berbew | c0345927266315155352f9aab37e422c3f2c317bdf01c2e5b60e50596d8880fd

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0345927266315155352f9aab37e422c3f2c317bdf01c2e5b60e50596d8880fdN.exe
Size

359KB
MD5

2de3a1976c7f471c2adc7fa1bb5b8d20
SHA1

91c041a5512f81ea41ea5bcdd95d5faacdeee157
SHA256

c0345927266315155352f9aab37e422c3f2c317bdf01c2e5b60e50596d8880fd
SHA512

eb05793db856ac5b6c2adc90935615a0743b5cfa9d1140143c85edfca8359021e092fea2de0f5ac512aaf59223079bd239544c9a12bd8ee0bac548baaa17b711
SSDEEP

6144:2vYFuaOQBgKAX4rgYVrOigcC6oQ6+EcC6oQ6+YahBQyiTACPTRN6+YahBQyiTAg9:eYZrBguK9E6n9E6vah6yiMCPTRN6vahm

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c0345927266315155352f9aab37e422c3f2c317bdf01c2e5b60e50596d8880fdN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogifjcdp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4220	Kbfbkj32.exe
2596	Klngdpdd.exe
2040	Kdeoemeg.exe
1760	Kbhoqj32.exe
3696	Kefkme32.exe
2120	Kibgmdcn.exe
232	Klqcioba.exe
3916	Kplpjn32.exe
3428	Lbjlfi32.exe
3376	Lffhfh32.exe
2340	Liddbc32.exe
4732	Lmppcbjd.exe
2956	Llcpoo32.exe
2812	Ldjhpl32.exe
1720	Lbmhlihl.exe
772	Lfhdlh32.exe
2984	Lekehdgp.exe
3360	Lmbmibhb.exe
2588	Llemdo32.exe
2316	Lpqiemge.exe
3112	Lboeaifi.exe
536	Lfkaag32.exe
1616	Lenamdem.exe
2976	Lmdina32.exe
1440	Llgjjnlj.exe
3180	Ldoaklml.exe
3960	Lbabgh32.exe
2200	Lepncd32.exe
3988	Likjcbkc.exe
2280	Lljfpnjg.exe
4544	Lpebpm32.exe
3452	Ldanqkki.exe
2764	Lgokmgjm.exe
4296	Lebkhc32.exe
4236	Lmiciaaj.exe
4520	Mdckfk32.exe
1864	Mgagbf32.exe
3192	Mipcob32.exe
2160	Mlopkm32.exe
428	Mchhggno.exe
1920	Megdccmb.exe
4936	Mibpda32.exe
1500	Mlampmdo.exe
4020	Mdhdajea.exe
3256	Mgfqmfde.exe
5020	Meiaib32.exe
4920	Mmpijp32.exe
2808	Mdjagjco.exe
3148	Melnob32.exe
2608	Migjoaaf.exe
1436	Mlefklpj.exe
4760	Mdmnlj32.exe
5072	Mgkjhe32.exe
60	Menjdbgj.exe
4300	Mnebeogl.exe
4716	Npcoakfp.exe
4692	Ncbknfed.exe
2668	Nepgjaeg.exe
3652	Nngokoej.exe
1984	Ndaggimg.exe
3868	Ncdgcf32.exe
4832	Njnpppkn.exe
3304	Nlmllkja.exe
5124	Ndcdmikd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Lmppcbjd.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Ijfjal32.dll	Mipcob32.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Okokppbk.dll	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Lmiciaaj.exe	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Nlmllkja.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Gfkfpo32.dll	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Nnqbanmo.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Mipcob32.exe	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Ndaggimg.exe	Nngokoej.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Ldjhpl32.exe	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Lljfpnjg.exe	Likjcbkc.exe
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Mipcob32.exe	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Nkbjac32.dll	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Mlopkm32.exe	Mipcob32.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Aomaga32.dll	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6216	452	WerFault.exe	249

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbfbkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kefkme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Meiaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagcnd32.dll"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihbcp32.dll"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiann32.dll"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflheb32.dll"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffnijnj.dll"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Melnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll"	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npmagine.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 4220	3720	c0345927266315155352f9aab37e422c3f2c317bdf01c2e5b60e50596d8880fdN.exe	83
PID 3720 wrote to memory of 4220	3720	c0345927266315155352f9aab37e422c3f2c317bdf01c2e5b60e50596d8880fdN.exe	83
PID 3720 wrote to memory of 4220	3720	c0345927266315155352f9aab37e422c3f2c317bdf01c2e5b60e50596d8880fdN.exe	83
PID 4220 wrote to memory of 2596	4220	Kbfbkj32.exe	84
PID 4220 wrote to memory of 2596	4220	Kbfbkj32.exe	84
PID 4220 wrote to memory of 2596	4220	Kbfbkj32.exe	84
PID 2596 wrote to memory of 2040	2596	Klngdpdd.exe	85
PID 2596 wrote to memory of 2040	2596	Klngdpdd.exe	85
PID 2596 wrote to memory of 2040	2596	Klngdpdd.exe	85
PID 2040 wrote to memory of 1760	2040	Kdeoemeg.exe	86
PID 2040 wrote to memory of 1760	2040	Kdeoemeg.exe	86
PID 2040 wrote to memory of 1760	2040	Kdeoemeg.exe	86
PID 1760 wrote to memory of 3696	1760	Kbhoqj32.exe	87
PID 1760 wrote to memory of 3696	1760	Kbhoqj32.exe	87
PID 1760 wrote to memory of 3696	1760	Kbhoqj32.exe	87
PID 3696 wrote to memory of 2120	3696	Kefkme32.exe	88
PID 3696 wrote to memory of 2120	3696	Kefkme32.exe	88
PID 3696 wrote to memory of 2120	3696	Kefkme32.exe	88
PID 2120 wrote to memory of 232	2120	Kibgmdcn.exe	89
PID 2120 wrote to memory of 232	2120	Kibgmdcn.exe	89
PID 2120 wrote to memory of 232	2120	Kibgmdcn.exe	89
PID 232 wrote to memory of 3916	232	Klqcioba.exe	90
PID 232 wrote to memory of 3916	232	Klqcioba.exe	90
PID 232 wrote to memory of 3916	232	Klqcioba.exe	90
PID 3916 wrote to memory of 3428	3916	Kplpjn32.exe	91
PID 3916 wrote to memory of 3428	3916	Kplpjn32.exe	91
PID 3916 wrote to memory of 3428	3916	Kplpjn32.exe	91
PID 3428 wrote to memory of 3376	3428	Lbjlfi32.exe	92
PID 3428 wrote to memory of 3376	3428	Lbjlfi32.exe	92
PID 3428 wrote to memory of 3376	3428	Lbjlfi32.exe	92
PID 3376 wrote to memory of 2340	3376	Lffhfh32.exe	93
PID 3376 wrote to memory of 2340	3376	Lffhfh32.exe	93
PID 3376 wrote to memory of 2340	3376	Lffhfh32.exe	93
PID 2340 wrote to memory of 4732	2340	Liddbc32.exe	94
PID 2340 wrote to memory of 4732	2340	Liddbc32.exe	94
PID 2340 wrote to memory of 4732	2340	Liddbc32.exe	94
PID 4732 wrote to memory of 2956	4732	Lmppcbjd.exe	95
PID 4732 wrote to memory of 2956	4732	Lmppcbjd.exe	95
PID 4732 wrote to memory of 2956	4732	Lmppcbjd.exe	95
PID 2956 wrote to memory of 2812	2956	Llcpoo32.exe	96
PID 2956 wrote to memory of 2812	2956	Llcpoo32.exe	96
PID 2956 wrote to memory of 2812	2956	Llcpoo32.exe	96
PID 2812 wrote to memory of 1720	2812	Ldjhpl32.exe	97
PID 2812 wrote to memory of 1720	2812	Ldjhpl32.exe	97
PID 2812 wrote to memory of 1720	2812	Ldjhpl32.exe	97
PID 1720 wrote to memory of 772	1720	Lbmhlihl.exe	98
PID 1720 wrote to memory of 772	1720	Lbmhlihl.exe	98
PID 1720 wrote to memory of 772	1720	Lbmhlihl.exe	98
PID 772 wrote to memory of 2984	772	Lfhdlh32.exe	99
PID 772 wrote to memory of 2984	772	Lfhdlh32.exe	99
PID 772 wrote to memory of 2984	772	Lfhdlh32.exe	99
PID 2984 wrote to memory of 3360	2984	Lekehdgp.exe	100
PID 2984 wrote to memory of 3360	2984	Lekehdgp.exe	100
PID 2984 wrote to memory of 3360	2984	Lekehdgp.exe	100
PID 3360 wrote to memory of 2588	3360	Lmbmibhb.exe	101
PID 3360 wrote to memory of 2588	3360	Lmbmibhb.exe	101
PID 3360 wrote to memory of 2588	3360	Lmbmibhb.exe	101
PID 2588 wrote to memory of 2316	2588	Llemdo32.exe	102
PID 2588 wrote to memory of 2316	2588	Llemdo32.exe	102
PID 2588 wrote to memory of 2316	2588	Llemdo32.exe	102
PID 2316 wrote to memory of 3112	2316	Lpqiemge.exe	103
PID 2316 wrote to memory of 3112	2316	Lpqiemge.exe	103
PID 2316 wrote to memory of 3112	2316	Lpqiemge.exe	103
PID 3112 wrote to memory of 536	3112	Lboeaifi.exe	104

C:\Users\Admin\AppData\Local\Temp\c0345927266315155352f9aab37e422c3f2c317bdf01c2e5b60e50596d8880fdN.exe
"C:\Users\Admin\AppData\Local\Temp\c0345927266315155352f9aab37e422c3f2c317bdf01c2e5b60e50596d8880fdN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\SysWOW64\Kbfbkj32.exe
  C:\Windows\system32\Kbfbkj32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\SysWOW64\Klngdpdd.exe
    C:\Windows\system32\Klngdpdd.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\Kdeoemeg.exe
      C:\Windows\system32\Kdeoemeg.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2040
    - - C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1760
      - C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        28⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        33⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        37⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3192
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:428
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        43⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        55⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        58⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        59⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        70⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        75⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        77⤵
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        79⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        80⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        82⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        83⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        85⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        88⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        90⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        92⤵
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2228
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        96⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2352
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        98⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5116
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        100⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        101⤵
        
        PID:448
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        102⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        103⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3864
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        112⤵
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        114⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        115⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2836
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        120⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5088
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        124⤵
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5408
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        133⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        134⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        139⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        142⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        143⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        145⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4400
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        150⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        153⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        154⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        161⤵
        Drops file in System32 directory
        
        PID:700
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        162⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        163⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        164⤵
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        165⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2320
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        167⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 416
        169⤵
        Program crash
        
        PID:6216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 452 -ip 452
1⤵
PID:6192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baicac32.exe

Filesize
359KB

MD5
19f8f7a4b12e79b5ba93e9e1a5bcf133

SHA1
ee47214bcb94d7b592f4c4498334d3b62fbfee74

SHA256
8401e5d771fb5eabf4dd10461c7a00133d3cfe6bfe9e975d3e5a3b4188db40ba

SHA512
1bf4a28d6fb542ea44cbbd36be57556390e690c3def54d77e0d951e38b14bbef662b75a53509bde720c122a4375679d6e7c436f75b66a9c28ed89d8b9f3fe6f1

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
359KB

MD5
db721d1d0523cf9f7f83243e64c24ead

SHA1
1ff25246c1003e466a9117fcedb1dca8b6bbc3ae

SHA256
416c29ac7ae8751d0174fe6889019fa92b0ab6d28d95b91ced154237cae90b50

SHA512
b5d6f9b5bb1a974966e4f68fb5bc3cbbc5ed1b6af3d6754a0306a57ebba88a4a4afd992e5fd8cd231792b05d70f179ffee0ae52b8426961abb6346e5b4702ff4

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
359KB

MD5
2308bc17cb829e3a4f9dbeafca7adaf3

SHA1
b311339d33924ff730b1b24d5225768499c8112a

SHA256
d58ba72cc87525f106cf506002406c87144719dfda6c66df948027d5c7bc6cd8

SHA512
8167dc14f02e6fd9bb449bb8da28235486091b8480466a97515d5baa386154114a951d77d5ab0037bebd1961855044111c9e98c4255dc078c88d559f80e60d17

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
359KB

MD5
999b1d41d206d8d833266680edab7f4c

SHA1
adfe972c5394fb432ac5f845ffab13a0e86f1300

SHA256
ae2dca68c603dcfd21255a7adc3fd202b446614d039915e3ca063c465095327e

SHA512
1851dbd322f192d826e0dda2e7f3ca5d3eaae4a6c4f9e688340948328c052232aa966f65f9acb6fc55079425587e5fd005f54ec29eeab771d0963692024bc8f4

Download Submit
C:\Windows\SysWOW64\Gnbinq32.dll

Filesize
7KB

MD5
90768b09a2673da1f5cc7d5447442fd5

SHA1
80c7743e1126fce382bc773cc45968988734a33d

SHA256
421a750ca37be6d246e459bbfd38d9cdcc83a7cc82ee67ebfacca7abff8b681f

SHA512
cb1fd82de05fbd205edbce385c58a60e7910057b7d91c7eff3a61c07e1a8ddedd8d565a92bf9f7a772208c96b9045d558ab8a68b39117d7e4865c2c9e6627a73

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
359KB

MD5
0c81d81041d7c86a4d553aca9b5cb48f

SHA1
c764a8dae4273f77fbd6dbac6da2964578007f98

SHA256
48450f773f64db7ffac60dc21385fa623d316722e21cf21822aedf3f54776046

SHA512
044f85470b4c48ca5a3a665d73f2006af44ab54c081b29f75d2d976aab5c7aef19dcb6858e28cc977701b40fb5f02d33e70ae96e91ce3e1c742e0d55929aefb3

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
359KB

MD5
bf0587d55be666f2b51590ebf60d589b

SHA1
724e9a59eb303345cf373a734d2200e54d557c16

SHA256
06db83eb042e15eec76125ac89ada2ad783975575462e3569c953902e513ca15

SHA512
758e17aec7283736ecc82e4b1d4b85e3f3324b3c341038b1c470f6d60deb3cdf3d5140514c8b5e9d1f4bdb29c665cb912ec0706b011b9a4fae6e9407da0a45f0

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
359KB

MD5
3dfbb266025079438338f7652d9f164a

SHA1
834319812149548f87897b461f7858cbf280c273

SHA256
36b031487343f14dca8cde23473fa923d4bbf5c34865c5673c17ff3326e32d53

SHA512
4ba23df1016bcf1ee293d43b9899ce4868d92ce713aa95dd826ed61a9c2371e8a90c954d9e57cec2c9056b4bb0167a98091f05c6ca63ac0b01cdbf604112fbce

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
359KB

MD5
a53b53e7f5f498b016826b4fe1893ffe

SHA1
d0d7ee7dc5e45da577a66799b0c4767b4d4a4edf

SHA256
e514e880ed91085f1f47181f412b64f31206f9147169738bd77e7e6fc0d6118c

SHA512
646a6ec4e21101b6e165c5c5c12d5cae37e87db9bfdbe25c4c54d40c61a64c530d6ece02a26609f7b4dd22f02a8f136da7341ba47b8e8b6b1e31f8655dcb60ef

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
359KB

MD5
a5f262b48ccf6e1d45e630acdc918951

SHA1
a1d20ea2e04efdbf7e573e2611da62febda6e13b

SHA256
90a9629bb0a2009c6251afa0697bdb6e416df49db0500b047b6cf783121e4874

SHA512
d6f21820fa52902b7425623244fbb39c4cbae99114efa2a7bdd1e1e5512c4f719f2bfeef3ee6646fd936bef5f9493b54776332372dc128c3fbda80d5964c9858

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
359KB

MD5
576bd7b6b22bf79ac77d43ef45d86363

SHA1
da95d69593258e18d4bb03e1e78af3691619cba6

SHA256
4d1b83c8d9eaada35d492b277edeb2360dd869fa249017632c50b070a3462867

SHA512
ee8027815895809feaffda063426de9dbf2d82619c3398ff6781c1a553630b806914e029478fe44784b3503ba01d6962829441da55adcdab4cdfbc58d5dbc239

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
359KB

MD5
9bf92290a2d24597ee6534a3c538dd60

SHA1
911ccf2461fbc700df927d565c404a434a653526

SHA256
c4868a1ddd992a929018f66a356daa6340629615c79b8773c127c09ca34e49e2

SHA512
37b4bdf5db99849bea3750ee65b7f1ea56310207698a42faf4cc2b3cfd52f04caffc6afc4a01925c539fe86d962adc9c7d3b3fcc75e200f6a40d2e441bd4f13a

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
359KB

MD5
7d0d650bed91c3f64d44ce5826ee5696

SHA1
2831f52000b84d3225504eadbefab6b2b89a0ed7

SHA256
9ef8be86a15665efa6d12d5ce79013675cc7cb8a4b26f9d4d31edd00edbda78b

SHA512
0cf59c612dc21b690283f56fb930990e34d59e2f3409aa89722f671b931cfc30c59bceb991137bb556fed0211b15bf1bee5d7d4991249d9359856b4881587ff1

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
359KB

MD5
625e216096039ed0a9a444e7b917f212

SHA1
29fdc9c79ab115575a1ce4f273beee1d7cf95b87

SHA256
0619eff706b41962d7ab400991b11434366d80b7a0aea20512be7a4947ee296b

SHA512
80160494450c944ed041ec3577d4fbc817f4473852216a381018d2060998468f3b8092d2943b180a0a1b431a8884009ec0b1229f25cb67a554481cd17c126da9

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
359KB

MD5
73ded1cd04db4a69fa04b55a4041d5cf

SHA1
d19249046bf1e6a766d0ba4be85de52513dda2b1

SHA256
db74b5a23b228be5cee95a3490463647c4670e85ac370600e412db8503db314d

SHA512
6ada73141d9d5ff21c7be6654d9dff50e60603328db13405518058242f5290956933b44efc6ee19ed61d7c2a15c64b6c1706fbf3571f3dae1133e6a3a0cabdda

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
359KB

MD5
3f7664c05b7f1962c0596e38d5b2dd04

SHA1
cc2dc40ec0cb1c35d36efd20e988c376588c18ac

SHA256
f9edd3e1244af710b4d6e0ba62420c5e58f15cc9960d41c2d638ffd780e50025

SHA512
ad13724fc8ffc959fd6cf52f81555e0f34f739e507f1a96a91084a53f01fde9af148e654a767bc3cdf447946f81be158cf35a36d41ec4a3c9fe1fd89307c6d9e

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
359KB

MD5
64bcd247bb7594a518e94d876a320fc0

SHA1
8f6e17cbf13e86f1f6b15618a4366006be0ffa99

SHA256
5503be76a0a37d91043e23bc82d020390101d0bebfb2ec334c7a9abdab334a5d

SHA512
8ddda3202a4e9c8778aa09648b46d1b06de2b77419a8732f3cb1ae982a33455dfef29fad4fe2fa7199c3b75e067d06b8b92516573b278a5b1ec0ce5607d6d77a

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
359KB

MD5
5490894eed5e06f7a030453e30f74134

SHA1
dff2dd94a49d5f18fd213bb5ab6d3d1f191978c4

SHA256
d6c12b736467eb24c21656ed0bdf1d82211a07cd7c997b2ca562967e46d7dd2a

SHA512
c306f72ef05225b7a0d798a6384deca4ac6ddbf0469be4b43cca27791bddc426ae19cc14934cf35779456baf0ec008cd2240eb1fb229b3e26165be15a7a092f5

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
359KB

MD5
605f3a6f8504229b80e389655002775f

SHA1
1d933148058a729c3bb199df331830302578cf9a

SHA256
1b3062f19a1f798ce42da5c375b0a171a8d2bd483f5e891f724ee5e345518c3e

SHA512
b2040eeda4cdb0090aec3610597894487b1346f9ed4ba4f3c519929a26e8e359a66d07bee82c733ce506fbaab57122d9f07d014db75dba89d3b53d45ef996653

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
359KB

MD5
1c0ae16a4aa8c55e9268409d51c7acbc

SHA1
517e26306512ed9dfa9be8d4deaa8ca72d6d2fe9

SHA256
9a6a0d7735ab539e5e2aa350ea2d1eedab8a2c7ccb04827cd4619171e01efa53

SHA512
0262de5c7e2649733ed7a7393b32b531e4cbab22b971ffa4d79d5251bd00bb3b9e9f04863b0862b99c887cc27dfe0f8b9b89b4902ee454637364791c9d3516e8

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
359KB

MD5
8a205bc171093bdf1a1709d9382a8ef9

SHA1
c221875fa9c77f33104cba352a3ca5056ac8f8ef

SHA256
21885c6f081c0da894892a27b88269f03ca9758807b7e91e4ea0ce97a0a70637

SHA512
491a2d4fab323c8c55a77431cd7eaf7868e8fe0bc27b99fb7593cbe64cd2f6a76a6100c4f2a65f106f61854bb094d1d753c014aaa5efee7203f662adef4d6ec3

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
359KB

MD5
f24b09d88defa2453a8b6c3aefcac3ae

SHA1
1b5d72fe56f0db2e467ae5fbe765728120bb920b

SHA256
00ab9c0f4d967a91f7664bc66be09b4083746e5e5e25923168d251aea07fced9

SHA512
6bd8c1fa723363b388c401d058809cc5aa5fda299a3a4f8377a938a666867e76600b098410c87446a9184f558a0028ee2907306b9db4492f158bcf221a4e95f3

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
359KB

MD5
59fd2174e5fd38a89ba37de2c821ea86

SHA1
b9d7c2090417a1e23aa3083c6adcdfb09951add5

SHA256
2fd35a820379fc84676cc61a3bd91819d4d21272be7983fdb378b927f67605a7

SHA512
850aae2aee7572fe35000008398e163bc4df581da112b6f42e21a4cf40590a9a76509a14f3af59dbd19ee324f10a4c4c818cba314dc27fe4b2599a3a64c5c50e

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
359KB

MD5
557e21803e9fe5ff28b1dad3397881bb

SHA1
01b97e3c12e96e2b9c34aba9c09436bcce28bd4a

SHA256
f897ed8ca5666a61ba576eb60b47ab269c3e9fb27cb806a40cff611d3a59e9c2

SHA512
82de2b96a265e44aa621a6b0164fc643b01d5bbfd25019f9c1d74c9384f6a804838e413d82349ec9e454094bc16a7fde7ed64aad1a634e8477f42c0f76050f78

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
359KB

MD5
6fe0f0653467572f6d0ae8e3e21c3c19

SHA1
80612f20a7add46ac4d63e725352db294d71d3bf

SHA256
e9056c8baf67ded4338638e53a208f39cb73c32e9831935323b02b1cdb792ed8

SHA512
ba57f178143a6f364e69b257e75b3001d49b1c1a57fbd46e7a0ec12af06945d89a7afcfcb6c75b1906eb249aaccb9d53fda2c41bc29fd9b821157794d4866292

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
359KB

MD5
d5ceacc19efe392e16dd6dcfea4a68d5

SHA1
8fb4f15c7b7e70ef53cc0899580d1353311d8b5e

SHA256
b87649a901b61a73d9d0e7f583ee317f0c9865eee25706a5ef62426dadfa81d1

SHA512
2a49da253ae3d0b0aac3e1073e0d2bcffb513b9acbd5bca85e5049df306e7180220336b9868aef91bdbb2da073c1def8b772ef20da7c2641ec3a8b95641c7337

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
359KB

MD5
7bd43d2f0a2d26960aeca410f7f70115

SHA1
e8390c26300d7a1eb3b6fa4a30bc415468a80729

SHA256
33ae389224008eb1d49b0bb5dd82a9a978f817b05ba15a37b5626b1f9006510f

SHA512
4627a97131757ae118a45bf9a6c13b2109e312d305c33c81534298f0a956acd3b06cad62b6cebf9b015f0cea619b297975687e0542c542d581bc08560f6d5a95

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
359KB

MD5
a0d26a0b91a32723f79846d3a5ecd64a

SHA1
f6ed232eb053189e59478c1fd841cdc0ac43e338

SHA256
d34f689130c4d8a34f10f53c7ef1a6b157989a7958583065ae3de3d570aeea68

SHA512
dbd359952070740513cf6d36deada5d234ae2183729d5b8e2f44032503e7dd2c764d81465b0aa6fba833422c8f87e79286e0a530da0ce2af80d9a590427415b9

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
359KB

MD5
061cb84e9f6982d045603076fa135665

SHA1
4d01284ade118cf793f4299a13a3443e1e29b1c7

SHA256
4819ddb212b392b005e84d12be0f7665039024d0170a4a86361df12f0ab99521

SHA512
71c76a3247f036a884d4d01687562ce95e0eb699c8d6cfacb0d31e10a9b7112ebbd4e675ed19af9ad6921f530dc084247ef2cf5dc35fb0958d2d97150820c5ce

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
359KB

MD5
4ed19ec51ff893a9394f00ba218e1c1e

SHA1
c831dc651d19b7c166d099f43ddde8bfe3a01c09

SHA256
863b33ec4eb58082786faa3d91e738b41aa76e9ac3789bc770d2f235641032e7

SHA512
7f31db0911b1652ef3e601d011b491ba0f4d5797a4dd2885b8c6eb2a5d84b7416002534a976ae830bba5b42ba54604bbe93e0e8fcb0c442c4fd24e8480b7b616

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
359KB

MD5
935fd36f6d0c817c333ae6c1d4fab5a5

SHA1
8eef51171f125f74a3060868489f1091f23c6ad5

SHA256
4a2235bc1cf9d2ec582c8affb53bd9b3d105eb513aecf0828c1a8c51920eb00f

SHA512
a580291550e99b964bfea9b8c0debbf1d304764d46d0d65af12f960b7284dc61a651fecb1747cc138bc05fd054468f1d568cd331df9b436c2a44a65eb76bd7df

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
359KB

MD5
a51b5d2752ca78be9f058ea04e62a538

SHA1
c94aa5dacb083b495ba05151d9fb1592618cf07e

SHA256
d5089214026011775292596cd2a6e64c401a518ab13fb1a2b009bb9dd0be82b0

SHA512
25b7847cc15181eaade7c134f767e6ac1adf5f66c74ce6021deec69e612c71646cecb592ebed2c14d57efab9d7dacbd9e4966de60715075d9af562f7e93f502d

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
359KB

MD5
8e4a507c149acfb50a750e1a942bd934

SHA1
fd2881220ed69e7e57d60337a5c6f969d5c16d4c

SHA256
5456e98d3ccfee6c80b52e290c992306658bfafc5a61e43048be8ed94e7d72b0

SHA512
4970fc3f14702ef7a6878128ea5e7affba42a953ad829983088807fddc13d6d22ad6b9e9b06f596be75bea8165481d5438cf6caffe65759a2b34e2ea4f0164b3

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
359KB

MD5
043f02555b06905632dfd6fb5de13d6d

SHA1
7a207ef776b7a5ceaa4cfada5da13112dfe35dc0

SHA256
f129a58553b09cd8448ff76f013f2c298c14271b48eea68d503ef50b1556a05f

SHA512
e2825991120b8150d9c8854d7f09331b4d4d38de1c70a933962a5d512bb8db585ea4366efdf75530c167a89ea91395b0cd5e51bda4b3eacc8168a3899aa2cc7c

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
359KB

MD5
cd2d0bf3e8d9ba7a825dd92e5872f874

SHA1
720e8c4d59a3ee1d4408e09d702fede4c94e971a

SHA256
bc536b992467aaee3b6c3c0a00c06156fa575a068e40720e07c1b83a00603818

SHA512
8d41906452d7b59181f5a21c2b217ee9af1b0d522131c5f28992518dc77131f27a5ba4a0fc890eba9a99521394a76915e8111b3573f40002813b4422973fbbbd

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
359KB

MD5
30842129bda898653897e4d16f5fee41

SHA1
4bf61cf13a041d08bf3d3604f4ebe047fe6860b2

SHA256
a8f7e9118feaf774c9e59fecb9879a14ebd4d354710eb059ba1363242d5a9b9c

SHA512
c2d13f6de31330cf2dfabaa94c0599951f3ac73c7ea2fc005e8bb84a7c6eddd49d73c214e49bba0c0344661b5c629ca8cabd982c15a82933fd8b85b5ea04721a

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
359KB

MD5
d77a7f2fa3de5352a37e327789eec53c

SHA1
5bdd919e8ae8f4f8fd8862070e1344faa142d98c

SHA256
ab63248af1f18a17f8ba97b265c3a7f2aaf58d3e6e7b27b900dea93966a517bd

SHA512
d04c31b1094e93288cf10695a748f806d4432b1df438360dc416befd8b876ba72bf6510c0d3b9067ca1d53b6dd00dc73970dcaaf0bc7fe24b945c4d51ab1a6a9

Download Submit
memory/60-387-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/232-56-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/232-572-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/428-305-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/536-180-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/536-662-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/772-626-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/772-132-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1248-1209-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1436-370-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1440-204-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1476-1174-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1500-323-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1616-670-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1616-188-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1720-124-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1720-620-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1760-554-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1760-36-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1864-288-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1920-311-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1984-421-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1984-1290-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2040-24-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2040-548-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2120-566-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2120-53-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2160-299-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2200-228-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2200-699-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2228-603-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2280-244-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2316-164-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2316-651-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2340-595-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2340-93-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2352-627-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2524-639-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2588-156-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2588-645-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2596-20-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2596-542-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2608-364-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2668-410-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2808-352-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2812-116-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2812-614-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2956-108-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2976-196-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2976-676-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2984-633-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2984-140-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3112-657-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3112-172-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3148-358-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3180-686-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3180-212-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3304-439-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3360-148-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3376-84-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3376-590-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3428-77-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3428-583-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3452-259-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3696-45-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3696-560-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3720-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3720-529-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3868-427-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3916-69-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3916-578-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3960-693-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3960-220-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3988-235-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4020-329-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4220-536-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4220-7-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4236-271-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4296-270-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4300-393-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4520-282-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4716-399-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4732-602-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4832-438-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4920-346-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4936-317-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5020-340-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5072-381-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5168-450-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5204-456-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5284-467-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5304-664-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5320-473-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5400-484-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5400-1267-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5436-490-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5448-1160-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5480-496-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5540-1200-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5556-512-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5592-513-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5628-519-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5868-1231-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5988-1241-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/6112-1236-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads