779170bdb646a4875b4e6a3178

SHA1
97e98f6f89e44a8bfbbb0d4d3441d92ca3d43d7e

SHA256
acaae3c07f39e6c35448279cd726f38c93d617c956497b0f117adcb1e7855f2e

SHA512
a17ce098143031ace1bd7adfafee127d04aff76fcb0a5bc2e255f028700976d2accd2f7d26120757ab9f37adc386bf6600e37b2b21a1ec2b03267ee17f14be06

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
320KB

MD5
4d368ae7c368d55dd8142090e09a7c3c

SHA1
443e42dedca541dce113453e324fb779be036a56

SHA256
a0ea4c3ae36d9d5a33ae4c560617323c3e319935db5e7ba892cad4537b030bd2

SHA512
8773ac15d32a3ede985a8855d9b657484af77f2df6b04cd655d9308fc354fe237a1c2145f12e66a4591486e0cae897e8d3a8ac731f71ef79d907750c4be88944

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
320KB

MD5
59d36865c596f5f4c4a68b6c6d07bc1c

SHA1
9a00e4ac5410ee133c94b0636c701f4271259991

SHA256
c3703cd5297606a8114f9d4f7ff39bad67f30645752e7354783df661437e30d0

SHA512
1ef56acf61ef97f046491e360c0329e6b57f59a22c045cdb21a620c2e5fe81a374f8c5785cf94efe268da476625db37a2b616b5070158a5b791338022404397d

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
320KB

MD5
f955036ca7710a231539a1d15b43b201

SHA1
e612d70a6dcf723b44f25ef123524cccb361801a

SHA256
b6c7f53c6f2792b1eb7cdd39665b6e839024401969df573ae9f333c95aa3d932

SHA512
dd87855f372ba9160394f321d1df5dda14a281ef12717dbf791789313e3a2f278dadcd37a6815cedaf840b917691e955aa92858957ba83d0244e30c49a7210bb

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
320KB

MD5
1c453c53068d5ffce7944c9cb268fe60

SHA1
bbd7d27c3318ed68dbc3d54e5bd91264e670af64

SHA256
f55513301e48af5a66ae164044e49967f9748e2d15e4af83094c7c86d9adfe16

SHA512
66c31d8411f5a0436dd2736b0c1969de56dd267ff557a54dca103306bdc76dc6150bdb4e2f4c234510009adb5fcd6d6e9afde4a57d12cf275e6f05b3363598a8

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
320KB

MD5
bf5fc6a3cf6dc01df31d9005536744b3

SHA1
c433b588fda8ed7ae7cb8ae9cd4018e55303c6d4

SHA256
5b81a7cecdc9b1d260eb551e70ce6fc45683f4139ca87820b129b76cbf6764e3

SHA512
db82b19139235336b6a658b3a11dc52c01c25cd956efefe4e1e7556cc7df7fc0e0e33746ee6d7d75839871a3463b2aca57bd622c5785be87f04d1b1fd5e2162a

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
320KB

MD5
39223e404cbc61e93d8e7123056e3459

SHA1
25b5e33e322121580d939d38953f50c0da209f0e

SHA256
a3cea41c5bcda9336f2c5f52128ee576e58127ddfe4b4afeec5ea8a430bc964b

SHA512
41a3bdb239700dde7af70c2051e910149f8b0c10b2326ab66cb55196fc8cb0f3187bd24929cda12c289457ce2e121addf6c1ed8ab4d93000589a0e6d093f550e

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
320KB

MD5
29e1fa7e5fdfc9a3f6677fe3100e1b32

SHA1
7c7ea542ad876c82305c86ddb2681a7c294ff957

SHA256
a43811f86d8cc509f6df75a715ff78c4f82b51a76f91dff4e02a3be83be6611b

SHA512
6ec661f284d99e995d664c64a56be20b32e258fb4af56cfb51de40da69ee37ba966bccb1a68c1ed6af6d6834225d57385a6a68b122ca7a33272fc9f850953211

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
320KB

MD5
1027a5b9633e05b95bf809cb5abe76b2

SHA1
d84de15674c79506e0d1679491539e707c099c35

SHA256
136777d118034b1242a9848dc1243fa9395587c8225204db43aa693a60fd9fb2

SHA512
e647bf73ade229fc708679fdc894a09effb062bfb63ce2f61a1cc607998c9de4f1e47de3e6453426d9ec48c56e4d409254066816488f8f76daffd369678cda95

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
320KB

MD5
eb4b04040520d452f99d24a418641481

SHA1
08c917caf20dbca5e6e918e0f10c0ca9a36cb044

SHA256
adbdef231e46910305c50e96b1b74bb82f63a52863d5ec6ef586b2315c3e98c5

SHA512
adc5b7146dd852f661cc1ae8b1ad150cda4c9597d1eee35f6d0d178ed324e9731ce599a31ae85dc31cb521187d0e1d5aacd8d89ea71bf9d378a27cfd3d08cd3f

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
320KB

MD5
3810714251ca2a18479fe08a49d406e8

SHA1
c3eedaffb24a2a11ba5d0971aa8eaa30f570f427

SHA256
0662425b5343b958c24c673ac0408622dd68cab848ac783666e69234a837de80

SHA512
e2adc83d3f693f9075010da835cc78e8b0a01d285bd11575a80607e52c8b96f00a49929da91f6a318bb37bb759a3772ce68d57be8abd5ef2b4554a4bf326430d

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
320KB

MD5
ed4ddcb99a19a17bb5d26ba72228e222

SHA1
afb6a870dadf791d827dc2f509351250d1397586

SHA256
74058e827244afcbdb094b3c89d2c002253ab174a75d377cb3f89f0acc56264f

SHA512
6fcd12916b66a357ecf77940c7c33253a61132eb12009c53aba0e4347226435930d1897ae766f562a4bcddd75f1fc97c1ebdce7d42a357e8293a0cf4a0a192ba

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
320KB

MD5
607d7a4d4d260d41857faa0e677425d8

SHA1
c6fb433bcffe264f6346dfb12f97b78ee316d9f2

SHA256
5b3b4b6ad29b65063cf6b113ae7cdd3aa38dee1045874ca0a12a7855c2c5c1d9

SHA512
b92ab59a87b69615efb06361a030787a04dbe9d51c8b539f258603d69942f64fe8838f33036f4e2e1aff337e653772a9ec5ce901807db1f1b586d406c7488d05

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
320KB

MD5
fe51be5b80e57212cb1021bb39c03c06

SHA1
96f39a66e24558d706fe0c002ec0dfa9a48d4c48

SHA256
47ce4c898cb7d859ce656ef672d1158c410750eda9bc0e73b498e11632f694bc

SHA512
d263c25e39d400cc5f377547c63ddae24de3c5d844bc84555f0295454ac74dc8c5eadefb221058b2149ae195b6d49f7da385404c042f9255931503d4c57b8f39

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
320KB

MD5
c6c357e2a46cef661387bbc41e0c724f

SHA1
06a298fff33d2d1513fbc6108048824a860d6271

SHA256
4c1e1b3a98604a13d56e7bbae87708a87cee9c613b6d8bf4dab2b1566216acb6

SHA512
d8920e1284a1b28f7e3a8526808458a4bd44a1d3e6043ecd40b3db86aa37520fbb4ed4562ab89a22c6d80a130037b9bc9200155bd481bf7b75a8e256828222c5

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
320KB

MD5
637a76ee4c59ef329c41094f36d1b3bc

SHA1
4ee577d767df080df338f8c8b9f05fa082b27d09

SHA256
6f5fe31f3b67d2bf5a746abe4b048c26a970c027ac85f5b13e48a0999e6be4a4

SHA512
aebba16c45a78853ee529a5a1c3fe50d75da6dc47d1c66d5ebfb22984552767273715307b3f353d62003b98b908a3b6ea53da179e42949d8ca2b86ef367a70dd

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
320KB

MD5
e8d5b36d415255f0e8f05489734c942a

SHA1
f930da9604376adc740e18913d5bad2c04a03b01

SHA256
8f571e26511c3e5752d81d678fbf4f5bc76e1e375e590ff90267be234e2f517d

SHA512
faffb1608071093475852a77eb480e4fef89292abfa306d4ba3f4b43dd46071d9de27cea18197b4dd24505c804b6f92fc25cdbc879f7e19a6d8778fc5fbf519a

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
320KB

MD5
9d0272d0c8b6335de3bfb396b8b981e5

SHA1
c3baaa30c35cd292b9161353057e84b39262648c

SHA256
37343559ec1c70e2d5b61ed6eddfd57d7554bdd1a75444adc35e959fed3cfd40

SHA512
ab0248267fc8c02094f52879d9f470ea1132c9cae29a2172c16822e33c422f20ad3b8fb84bea3e0b269bc038dc54c29d8fc318b88f690dd8ecb9c2881fd25faa

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
320KB

MD5
24c3b49f1b422e2fbfc5fa08ce81e1f0

SHA1
9d465153478a104a015d1c71ed5fad8f5c0acc40

SHA256
a31c3f230fd582dd63bb1c9b9e241c04723c2615e8f8d8b12ccd107947e6b92a

SHA512
d8d20a9011a2e00934b0116cf89d1a81c571d364fb0d88a8b9f309259186a1644907949ec7dbf4752f987d2e1fdf09d93513b71d6ce4cc5f6c9af17513bbaf14

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
320KB

MD5
0c1d6bba2b979c463d4bfd05846f3ab4

SHA1
f153b1a3555fb65f946396cecd5a1da53884d88e

SHA256
5f92102bc872ee6ac815dccce49f64bfa188964f500d795f39a9faf8ff500e0e

SHA512
d5b4912b360477c3a4dc96a0be9e90359dfca2a07e7cf9fca5b0dbb720a42a270388b7f4285f79966c19d1b0164c982d74285fa80a6263c897d77ed62dd90a79

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
320KB

MD5
6f3ae12de680f02945d68d5e773bf1ec

SHA1
39113b7d5ded1987f2630ea4ad2d129a94170794

SHA256
542cbdec13a18fee0491ddb9d5daa53c239a3c7cb5deb7ce89eeaeab5fe4f5d5

SHA512
f64db11ece377f95564510ac0af70760384c0c33ad7eb210e007ec5be2c43f5a85bc5422ba9176c7d5763907aaa1e4bceb5b0a97aadd9c8b702df63efb8575cd

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
320KB

MD5
4afd59bf2835a0e0295a6c4497aa0552

SHA1
db3c7c37f961c9fc37ff18c91d02c76c114a84d2

SHA256
56f0171283d83dda8988d61a2abd8627dcc745818d5118efe6f16867e93a91e4

SHA512
774d67052985cb41d72be08860c88a083b2209aeb3824050b7eb0a9f6a26f56885ecd3d4db18bf5817694d976b5c933b901c1670bc34e8c7ad4a68695cbc3e39

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
320KB

MD5
971fee0a76c5e48ebe108648b93aceda

SHA1
d81b2d892a9b958ed69ba2f8a1a9d191442a0f67

SHA256
e1f030089d5dd751d48f0e3ee65eac9e61838f20e16a324e8477b333c2a84f53

SHA512
3d214097f6020fc42c5e037a87a83d0d5ae62d3c149ef8598ecf4395cccc6b14604a86850ccadadda0b2a28733434fb83a79f4940d30e7602abb053567e56c00

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
320KB

MD5
b41bf38a2b37a7c23da0c716b461af4c

SHA1
64257c039892db302a2b8dad44aef5b540933cbd

SHA256
02502278497cc6830c2883eeeeefa3f3365888394babd3b1c7dee3971c80ca9b

SHA512
e163804b61717e7b3c307fd5b2e621dcacafe55bfd3df32f57515567b4e46d2a9e34e8ba8946d1a7ad8a245b3fc7740ce24c538616e5be0a82b2547215a7480e

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
320KB

MD5
626eb011ac042376333dd588b12fda91

SHA1
6df02f1d3da87b81cb88332187cca3cba9a51a62

SHA256
12cc5273bd5dc7afbe74ca07876fcb95983cca07db7fc9f931276459cfdc8a00

SHA512
9f104d68ddc0c47b18a0361f0347149afc03dc437f04221c3c3be6fdf186c0f331c27423a8e9ef72b538ead1ff74bdd6d587e7df0ee57c2bd0c77f0bbadf08c1

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
320KB

MD5
c0f4aee42a89b41776cd8ca991eb7b0d

SHA1
faa0b3e83c976c371a1b632043bad117b6063f14

SHA256
2ee5cf20f7bdc292af26c4d725f5313365b1db966ae3474470afa7c9785c5b0a

SHA512
2f45d3ae73216a2f9a545632d13bbcb2574e0f28209ac6ebf13f8e320cf342f35d5d795640dbf9400635aeebf3041824b28b4ff51f49db28d9bef2856d3056ec

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
320KB

MD5
6006b40ed6badee6852553e176f6c467

SHA1
e52676395530a1bc7979feeed3a35c063085e44b

SHA256
c4f5d75d946a5a58bcd38ab0ba778819cc3e525da5213a345a4e8beb82b58a5b

SHA512
84b7c23bb33e53a91572ccb56775e0c4705dfd940d4a71e1367c9b18c9d82a376e64cc7d0e72015db196e78b8eb3b53f7833fc8b82edb223c983df8edc0add49

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
320KB

MD5
d55c5238361c1b2855ed76c422154714

SHA1
e70bb52891e9bbbbe2b8852d1c39c11eec1e82e5

SHA256
ec958c13db09fd2eb9f256481ddd886fd055b9d1edd2355b28259216a9476d4b

SHA512
c31872b59045c2a079c1a0267bb7d2d92f3736a2ba6b43e67d235e05e9370f27ec924468131f1087eb024fa194ffde6773b3081db5f396f9af885caea8241a95

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
320KB

MD5
c6b5c6610cd75835b049e8a3e05e8bb0

SHA1
ed5d52d04e829910f93b9f4bb32cf7610113c459

SHA256
25ca55dc02d79310509b5b51e1b2098fbdeeea8c2730f3d60eec2a3b5b3100dc

SHA512
62d36df17e78f8c37241847d54bab30d103b394e5d3d80c4eebafd4b5ac7c0679219e4ca23f331cf8311af3f0b69b2348815e2d340b04e2973bb3e23bd388d7f

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
320KB

MD5
c8ec5efc64f97066337873257fcf1eba

SHA1
3152ca6923425cc04777c06f6ffbc12c3377be65

SHA256
0b9af6141f462b75afe211e89dab98cf5c01ca8052125ff20d291c4b42d6649b

SHA512
ade33af5005791709a1d378762d69ae217fe34ad565775650c3a6e892f615ac2230c43be8fcc8c28ff8374147a3616c01df34a2b58b51d959d771b4cb723eeb5

Download Submit
C:\Windows\SysWOW64\Mkoqfnpl.dll

Filesize
7KB

MD5
c69981828a2d2fc2e386a02fbb74df73

SHA1
5bd2823186e2ffcfbe255825805afc34ac8bf096

SHA256
bdb150698e41c35ebc4a7c5f7448736fd55fb5c7c2558b4abd1b0a6f6f5b3d2c

SHA512
9c65c5419b1761f9df333634799a89c2cb9d5e43fe4b2e1683f40031187ff44da2dd512569cfd8381d33bdc995e6f21b5d19f5ac69409d27124ff0b76e4754db

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
320KB

MD5
cda5459be4f46defdff59c69dbdb0b99

SHA1
ee6eac23b4cb1223a53cfdbd88a60f2637acf275

SHA256
efafe1ccd10dabfd6fce0427ad994c805186291854ef2ab98433c3edd335b1da

SHA512
b64843e55d3946e0da4bc2153fa4994e9aec2c6a71eda94f5abe9acd712a8f5e8e8e39905ce23fef6ec7b56e5b8c793b0e98c2767a5815dc7c43db55bf914c84

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
320KB

MD5
2a9274a38e0d0b6d93d9a1423fb7a6af

SHA1
dd9239c626136e9bbd1f279418d154dc3066fb72

SHA256
577d0ab38ee74841cb35777355796b11d10a17d5558330143bafa654a75a760c

SHA512
fd2f21b30873539e99a4600803ad2750cde5b98821c6a55b1a2b9de7720650938cd8eec38ad537890c998abd7c61f9559f2a3a102d77bb45f4719b1651cfc14e

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
320KB

MD5
98a36813cff05b3fbc2cda6ea1bd44eb

SHA1
4ca75d9eb9255fd1c652141ebedc9b88b95332c4

SHA256
a30bb63c89c0aa080e4fa03c08706d3fecccd261963f354979dfa39ea85c4a73

SHA512
bb3502cfe75e4c8975a916d3619189e991b6c2c649e5c9a5c5c1a39571c44a9635cbf5cdb932b615dfea34fe7e5077d83327f0b387da24eda62ee760011205dc

Download Submit
memory/8-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/516-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/528-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/532-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/556-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/652-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1036-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1076-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1080-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1080-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1336-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1428-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-549-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-590-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1872-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-536-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-512-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-584-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3184-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3332-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3368-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3400-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3488-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3524-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3636-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3840-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4148-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4148-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4168-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4168-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4172-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4192-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-598-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4296-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4300-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4476-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4800-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-494-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-530-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5796-1110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5980-1106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads