berbew | 29574850d388bf1f9357a1a9404bf81de615cb5c9c03f04d4db7f63afb3d68ad

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/12/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29574850d388bf1f9357a1a9404bf81de615cb5c9c03f04d4db7f63afb3d68adN.exe
Size

74KB
MD5

f9aa2d3d812b093f55774f1089b33f30
SHA1

1e46b011657a5e4e3f440db8d88b417173c2a955
SHA256

29574850d388bf1f9357a1a9404bf81de615cb5c9c03f04d4db7f63afb3d68ad
SHA512

4ce637c5480cd952c2501a0c24aec2ca9508d5e33a6dc9315592ba60937f9f0a4c720a4aa225f70105b36b1d04a6a26b539172660bd6c020d295ce21a280e9f3
SSDEEP

1536:7G7NVA3Vxi65ksJHkMHx7OmVozXAyfBHnOooDxHKsv3n:aw3Vxi65kEN7OpQlMY3n

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojljpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abajahfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbljmflj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgolnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhioblgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lppgciga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgdmjpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjjohe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnnfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Keappapf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajcigf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmdkpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnajk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjemfhgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Didnkogg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjbhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddlong32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Loeceeli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obbeimaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqfblcgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjqei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apndjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amfooafm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmidknfh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dalfllhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhbaijod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dancal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kojdig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbbnpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banjkndi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfnhbngf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnnnllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pflmkimc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffihe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bakmen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcjide32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhldoifj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abajahfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckfocc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lonndfba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njbgik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbbnpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aihfhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baiqpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqhfkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obphcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbachf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmkaqnde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khifln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kojdig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcjbkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojecok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofbjdken.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnedfmlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qiocbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llpahkcm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfblcgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppmlcpil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdqpbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkdkeaoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lekbfpgk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppkonp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdgmlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cikkeppa.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2564	Jpnagl32.exe
4112	Kaonodme.exe
2028	Khifln32.exe
3280	Kocnhhlo.exe
2160	Kaajdckb.exe
4012	Klgoalkh.exe
4336	Koeknh32.exe
2840	Kikokq32.exe
3320	Klikgl32.exe
2816	Kcccdfqb.exe
2344	Keappapf.exe
1504	Kpgdmjpl.exe
3936	Kojdig32.exe
2880	Kedlea32.exe
3240	Lajmkbcg.exe
1700	Llpahkcm.exe
1028	Lonndfba.exe
628	Lcjide32.exe
1812	Lehfqqjn.exe
2812	Llbnmk32.exe
1492	Loajjf32.exe
4864	Lekbfpgk.exe
4620	Lhioblgo.exe
4408	Lppgciga.exe
3252	Lcocpdfe.exe
744	Ljiklonb.exe
1236	Llgghjme.exe
4184	Loeceeli.exe
3752	Mcclkd32.exe
1976	Mllaci32.exe
4588	Mhbaijod.exe
3220	Mchffcnj.exe
2484	Mcjbkc32.exe
4876	Mlcgdhch.exe
5112	Mbppmoap.exe
4644	Nqqpjgio.exe
4648	Nbblbo32.exe
3404	Nfnhbngf.exe
2400	Nhldoifj.exe
4400	Nbdiho32.exe
1232	Nfpehmec.exe
4344	Nhnadidg.exe
3596	Nbfemnkg.exe
1708	Njnnnllj.exe
2576	Nqhfkf32.exe
408	Nicjph32.exe
2588	Nqjbqe32.exe
4028	Nfgkilok.exe
3516	Njbgik32.exe
3384	Ooopbb32.exe
3816	Ojecok32.exe
1068	Omcpkf32.exe
2876	Obphcm32.exe
2728	Oijqpg32.exe
1640	Oqaiad32.exe
844	Obbeimaj.exe
2272	Ofnajk32.exe
2412	Oilmfg32.exe
4436	Obdbolog.exe
4472	Ojljpi32.exe
4592	Oqfblcgf.exe
3620	Ofbjdken.exe
4880	Pmmcad32.exe
2004	Ppkonp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Njnnnllj.exe	Nbfemnkg.exe
File opened for modification	C:\Windows\SysWOW64\Cdncliaj.exe	Cmdkpo32.exe
File opened for modification	C:\Windows\SysWOW64\Cinhjp32.exe	Cgolnd32.exe
File created	C:\Windows\SysWOW64\Cmkaqnde.exe	Cipepo32.exe
File created	C:\Windows\SysWOW64\Klgoalkh.exe	Kaajdckb.exe
File created	C:\Windows\SysWOW64\Hnjdme32.dll	Kcccdfqb.exe
File created	C:\Windows\SysWOW64\Lcocpdfe.exe	Lppgciga.exe
File created	C:\Windows\SysWOW64\Mllaci32.exe	Mcclkd32.exe
File opened for modification	C:\Windows\SysWOW64\Njbgik32.exe	Nfgkilok.exe
File created	C:\Windows\SysWOW64\Ofnajk32.exe	Obbeimaj.exe
File created	C:\Windows\SysWOW64\Dapbnf32.dll	Pmopgdjh.exe
File opened for modification	C:\Windows\SysWOW64\Cmnnfn32.exe	Cibaeoij.exe
File created	C:\Windows\SysWOW64\Kocnhhlo.exe	Khifln32.exe
File opened for modification	C:\Windows\SysWOW64\Mhbaijod.exe	Mllaci32.exe
File opened for modification	C:\Windows\SysWOW64\Mchffcnj.exe	Mhbaijod.exe
File created	C:\Windows\SysWOW64\Nhldoifj.exe	Nfnhbngf.exe
File opened for modification	C:\Windows\SysWOW64\Nqjbqe32.exe	Nicjph32.exe
File created	C:\Windows\SysWOW64\Gkbhpocn.dll	Pmmcad32.exe
File created	C:\Windows\SysWOW64\Pamhmb32.exe	Pfgdpj32.exe
File opened for modification	C:\Windows\SysWOW64\Cgaidd32.exe	Cdclgh32.exe
File created	C:\Windows\SysWOW64\Cgeedfgk.dll	Koeknh32.exe
File created	C:\Windows\SysWOW64\Kojdig32.exe	Kpgdmjpl.exe
File created	C:\Windows\SysWOW64\Lajmkbcg.exe	Kedlea32.exe
File opened for modification	C:\Windows\SysWOW64\Nqhfkf32.exe	Njnnnllj.exe
File opened for modification	C:\Windows\SysWOW64\Cmidknfh.exe	Cinhjp32.exe
File created	C:\Windows\SysWOW64\Aeinaj32.dll	Kedlea32.exe
File opened for modification	C:\Windows\SysWOW64\Llbnmk32.exe	Lehfqqjn.exe
File opened for modification	C:\Windows\SysWOW64\Pfjqei32.exe	Pamhmb32.exe
File opened for modification	C:\Windows\SysWOW64\Ppbeno32.exe	Pjemfhgo.exe
File created	C:\Windows\SysWOW64\Cinhjp32.exe	Cgolnd32.exe
File created	C:\Windows\SysWOW64\Djilbf32.dll	Kaajdckb.exe
File opened for modification	C:\Windows\SysWOW64\Kikokq32.exe	Koeknh32.exe
File created	C:\Windows\SysWOW64\Mcclkd32.exe	Loeceeli.exe
File created	C:\Windows\SysWOW64\Afcclh32.exe	Qcdgom32.exe
File created	C:\Windows\SysWOW64\Binafnin.dll	Nbdiho32.exe
File opened for modification	C:\Windows\SysWOW64\Nicjph32.exe	Nqhfkf32.exe
File created	C:\Windows\SysWOW64\Oilmfg32.exe	Ofnajk32.exe
File created	C:\Windows\SysWOW64\Ppbeno32.exe	Pjemfhgo.exe
File opened for modification	C:\Windows\SysWOW64\Klgoalkh.exe	Kaajdckb.exe
File created	C:\Windows\SysWOW64\Koeknh32.exe	Klgoalkh.exe
File created	C:\Windows\SysWOW64\Bbikji32.dll	Klgoalkh.exe
File created	C:\Windows\SysWOW64\Mlcgdhch.exe	Mcjbkc32.exe
File created	C:\Windows\SysWOW64\Ckfocc32.exe	Bdlfgicm.exe
File created	C:\Windows\SysWOW64\Cmdkpo32.exe	Ckfocc32.exe
File opened for modification	C:\Windows\SysWOW64\Bdlfgicm.exe	Banjkndi.exe
File opened for modification	C:\Windows\SysWOW64\Llgghjme.exe	Ljiklonb.exe
File opened for modification	C:\Windows\SysWOW64\Pfgdpj32.exe	Ppmlcpil.exe
File created	C:\Windows\SysWOW64\Bjjohe32.exe	Abcgghde.exe
File created	C:\Windows\SysWOW64\Banjkndi.exe	Bkcbnd32.exe
File opened for modification	C:\Windows\SysWOW64\Cipepo32.exe	Cgaidd32.exe
File created	C:\Windows\SysWOW64\Cchiie32.exe	Cmkaqnde.exe
File opened for modification	C:\Windows\SysWOW64\Didnkogg.exe	Cmnnfn32.exe
File opened for modification	C:\Windows\SysWOW64\Loajjf32.exe	Llbnmk32.exe
File opened for modification	C:\Windows\SysWOW64\Nfgkilok.exe	Nqjbqe32.exe
File created	C:\Windows\SysWOW64\Hiodmnil.dll	Obbeimaj.exe
File opened for modification	C:\Windows\SysWOW64\Pmmcad32.exe	Ofbjdken.exe
File created	C:\Windows\SysWOW64\Kcccdfqb.exe	Klikgl32.exe
File opened for modification	C:\Windows\SysWOW64\Ppkonp32.exe	Pmmcad32.exe
File opened for modification	C:\Windows\SysWOW64\Qcbjjm32.exe	Qadnna32.exe
File created	C:\Windows\SysWOW64\Gbgnlcdn.dll	Bdgmlj32.exe
File created	C:\Windows\SysWOW64\Pjemfhgo.exe	Pfjqei32.exe
File created	C:\Windows\SysWOW64\Ajhbbegj.exe	Abajahfg.exe
File created	C:\Windows\SysWOW64\Cgaidd32.exe	Cdclgh32.exe
File created	C:\Windows\SysWOW64\Dnedfmlk.exe	Dkfgjamg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5628	5540	WerFault.exe	214

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocnhhlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaajdckb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baiqpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchffcnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqqpjgio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhldoifj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bafdjoja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29574850d388bf1f9357a1a9404bf81de615cb5c9c03f04d4db7f63afb3d68adN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbblbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lonndfba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obbeimaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekbfpgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lppgciga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqaiad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oilmfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppkonp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcbjjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amaeca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aihfhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedlea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnajk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppmlcpil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjqei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keappapf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhbaijod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbfemnkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqhfkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abajahfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbachf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klikgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooopbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omcpkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obdbolog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcgghde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Didnkogg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkfgjamg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dalfllhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfnhbngf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njbgik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiocbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcdgom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddolcgch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfblcgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbbnpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmidknfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgoalkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koeknh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpahkcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfpehmec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afcclh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apkhdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkcbnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnedfmlk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcccdfqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljiklonb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nicjph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfegc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfooafm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnnfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbppmoap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbdiho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajalaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikokq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajmkbcg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llpahkcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnkjpp32.dll"	Ppbeno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajhbbegj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amfooafm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnnfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhdgbo32.dll"	Kojdig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lajmkbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neelfb32.dll"	Nfnhbngf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khjlnb32.dll"	Qadnna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cphfbgja.dll"	Afcclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jckdih32.dll"	Cmnnfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lehfqqjn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkjjl32.dll"	Mbppmoap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljedqcfg.dll"	Kikokq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lppgciga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gklhgk32.dll"	Nbblbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njnnnllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oijqpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajcigf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpnagl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgeedfgk.dll"	Koeknh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcocpdfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgmihlci.dll"	Obphcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbachf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dalfllhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaajdckb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kojdig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbfemnkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqhfkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njbgik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obdbolog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcdgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdebhm32.dll"	Bjohcdab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lekbfpgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcclkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lemgdggn.dll"	Loeceeli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofbjdken.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hahdfe32.dll"	Bjjohe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfgipmap.dll"	Bmikdq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dancal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idelqf32.dll"	Lajmkbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eginhm32.dll"	Lhioblgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abigbemk.dll"	Njnnnllj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfgkilok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajalaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcdbcmg.dll"	Baiqpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kojdig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqqpjgio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojljpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ppkonp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmopgdjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klngce32.dll"	Pamhmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjjohe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cinhjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djilbf32.dll"	Kaajdckb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbfemnkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaonodme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbghi32.dll"	Nbfemnkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqaiad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mifceapa.dll"	Ajhbbegj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdgmlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bakmen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbjanacc.dll"	29574850d388bf1f9357a1a9404bf81de615cb5c9c03f04d4db7f63afb3d68adN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adqinb32.dll"	Jpnagl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 2564	5064	29574850d388bf1f9357a1a9404bf81de615cb5c9c03f04d4db7f63afb3d68adN.exe	82
PID 5064 wrote to memory of 2564	5064	29574850d388bf1f9357a1a9404bf81de615cb5c9c03f04d4db7f63afb3d68adN.exe	82
PID 5064 wrote to memory of 2564	5064	29574850d388bf1f9357a1a9404bf81de615cb5c9c03f04d4db7f63afb3d68adN.exe	82
PID 2564 wrote to memory of 4112	2564	Jpnagl32.exe	83
PID 2564 wrote to memory of 4112	2564	Jpnagl32.exe	83
PID 2564 wrote to memory of 4112	2564	Jpnagl32.exe	83
PID 4112 wrote to memory of 2028	4112	Kaonodme.exe	84
PID 4112 wrote to memory of 2028	4112	Kaonodme.exe	84
PID 4112 wrote to memory of 2028	4112	Kaonodme.exe	84
PID 2028 wrote to memory of 3280	2028	Khifln32.exe	85
PID 2028 wrote to memory of 3280	2028	Khifln32.exe	85
PID 2028 wrote to memory of 3280	2028	Khifln32.exe	85
PID 3280 wrote to memory of 2160	3280	Kocnhhlo.exe	86
PID 3280 wrote to memory of 2160	3280	Kocnhhlo.exe	86
PID 3280 wrote to memory of 2160	3280	Kocnhhlo.exe	86
PID 2160 wrote to memory of 4012	2160	Kaajdckb.exe	87
PID 2160 wrote to memory of 4012	2160	Kaajdckb.exe	87
PID 2160 wrote to memory of 4012	2160	Kaajdckb.exe	87
PID 4012 wrote to memory of 4336	4012	Klgoalkh.exe	88
PID 4012 wrote to memory of 4336	4012	Klgoalkh.exe	88
PID 4012 wrote to memory of 4336	4012	Klgoalkh.exe	88
PID 4336 wrote to memory of 2840	4336	Koeknh32.exe	89
PID 4336 wrote to memory of 2840	4336	Koeknh32.exe	89
PID 4336 wrote to memory of 2840	4336	Koeknh32.exe	89
PID 2840 wrote to memory of 3320	2840	Kikokq32.exe	90
PID 2840 wrote to memory of 3320	2840	Kikokq32.exe	90
PID 2840 wrote to memory of 3320	2840	Kikokq32.exe	90
PID 3320 wrote to memory of 2816	3320	Klikgl32.exe	91
PID 3320 wrote to memory of 2816	3320	Klikgl32.exe	91
PID 3320 wrote to memory of 2816	3320	Klikgl32.exe	91
PID 2816 wrote to memory of 2344	2816	Kcccdfqb.exe	92
PID 2816 wrote to memory of 2344	2816	Kcccdfqb.exe	92
PID 2816 wrote to memory of 2344	2816	Kcccdfqb.exe	92
PID 2344 wrote to memory of 1504	2344	Keappapf.exe	93
PID 2344 wrote to memory of 1504	2344	Keappapf.exe	93
PID 2344 wrote to memory of 1504	2344	Keappapf.exe	93
PID 1504 wrote to memory of 3936	1504	Kpgdmjpl.exe	94
PID 1504 wrote to memory of 3936	1504	Kpgdmjpl.exe	94
PID 1504 wrote to memory of 3936	1504	Kpgdmjpl.exe	94
PID 3936 wrote to memory of 2880	3936	Kojdig32.exe	95
PID 3936 wrote to memory of 2880	3936	Kojdig32.exe	95
PID 3936 wrote to memory of 2880	3936	Kojdig32.exe	95
PID 2880 wrote to memory of 3240	2880	Kedlea32.exe	96
PID 2880 wrote to memory of 3240	2880	Kedlea32.exe	96
PID 2880 wrote to memory of 3240	2880	Kedlea32.exe	96
PID 3240 wrote to memory of 1700	3240	Lajmkbcg.exe	97
PID 3240 wrote to memory of 1700	3240	Lajmkbcg.exe	97
PID 3240 wrote to memory of 1700	3240	Lajmkbcg.exe	97
PID 1700 wrote to memory of 1028	1700	Llpahkcm.exe	98
PID 1700 wrote to memory of 1028	1700	Llpahkcm.exe	98
PID 1700 wrote to memory of 1028	1700	Llpahkcm.exe	98
PID 1028 wrote to memory of 628	1028	Lonndfba.exe	99
PID 1028 wrote to memory of 628	1028	Lonndfba.exe	99
PID 1028 wrote to memory of 628	1028	Lonndfba.exe	99
PID 628 wrote to memory of 1812	628	Lcjide32.exe	100
PID 628 wrote to memory of 1812	628	Lcjide32.exe	100
PID 628 wrote to memory of 1812	628	Lcjide32.exe	100
PID 1812 wrote to memory of 2812	1812	Lehfqqjn.exe	101
PID 1812 wrote to memory of 2812	1812	Lehfqqjn.exe	101
PID 1812 wrote to memory of 2812	1812	Lehfqqjn.exe	101
PID 2812 wrote to memory of 1492	2812	Llbnmk32.exe	102
PID 2812 wrote to memory of 1492	2812	Llbnmk32.exe	102
PID 2812 wrote to memory of 1492	2812	Llbnmk32.exe	102
PID 1492 wrote to memory of 4864	1492	Loajjf32.exe	103

C:\Users\Admin\AppData\Local\Temp\29574850d388bf1f9357a1a9404bf81de615cb5c9c03f04d4db7f63afb3d68adN.exe
"C:\Users\Admin\AppData\Local\Temp\29574850d388bf1f9357a1a9404bf81de615cb5c9c03f04d4db7f63afb3d68adN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\SysWOW64\Jpnagl32.exe
  C:\Windows\system32\Jpnagl32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\Kaonodme.exe
    C:\Windows\system32\Kaonodme.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\SysWOW64\Khifln32.exe
      C:\Windows\system32\Khifln32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\SysWOW64\Kocnhhlo.exe
        
        C:\Windows\system32\Kocnhhlo.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3280
      - C:\Windows\SysWOW64\Kaajdckb.exe
        
        C:\Windows\system32\Kaajdckb.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Klgoalkh.exe
        
        C:\Windows\system32\Klgoalkh.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Koeknh32.exe
        
        C:\Windows\system32\Koeknh32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Kikokq32.exe
        
        C:\Windows\system32\Kikokq32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Klikgl32.exe
        
        C:\Windows\system32\Klikgl32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Kcccdfqb.exe
        
        C:\Windows\system32\Kcccdfqb.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Keappapf.exe
        
        C:\Windows\system32\Keappapf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Kpgdmjpl.exe
        
        C:\Windows\system32\Kpgdmjpl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Kojdig32.exe
        
        C:\Windows\system32\Kojdig32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Kedlea32.exe
        
        C:\Windows\system32\Kedlea32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Lajmkbcg.exe
        
        C:\Windows\system32\Lajmkbcg.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Llpahkcm.exe
        
        C:\Windows\system32\Llpahkcm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Lonndfba.exe
        
        C:\Windows\system32\Lonndfba.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Lcjide32.exe
        
        C:\Windows\system32\Lcjide32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Lehfqqjn.exe
        
        C:\Windows\system32\Lehfqqjn.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Llbnmk32.exe
        
        C:\Windows\system32\Llbnmk32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Loajjf32.exe
        
        C:\Windows\system32\Loajjf32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Lekbfpgk.exe
        
        C:\Windows\system32\Lekbfpgk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Lhioblgo.exe
        
        C:\Windows\system32\Lhioblgo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Lppgciga.exe
        
        C:\Windows\system32\Lppgciga.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Lcocpdfe.exe
        
        C:\Windows\system32\Lcocpdfe.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Ljiklonb.exe
        
        C:\Windows\system32\Ljiklonb.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\Llgghjme.exe
        
        C:\Windows\system32\Llgghjme.exe
        28⤵
        Executes dropped EXE
        
        PID:1236
        
        C:\Windows\SysWOW64\Loeceeli.exe
        
        C:\Windows\system32\Loeceeli.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Mcclkd32.exe
        
        C:\Windows\system32\Mcclkd32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Mllaci32.exe
        
        C:\Windows\system32\Mllaci32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Mhbaijod.exe
        
        C:\Windows\system32\Mhbaijod.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\Mchffcnj.exe
        
        C:\Windows\system32\Mchffcnj.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Mcjbkc32.exe
        
        C:\Windows\system32\Mcjbkc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2484
        
        C:\Windows\SysWOW64\Mlcgdhch.exe
        
        C:\Windows\system32\Mlcgdhch.exe
        35⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Mbppmoap.exe
        
        C:\Windows\system32\Mbppmoap.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Nqqpjgio.exe
        
        C:\Windows\system32\Nqqpjgio.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Nbblbo32.exe
        
        C:\Windows\system32\Nbblbo32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Nfnhbngf.exe
        
        C:\Windows\system32\Nfnhbngf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Nhldoifj.exe
        
        C:\Windows\system32\Nhldoifj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Nbdiho32.exe
        
        C:\Windows\system32\Nbdiho32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\Nfpehmec.exe
        
        C:\Windows\system32\Nfpehmec.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\Nhnadidg.exe
        
        C:\Windows\system32\Nhnadidg.exe
        43⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Nbfemnkg.exe
        
        C:\Windows\system32\Nbfemnkg.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Njnnnllj.exe
        
        C:\Windows\system32\Njnnnllj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Nqhfkf32.exe
        
        C:\Windows\system32\Nqhfkf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Nicjph32.exe
        
        C:\Windows\system32\Nicjph32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\Nqjbqe32.exe
        
        C:\Windows\system32\Nqjbqe32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\Nfgkilok.exe
        
        C:\Windows\system32\Nfgkilok.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Njbgik32.exe
        
        C:\Windows\system32\Njbgik32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Ooopbb32.exe
        
        C:\Windows\system32\Ooopbb32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Windows\SysWOW64\Ojecok32.exe
        
        C:\Windows\system32\Ojecok32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3816
        
        C:\Windows\SysWOW64\Omcpkf32.exe
        
        C:\Windows\system32\Omcpkf32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\Obphcm32.exe
        
        C:\Windows\system32\Obphcm32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Oijqpg32.exe
        
        C:\Windows\system32\Oijqpg32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Oqaiad32.exe
        
        C:\Windows\system32\Oqaiad32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Obbeimaj.exe
        
        C:\Windows\system32\Obbeimaj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\Ofnajk32.exe
        
        C:\Windows\system32\Ofnajk32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Oilmfg32.exe
        
        C:\Windows\system32\Oilmfg32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\Obdbolog.exe
        
        C:\Windows\system32\Obdbolog.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Ojljpi32.exe
        
        C:\Windows\system32\Ojljpi32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Oqfblcgf.exe
        
        C:\Windows\system32\Oqfblcgf.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\Ofbjdken.exe
        
        C:\Windows\system32\Ofbjdken.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Pmmcad32.exe
        
        C:\Windows\system32\Pmmcad32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Ppkonp32.exe
        
        C:\Windows\system32\Ppkonp32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Pjqckikd.exe
        
        C:\Windows\system32\Pjqckikd.exe
        66⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\Pmopgdjh.exe
        
        C:\Windows\system32\Pmopgdjh.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Ppmlcpil.exe
        
        C:\Windows\system32\Ppmlcpil.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\Pfgdpj32.exe
        
        C:\Windows\system32\Pfgdpj32.exe
        69⤵
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\Pamhmb32.exe
        
        C:\Windows\system32\Pamhmb32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Pfjqei32.exe
        
        C:\Windows\system32\Pfjqei32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\Pjemfhgo.exe
        
        C:\Windows\system32\Pjemfhgo.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\Ppbeno32.exe
        
        C:\Windows\system32\Ppbeno32.exe
        73⤵
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Pflmkimc.exe
        
        C:\Windows\system32\Pflmkimc.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4992
        
        C:\Windows\SysWOW64\Pmfegc32.exe
        
        C:\Windows\system32\Pmfegc32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\Pbbnpj32.exe
        
        C:\Windows\system32\Pbbnpj32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Qadnna32.exe
        
        C:\Windows\system32\Qadnna32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Qcbjjm32.exe
        
        C:\Windows\system32\Qcbjjm32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\Qiocbd32.exe
        
        C:\Windows\system32\Qiocbd32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\Qcdgom32.exe
        
        C:\Windows\system32\Qcdgom32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Afcclh32.exe
        
        C:\Windows\system32\Afcclh32.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Apkhdn32.exe
        
        C:\Windows\system32\Apkhdn32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\Ajalaf32.exe
        
        C:\Windows\system32\Ajalaf32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Apndjm32.exe
        
        C:\Windows\system32\Apndjm32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1984
        
        C:\Windows\SysWOW64\Ajcigf32.exe
        
        C:\Windows\system32\Ajcigf32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Amaeca32.exe
        
        C:\Windows\system32\Amaeca32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\Ajeemfil.exe
        
        C:\Windows\system32\Ajeemfil.exe
        87⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\Aihfhb32.exe
        
        C:\Windows\system32\Aihfhb32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Windows\SysWOW64\Abajahfg.exe
        
        C:\Windows\system32\Abajahfg.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\Ajhbbegj.exe
        
        C:\Windows\system32\Ajhbbegj.exe
        90⤵
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Amfooafm.exe
        
        C:\Windows\system32\Amfooafm.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Abcgghde.exe
        
        C:\Windows\system32\Abcgghde.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\Bjjohe32.exe
        
        C:\Windows\system32\Bjjohe32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Bmikdq32.exe
        
        C:\Windows\system32\Bmikdq32.exe
        94⤵
        Modifies registry class
        
        PID:612
        
        C:\Windows\SysWOW64\Bbedlg32.exe
        
        C:\Windows\system32\Bbedlg32.exe
        95⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\Bjmlme32.exe
        
        C:\Windows\system32\Bjmlme32.exe
        96⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\Bafdjoja.exe
        
        C:\Windows\system32\Bafdjoja.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Bdepfjie.exe
        
        C:\Windows\system32\Bdepfjie.exe
        98⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\Bjohcdab.exe
        
        C:\Windows\system32\Bjohcdab.exe
        99⤵
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Baiqpo32.exe
        
        C:\Windows\system32\Baiqpo32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Bdgmlj32.exe
        
        C:\Windows\system32\Bdgmlj32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Bffihe32.exe
        
        C:\Windows\system32\Bffihe32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5048
        
        C:\Windows\SysWOW64\Bakmen32.exe
        
        C:\Windows\system32\Bakmen32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Bbljmflj.exe
        
        C:\Windows\system32\Bbljmflj.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1832
        
        C:\Windows\SysWOW64\Bkcbnd32.exe
        
        C:\Windows\system32\Bkcbnd32.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\Banjkndi.exe
        
        C:\Windows\system32\Banjkndi.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\Bdlfgicm.exe
        
        C:\Windows\system32\Bdlfgicm.exe
        107⤵
        Drops file in System32 directory
        
        PID:740
        
        C:\Windows\SysWOW64\Ckfocc32.exe
        
        C:\Windows\system32\Ckfocc32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Cmdkpo32.exe
        
        C:\Windows\system32\Cmdkpo32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\Cdncliaj.exe
        
        C:\Windows\system32\Cdncliaj.exe
        110⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\Cbachf32.exe
        
        C:\Windows\system32\Cbachf32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Cikkeppa.exe
        
        C:\Windows\system32\Cikkeppa.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4248
        
        C:\Windows\SysWOW64\Cdqpbi32.exe
        
        C:\Windows\system32\Cdqpbi32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:936
        
        C:\Windows\SysWOW64\Cgolnd32.exe
        
        C:\Windows\system32\Cgolnd32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1116
        
        C:\Windows\SysWOW64\Cinhjp32.exe
        
        C:\Windows\system32\Cinhjp32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Cmidknfh.exe
        
        C:\Windows\system32\Cmidknfh.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Cdclgh32.exe
        
        C:\Windows\system32\Cdclgh32.exe
        117⤵
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\Cgaidd32.exe
        
        C:\Windows\system32\Cgaidd32.exe
        118⤵
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Cipepo32.exe
        
        C:\Windows\system32\Cipepo32.exe
        119⤵
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\Cmkaqnde.exe
        
        C:\Windows\system32\Cmkaqnde.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\Cchiie32.exe
        
        C:\Windows\system32\Cchiie32.exe
        121⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\Cibaeoij.exe
        
        C:\Windows\system32\Cibaeoij.exe
        122⤵
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\Cmnnfn32.exe
        
        C:\Windows\system32\Cmnnfn32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Didnkogg.exe
        
        C:\Windows\system32\Didnkogg.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Windows\SysWOW64\Dalfllhi.exe
        
        C:\Windows\system32\Dalfllhi.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Ddjbhg32.exe
        
        C:\Windows\system32\Ddjbhg32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5272
        
        C:\Windows\SysWOW64\Dkdkeaoj.exe
        
        C:\Windows\system32\Dkdkeaoj.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Dancal32.exe
        
        C:\Windows\system32\Dancal32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Ddlong32.exe
        
        C:\Windows\system32\Ddlong32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5404
        
        C:\Windows\SysWOW64\Dkfgjamg.exe
        
        C:\Windows\system32\Dkfgjamg.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Dnedfmlk.exe
        
        C:\Windows\system32\Dnedfmlk.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Ddolcgch.exe
        
        C:\Windows\system32\Ddolcgch.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5540 -s 420
        133⤵
        Program crash
        
        PID:5628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5540 -ip 5540
1⤵
PID:5604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abajahfg.exe

Filesize
74KB

MD5
a1ab06ff2d153036402811970caeb355

SHA1
1e44fcaa086978031d8849216c6c05244f62deb9

SHA256
dd3c0bea318fa58f4a2bcf97afcf81142cd6a74d2d615bac48473c2b58fe85e8

SHA512
931c7bcd50ffad802dc9fa764fd329c874d3b751648d422e4e96465b673a6446ebe6b52a477cb68fb3644b51c0018cc808e9b147d4c5adc29ec25353260a8194

Download Submit
C:\Windows\SysWOW64\Ajeemfil.exe

Filesize
74KB

MD5
87237262c27f463685529f9a4d8987e8

SHA1
8e1e22752092e65f8dc7f1be5d7d7435b883c8a0

SHA256
884ca2cc93c6b9d5276b5e12784ed92b26ecedb1548223e0999ea85441a0c495

SHA512
d705cb7e74d290e3b5d8db61901d607c0267e940619ec60fdb512953f6f138051227e05ac00426430bf20a295e70a68706690433029c632592730dac85602d2b

Download Submit
C:\Windows\SysWOW64\Amfooafm.exe

Filesize
74KB

MD5
fdc0ae2462d6bfa8fdad28a846c0a0eb

SHA1
b207f6ba51cab096fa491188120f6c481ad884ba

SHA256
442ad05d90ef9e38058b56f67fc26cc196d22e2db968fcdb3913c3bdd03746f4

SHA512
ee36b704e565d92aef381af34b5c58d3481977210b9310c50db6b6a3ae2c47689cc3bf7bd45ad8b6d720ac94e602345a2eb06029583eea8a5cc0f710d3e89fee

Download Submit
C:\Windows\SysWOW64\Apkhdn32.exe

Filesize
74KB

MD5
d83f2aa749e4a8c0bac60bae65552504

SHA1
975a6c79d21f40fe1854d794b7204fc65a07d0d4

SHA256
c5bde2e1d6f3c594302d8cff5bc84a3d6de56a3fbf3b326b077e69eceae629f2

SHA512
d4a6970bb872f18adca347f16f75b6bf71d5baf9f7e4dbb22b5ff62d60486349530c4f053023e12b2e426814a0c87fc2892588e849ab3ae139d085d0fed3dd85

Download Submit
C:\Windows\SysWOW64\Bakmen32.exe

Filesize
74KB

MD5
31c7a31a5cd48ac1484ee257af99bacf

SHA1
3b7f9c3c5ba9eca8ff72188ab1e2f55b52e0a97a

SHA256
f749b141b824098ed73a4e1eeeeaa90af107dad81aa3529f49e86027e1ad3289

SHA512
7ccb7d1610776d2c13585c3a1e72a7857eb8d373885754db46852942b23934d03b8dcf7abc3b26454960e5f0d51ecacda3bffef30a4bd2df68b513af0b1c2980

Download Submit
C:\Windows\SysWOW64\Bbedlg32.exe

Filesize
74KB

MD5
e1f8654cd41674d545aa4152825f6831

SHA1
67c6967dd093f7e4e02133f5b1faf495b4df7cbd

SHA256
5788da847efddafc9fc71dd9dd4c776c656723b2366394603d62971a41d55ce4

SHA512
d1ace36948828d1c9c037d7aab7116ac1f9f0be49411bfa2f021987998a51d93b4a69344a5fb80cdd96d9515f90f4be53b2ea67776131f97fcc1a86e13c49377

Download Submit
C:\Windows\SysWOW64\Bdgmlj32.exe

Filesize
74KB

MD5
1d901c2055126a5125bba83dbcaeaed8

SHA1
45cd984e98d5fa062a62e3a6ef59b66e0f00818e

SHA256
c1ae21405909a2c65b31fd0c5ff7957cbcacc7abd40d77799179fbed54f6be65

SHA512
b1afe2d17d118ad0edff8718fb502fab545773d72962765277f5e14e650ae80d5195959108019446f51bc3fd2def4d30d0e920c460bcf1804c8ec4dc8d90644f

Download Submit
C:\Windows\SysWOW64\Cchiie32.exe

Filesize
74KB

MD5
1e1a2ee36b2c192b800f4bd2cec9edc7

SHA1
430f16eeea5667a3599177cdd2871e6ff6797fb8

SHA256
adc47ebac29efffd418901c2e8d9e4f9c7eb8ce395b7dfeafdfc92f077988f2e

SHA512
3f7402ad41f0d1994e6e1542e55b7cc0911f2e1e6f3fe9b71998c09e9feaa94151bad0f9cf631ef528512a42ed09b4f6e9604f1c4b497c21d79d7348f6647e4e

Download Submit
C:\Windows\SysWOW64\Cdclgh32.exe

Filesize
74KB

MD5
8e0c78fbfe7db1dfe8bb2b532ef37481

SHA1
15981804a2193356b5fe44b7069706a16a2710f4

SHA256
cc8fde2e3dfaae48b834cf6584ce835fc28f11dbfb45bd42305d89f9ff7394f5

SHA512
67ab9eea427cf9d5619e024277b62f8ca497d3e1b4adb51b83cadb7cbdb7403376ab21e0ef113ffba11ec99c88b60bb1bade49b339f2df1e3c598948fbb6ae18

Download Submit
C:\Windows\SysWOW64\Cdqpbi32.exe

Filesize
74KB

MD5
4d54dadc541290b4897bba86367f887f

SHA1
1f168a28c0f800812e2c88fe7ddcfcfeda1cacb6

SHA256
e3344585df57072a459cdde2de505d2c3e75f71d9f1c088c65fefaf65c3bb7d5

SHA512
6d1a0d63119be039be34f4cd2c67ccee45c7ef020ffa434ac8019b6ed9e8b2313b13371437433913ca6f34442af4ce07d3dc375de0196a7b42561f2da6378d22

Download Submit
C:\Windows\SysWOW64\Cmidknfh.exe

Filesize
74KB

MD5
e1b3a009b15aa1aa47f9267e45263e11

SHA1
af450bdaf4fec1b69c5c6907c08d32b47684a3e6

SHA256
8937a709cecf949e9864b8a37046667533e00520f30d6c6498bd7111af61f0ba

SHA512
0a8b400987f3bf1a2b74a60eead2984b6de9eb5579c4f6a8bc5cd290109c13f80405e14210d089b91231270048977a8b31ba45205ab39c7ce2695cac3617987b

Download Submit
C:\Windows\SysWOW64\Ddolcgch.exe

Filesize
74KB

MD5
57c4ce0048c249683f743a43f6ecab35

SHA1
ae51ff5fb1b4dc73fcb46d00de8e1aac7ba8a43d

SHA256
328fc2e83a28fb70be2c77bebce7d1c89a09fe78da052283ae4026694cd96c30

SHA512
5c9a8bbb579439cdbdea42b6f5c87828a541ea397ae18c1404e6a55f957564811eeb49a37ea6771e26a300dc6494667ac866f648fa869bc98499ccade0266554

Download Submit
C:\Windows\SysWOW64\Dkdkeaoj.exe

Filesize
74KB

MD5
fd33d5113f59c56d7a0625303998f4fc

SHA1
f1335b6e0b3ca54a448d5d11139194d78a50f6d3

SHA256
524f5894ee80828e67a097363d800fd301ad7778fbef5cc5c456cd3fa4995c5a

SHA512
5d15f8b40dfb834a55f63991c7ab90793aee634c5dcc673f1ea481fd83fed5eda1c6232a6d2c994f702fdd516e386f0908cb70d2fdb01f985774284d4220ed6e

Download Submit
C:\Windows\SysWOW64\Jpnagl32.exe

Filesize
74KB

MD5
e43210cbbb445a73cc332136a2754138

SHA1
0d734b62820962a7a955adf8485bc7530893defa

SHA256
bec6751e00cdc29073a662fad238001d0d90c8475b0aa92704ae3ae7fc530f9b

SHA512
4879f61e3ea347a62dbbfdedb458583e6843c746615dcece5b8e281304d8826b5989f0261df8ec0f244c08ae7f71dead2367268923f1018e1027002256e2b2f0

Download Submit
C:\Windows\SysWOW64\Kaajdckb.exe

Filesize
74KB

MD5
1e5bceca278547b564eae4970ca1eeb0

SHA1
66881ffd0e83bb38f3b3fddadfa8e6e28d9a3bab

SHA256
10f4c5d017e21066f8c8a47fc74e1ba417349fed0f3f7a04a831f2f6c57ef5ef

SHA512
e6307a48bced7ae8683f071ff1ad5012c03120a3845df0242431ea2469aa4efc7952bb7db4dd6d71da8d441ea9081d40e33ae682bc5f77d30ab8179b12441633

Download Submit
C:\Windows\SysWOW64\Kaonodme.exe

Filesize
74KB

MD5
ef3dac4adf125d0f727dadce6776c8a3

SHA1
85a51f577889836f2d94edf9d4739dc5240910b5

SHA256
9ba75b8b9e92e8d088c1fbfa75aee29791adee0e320020f69ae492ae7e8155a1

SHA512
2b60c0d9ea7cb07ab81b85c4c67c9b72e01368d7eb1a434fe05ae2947e8c9ffa8ac4e421d0cd5c28b3a88ec017e209689b14bb50ed8c4cbb8ca468f896333300

Download Submit
C:\Windows\SysWOW64\Kcccdfqb.exe

Filesize
74KB

MD5
2c0807b80837a84b98042450b6fe410e

SHA1
60df317b93f8859944f2f2d4529bff52c0e21624

SHA256
a558573e9683584b657b5c83ed1654c1fa59393fb7b54849de8edf9e55fb80ea

SHA512
311c87a02639f1d2e44466ac03060a616a3fa2527758fc81c004c131be2a44652c228009f0d069f9a31662b9a1fbee3fee6f6582cbdb593356b0f4b8c499b173

Download Submit
C:\Windows\SysWOW64\Keappapf.exe

Filesize
74KB

MD5
4d6418a15fb64f16ed50519f08cca22a

SHA1
4b3960694d28445911c891dde35e37cfe52e1053

SHA256
bec0853b2cc659898e2253ee709cf8b77766099112eb5272fba8f4f930cc60e1

SHA512
ee3233b954c97ce029b2ad8a6df81cec627ea41ec4e5eea46e0b7c29a5653aad157541c8b3c5ed8a229d8be8cc6e27519694fbe35cdf2256785c1fefc0372d3a

Download Submit
C:\Windows\SysWOW64\Kedlea32.exe

Filesize
74KB

MD5
e294e2da9eea2b3d5d421945d69fa124

SHA1
eb3ef8dcec7b4910a5f03cad8916a90f4496d5af

SHA256
b8e3926ea50821712840748673eda832fc102d4ceb9e468906d6bb1e32850915

SHA512
5ae48b0eca60be739d6e497683079fbb2144e0a602fe969c0ef21a04e8cf5ecead5b4fce1fa0430da4b9e7ea8dd354f699838a340bb9309d3df0100cf67ebb8a

Download Submit
C:\Windows\SysWOW64\Khifln32.exe

Filesize
74KB

MD5
e54816022e4c65ad24ab381457be8f9d

SHA1
0ba28c5a785eca18ff7a7c4b97dfc09ed2944384

SHA256
7b4382f853c85e10f75cb717fd30f9d8d6280f4a15ad337fe28be3ac18221b76

SHA512
c1e5276639b6b5e38e1bc1be3ee97dd042c3ed03f56d46fab42ff69acad8efe7bc6da08516a374c01b75d09ebed649ab39d843642e58fba4275c0a09ea24cda8

Download Submit
C:\Windows\SysWOW64\Kikokq32.exe

Filesize
74KB

MD5
5b59aa433f28ed3be1c7f8aa25d64dd1

SHA1
7fc7fa2dac5ebaa3460af197f935e52ab17b0288

SHA256
f369a3e9e8cffe851d15e960e4abcbcdff4c8b14e872c0d6b22427b99c9fb834

SHA512
c778f128a56f79e36e3bfb600168b83f4aa69547cb8f1e56f88595739ea78697986a9c156ba52d6e432265a90b949e9c7bffe9084b9781bb4436cbd941e9927f

Download Submit
C:\Windows\SysWOW64\Klgoalkh.exe

Filesize
74KB

MD5
5ee8b21bb8d721d3e9d763688f4c0e4b

SHA1
5857ed50b8cbfc8182735430349a7a05b2ef2960

SHA256
09f28a89abd81ba4e82252e6032e3761252de38b93f383c816a2eaade71a1e53

SHA512
9dd688f74aea5b12178806319baa87a05a601f4a0539a97b56dea4ebd288fa83780ccb9396786720be661e899098ca000c4556ea3d7fdac6d5b327de2ab30d2c

Download Submit
C:\Windows\SysWOW64\Klikgl32.exe

Filesize
74KB

MD5
767a5aceee38d2086e42d2d902fe80ba

SHA1
5bc68ace15f89cef6f012f0fbd0a52dd22f06252

SHA256
7417440a2ed8149dd7b8dbe4b559f843ad2bfd908a3f1cffcecb3a7efb25703a

SHA512
b0c1e48648de9ae9246061831fa0f662cefe82fcdc0b74d346e6f57cac4251b14ec76b4c2ab049b8dfe132d57d9ed3b58aa5d21089a5370e4e4ceca696cd4036

Download Submit
C:\Windows\SysWOW64\Kocnhhlo.exe

Filesize
74KB

MD5
11194517d5e46b2d6736c3b2fd7682ed

SHA1
03309b85ceed63ff7fb090ada8470554dbdd1bb8

SHA256
161370753cf81c0b7cb4535bc591a4ee88809533373c8f24137c6d2658d7ed69

SHA512
c70c2de8199e182ab482e281e315039dfaf194860d91ec7db8e8a47e342b013d4ed44fff8e196d0a48be973eca9f7fcb8fcfa008774f17271baf2ca9a8ce85d1

Download Submit
C:\Windows\SysWOW64\Koeknh32.exe

Filesize
74KB

MD5
0db04c2d619c164b109167d29ca243f2

SHA1
638003366ee26e84a497f36eeead0faf86865a05

SHA256
0dc5836ca62dece60cdcfe857dac4bf579a61012798beacfaf73ed372235dad0

SHA512
1d299e08c20894da959950a929a53a44fb963bf43aa473050bb3e57fafdd45eea78402fdc743d54efbedfc3106f9206360851f56ce3f5d579b85660ce96220ff

Download Submit
C:\Windows\SysWOW64\Kojdig32.exe

Filesize
74KB

MD5
ea57728fc089b3293fcbeb2d91e061cf

SHA1
d2864966e270ee6d0fbc177c7cedfb43dc7aa5fc

SHA256
8591fafac696be38f643125d0644ebf7bdf896b91afb06d9551da072c3ea0462

SHA512
af07391a0d8e1d98c9ff7459565ed28ee3840a6dfd187f7448ffee8fe13524c12c4588ef234ea5a10452c4dfd43ec829784726d9c86dbbc913ee8cd8d68923ff

Download Submit
C:\Windows\SysWOW64\Kpgdmjpl.exe

Filesize
74KB

MD5
3fc994322fa8380b245699d1715c5e80

SHA1
f38a83816364f72b9243e5a828e0fbdc19e52e4e

SHA256
3741dc856bca09da5010854f01112990f580983b0c6fbb63e433d9365ee64951

SHA512
ed501d11d76aa6f8e3aa5569a3d423a58a614bb652cde9c89cb3a91e90675776f6e7ede9db0708b6006246d01bc5d0ef278edd78982685ca82ab82e6ffdad55c

Download Submit
C:\Windows\SysWOW64\Lajmkbcg.exe

Filesize
74KB

MD5
303a3d185556b7429612ebf520054465

SHA1
5d99d85c80d41cd184f9347d8ade63b3dbf35fb5

SHA256
183b7f623bcd97a9d03445ecd939fc1ecddf0fd141579e5d9668403e417db240

SHA512
410e302526978c090f6d8d72cc3b10b8d89f3fc52f39c59823d9c8aeb6147ee6ace6ea23e337188b4e94ba5eb75bd256c389e63bd933c1243af30a1faf7abef9

Download Submit
C:\Windows\SysWOW64\Lcjide32.exe

Filesize
74KB

MD5
11e54f55780967238805ee128fd00c6e

SHA1
5718097461804b40c8fd080cb96c3724fe0d8f2b

SHA256
2fa0afe04ff63f7859a6311acf331f05fee3dd0a4697ed89e75a29b967bbb251

SHA512
8a2e4c2fb9e43ac36dff44a49c8936433fec4b831df2ec6e4d932c951ed0ca54f05908cce4941585cf2110df4e674707b7331a70a0e2912a8474157076905ea8

Download Submit
C:\Windows\SysWOW64\Lcocpdfe.exe

Filesize
74KB

MD5
6218a89ada97b388f0cd8ab28a19280d

SHA1
8d9c141344074d65657d7223a92d5d336372be10

SHA256
d6ec12d41b726defc8d2a285cd2b285395e69f54084954eb55c42905d79d5605

SHA512
fd9ce3c127b3f526bcf3afe3986bd79b8d51e59f2170465a61778490e8847e5aa12be7c4f447c1fe579337c9623339427a83b3d4270939197dec8a62886572bf

Download Submit
C:\Windows\SysWOW64\Lehfqqjn.exe

Filesize
74KB

MD5
64c17d4e884e7aa8ec93407e3998f260

SHA1
8d5e5b896cde0cc1e25ad6203ea706ee2ee5ccbc

SHA256
05814b28a441b498b045236c91f7758b68b46e76075df1a029456172b9455fa4

SHA512
ef631db168866e7163a87acdddaa496af7e3a3b37bfd41b835f779cb86ed513ec1478543d4f03aa510d34fcbe1860be9b7dca350a9891654bce87fe2d2061666

Download Submit
C:\Windows\SysWOW64\Lekbfpgk.exe

Filesize
74KB

MD5
f6a42dacef2f99b91909bc53934af2f8

SHA1
bb887fdb1b7f0c13cfbf2c1032241f855ab8444e

SHA256
7304c659cf8d27ba7dde9959734f3de9708e972255acc4571ca36dd61b708679

SHA512
b4278fecec4474a7d1bd414e9d00396e55ac9267e96a9b29c1470de95c34c5531f8145c17fd0bf369468b829e1ca3b27c9cd594d8cbf0c9fce531b26d94332e1

Download Submit
C:\Windows\SysWOW64\Lhioblgo.exe

Filesize
74KB

MD5
a72e75db4258d72faa5caf3063f8687d

SHA1
a56d20dc2c097afc45e137b332640924b5ce48d0

SHA256
14d7931ce01ac8b585cc6e254454cb859d3af7558711161ad6684f0b8d21d806

SHA512
4ca1f9387e7106c68471fdefef5337174de78b60896a57565b7d75988c6e4194c849a326b1a6cebbfd63635e5224e71719aef6f389a5c47423c3998e6f9dc568

Download Submit
C:\Windows\SysWOW64\Ljiklonb.exe

Filesize
74KB

MD5
bc0290c53a45d196b1c53b72fca075c4

SHA1
87261cdc0038ecb7bfd790724b9d6a39a8d897f2

SHA256
0f3fcc577853edd7029f2a301e1cafd11402431bfd69a4555c8da3de67438354

SHA512
c67d1ddfdf87d21b811f09fbd935837a6b9131630d9bbb102d3414ec3bed7dc02fb6c1caa9d2fd3a6c1ec722ceda5d26f8cebc2c379c6519819a53664c37afb0

Download Submit
C:\Windows\SysWOW64\Llbnmk32.exe

Filesize
74KB

MD5
30de56b4ad6847d3ac31d4aac95369f3

SHA1
cb8d0d18131c238a37615999b1c8f02a76af7233

SHA256
f264309b3644728c2a41fba37d0799a110f1de173f0b5a15993c0905cb18ec50

SHA512
7e77b3ca21cfb224c37ae5d724e0b414973dd124eebfe8ff02235eb527e6167f8eedf6d137ada3a83ef53fd50e89d4790cac9774a1daef2f5c1a90de657cb131

Download Submit
C:\Windows\SysWOW64\Llgghjme.exe

Filesize
74KB

MD5
e0a262e42bc1068e17c060884269f6c6

SHA1
5b90bb48211ab6269eb770d498de23168a63c7c7

SHA256
eb8dfdb634119f2c2e10f309aaac6ad661009ba4f30aec8fb4c31cd06d6eaaee

SHA512
4cef27ba400c3357625e421336fa9016bfd871a78364a8b630c4ce4488fa3e9692c09cc9a9e1168d435545b003e018cb475a28dcc4388c86be02cbf9671b99eb

Download Submit
C:\Windows\SysWOW64\Llpahkcm.exe

Filesize
74KB

MD5
0efb06f062462206cf78b6963b50c09b

SHA1
568354d2d308a5869869532ebe34f5d1e0756fd3

SHA256
54889bed13f741d998abeb44e714464cb2b97c2f62b7c10e8318fb2b8c196c2a

SHA512
0798c6e50f51c01181deeff6b616b6d541446d3927abb4fef018092322eeefdab95fa9fde392f7dc7a6e5381887c6eea2eedd79d4c8b87740da349cc0298a377

Download Submit
C:\Windows\SysWOW64\Loajjf32.exe

Filesize
74KB

MD5
4e91328e9c02a4c9dab9f760108f6673

SHA1
04c65ecbd45f038dc4e541b83c32debcb4d1fdee

SHA256
f12407bddf98cd1348c7306c05f5499c7818c0ace4f9d50ed060aa77a08b66f0

SHA512
ff328e5f37becf1865ae187b769d6098075593bbc2bb98d2830a6acac2b8c6c03ebbb5ea419be28d54dd67459efb642013baa3246d3bb13dd8f505e444957ae4

Download Submit
C:\Windows\SysWOW64\Loeceeli.exe

Filesize
74KB

MD5
354e8552b6e7c3f0f9dea6d963395fd3

SHA1
da0159a647228a31a85aaac9687725a8af38ec27

SHA256
6315e849e526c4e82bc5b92543de7d28a6506aad8610fc55ceedd9f7322c21b0

SHA512
4bd60770347d69158e4232a949f8d36f34faf4b501664d6e62160edcc28d0ba0e231e4f78e724bce46525cd9626e71e1594618b1d00b54c28203307f59211327

Download Submit
C:\Windows\SysWOW64\Lonndfba.exe

Filesize
74KB

MD5
95ef6eec4c0dde2f379c9bbe8fb4aa34

SHA1
e443a4a4c66af8e8ac14990deb990ecc76fa56ad

SHA256
d335d0ec0085aaae7c9dc089cb6cb65fbd40dce6a05bd8262b5c5ce55e0861b0

SHA512
aa91a595cb8c155526e9f751f35373f6d6aca677a15cd88af5a7af78d00925463909117677e6c63e6a25743a97918bc5b9e06381a9d7f292fa3bbbc7a349270e

Download Submit
C:\Windows\SysWOW64\Lppgciga.exe

Filesize
74KB

MD5
df31af3b3e7d33a54095bd2ecbbff2f9

SHA1
0546ead08fef3cac722094413606cf39137015b1

SHA256
0400b1122640c93cc9fadaac26c93adad367e430546951b5429859d02c8a8d18

SHA512
8ee4efc87d3df60137f6901c88c0e74d1218e2b1cd6938572b4cde1533494963e40b4cafe3a289ca30a3a30006e0b2cbb5ce02718ff4970c4a1c05859b2d9666

Download Submit
C:\Windows\SysWOW64\Mcclkd32.exe

Filesize
74KB

MD5
0560ba5c9d3979900ed675b73f963d66

SHA1
7d706488950dff0f9128440a04ac16c460c209a4

SHA256
73cf1683e99bb831509f5c187cbcc5867e44684bd6b2064f8652965868f3eceb

SHA512
a982d0f2c3352e5e1b2bf1ecce901614c3a13ddccbaec54c4a91a21e1abb7493d59d2d42ab108b0d1e7210237cf26661b7fbcb08248878c9ff724b58852dd1fd

Download Submit
C:\Windows\SysWOW64\Mchffcnj.exe

Filesize
74KB

MD5
5550c19610fa48450f9037a49e30f525

SHA1
ea9f262c1e1bf9162f2be5393fdd1f5f536c90c3

SHA256
2c23a7be936e98218d86f64bd24e1e1eb76067ec5d3c9ad5fcec7f979ea886da

SHA512
a19fe7a8474b22af06eedb9cddd9f23b9afd8b1e92fcba0cc322e75f77d116b57575cb9e11e98d75b23702b4bbc22e8b4e0b8ddf34b93321a2ddbbd3626149b0

Download Submit
C:\Windows\SysWOW64\Mhbaijod.exe

Filesize
74KB

MD5
274dd574e0562c107fdd790c4a8b8bee

SHA1
31f2835aa372471b15ff0cf55f540f2677c906e8

SHA256
eeb77552e1c31632b561d95271c3d0d9902a1fac911e495c28abababe7427c68

SHA512
720e4f4a701dd6a2f33333bb662df8afbf65133dd61483977ada37bf57dcadc9c03f4a8a40c30df785331f841ba946e0e41b88cf1f7cdedb2f061d17da3b9328

Download Submit
C:\Windows\SysWOW64\Mlcgdhch.exe

Filesize
74KB

MD5
0a8173edf8369a19b1b0c259397d08cc

SHA1
15a2549e468db1c17b9b6374a027b34947e9774a

SHA256
3e97f063243bffeceae79412848e6d72e5f683debd36a538513657f6dc24e5a2

SHA512
bc3b2208231552c0db833af557a15158482d59021b79c104916c265013618fd5120f737a9c760c586fa5203e913a2f1bd302ef5595197b67d4b63b889ff97078

Download Submit
C:\Windows\SysWOW64\Mllaci32.exe

Filesize
74KB

MD5
1cb1f14415674888c02d1f53b5b68dd1

SHA1
66a4bd55887df52d5ea94c25b25492897a81dce1

SHA256
f14bc61a6bae0213efe50fb60f14285b60722a5a86886874007da00162ca52d0

SHA512
6e0324708e939829e632479962a0b74cf5283f2984eb06996404a06de4119966e456b80411582c210b289f9eddc41f0dcf8b2169f2a1fc48492e58b7314055b6

Download Submit
C:\Windows\SysWOW64\Nhnadidg.exe

Filesize
74KB

MD5
36f10ef7e9172068135c2c620df9eb65

SHA1
0dc18af46587b52104984031f4d161f513b50dcb

SHA256
ddcb259d14c45809c46c1e6e5f6c2f7db02f61778f341701f3952da56759cb49

SHA512
7496dc659a91c4102d2b6102a1e48f1cdf1c530f7d37bb902fd68bd8a244a16686ea87d9a414de867734aa8f17ad586a9897554ef26b30ed6d7cd56250078033

Download Submit
C:\Windows\SysWOW64\Nqhfkf32.exe

Filesize
74KB

MD5
7467bf7d6f8c60582e25bc81f797272e

SHA1
8d179af1ac5acbe1aaf369fd88f2c3bd59a2939f

SHA256
caa8f452a1df0a246437271c24e9dfa60e2fe706c320c7242937e7691ccfdd3c

SHA512
767920679ec3d94689b4f1048580c6e40a1fa7418f28826f50acc2260ea21bdb0f6306b1c40c3ab9599bdebe2ccef8cbb2969692de24d569ce642846968ae03c

Download Submit
C:\Windows\SysWOW64\Nqqpjgio.exe

Filesize
74KB

MD5
e848d1341891a68631e29ff077d1eb84

SHA1
c76e48f8abffff17685ded349830cae13d7c1f62

SHA256
af319ead0978d876a645641de1dd68ad518864fec6bd433552487d46d5c00976

SHA512
cc21a9f75179d2a364c71fa7fa9f159943b78cd0b2a6ee4cc356797486e68909623a695437dbfbd37979f7074002910cca9c8f1d0ef60699042a8b7dcc8a457b

Download Submit
C:\Windows\SysWOW64\Obdbolog.exe

Filesize
74KB

MD5
96b3f1bb936dc0d74955343e495ef0bd

SHA1
326acf625ced30d556b8d24dff25bfc7ce82cf1b

SHA256
cd9bb900c486dd4b92ae99dab6d2e934fa142abdcb4b6945017e32978db256e8

SHA512
753bd900854b5bab64a12f1999a3fdf9d7755a935e6b7dfd6784140d26eec41239a5374de37ea503767de319657881f01bd5c35afb52838612f705a73fbdac36

Download Submit
C:\Windows\SysWOW64\Obphcm32.exe

Filesize
74KB

MD5
6536e9de622800c69ba75deb5bb87571

SHA1
6c86cf2fb4c63438a76559503060d26a0b75f7cb

SHA256
93345f4cee5921758bcff0597d1f5fdd532e83bbd6dd8d4576f51fa2bab448d5

SHA512
753e1c6be7fbf28d33bade64c38a634804fd49918bad8a98226a35492e79ef0fb8dc694ff0d3aba4dc621a130a7bda883f6cd934f9162527f85a7b97c12c86f1

Download Submit
C:\Windows\SysWOW64\Ofbjdken.exe

Filesize
74KB

MD5
4bfc930aa6070ab7bc35ca9499280953

SHA1
b486fdef2f7ef59e5477587fb94c7ac4718a099a

SHA256
5ee09a8422388b452cc9ab9820c4b58dbb6d2a94b53811cf0ccadd2c70a527cf

SHA512
6824107b35e90fc4a89bf6cc149e08cad8de3e92c6a0301baa7e72d68414fca3a6e5e359f5e311b41b1cf0613bf022cf233191ec9e247d32ce3103526eb6da85

Download Submit
C:\Windows\SysWOW64\Ofcgjakk.dll

Filesize
7KB

MD5
610e685b749342501b3ff0d2f49a9d82

SHA1
53a196c6028d5f09f3811e9dba9afe462af0fd15

SHA256
2634796e0a343dd20416d4a7ee1369e06bd764b455188a1c012d2b48f0f744c9

SHA512
ab1eedb539dcf8538101e61edff65c0b7956f135a9bef374a61ed5131b0de2682d68c5867cde526aaef8b1293cd581011d97d0b46b63ede71cf448baf37f1098

Download Submit
C:\Windows\SysWOW64\Ooopbb32.exe

Filesize
74KB

MD5
b175196ebd83da1b25d8c7bf382c290e

SHA1
f96c8c73bf2c77ca4527fe5e45a86f0cfd1b6302

SHA256
17d663b2c71eedf0a363aa7a2e298629817cb499e75527fe111d15de5cefecf5

SHA512
61c7a2ed00e55950c123b9f5e6b74b4be48664b866c3c5416657d834b84db83aec4f84306233e14ebf0aca67ce43d74b8eed4e1c991875a212b1bd32937b1fcb

Download Submit
C:\Windows\SysWOW64\Pamhmb32.exe

Filesize
74KB

MD5
8c9f08b15dab6216c108e756a66d8977

SHA1
c8f71ba83f830a0fbad71a1dc1422ddd46a78a09

SHA256
5c1b22cbdd2c163be10b0217e2501056495172bb83ac9dfd45b95410ddfcb96d

SHA512
e3630cc2c987ce76bf3cb7639fcc838b4487e2effb29d60e67f33794987f0227f82715c2edebc573a3a5a54e3b1bb8cee08905145d1f68220b14a0ec561cd69f

Download Submit
C:\Windows\SysWOW64\Pjqckikd.exe

Filesize
74KB

MD5
c15e65d587e1c361410a99ebc4148923

SHA1
2813d1e08197e63ca18e8fc4268fd672ea05b15b

SHA256
13d4577765d9b4b208ff5aac07b5a547be3120f572e02b2dadd5a9c85f70193b

SHA512
2dfb9dfdde72c707922de0c9bf379ccdfd39aa0f957f46de3f7b07be1a6079cd80c3e9da7800e544d81c8120ac4c7174f5f6a480f276bc4eb99dfb43eb169eb4

Download Submit
C:\Windows\SysWOW64\Ppbeno32.exe

Filesize
74KB

MD5
e3c7cd790024890e1236dcd4d1d35253

SHA1
6398aea20100eeb5469bb8537b66490382d7f06f

SHA256
150d2f80964fbf6312d25282326ea9c2c7b0c230b512881e7aa7eb603f06c742

SHA512
60864799872f83d424d31dfef3b7d39a18df003e18c176a43f2a740c4f77eba5db72aa3a8a5670b7c37849c5345ee460435b68a6d80f9236a66b7331e47d246e

Download Submit
C:\Windows\SysWOW64\Qiocbd32.exe

Filesize
74KB

MD5
80a2e620a7d4a58670f7c22c5b53d8cd

SHA1
7f4444a7b80d70617e2cbcdbb9bf175ba17dfd32

SHA256
c49d6c60c39c62a6ef691ab3c8752a6dc4fb15f1efee6ad8981d61427cfb110d

SHA512
6df351bb14e83ed4ac26ea6b93eeb588e45812ce4b082e68076aec5ebb45337a9e28e6602e4690d575bd149afba9945225cb5080aadc2e255ec4f7120d9e6833

Download Submit
memory/220-484-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/316-490-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/392-589-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/408-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/628-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/688-527-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/744-208-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/844-400-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1028-136-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1056-458-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1064-466-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1068-376-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1232-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1236-216-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1468-514-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1492-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1504-96-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1640-394-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1700-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1708-328-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1812-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1976-239-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1984-561-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2000-575-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2004-448-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2028-560-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2028-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2160-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2160-574-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2272-406-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2344-88-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2400-298-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2412-412-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2484-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2564-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2564-546-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2576-334-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2588-346-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2672-521-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2728-388-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2812-164-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2816-80-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2840-64-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2876-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2880-111-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2996-472-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3036-478-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3220-255-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3240-120-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3252-199-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3280-567-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3280-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3320-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3384-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3404-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3516-358-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3596-322-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3620-436-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3752-231-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3816-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3856-582-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3892-547-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3936-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3984-533-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4012-581-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4012-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4028-356-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4112-16-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4112-553-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4184-223-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4336-588-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4336-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4344-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4380-464-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4400-308-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4408-195-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4412-519-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4436-418-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4472-424-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4580-568-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4588-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4592-430-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4620-184-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4644-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4648-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4656-554-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4704-540-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4864-176-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4876-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4880-446-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4904-496-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4992-502-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5064-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5064-539-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5080-512-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5112-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads