berbew | 6da6f325d745aff49360391210ae6b02e8f96b8806ccbcfdcfe438981fde9bd0

Analysis

max time kernel
94s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6da6f325d745aff49360391210ae6b02e8f96b8806ccbcfdcfe438981fde9bd0N.exe
Size

55KB
MD5

91f359fb6875231bde26fb6866667710
SHA1

3048f0827376b1e7a6adcff944b5abce8f3434e0
SHA256

6da6f325d745aff49360391210ae6b02e8f96b8806ccbcfdcfe438981fde9bd0
SHA512

a661914a7ce587c180d4b510f7b26e5981fb9b0f75caea65d4d549df23231bb40f016872c2a21b3a20a32e9c7810b17cfc2d41231b02317cfdfcf49966906904
SSDEEP

768:7EGRVU4PTTUN5Bodqf3lqL19jB/bAytZcbhKXEXH2p/1H5IXdnh:hbEXBII3gL19V/0ytZcq6H2LE

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1064	Lpcfkm32.exe
3048	Lgmngglp.exe
4828	Likjcbkc.exe
1272	Lpebpm32.exe
5108	Lgokmgjm.exe
4404	Lmiciaaj.exe
2748	Mdckfk32.exe
3196	Medgncoe.exe
5044	Mlopkm32.exe
812	Mchhggno.exe
2284	Megdccmb.exe
4068	Mmnldp32.exe
3772	Meiaib32.exe
3176	Mlcifmbl.exe
3736	Mcmabg32.exe
1988	Melnob32.exe
3400	Mlefklpj.exe
4240	Mcpnhfhf.exe
2420	Menjdbgj.exe
4508	Mlhbal32.exe
112	Ndokbi32.exe
904	Nepgjaeg.exe
4492	Nljofl32.exe
4556	Npfkgjdn.exe
432	Ngpccdlj.exe
4892	Njnpppkn.exe
2304	Nphhmj32.exe
4572	Ncfdie32.exe
1960	Neeqea32.exe
4980	Nnlhfn32.exe
4244	Npjebj32.exe
3252	Ncianepl.exe
2916	Nfgmjqop.exe
5104	Nnneknob.exe
3788	Npmagine.exe
4956	Ndhmhh32.exe
4300	Nggjdc32.exe
1888	Njefqo32.exe
1232	Nnqbanmo.exe
4708	Oponmilc.exe
4860	Ogifjcdp.exe
4628	Oflgep32.exe
3236	Ojgbfocc.exe
2416	Olfobjbg.exe
4460	Ofnckp32.exe
1060	Ofqpqo32.exe
1976	Ocdqjceo.exe
2148	Ofcmfodb.exe
1456	Olmeci32.exe
3140	Oddmdf32.exe
1136	Ofeilobp.exe
2668	Pnlaml32.exe
920	Pmoahijl.exe
1972	Pcijeb32.exe
2380	Pfhfan32.exe
1236	Pmannhhj.exe
456	Pggbkagp.exe
4796	Pnakhkol.exe
4060	Pdkcde32.exe
2776	Pflplnlg.exe
2956	Pncgmkmj.exe
4920	Pqbdjfln.exe
924	Pgllfp32.exe
2144	Pjjhbl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Lpebpm32.exe	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Eghpcp32.dll	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mlefklpj.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Mlefklpj.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Neeqea32.exe	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pcijeb32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Nljofl32.exe	Nepgjaeg.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Mlopkm32.exe	Medgncoe.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Mchhggno.exe	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mcpnhfhf.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Aomaga32.dll	Likjcbkc.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Ofnckp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5416	5244	WerFault.exe	230

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomaga32.dll"	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6da6f325d745aff49360391210ae6b02e8f96b8806ccbcfdcfe438981fde9bd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpnhfhf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1064	2204	6da6f325d745aff49360391210ae6b02e8f96b8806ccbcfdcfe438981fde9bd0N.exe	82
PID 2204 wrote to memory of 1064	2204	6da6f325d745aff49360391210ae6b02e8f96b8806ccbcfdcfe438981fde9bd0N.exe	82
PID 2204 wrote to memory of 1064	2204	6da6f325d745aff49360391210ae6b02e8f96b8806ccbcfdcfe438981fde9bd0N.exe	82
PID 1064 wrote to memory of 3048	1064	Lpcfkm32.exe	83
PID 1064 wrote to memory of 3048	1064	Lpcfkm32.exe	83
PID 1064 wrote to memory of 3048	1064	Lpcfkm32.exe	83
PID 3048 wrote to memory of 4828	3048	Lgmngglp.exe	84
PID 3048 wrote to memory of 4828	3048	Lgmngglp.exe	84
PID 3048 wrote to memory of 4828	3048	Lgmngglp.exe	84
PID 4828 wrote to memory of 1272	4828	Likjcbkc.exe	85
PID 4828 wrote to memory of 1272	4828	Likjcbkc.exe	85
PID 4828 wrote to memory of 1272	4828	Likjcbkc.exe	85
PID 1272 wrote to memory of 5108	1272	Lpebpm32.exe	86
PID 1272 wrote to memory of 5108	1272	Lpebpm32.exe	86
PID 1272 wrote to memory of 5108	1272	Lpebpm32.exe	86
PID 5108 wrote to memory of 4404	5108	Lgokmgjm.exe	87
PID 5108 wrote to memory of 4404	5108	Lgokmgjm.exe	87
PID 5108 wrote to memory of 4404	5108	Lgokmgjm.exe	87
PID 4404 wrote to memory of 2748	4404	Lmiciaaj.exe	88
PID 4404 wrote to memory of 2748	4404	Lmiciaaj.exe	88
PID 4404 wrote to memory of 2748	4404	Lmiciaaj.exe	88
PID 2748 wrote to memory of 3196	2748	Mdckfk32.exe	89
PID 2748 wrote to memory of 3196	2748	Mdckfk32.exe	89
PID 2748 wrote to memory of 3196	2748	Mdckfk32.exe	89
PID 3196 wrote to memory of 5044	3196	Medgncoe.exe	90
PID 3196 wrote to memory of 5044	3196	Medgncoe.exe	90
PID 3196 wrote to memory of 5044	3196	Medgncoe.exe	90
PID 5044 wrote to memory of 812	5044	Mlopkm32.exe	91
PID 5044 wrote to memory of 812	5044	Mlopkm32.exe	91
PID 5044 wrote to memory of 812	5044	Mlopkm32.exe	91
PID 812 wrote to memory of 2284	812	Mchhggno.exe	92
PID 812 wrote to memory of 2284	812	Mchhggno.exe	92
PID 812 wrote to memory of 2284	812	Mchhggno.exe	92
PID 2284 wrote to memory of 4068	2284	Megdccmb.exe	93
PID 2284 wrote to memory of 4068	2284	Megdccmb.exe	93
PID 2284 wrote to memory of 4068	2284	Megdccmb.exe	93
PID 4068 wrote to memory of 3772	4068	Mmnldp32.exe	94
PID 4068 wrote to memory of 3772	4068	Mmnldp32.exe	94
PID 4068 wrote to memory of 3772	4068	Mmnldp32.exe	94
PID 3772 wrote to memory of 3176	3772	Meiaib32.exe	95
PID 3772 wrote to memory of 3176	3772	Meiaib32.exe	95
PID 3772 wrote to memory of 3176	3772	Meiaib32.exe	95
PID 3176 wrote to memory of 3736	3176	Mlcifmbl.exe	96
PID 3176 wrote to memory of 3736	3176	Mlcifmbl.exe	96
PID 3176 wrote to memory of 3736	3176	Mlcifmbl.exe	96
PID 3736 wrote to memory of 1988	3736	Mcmabg32.exe	97
PID 3736 wrote to memory of 1988	3736	Mcmabg32.exe	97
PID 3736 wrote to memory of 1988	3736	Mcmabg32.exe	97
PID 1988 wrote to memory of 3400	1988	Melnob32.exe	98
PID 1988 wrote to memory of 3400	1988	Melnob32.exe	98
PID 1988 wrote to memory of 3400	1988	Melnob32.exe	98
PID 3400 wrote to memory of 4240	3400	Mlefklpj.exe	99
PID 3400 wrote to memory of 4240	3400	Mlefklpj.exe	99
PID 3400 wrote to memory of 4240	3400	Mlefklpj.exe	99
PID 4240 wrote to memory of 2420	4240	Mcpnhfhf.exe	100
PID 4240 wrote to memory of 2420	4240	Mcpnhfhf.exe	100
PID 4240 wrote to memory of 2420	4240	Mcpnhfhf.exe	100
PID 2420 wrote to memory of 4508	2420	Menjdbgj.exe	101
PID 2420 wrote to memory of 4508	2420	Menjdbgj.exe	101
PID 2420 wrote to memory of 4508	2420	Menjdbgj.exe	101
PID 4508 wrote to memory of 112	4508	Mlhbal32.exe	102
PID 4508 wrote to memory of 112	4508	Mlhbal32.exe	102
PID 4508 wrote to memory of 112	4508	Mlhbal32.exe	102
PID 112 wrote to memory of 904	112	Ndokbi32.exe	103

C:\Users\Admin\AppData\Local\Temp\6da6f325d745aff49360391210ae6b02e8f96b8806ccbcfdcfe438981fde9bd0N.exe
"C:\Users\Admin\AppData\Local\Temp\6da6f325d745aff49360391210ae6b02e8f96b8806ccbcfdcfe438981fde9bd0N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\Lpcfkm32.exe
  C:\Windows\system32\Lpcfkm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\SysWOW64\Lgmngglp.exe
    C:\Windows\system32\Lgmngglp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\Likjcbkc.exe
      C:\Windows\system32\Likjcbkc.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1272
      - C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        24⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        33⤵
        Executes dropped EXE
        
        PID:3252
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        35⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3788
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        37⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        38⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        39⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        41⤵
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        42⤵
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        50⤵
        Executes dropped EXE
        
        PID:1456
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        61⤵
        Executes dropped EXE
        
        PID:2776
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4256
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        69⤵
        Drops file in System32 directory
        
        PID:4832
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        71⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5096
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1348
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        77⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        79⤵
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        84⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        87⤵
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1860
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        92⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        95⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        96⤵
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1744
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        102⤵
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        103⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        104⤵
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        105⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        106⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1384
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        114⤵
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        117⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        119⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        124⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        127⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6032
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6076
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        134⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        137⤵
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        138⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        141⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        142⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5692
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        143⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        146⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        147⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        149⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        150⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 408
        151⤵
        Program crash
        
        PID:5416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5244 -ip 5244
1⤵
PID:5420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
55KB

MD5
2348c83f9d64ee5d4f19f8d136645d3a

SHA1
a074aa82665c226ba80e9e364a5c663acb73614f

SHA256
868dc917c64548a5eab6ee3600f958f3a52a5eb0af5128f96dd8edf2afa9ba36

SHA512
4134461038a8f88729230191c8a33c887fa5d9597674ef8783bcdb53156d06f2418fcc1cf8bc86b5206e530b650a91eac04e7ce0f55f8f7ee1a652376f832bdc

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
55KB

MD5
399d66b7f0aedab0ac7f8a588d825159

SHA1
73ce7d16edf15980d3f763daa34fcbf64a8c3e64

SHA256
b04b200d3e3d359c710e1ac747281e9a6c3c3d2c2f446b44c19dccced1f1300c

SHA512
ca2e66d994e0e84fe17d540cf3f1d31f9f84ffed6f9361d717bd61979de881e9ffcd292de86dadc9e8fcf10f4d4d525712fb416777c281ac61258235ea3241f9

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
55KB

MD5
1d1a3fb13683ba07f0f5ab5f9501afd5

SHA1
cac32c773e3883efbd34dec6d222723e1264478f

SHA256
ce2ed4571d694e7b6f21dd30dbc224c03592ce3ea07591b6244b15418cf529d2

SHA512
c1bd911961599ad25f1d9db04f4fa2822dcd7097ea064abc21f63cca2a16e8ab23274345b0f7761ea665bbc7907c1453b4c58333db3c9fe6bf2ba1fdcd071def

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
55KB

MD5
5484e3d1866a5a78f42f5748f513761b

SHA1
d350a35dce5efb67282c44c4e7570c6d18884f4c

SHA256
2653a5e45e81e76d58a37228dc45dc1c4d66fe132c238c27446d502266cac165

SHA512
db9a75f04d69ae4cc1f4130652cfdcb8b8131daa4abe959a020d08018117aa54d08fada4f870fd34e4ddad9870762d00f748d3a3a3bf32fbe5f5a54d2a56eaf7

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
55KB

MD5
75110517b48d9179b73814d80b4620af

SHA1
8408bc412bc3e845e2b50936c561bfa2a204af41

SHA256
716ac4c96488ffd978c0a6f1d0db4de3cc7f2b42c151978b81966bdb6ca5f3a0

SHA512
91f446657f0d2d10a410cf9b82c1802333cdf8bf369c9c991976e298cedf27045c4c2e29ddff55641820af5eb5e8df224875482cd3ccc278c9e429de341fa4db

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
55KB

MD5
7bb0fa4d27f3e0d4d8668587b58ffff0

SHA1
27e9f36660e77796d933b099dc1b7efbf67bd97b

SHA256
b142d0666dcdd13eeee1728d179f6d62f9f9528b50a63637c16eeadf035c46df

SHA512
727067f8f02eb2d09c63ba991d8be6b46d8c1a4f8ebe7a2f1064a92822cd21a59002e06f1d2c8a90e11704c6fec3541d4c2069d51fcdd78beae196f159aef465

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
55KB

MD5
e4bcc365ace4c1bef56f19979ec33974

SHA1
3d79d36cdd70b851e3e2b99b65d5bf87acf3e2c3

SHA256
63db562d8eade7480fda2d295ec7b9255984271b747d5906305198067cc2e3f9

SHA512
fb31c2f74393867ff76432423c7b4dcefb6dce5cea6dcb91d4ff3264fa3defdfb2e110f49a845ad7e03ee9679a31641a6d63399d549e8229b54719a6296f03f6

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
55KB

MD5
9cac626859032a16fa2af9fd7f152c55

SHA1
e90ea7e18823f8c492f4dd1ac77a9058a765254d

SHA256
f3469f91ac920e9ebc4e3dbd793dcba70a11e4f8d35e434ac6c140fd8b09c7cb

SHA512
e724491878c45a5d29b0834257a52009d348331a67341ac27eb207bfad82eb1b95928dfae905414e1cc0d213ba00e0eac2b6a9d3bec489bdcb342c436a632319

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
55KB

MD5
05de67cdcb233d3640917e9e3e8a3ef1

SHA1
92263a8f0b989ac212eb366ebf128706b31d656a

SHA256
3ab19bf9eb1e78df74394955a2187648187d5ba6aee5b82aeb9936d93709e005

SHA512
342fb804415ac44ed665612e2a461c4e26b7c23b12d84771beb89143f13742baed42c0d9e7af43944b9a801aee26bb4df175599eaa695ad21e3c028e4d974a61

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
55KB

MD5
de705bd1d3d10e37a8514e9d6862199b

SHA1
00711cfb5548fd07ddd72b2e20bf05bed28797d8

SHA256
45207f1bc18eb43a1a3f818686057f20a98188ed3df514c2702d8d8e929ff83f

SHA512
4734d8a8db55900e9df1a07f2f5d2aaa7b4884803af537746c0546cb42ea482018797d3c48f3e0f262db04fb073a6c1e9e8e148563a2126f2388b19ffc5fc2f0

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
55KB

MD5
3d5d9c07efc55b98a21219aa11cc6249

SHA1
e9aba0f1d9da1ff9936d6f260dd5874a8c576c0c

SHA256
92c34dff43ba27250d237be9b6483723a9df68cf2f999ad8afa6a96cc092068f

SHA512
bec8473e0d0918ae55571c8f6ed6fe2a70711e9b4a02fb133d0f35ecb84e0e83dedfda9dc2800d56c9a022ce1e876aaca17764c8c48dbe52543059dc4330b19b

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
55KB

MD5
b30b39a1605d0f2ded366132d5d962de

SHA1
02c63ef583cd5a6b3eb4d474a9bd98ef53877ce9

SHA256
cf8537645d6fb87339c80e1a1cc7cf758bd40a6a599295ead9109e151455488a

SHA512
fb34cef48a801cf57ee1c97d92477506555bd8cfb7a8c488054cfa1a1c243057dac3cb025fae90f876919f658cd4b85526df8d4a86e1ae8b593b9c0e8877f590

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
55KB

MD5
ca5c17657e635dd56cf7508794c0bc05

SHA1
f65df83f7831606fee283250e704ef503213c42b

SHA256
2cc3bab09107aa213310ed5e7b2c68b5a733fa762d23ea204f120b1af2710441

SHA512
682ed394ea8e8a13a0ef59a478ae77a1b5ad1ebafd2236cd91c3e746164c8e577a13693b31f1d5ccee2ec0363f6a2648e709b7cb35bea026cd1e27cef58b3052

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
55KB

MD5
ea5a45fc4d7d1b38e0545c2677c75dd8

SHA1
c631656f71b8f72499e8a3b86f51723042972353

SHA256
6a76c941ec6077405e493ec48aabb8c27daa8d0e919537abfabdad78778e9494

SHA512
d81289ddc6e644130fb74e6843fc40c2ecb8e4a0b28103fdda5e00fa4a5591ef277870b9d9f3e6cb573a10c9494b2fd2e49f866aaaa87761cad8c7c4cf22dce6

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
55KB

MD5
867f84c907c3541ddd45653012634cb8

SHA1
4477cb14694641aef366298117836c40a8051873

SHA256
af90fea172e8bdc9d753a2014dec787f156bd31f31ce8cdf13e0d8eda9e319ef

SHA512
df9ca66fe38cc5755c5b547b45a949a87ee0566faab4f9b12a222d9674c117fc2cfc2e7b74c702adafc9f4bd7183896d742f98114d1a9888f1deb1f317cbf77c

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
55KB

MD5
8b3ff40b85af5ab022bb3d23562fbec9

SHA1
5f92b24f1d1643328f052e22bd1bedd3a59c549d

SHA256
172e0d8c0c4d6a914348c75cc5a25e846deca9270136d57a43b3552e48b3263e

SHA512
930c0bc852dd8a87d582b9cff3778664afa27825ff5e4d54029f2cd2e66c1db22975ca4660b3e226fef0581a3f18ea570348267d2aded95c87f4a30c1c07c7ff

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
55KB

MD5
e4033fc0ddeeefe49b7c523f13bc3dd0

SHA1
78c8ee1d44646755e94c4d796ce5ca30952c6ea9

SHA256
7f82f1cb7c4a1908c8a3e12dc1d3cfabff0f1754c142e998a125cf0459460a70

SHA512
2e52c50773fd3a3e0e2ba8e7eab2343b0157af3688976a8e525f6029fba7ec144050e5a27ffed64b1d6fcc390b527f49a077568d70988d39f97a7dc1525ffff1

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
55KB

MD5
ff2de810231e5a4235429a6c5effe3bc

SHA1
8c92c10fa21a216a04b5d350324e3d1731819034

SHA256
68531da1ef30f6cfa469939228ce9536b04605bb628d867cd8d9473de720461c

SHA512
55eee8b12899a02ef015fad6f2725aaf8e66ce10190fba06d0288cd46d46b70792bb3cce24131ccc50f248a812f95df061840127b18119fe96e7e0c3214d0172

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
55KB

MD5
648bbcc5da9f6bd049b5292b0b97a5d0

SHA1
f05a248afc730e2bcaceea6e6d6f0317cbcfe5de

SHA256
d5bd44fee1337129b5aa2737adae61f7e77d65084290be184570a9f4456fa557

SHA512
ad3f01537527fc5e5f16ff26993c31eab39345969cdbbfe846dacb4eebf091aba28b5098f9ca4a8fe648bc5891a045247cc2c49c026380a00c7b5d2285f50abf

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
55KB

MD5
0a05f556720b425d9ea81ba2db9f3de9

SHA1
45368b0b2903e5b5ef8f113ecdfb918059c41ad9

SHA256
952423f1d262780f56b1f7e7ff4b5c282a9fbdd18f7aaefbb3ce94704276f9b2

SHA512
1fcce8adc1bc232e2876bf3976ee424b58ba55333083aab19903e33698bdac31ac9156e3e4b743bf41e5e06944dd75c301b180f16fad16a7507ddfda236f05ec

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
55KB

MD5
44c55488b6500911d2de7a1d29288116

SHA1
3a2efb618efa805e53f3519f69bc5385f9bc1800

SHA256
dd6bdeb7830acc528c1cd3631b4e6ab34600bd78cce522a5dbcd6c8c7d5fdc9d

SHA512
8be8ecbd97402ec3fe4e998d4a1a64d3fe0f2fbdf29431eb1404ed48a6788b826a6c5fe41ee594278f55e4cf9c0790d70908cf490a90321f425627c235a95153

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
55KB

MD5
63b1b6c6e42fc2de72a366312b2b7a91

SHA1
8ffdcf62b87960a4d173edfbfdc766a1f6904265

SHA256
7c5d9ae747a5f71458b392f5f40c6108ade0ae256b1f68620fb1c371a31e73f2

SHA512
2120b17ff342a0f2ed9d9b04ea4703871dd7e33c91c2816511aabf324f16a09d261ece10d3e92b2a9bbf7ea3380678a9f3fb816252bf032004d6894f37d2eba7

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
55KB

MD5
05b0d29dcbb8a56ec5512a508480886f

SHA1
42ad4a4e1f0b108a0cfd6b01784728c5dd8b7655

SHA256
65743e5153b0c698266209f117bc8e846ff4c37ddeb929822773ecec774cc76c

SHA512
d228dae178383ce2345931f7b2abcc5401f0923410e95db4e29622e7cb0d38c222d85aa536bbd6ce6d1ac9bca7d010da040302d2a96ae428851bace21814c5e8

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
55KB

MD5
1e039a58bd8fe8eb24712ca1ec5d7a65

SHA1
5bf75865b131109f138940c0908ce2b275c7f801

SHA256
7962d9932270d0b41ef54c74115847b1ad7d8669a11fd5a39389bf32ea4e6098

SHA512
b46699984b68ba811d2e2b63061a36af87388134b6ba195b5f020bdf181ea45b4feed4a5b9ceb63ae97611dd4af267fd14c01ac28d33aab7c6221a128a5362cf

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
55KB

MD5
e0e667079eb10238ec701dd4884ff1c0

SHA1
49f4c90a6e4e486fac562972352ce9fb29053aff

SHA256
174f50b67f1e3f5bce286a58752e048d19605fdbf4e75809d337e463fa299e8b

SHA512
cb71e5df6962eb4d8f332d3f2bbadd75cf2c236305c0624999efeb89d87387b9b3506592a60c63337ad8335ec43b2b6d6afeb101a806b7a727e54d081231fca6

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
55KB

MD5
0d3b3979384cb1a537706582e23c76c5

SHA1
93f1080a823256430ad9ee02a7a9d3585b5e50a0

SHA256
48e78ed8caa5f115db5397870fcda3c86710f5fc73dad419a9fecf2ba89759ec

SHA512
1e4aee91722dcf79dbbb7903b7a7cc472134de48d33c5aca1b34a34f3eb14f3f0d0e89757a30f2f6a5b266bc6650d361137c82a8f271ee0ff8363162786582aa

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
55KB

MD5
2e18f94a684f127889ab18a9d6173c7f

SHA1
69517f4b4619c981cc215ae827e3ef742c93be58

SHA256
6fd7281a4d3d156ccc6dd54be9dd24e22e2a70927f08cbb76c93dc25443a5062

SHA512
28c1be369f15929c4e2428eae117cfedc55865e90032e203cfa397a85b847665a852d4ea121225e30363ef7c01e4edccb7c3f97de32b4bee004f6470a0f72e30

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
55KB

MD5
87adc2ea114e9f64125d658c484771d1

SHA1
43a884e373197345bfdd3a90ebd3897668549aca

SHA256
e49a875ddbd6100eff7198328e40880936066238d8794c8bf38ebf1c0c2c6e62

SHA512
f527e0fe313406aaa2ed82578b9961614750b98e22d85e68d60133f452cef58a81e19f9d487cb2ad6c01f86e6a72d047d8443f154ed808391b712e3817ac4c1e

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
55KB

MD5
c95c0980ad909018b50fa665c4cfb129

SHA1
9f972eae68cfd87b8b413ca8eebecc383fc50d72

SHA256
b66428e73ed86f445544e7bd1d5534defed0941df93b6504146e25afd3eebeb1

SHA512
8f758e73006b1bb40530617994770843a0af195113481f8ff16c614918dbb8b9993a4e62f8a45f3a699e767c963317199b4cf3aed4913af2ff95b3201df93b6a

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
55KB

MD5
150c33e699528408fb7870a27fd44bd8

SHA1
01970d0eb3458dc2a47a572ba7863f55044fdbba

SHA256
b44659bcab06647f9bddf01fdd36be946d25a619ee9b1fae57b4a8134236e045

SHA512
82f106f902fe705471773f5ded1e1e716524dc8af2c5ef8283fd07b85fef5c1cfd8ed80d2eb80bbd6d3125ae9d379b34ea9d8260f74349e4006f3c7cc3f3424b

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
55KB

MD5
89f4c6b4024639b53a923a62140186c2

SHA1
260daf84e191c6c5e9020e060ab06d4bda13e21b

SHA256
2062d02994d4fcb109c50f27fbe94c0b9f1fbd6b3110890cae2df8ec9812c4bc

SHA512
35eb2e0dd812550aeb7367c3f331156f8f6e77d7668e19efbd963c6de83e21772ba4832db1534b4fafe2344f269b507a80d3cf2fd069a8c3502e36dc36991053

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
55KB

MD5
ef1524c8073fbf9c82e69143ca659d2c

SHA1
2c673eec2129f7ff5ea267a967b3bc5a8bf9bd30

SHA256
8caec7473bdc941514c45fc03c0e7628da13a1027de1ec3e30a97dd3e43ac9d3

SHA512
cad6c358f89947a2f4fb6a41985e08fbdeee385e86259286b5f1665b589836c93e280201fd3f57d2fba81b5a8b96a1e40d913db27afdc9969998a3c5b99f62f9

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
55KB

MD5
bf089070450c092289195763a56618d4

SHA1
20d5e2e7c70048fde4717be24581b16b08d59326

SHA256
01a33b0f6fbd76bfe05110195568701c23963109c1e01e525e472f0858a5b9b4

SHA512
c39fb3cd2ccc11002b7b1734f3f352334c24d3b9754ced33cb874773cb8e7b73f57522fb9de727461551d19e4e0077364e8ed4d0abe987458cf188e8f671a8f8

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
55KB

MD5
e3f5c9ea8612c4ed09f4c8785bd3bceb

SHA1
86b23f1a0a0fb478db4bfcef819ee6b2cecfd235

SHA256
80c4e1d06bc2d6a08a9280c500822cb3c0f9af8c8c254c2c9da66cb55864df91

SHA512
dd8eedbb9ac292d285a400c45508536dc5c7cb006ea852153e272e4f97314f44ba2cc6f53d56b61a462ffef3ebf132354ec2b0c217ef64c6500812a5426daf83

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
55KB

MD5
aa2edd0349dc0f86f568690021d3152b

SHA1
0d4ea32eaa77873fd2d18a354a828632e6a52e4a

SHA256
ae6a3cb6b94038962fd8d9b4bdd16ea66e09dda99c2bf1336337a4e82c41877f

SHA512
5238374f9e377a8c66d1c97a4eb55c30ba2676d674d402d348bb20091ded37c61df41528bb6355f113459ec64d1361bd139b74f7f47e0a8251cb948032063700

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
55KB

MD5
6f39ef11230293ebf3cbef65fd265a7e

SHA1
7e301e732f1156b42346394d75d574e2507c2455

SHA256
9ba99bd933d08f1d0a7a0445019196615418946b11f38881b0e0bcc27779333b

SHA512
9cb8365359b3159ba72bb4b401524a8a91d0036af8b979f4ea9d2bcce6c2cab5c5ee5e83094dedd99ad3d342da16684b1fdef958046fb866527abfdff744b876

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
55KB

MD5
039f761f2d20d49b489720015addbb44

SHA1
62c6367b209538b97d09290f949190a644aaf4d5

SHA256
882c595dcb253d78f0cdc055f1dc882aadb44361369546c5dcb0929fd89d8ed6

SHA512
8e76a844f5641f16d3f316dbfa41dff38366e11d8dca9ec36599da72cbfa303430829d237ac281e3e52ac858af8dc4aece1b12426d973e500ad0826eeb51685b

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
55KB

MD5
a475b5300d12bb7a119dc84506ebb447

SHA1
008e44ce2b22111b3da9389f2c345ae07954336c

SHA256
c772c9434c4d7d25893faed438bf2e955ce19485c6553bff26e4696fc253e577

SHA512
4b3180f60018fd7e48f606972e25252a8a1df0e9a59fcd6d1b7a488b3dc224fffcbf000a7253c3e62254c2e2f7119751bfa6efcceb4af8305d5b05fdc8228c21

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
55KB

MD5
618f5481bd3ad5657717de964bd74762

SHA1
b5de0167e05bcd69bc8b612505e9607501308ead

SHA256
23bc107655a8e39849b5cf5888cf2dbf43e067f65a96e26ad7eac7f55ee0d69a

SHA512
a8b26c9f7baf9044dbcbc333655b870d0a51f89e777000ddf4ff955fda4eddc95cd21f78558483ccc675f8e60987a8e960f309c05fe90ef0a911208e29440852

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
55KB

MD5
5f957782f6a349947240c1e5433a7e05

SHA1
f6cda9a41568734e4d72602f43f3b4cbc7be68cd

SHA256
01907fbac0b0a3c185b06ccdf5478cffe042ebfce5f159b9c13f1430bdce84f1

SHA512
27c44174f0364acbc1425961cc1fff19c8992b7f0c38f99e119d7dd794f35d2e9ec9192deae3533906a3a7f25930455ff25c36993783c762407f400e4dbd7b5c

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
55KB

MD5
177da63b7bcaa48abfd02eef3c3cd01c

SHA1
b0ddf02146b6a5b704844390dff683844ba57669

SHA256
40ec45f6ab02c7095611ee67374f6fca20f3fbd51e7bbc76b1d3f194f72f23fb

SHA512
1e258cb15a2a9b2ec349d10821aac39ef2a7533c4845e92c32c2c44399b0918f566fbd2ade788d0fb23b05d713255b459cd4dbe7b5555887ff88473235cfeba8

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
55KB

MD5
226346613695c1c792fda339dfcce26b

SHA1
74352a5ac96d328effa942bb9702cb0326480d13

SHA256
6821ca3e0949c821df2383e0881cd44012ea4a12bc894d6c599cfebc39eb85c6

SHA512
19ba70bbae29cd4030aca7ba9732d988da67786c6e260abf2d6f100840e1381c4c16f5f6036bc3a63eb35d0cf8463fd52a7aad99516bb1732b4b766c7bf8d3b5

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
55KB

MD5
d4abbe346f261d99270bc50d62f26314

SHA1
00174d9732b07c778f695de2450e1ffe133a62e2

SHA256
ed8247e340e92b406a49f4bbf4a63517eb28e4b06dbe82803ca277288cc9bad6

SHA512
e0ea593ef95e14030b2e0ca081c24d78b3eae4886f239df0f8755a8f365a4ea4622039528b428468edf2f2b7c1014717cb08cfd19816d649f756be66f28106f5

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
55KB

MD5
5f43be989c33216e9e1060d08ab51cdb

SHA1
44ae0889ba0610d5cdf4b2571e0685f26cfb2c38

SHA256
795397fbfdc050b69798b7595d3cf6f070aaa52ef69a772c3f63fa867ff28c1c

SHA512
d7b5a9296987f8015cd9a36cfb28d7403582a9da4bd697609e45e99dc0b4bfaf254fb95d0350194912d9d15895da43c109bb25fe3fa6cacb8e01b8a81b3418d5

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
55KB

MD5
c0cc1795e4ad0265007bc428457c3c38

SHA1
c79f8f75192b44274933e12770b3d703613c7d11

SHA256
ff729461ad869b3633db08e86ca7e3e231f224370d6b1bfd3a9a615cfd48367c

SHA512
d753bef7cfb8d80522f4eb32fea221a349e08f767258401ce7c32695a00ac00baf6e99a9b125dfd52a6ba54092b8a258229e059aab5290468150947ebce82803

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
55KB

MD5
5a3b7ced7828d62857a853b3cdbe3221

SHA1
aa19399e612c3680a19a2dc4d2049bb361b199c2

SHA256
9a536642941c9b2549e51087610c71b17609ed2dd2471b1d120c13a63d73d293

SHA512
2d1f3afc1a86363d86a7845055a571fc4b7d8421da230f2021e82c9074a62e38c94cde94a61886a5b2db103329a79d8a073b115e9610eedcd2972535c158b575

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
55KB

MD5
076111a1104ad382a15c0b2492686dc0

SHA1
5acd4bbf3f754e83549e3c41d901e2dd0657c48a

SHA256
f44f40adb594d61eb9d1adf72f23f4ef5fe1d49a6cfa88ab44ecd9cd47c9ee93

SHA512
ec70c34ab777ebea3e11414ed238bbcdc2779063f7a49198d59b785c5ce49247a56bb15b393281e0cc870807e04e8e32b7fe01e578b775a83d7f06e93ddf6492

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
55KB

MD5
1026f60e2f185f5e585791b058ddf1a3

SHA1
fd26fa7a13e541b643ac62ac3d488f5415a4fb1f

SHA256
30b02be5bc46b240ce4f837035919aefd42c668e3b073d07ec33eb5d07e4b29c

SHA512
ab7ebc16917553f5a4c92d2ae9005c2e50ceccd8c2888f705dd915650f75b56606673778e4e43d572c67420fef44c9c536ff7568c08629024224e1210f188d86

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
55KB

MD5
ee674040239220924196e9779e2ef95a

SHA1
10acf3ab697774f7b0398899b4ae9f8535aa3288

SHA256
f6c708c3ea4613b8a50692bb37ce2d5f3950b5e447af9b080a3b33e474483ae3

SHA512
64b8707d509a99a5066003c90955cab9b5f78db066e421f3fb7653b785e3a2cb69f04fc9e61d24743674ecebd3e046102d5964b1a063595ebe533b649484eb58

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
55KB

MD5
57235ef2fb0e1a9fe612d686ec872140

SHA1
7ddd8400ebf3970d2f24e9d98ac2c3f56ae4f5d2

SHA256
ce2800785b06f28314779143bba99dcc4a6ba772f7513a42480a0c2280e2e773

SHA512
bc10285cdce9a7bebd9f539d2e5a679440b77da7032bf47ad0806375cbc8aaa132ca2467ac1b5a92716171e3f38196bae2e6736fa106527e743aa387dca1364d

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
55KB

MD5
9cdb229c529058a3bcb771879f00bae9

SHA1
320a94f743c87128156a1f3c60c2eeca9ef8f3e3

SHA256
f663dab9bee52260ff91a3e3d6ba2f6132a50d1f0692703f1d82a6ee5bba8145

SHA512
861ff879d799f1c0e022d621f69cd89e646371d134bb48d8a87c413888386f6f03f6344a090c032b4a910a0dc454fadf55d73758ca966fbe92934988098478b3

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
55KB

MD5
df342f33ef3e408279074a1884377a50

SHA1
97bb96c305d3b50662a5dea568839941f4350d5b

SHA256
79c4d22ad554dd8bfbde66b1bd616257bffab40a702a0d35df18cf3ae215f174

SHA512
bfc9efe93303caaad73bc7c874cc9b644555fda6fc725d916a0d43dad53c463b7dc09927026a769e3a6eafbdc2d0a6ea8295badffebc680385718dcb78867b13

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
55KB

MD5
b7b43fbea4329be97c1fc7ed7cea8fb2

SHA1
e1267ea6d8ee5cf4440a1f646360653f050aaa69

SHA256
8e51811a9352c33daa21e475b7aff5d9266fea98420e309a82f62cdb10349d12

SHA512
808507fb467765c199de3e10f01c52daa68b46c3742b926e7beda8e664f954f95f4a878593cc386a310ba4b37469609974d75885f944179b867b26a2f23fbc80

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
55KB

MD5
d2acae7fa62f1485b85042294115ef3f

SHA1
b605703d21e36a69fc58dbfcdfcf6184864631c9

SHA256
75db24fd1ae0e12416f888e0f9e4cd0a729ada7a482d2b6e0e171adcc86c85d0

SHA512
bc127c6e007826efa6a82cb37966e36ebb55071e58495c319c5d5a4540ebecb7be0cea8a7c124d8691347227a4a60b89e0e1e15874a3be841ecc6aa180b1442f

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
55KB

MD5
e6e29826896be51ef11fb72e322c6d6f

SHA1
aea19fa92a00f9b2ec68db5b376e88f4d6da0798

SHA256
ffed1d503764400d4280abfdbf11f28a2c84ad6d1777c787775d8f053063e53d

SHA512
a566e6034b675a884458cf2b96ad5a25640ac23ad9b4c4376e03e6542197cf6bd072f9650efcb798a01449a7b881fd610704c88e45dec436684d89354ca119d1

Download Submit
memory/112-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/904-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-1122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2204-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3736-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-1093-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5400-1045-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5552-1071-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads