berbew | a830e62e93f1f14b2225ae43d626e15f6eb727756c2302d27e21d4e723e0feaa

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/12/2024, 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a830e62e93f1f14b2225ae43d626e15f6eb727756c2302d27e21d4e723e0feaaN.exe
Size

323KB
MD5

f8ba545c876512acfe977d65177081f0
SHA1

bcc5b24df273301b97774ed258d335245801c987
SHA256

a830e62e93f1f14b2225ae43d626e15f6eb727756c2302d27e21d4e723e0feaa
SHA512

458354f6f851dd3321a8923efb71ee250e8ef2b8803ad709aa0aa3ecbf01d18310e34c71b938d5beca4f28e21cae6ac3553a7fe2a4b5ae34b87b6ccc420fd46b
SSDEEP

3072:HhDZrYEY6DFaUc1+2KFljd3aEtKpV6usAANuxJaUc1+2KFljd3a4jPfv9Qz0N3EP:HksFlljd3rKzwN8Jlljd3njPX9ZAk3fs

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfjhkjle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmdqgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpqiemge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nepgjaeg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4908	Jmmjgejj.exe
4524	Jplfcpin.exe
4448	Jbjcolha.exe
1892	Jfeopj32.exe
3600	Jmbdbd32.exe
3048	Kfjhkjle.exe
1356	Kmdqgd32.exe
2192	Kbaipkbi.exe
4500	Klimip32.exe
3328	Kfoafi32.exe
1984	Kdcbom32.exe
3044	Kedoge32.exe
3732	Klngdpdd.exe
1144	Klqcioba.exe
3932	Lffhfh32.exe
3764	Llcpoo32.exe
800	Lekehdgp.exe
4264	Lpqiemge.exe
4584	Liimncmf.exe
4960	Lgmngglp.exe
2012	Lbdolh32.exe
2336	Mbfkbhpa.exe
1884	Mlopkm32.exe
2988	Mdehlk32.exe
1520	Mplhql32.exe
2844	Mmpijp32.exe
2000	Mmbfpp32.exe
868	Mcpnhfhf.exe
5092	Npcoakfp.exe
2272	Nepgjaeg.exe
4372	Ndaggimg.exe
3184	Njnpppkn.exe
3624	Nlmllkja.exe
3776	Neeqea32.exe
1128	Nloiakho.exe
4352	Nfgmjqop.exe
4676	Nnneknob.exe
216	Npmagine.exe
3264	Nfjjppmm.exe
3516	Olcbmj32.exe
4420	Ocnjidkf.exe
1148	Ojgbfocc.exe
560	Olfobjbg.exe
1624	Ocpgod32.exe
3976	Ojjolnaq.exe
1076	Olhlhjpd.exe
992	Ocbddc32.exe
1048	Ojllan32.exe
1328	Oqfdnhfk.exe
3508	Odapnf32.exe
4564	Ojoign32.exe
5056	Onjegled.exe
4760	Oddmdf32.exe
3700	Ojaelm32.exe
2160	Pqknig32.exe
2188	Pgefeajb.exe
668	Pjcbbmif.exe
3460	Pmannhhj.exe
2860	Pdifoehl.exe
1612	Pjeoglgc.exe
1172	Pmdkch32.exe
1700	Pcncpbmd.exe
1956	Pjhlml32.exe
4988	Pmfhig32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lbdolh32.exe	Lgmngglp.exe
File opened for modification	C:\Windows\SysWOW64\Mmpijp32.exe	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Mmbfpp32.exe	Mmpijp32.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Kfjhkjle.exe	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Klngdpdd.exe	Kedoge32.exe
File created	C:\Windows\SysWOW64\Npcoakfp.exe	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Djkahqga.dll	Kbaipkbi.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Npmagine.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Klqcioba.exe	Klngdpdd.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Kbaipkbi.exe	Kmdqgd32.exe
File created	C:\Windows\SysWOW64\Kdcbom32.exe	Kfoafi32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcbom32.exe	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Ojleohnl.dll	Kdcbom32.exe
File opened for modification	C:\Windows\SysWOW64\Mplhql32.exe	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Jbjcolha.exe	Jplfcpin.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Neeqea32.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Blleba32.dll	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Ncnaabfm.dll	Jplfcpin.exe
File created	C:\Windows\SysWOW64\Gfkfpo32.dll	Klqcioba.exe
File created	C:\Windows\SysWOW64\Lpqiemge.exe	Lekehdgp.exe
File opened for modification	C:\Windows\SysWOW64\Lgmngglp.exe	Liimncmf.exe
File created	C:\Windows\SysWOW64\Ndaggimg.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Jmmjgejj.exe	a830e62e93f1f14b2225ae43d626e15f6eb727756c2302d27e21d4e723e0feaaN.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5572	5480	WerFault.exe	199

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekehdgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfjhkjle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdcbom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klngdpdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfcpin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmdqgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a830e62e93f1f14b2225ae43d626e15f6eb727756c2302d27e21d4e723e0feaaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmmjgejj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojhkmkj.dll"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoqfnpl.dll"	Jfeopj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhaomhld.dll"	Kmdqgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a830e62e93f1f14b2225ae43d626e15f6eb727756c2302d27e21d4e723e0feaaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippohl32.dll"	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Qdbiedpa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 4908	2864	a830e62e93f1f14b2225ae43d626e15f6eb727756c2302d27e21d4e723e0feaaN.exe	82
PID 2864 wrote to memory of 4908	2864	a830e62e93f1f14b2225ae43d626e15f6eb727756c2302d27e21d4e723e0feaaN.exe	82
PID 2864 wrote to memory of 4908	2864	a830e62e93f1f14b2225ae43d626e15f6eb727756c2302d27e21d4e723e0feaaN.exe	82
PID 4908 wrote to memory of 4524	4908	Jmmjgejj.exe	83
PID 4908 wrote to memory of 4524	4908	Jmmjgejj.exe	83
PID 4908 wrote to memory of 4524	4908	Jmmjgejj.exe	83
PID 4524 wrote to memory of 4448	4524	Jplfcpin.exe	84
PID 4524 wrote to memory of 4448	4524	Jplfcpin.exe	84
PID 4524 wrote to memory of 4448	4524	Jplfcpin.exe	84
PID 4448 wrote to memory of 1892	4448	Jbjcolha.exe	85
PID 4448 wrote to memory of 1892	4448	Jbjcolha.exe	85
PID 4448 wrote to memory of 1892	4448	Jbjcolha.exe	85
PID 1892 wrote to memory of 3600	1892	Jfeopj32.exe	86
PID 1892 wrote to memory of 3600	1892	Jfeopj32.exe	86
PID 1892 wrote to memory of 3600	1892	Jfeopj32.exe	86
PID 3600 wrote to memory of 3048	3600	Jmbdbd32.exe	87
PID 3600 wrote to memory of 3048	3600	Jmbdbd32.exe	87
PID 3600 wrote to memory of 3048	3600	Jmbdbd32.exe	87
PID 3048 wrote to memory of 1356	3048	Kfjhkjle.exe	88
PID 3048 wrote to memory of 1356	3048	Kfjhkjle.exe	88
PID 3048 wrote to memory of 1356	3048	Kfjhkjle.exe	88
PID 1356 wrote to memory of 2192	1356	Kmdqgd32.exe	89
PID 1356 wrote to memory of 2192	1356	Kmdqgd32.exe	89
PID 1356 wrote to memory of 2192	1356	Kmdqgd32.exe	89
PID 2192 wrote to memory of 4500	2192	Kbaipkbi.exe	90
PID 2192 wrote to memory of 4500	2192	Kbaipkbi.exe	90
PID 2192 wrote to memory of 4500	2192	Kbaipkbi.exe	90
PID 4500 wrote to memory of 3328	4500	Klimip32.exe	91
PID 4500 wrote to memory of 3328	4500	Klimip32.exe	91
PID 4500 wrote to memory of 3328	4500	Klimip32.exe	91
PID 3328 wrote to memory of 1984	3328	Kfoafi32.exe	92
PID 3328 wrote to memory of 1984	3328	Kfoafi32.exe	92
PID 3328 wrote to memory of 1984	3328	Kfoafi32.exe	92
PID 1984 wrote to memory of 3044	1984	Kdcbom32.exe	93
PID 1984 wrote to memory of 3044	1984	Kdcbom32.exe	93
PID 1984 wrote to memory of 3044	1984	Kdcbom32.exe	93
PID 3044 wrote to memory of 3732	3044	Kedoge32.exe	94
PID 3044 wrote to memory of 3732	3044	Kedoge32.exe	94
PID 3044 wrote to memory of 3732	3044	Kedoge32.exe	94
PID 3732 wrote to memory of 1144	3732	Klngdpdd.exe	95
PID 3732 wrote to memory of 1144	3732	Klngdpdd.exe	95
PID 3732 wrote to memory of 1144	3732	Klngdpdd.exe	95
PID 1144 wrote to memory of 3932	1144	Klqcioba.exe	96
PID 1144 wrote to memory of 3932	1144	Klqcioba.exe	96
PID 1144 wrote to memory of 3932	1144	Klqcioba.exe	96
PID 3932 wrote to memory of 3764	3932	Lffhfh32.exe	97
PID 3932 wrote to memory of 3764	3932	Lffhfh32.exe	97
PID 3932 wrote to memory of 3764	3932	Lffhfh32.exe	97
PID 3764 wrote to memory of 800	3764	Llcpoo32.exe	98
PID 3764 wrote to memory of 800	3764	Llcpoo32.exe	98
PID 3764 wrote to memory of 800	3764	Llcpoo32.exe	98
PID 800 wrote to memory of 4264	800	Lekehdgp.exe	99
PID 800 wrote to memory of 4264	800	Lekehdgp.exe	99
PID 800 wrote to memory of 4264	800	Lekehdgp.exe	99
PID 4264 wrote to memory of 4584	4264	Lpqiemge.exe	100
PID 4264 wrote to memory of 4584	4264	Lpqiemge.exe	100
PID 4264 wrote to memory of 4584	4264	Lpqiemge.exe	100
PID 4584 wrote to memory of 4960	4584	Liimncmf.exe	101
PID 4584 wrote to memory of 4960	4584	Liimncmf.exe	101
PID 4584 wrote to memory of 4960	4584	Liimncmf.exe	101
PID 4960 wrote to memory of 2012	4960	Lgmngglp.exe	102
PID 4960 wrote to memory of 2012	4960	Lgmngglp.exe	102
PID 4960 wrote to memory of 2012	4960	Lgmngglp.exe	102
PID 2012 wrote to memory of 2336	2012	Lbdolh32.exe	103

C:\Users\Admin\AppData\Local\Temp\a830e62e93f1f14b2225ae43d626e15f6eb727756c2302d27e21d4e723e0feaaN.exe
"C:\Users\Admin\AppData\Local\Temp\a830e62e93f1f14b2225ae43d626e15f6eb727756c2302d27e21d4e723e0feaaN.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\SysWOW64\Jmmjgejj.exe
  C:\Windows\system32\Jmmjgejj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\Jplfcpin.exe
    C:\Windows\system32\Jplfcpin.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\SysWOW64\Jbjcolha.exe
      C:\Windows\system32\Jbjcolha.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4448
    - - C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
      - C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3624
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:560
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        62⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        70⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2328
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        74⤵
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        78⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        80⤵
        Drops file in System32 directory
        
        PID:900
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4516
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3504
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        88⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        89⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        90⤵
        
        PID:848
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        93⤵
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        94⤵
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        97⤵
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        99⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        106⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        109⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        113⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        117⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        119⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 412
        120⤵
        Program crash
        
        PID:5572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5480 -ip 5480
1⤵
PID:5548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqimo32.exe

Filesize
323KB

MD5
def769b0f9e7b94dd09fa431096038ee

SHA1
9d9811975b1b541db5cf89a0d810c9ec7478acea

SHA256
64c39f6dbd73921bfca886d0496fd85e4d896cb85ade0711d91a2202c83a0c5e

SHA512
0c0ad2842b0c72294c6d2bec8cdfcac5f502a90cb95f9e40606e19580d0d5c8c7cc6f32bff6316e86b5a526ad49823c6363407c8aac35550bf137e28dd3f2d0e

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
323KB

MD5
f58c3d5194f4b1fc89e9f6ba39282087

SHA1
815aa62575c1e2a44489148daf86765f31890202

SHA256
48fae089aab3c77ddb2038f5ad56b64b57ac4561e16dc8440e2b8fa244bb2ae1

SHA512
7eb4ee07e8f1186d40d82fafba8c966407a743d28b9ac0777155284a519de13c77730743dd93d6acf5e7bc5ca495a41a1376b86bada64a02d191f0385c25be32

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
323KB

MD5
592fb4b1de6e3373a8163d9ff8b70b2a

SHA1
a345638c2a2da2732eeb9182184b378932aa68e6

SHA256
5652e331b6b4a811d8afc03608520a61567894016cceddd9c58a5845c5e33658

SHA512
c615e8d63610c71df7394e37c94a7787b79d130f00642beb904c46f309cef07a9b3b50d82f7abbf4891c5853f5579904572ddf8bb63a0b19c4765fa3128c99fe

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
323KB

MD5
54e83a0a51ab2e87d65271946a076426

SHA1
c437f51f012315e6ddd5c89ac60e59fe59bcfa11

SHA256
0bcbd127f5774fcd8269245df6290c627320b11d41674c5a33bb52b954975bde

SHA512
47b70fff2e5870ba92edf361b35d508afeeb2ba041a3f9bb3df638d18091a6ab6b1b76a4be707630adbf035fa2e71115caed3b96ba46eb603dc2fc832e830d61

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
323KB

MD5
83605b2053728eb6bd5999ece56bcf4a

SHA1
8e798c819c33c8f11dece3251bba361441394245

SHA256
d44ddd8a62f39db5c626ffe35220b047a70a40d75d1ccbf180f2a26e9842404f

SHA512
afbab6205b0e94e738141cbc4fe1642406da2b5119a4532dd0efcc6b0444ed3a76ea263afa455d0d02d276838602159d7e92ee511fcc17892189d331c0381e0e

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
323KB

MD5
cfa1e97f076a1f1953c620750cabfd62

SHA1
abddd8583197a4fecb66ee4c9e727ad60730b7b5

SHA256
5aa4bcb75757535223272e503e155bb7a995411fcb8ba7104edc74d75444f05d

SHA512
6341001feab292f5e4cd1edda5e0d2878d295e528da4f6630d48725cc1944da089043a62c5be104eca32f17b0078ae7e06e595d213e6f3b9c87c9ce65383ab17

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
323KB

MD5
360a73c17a11bb6e8bd55e8f70e46a1b

SHA1
cde7cf2f10acc29a67613638f05fa22f44cd70f6

SHA256
80cb728bb972efe33c8fcebe96721a730fa665d01571b04dd475b11490d70357

SHA512
08a906362fb89a5896e7b72dba54bdaeb3a6fb88961b0cf5fd373a0199a06056687371d927c5399cd8af4a2ea85583b1f0b79abf6eb5d2de1d7b7bb312b3a78b

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
323KB

MD5
5ff290d647887f21238edafe1481c6f7

SHA1
b45082927683abdc88c7cd25614270b89da05662

SHA256
f8d4ef8fad9134daf520382ee2933bb8e54cd725bbe172a9fd9bb52f4d653371

SHA512
760ef59be7059bde125784e4a728de375af3cd2e786f1bf6ac50317f8da20885c93bc219ccc046cda3ac1bba0b50f2fd665cf52e8289cc7836054a44e3ff7cbe

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
323KB

MD5
e518971e83d0a21f67dc83e1c521f089

SHA1
baf6280c2a734beb2a2cce4a23e09e224f94ebcf

SHA256
71722fd7507f269e6a98e07c325a6c62e6850bae93ac67430d3555001f2014e7

SHA512
bfaeb53ce25cdb5b65028ea9c7d111942279892474fa594569cda981e8d50594d1880c6c9a6fd02752855d3a385e1051e7a446241271a77611ba3321ffd0af63

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
323KB

MD5
509674712ce268b913a604017fc4eb18

SHA1
65dadaa2108004fd199543a762f2ae139ecc5fd1

SHA256
6dbac92207d0365e5493d7fd427bef858e932e35733f5a5b3e70c6b6fcf76e95

SHA512
3827e8fd0066e6a304311ef3dddddab257f8f0579f180048f9be24a1a8668cdd0a7322f5780d1f06e6dc872d2587236083b89aa8500d39c83abfc112572cdd25

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
192KB

MD5
609caf17d894df0a1a01f3a2a21a671c

SHA1
ae456906a7002da8e1ca5f10d50f6e2ef0eb66b2

SHA256
d20b8d5a5a121d3c12bd1b8e130355c4eda61f0d5470da6a730a27dc92efa4d3

SHA512
0d9ef695690c28e6df8361660aed74c3d958d9e2d554ae19a68979590dc93efbb0cab3334a03e6aeacf30f3e4e5ef51264f076559a59483c9d3cc0d27bcdb378

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
323KB

MD5
68dae19a12e7533f37e4929a4cf58258

SHA1
f69c822103696e2248821f9b3129e641d3ae691e

SHA256
a403b5f607866ae8a22f8b5ba7fd705c3e2d828d01a3022a74d3179f04b91c86

SHA512
140833535610108133047b1e8896b31eddef998ba42281aadc261f3e423c63326d009c2c89ff0be4cec8c022d092e5c6aa067c4bc8f346b98ad8e9f31246d797

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
323KB

MD5
efd6fbf5594289e34867c2d65517deb6

SHA1
df4437c4c274bdaeda36a876541705c864643f63

SHA256
827b17660b5123d5397b0babe9d1ef4c4b0ae25179cecfa729bb9e6d8a6441d2

SHA512
adf314e8fb2ae4c09f28fedcc98257d87f8d9e7b185649c414be2172036d132036cf638a2586207c77bad5df5ebee8f7076003457b603ddabd4b1491a410c96c

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
323KB

MD5
a87a23ec56ee85e011811cd51b447269

SHA1
80343829e36219481c6ea639520cb2c923f1cb41

SHA256
136ddcf1273927fb9574ad9c3758830149e645217cb415815edf1ddb88c77294

SHA512
2633828bc715784aa5759d7ed0106b6494b45d620a3bf73d3b6c7d4d119baa07932e9f9148cbbbf65d273e62bf202715e26c732527d1a00114e8f149962be511

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
323KB

MD5
e5c74a8468c765184267fb497420bce1

SHA1
de724a9df6b563e91508884be8c28b33b3b77be3

SHA256
79f8f3fd152189ec6334a065b4c590c38e58673f99196503aa787dcea7b415e4

SHA512
f03417df3516bcdbec04adccabe187aa14f5f52393f1ac123aa11da8590ccdf0b50a757e7c26d69349238e06d4b566d099bb657964dab03a87cf1d79520a1df6

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
323KB

MD5
6965c540e1049f8ae996d565fce6b6b5

SHA1
af743aabd2c7f9a1f38f1dd56aba57066f2cb000

SHA256
ce752fc65715d3c88b7f2a8ada0e9f5387694da56cc80ef6eb2e2e74968bb59d

SHA512
a9080ba41f2c4758b33eadd29874bddda644534abcead2449bde2ea90bded3d7829bc078391522105d91316e122025b2b9e3e0651b9c85cd93566450413bb695

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
323KB

MD5
8bdbf2b1475cbdbf83127bb2b6e3b875

SHA1
d5a623a300386ec50f5604f1b7cd441db1ae033b

SHA256
b08544e6ffd3a4751666340f0f10678b7a120a37ad730aa26fc47f3c7a6ffd59

SHA512
e68704d509899d158c793265d1fa61241adbcc28972bd42251e4c381907fcb41bd3f796fcace2940a7a166e130aec8894242a78ba522aaf155ad3a0e4e7f1140

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
323KB

MD5
4d2ce3053e2859742d2f1a756c5065d0

SHA1
332f5a6899df15a0ffe7ab3d87821650fcd7ebe2

SHA256
390501e77ba78416c087549a12a5a7214f62f87f33645b30caeb2318815bfc2b

SHA512
a3bc7551547f11163864eef78a7303c2f0afc5ca105f36f211bbe99bb8925a0af1f94e6f166f0392808cfd9f9c5ce60dec40447bc9e4224aeb3e1ed2013c83ac

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
323KB

MD5
d7d6cc5ac607ef087f2c8fe78aa92606

SHA1
d725dca4961d1b06c87552f6b1cbe3a88fc036b8

SHA256
7d073c0494c05b27ef69631fd349e24e1888446d70fb0db22df3d08156c47b76

SHA512
f6aadf90b57aa356bc21971f1497cfd0ee66c458ef59a9fa0abc32267f7d0ed8e6575a5bc8c6794585a4d2f045089a49bc155313441af07a569ebb61085e494f

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
323KB

MD5
95c837c73d73484a9f93ff6d6ecacee7

SHA1
68a095430fb02af9dee9158a88c4970f81f034cb

SHA256
18b7b4ba19d3d9bceae8dbcf3631c2958abe44b38049ae26ff484e56075127e1

SHA512
c81840f773b6f37a7209795fa83df46203d7221585fc8c4aef965520e81bc591913ac9b0f12e9f2c1c184e2ca7f2ecc8cbc98177cb3a6a67f066901c0f98591a

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
323KB

MD5
e173b35c1f9f3b3bfc6aa3777d3a230d

SHA1
8223b9f4535f79b311d182a10a5fe7b3cdf6b41e

SHA256
deddd6b1a46500d354556a3a1090e29f5badaa22eccb671a14e6102f043feef3

SHA512
926ce0d50ef11e1369889094fab3dd2fd7c2bb841a659d4844ababcd3c5d3022f82083212689c3320b8532e836335210d4c33b0bf3cd89a0d5780aef3a8dd321

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
323KB

MD5
0c9bf5e77ef6c049b18c9a220ef8c1e9

SHA1
1a96183d4398cfb3627c8b341c3ac36ea4c04ce6

SHA256
a7f541aa015d5e9e76f0a2b5eef7b5fa70ca5d66a61aa516e74858770b410570

SHA512
d3815cbd214d1918cff88e1831dc42162c546661daaa40b7b0ce91854de5ca58de1ed5d722bb4b5ba95bd68fd9f4ba6aab311315eac32ab2aa614e69b1cb463f

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
323KB

MD5
debced54d609a0f42d37e7d55140cbc4

SHA1
709da3a51953a44b291688beeba18f15be6a427e

SHA256
4f8068d2eb3f5d00f364390e8550c10d672fb0fa6c085bf74c24f63d6505c525

SHA512
23241c86a936298a21361136d757e28b170391470f1bd4d6b3f701cee4d278e5f5b77dde29044af81e65fc6d11cbb95b3f8f807218c168621a709186c111c350

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
323KB

MD5
eeac3b039b2b08b3b2159ed297399d8c

SHA1
b6345611f3277c422a7ddff6aaeeff9fbc1d9d61

SHA256
c337d7dd12a6979835c0d253f63d3ecab290214376409b25eefb5fb3858b47fb

SHA512
4dbdf27e28dbafae36eaa776dbb86ba95ab78e9941f2c64c2fb40dc88fd995e00daeac1cc2282a625de828438f390e2973d34528196c1bb58ac5b8a77040ed6a

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
323KB

MD5
d48a9ce90d922a59221407b641772641

SHA1
d3c5f4b5c060906eebc17313516f5ce7605a056e

SHA256
6440a8b3957493de86a24b0929a90a441d30c31ab9c48c26cc1bdbaeebb45143

SHA512
1a8ca7c34e6862927cfb29f761ee94d7f0b69f352d9f26934d833cb04cc264c4586b0780eaaec7eb334d1a75c8299c1bc8c029d9c3f2f95a45c4c05ba22d77ad

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
323KB

MD5
0f11682efc2a1884c3ba845092299fa4

SHA1
6167c247b79d3d220832662cf04277c09c48aaed

SHA256
a229036a6d402fe772ee460b0ed854e1cf86d757087c3d4b59f282ee8a8ed46c

SHA512
a71d25aac9b94104005556c2db54cb3bcc4c4644354f059aec3ae1cdd3388e9a4910d08f24c3fb4ddf614ad1b9510906f7358d39f45fe8fbdb96833b58039c68

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
323KB

MD5
f8899067db8c3a8aca7763d050a3c6b2

SHA1
4d44ca581f5eb33bfed64192e6811308b2903165

SHA256
c9d81a53de45ddff5fa80a5e159170859afda18cff395cf7d6a131353ce61574

SHA512
3999d889a1a6bea1fbc868e615c287bd38745955fe7a2aa744ae385965e23dbd87c42463b0f34e2ba7fe9f7b924ac411dcf410f39d64a2c3684265fbbb994e26

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
323KB

MD5
b5f633773ed9a83cd49417b0aeae2591

SHA1
bd09d9f96c23afda05a96073b910ca6148ba66c4

SHA256
a9fbb7b445645b8815136f33bb70af5d5adf1285546b77d72895481704c3bd70

SHA512
d8e8ee4d6e2138401edb4206e486cde8a507d2e9913e3fdbdf3fe6ca1801d8b6cb586cb5f84fd0bcbed690bcd9b969b72671c94b44baeaabbe1d47ad78ae398e

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
323KB

MD5
2d7e4497da6a28a7112baa4a76af6c30

SHA1
8088ba2f89ddd8a62d063d23fc5b043c6ade55b8

SHA256
f90fbaf041b49573b46173f121f450e482fed6516dde2d8602921ed1c4b8f3e3

SHA512
1a184dbb13fe16451ce1e74990e3e6631fbf67a66867ed6f28d1002da6487dc69bc0ac2c285df42d943c4e8fd611a9ec4fc1ec6050fa88aacef0b100b11c8697

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
323KB

MD5
78f429a36887e5cde7b7ce83839377cd

SHA1
440b9e6b365046f170d07d6c4ae44affb8a9fba8

SHA256
81ccd12f77f4b2ae1642cfbf6a96d1a35f8534f56ce6222d8ef8ac010883a844

SHA512
8c3a1cff3b34f83cfe712a797d0b46dfe063983dca128935be821a05fd62b74b4bb4fe93906ba05bfda38506a6156ef377f88c34ca3d6f1f6dfa684f719d9f0f

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
323KB

MD5
110e2a32350896cb9a4da09e13d4b90b

SHA1
793461528f9d56ce7a42b87272135091c57a04b2

SHA256
623d319f412abfc022a0a29ad5863caa2c7d174c372fd70adb83fd5dbe7fe107

SHA512
14f8024a81c781cfad76706783c341d40a04274ddd40d51f167a968a82892bb38c935ae484153909bf2139f53557be3eada4c8e8ead348e9c11b8de6dd68c4f7

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
323KB

MD5
5ab691d2b780dc4cdb6bf1c63160f979

SHA1
ca4658a783eacf032719d9df4487b3583fcca3f1

SHA256
5e801045c30b829b7904aeb2c82a69b96236d43f5846b719dfed52ee2c82ce79

SHA512
7b4c0c90c43dcf070e08865ab1c1a473b4eaf69f1a62ef6c87419269999b510d64d5882261171d674365be63dd7d6d0b5c25ed080bee8e2b2dac0800795763e4

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
323KB

MD5
0595f2d91b696be7ecb5369a74fdca64

SHA1
d09aeec7b883c322fa48a396266cb96fa280d5d4

SHA256
467c582220e6b715f4f209270b756ee03aef6a9169a4120bd5c95fda081abfac

SHA512
3536968c99f649d950b33ab94fccffa7b149a598ce617ab63d7238dfeee782c66a84496a1bfb4a1eff04d51fef5388f9cc74ab4616d4825ad677a39fd53074ce

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
323KB

MD5
c1a8ede95ca3ead3cd9ffa1ff41e8eca

SHA1
1d8b9a91957a11289c6052b6ccf45b80a61be40f

SHA256
dceb8ca846156231cb17b93c77c088138ad3ac7ea6c4f8277503d41c0b29d892

SHA512
dd46d23a36d6403b5ec38410fe536071fe7a69fb6eb4b533738b68fc42a0a45a4d692bb1361199813737f600f768cdfd0a67efc01ee8363c9c0ac67527c64336

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
323KB

MD5
30328daed0160c206d423d95361addaf

SHA1
d8203bbbd84e58fa71a44f6a00c069287772c2f2

SHA256
96b564bb20269c0a38a46ba8e169df5610f2207193692cebbcb0b83f55f71888

SHA512
ea272568df2e08742ca10fb6764467e1803007c41b9b8cd7d1f1f41d06fd48973c9768c37953e9529c54f021c11b4dc2767d775611a99bfad19803e32760cce0

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
323KB

MD5
59ce39f82435e25b2f8ae563480e1965

SHA1
9ede755f4f31898ed6606a2147fcc6047796023d

SHA256
45b129025f936bddc40bc0f1f17c5a71b21decd2978f61f73acaa7141589cefd

SHA512
7b50edb640917733ef751c74323aa467da2ba2c5dfc40733e9acd772fe2de91e52737e5682540726b9e99bb4ae7a73115e9e8c64a2e94576ed066460ed20ec44

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
323KB

MD5
1f2ab27ee7125d43f3136d7ea88bb5e3

SHA1
9c2455ddc1bd98681f154ebb52a41c033e728dc9

SHA256
f4f924656bcf179f7f18f1d51468f6df1413f1051766bce92c24c29e6aded1c9

SHA512
76275b556e22c6eb5ed76810a9d2ae076f07314a8314ca1cb4c55fd29c8515d645d2a26f4df7b8de9f72ab61ded5fcf6bb915b9218a047240b408b70279434e2

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
323KB

MD5
50980391268ce5fcc7ae95b0cdc8defd

SHA1
dfc0237b623aba1a958a30aa8b4b5b600190d195

SHA256
aff861b38dd2d0922797045aad4b993b2c38fc895b88b7fab62cb0faeb705b28

SHA512
e6681038190f96e69783acb7b1f66b1e5c0210c2ca82e7d5578d605dbd3e09141129cf8b29f04840b8be46a18a1c6c82791b321bf06f4b750d75560cff91e623

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
323KB

MD5
3d9e29d76ae5b55b87ba7cbeaaaa31d7

SHA1
6682be90b56e49b24fb088e7dcc4de434f7bd42d

SHA256
aab810123171504ae7524546d69a65a5489b3c10b0a29b5aaa665b45b3de12c3

SHA512
6e56a8bf985affada346d20aa7e91726b57de698551d20947cc02575b725a9a7b61d367a4ad4d7575c42e27d4ca1b2ea8aa3defec9f9f0db92107abaf33b495e

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
323KB

MD5
595ee94dcd557700d97b40bcefb83001

SHA1
93b2a48b105ec88b41f9d71c577a53e898cd8507

SHA256
4b3c0ad0a1270c760006ece8da54df31d489f6f6f892c6b6f31e157f03dc2354

SHA512
85541e0caf17bfb8b8e4ea7d5817e217b2f2fb4a769fc5d8f21051a11d1ebbaa69c8e9ab17baf1183d658d7c3f4c2b45d8f29e70a990c71028d147bdd1f68f26

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
323KB

MD5
26898a7a7dcc93e4764820df2a4d3aae

SHA1
ccc5798f3de3f8e4c98b354a75dca13a46a64339

SHA256
7ab12dc9957eb65c9d48878a1413f1ae6ae6fb7a26be7547c22af5471da967af

SHA512
5d2ed8f761c8faf97c838e0f8380d40c27328e7d2bee4ec3b763187aad7a636055cc1e03b17dcd5cf1131024a0143fe053b65330050593a8e975d056074d19f9

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
64KB

MD5
eeff56c81ab9214c6a12d37102408351

SHA1
2a0b77ffd3ca16aa333e656174aa1a8ae1844aaf

SHA256
7cdd3c78d5a8884f133dc84fbd8eab8d0fe00082046f92395f1404475342bb68

SHA512
15a291af335c97a07321b5720ea5edb0a1fcde07f4a531b286c107508c18686628af983848ca0f2bbac5d223e97a2c51a805535cf02fedc902c1b11fbe1cc5f4

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
323KB

MD5
a7f394d6c52234a07855c68d42cc36e4

SHA1
0f47731b3b2c450cc8acc795800e9852adb00c08

SHA256
429cdf4d7c0e184fd042088106af3469218125edb0e430ca87bfd1b02c809b3d

SHA512
fa9c86c28b1abe2205aa77b26b7ce7a228b91f92786c1301defcb4d057aa3f9fc7782644b948ae54bb1283cf395c42fa63bb8de70a8e4a7f6227ba834a5c2059

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
323KB

MD5
c3edc716e23609eddc17fdbd596fbf4f

SHA1
d3576828ffb1514766276df3979fa17ab3d261b9

SHA256
e201ba284fb1a9f32a9fc71b9889383ec8527e5fc5b6cf6065a7a68677fdc96e

SHA512
09172116c4022aa891a230edd997a2ee93b35312c9d08e9a84d769bc68d0029665dac475c2e50e61a79670d4b4379de3f96f7737cd32996a7deadb5c8efba59d

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
323KB

MD5
de1ba47e17bf49fbe7fda546917ec7a7

SHA1
11c1f245faeb44c0d2907aa4fa58984b945a5b04

SHA256
108ac95b7825b32c7ffc8d2757b45e82b402f0312a639b5067008cf83d072af4

SHA512
9e3b4ac127cc6b0531dfc42449e3aa5c581a1f727b884dca82eb598c37f2ad1decbc2bfb85626f95cebd0abc76030c08a14fc11b22fdf3ee86c83579dc93bcc7

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
323KB

MD5
c00dd8a473fc3203c451d8a87afc8fd2

SHA1
bfa3a0f68adcfc9562e8f689d64d62529d0086f7

SHA256
a9c6ef5e95f5ed9c140a4c33e3dc61325cf344ffd93b39c1e81d2da0c848f1fc

SHA512
fd6073757ec6631df397a61f05db96683c7cd9826aa4b316a3153493b22148b1f1ff24e7c1b1742c3f72c211338ce6c2dc0f38f35b3b728f300daaf2d759cd6b

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
323KB

MD5
896389a5ba2ec4d8eb9e2d50dfffccc9

SHA1
821305b7625df04e2b6969aa473ea6d7450f5a59

SHA256
3026da62f53dc96ce0bab4d2ff11f2d54d7ea1cbde6f9cfcb03ccf4b513ae363

SHA512
a656789b3f81e37cc030fd4cefc20d8908ff61901df9d5a4f604032352b535ba108654b6f27e9d9f18df1a7a4d873973d6cafb9e2a87e42346c379b04a03d2d5

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
323KB

MD5
2f49923479e3d1c161892cac47aa12f7

SHA1
7a6d68efbc2ddd17881327d8c0a454e9892defeb

SHA256
2eeacc0ff75331712731eee23ab60cbfcc1fdb4ada408e875fee006c5b2dbc27

SHA512
8b2b3014a9e814a69b0ded2a3274c7d7230f005a49a913608c8c973844679fbc38f4c8b0e24bea30a6124d8951745ea412351486486ef240d92d757d38fcf3cb

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
323KB

MD5
c3b0eeb2f1215299c0acc5a59b81cd01

SHA1
5ba94a6ff0e7806f19cc8c449e360cb708c08c22

SHA256
aa9e44c368b56eeedfee2dad2a07f5e7ae27bb49620086a8e592874c071612e2

SHA512
a3ad58dc7b0e1e3c6cb185abbd293e4cb5390d5b7c5c08e440b742e6781d6c639e802d3c68a2c3ce2b06c053cb52ae3526c456d61cfbb52642773f8f5b696641

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
323KB

MD5
ffca87fbf131392699f7217a155f2b8d

SHA1
b752a4890d8b95f93fa71d487172a93c5d139b28

SHA256
cc3e709247e5457654c6e92048eaf58afe074149fe047a98932b3edaddc156a7

SHA512
761060ae600ff58098a24078603e7ed704ee69642a48fe8202d0acde21d0d5974485f3b85ac22f08220085ea4ff59f249beea0d9c6eb1472ce42e8b1ff91abad

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
323KB

MD5
a149092f5d5adbd232dbd1cf39d31151

SHA1
7fd5e17a34bb699aecf95e4054a2a357db7ea346

SHA256
2b95ce1a9fd0c44872ebd980cd160a8fe0cb9520c82234a542f87a8c86830c3f

SHA512
879e0e5939233e0af7ed35f52606cd02ac2572d9bff23007bba3a5a4ded96321aab2c43cab490171a3832d420f1f6c345523354cfd939e4369a5942c00fdb60c

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
323KB

MD5
70910c915d2282a7c678570b27639133

SHA1
7c54740d04b0924312018c15034ab848c4cf0fa7

SHA256
fec26c168491399a90ab72409e5bc3827576a2c749cdcf0254169bf432cfc83c

SHA512
97f47cab4b3d7b3d7281e50f311a6a553bcb56cb4d3680435e0056f96e8911f2ee6a2d8a71d517511b8d79defddfbeecea1cb2f506583da804f3f39e3c73fed8

Download Submit
memory/216-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/560-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/668-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/800-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/900-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/992-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-905-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-854-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2988-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3328-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3764-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-882-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-853-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-11-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5216-823-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads