berbew | f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/12/2024, 03:18 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5N.exe
Size

72KB
MD5

1e96ab5de1314109e565e538bd67a7f0
SHA1

b8d5131d1b148c24086681ac47423c86a9ba910a
SHA256

f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5
SHA512

0669ffb4d06368ea1d689b63b52fe281bf47116a4f8eaabc331e17d4a7a3b59ac0c22d103726386ad6f3b0866a62c0a5cc3582843dfedf0e6c7adad1b1669066
SSDEEP

1536:qghvmf5GkNMww9e/u+dyfzQ8H01vy2qlg7GDCoQ:qrGk+wlurfH01vyV8GeoQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3580	Jfhlejnh.exe
4460	Jlednamo.exe
776	Kfjhkjle.exe
4548	Klgqcqkl.exe
2428	Kdnidn32.exe
2328	Kepelfam.exe
548	Kdqejn32.exe
112	Kebbafoj.exe
1328	Klljnp32.exe
2724	Kfankifm.exe
3064	Klngdpdd.exe
2840	Kbhoqj32.exe
4052	Kibgmdcn.exe
2960	Klqcioba.exe
5112	Kdgljmcd.exe
1756	Leihbeib.exe
2552	Llcpoo32.exe
1900	Lbmhlihl.exe
4480	Ligqhc32.exe
1672	Liimncmf.exe
4800	Lbabgh32.exe
396	Lepncd32.exe
2888	Lbdolh32.exe
4776	Lingibiq.exe
3336	Mbfkbhpa.exe
4268	Mmlpoqpg.exe
4088	Mchhggno.exe
1712	Megdccmb.exe
4048	Mplhql32.exe
428	Miemjaci.exe
4516	Mdjagjco.exe
212	Migjoaaf.exe
2372	Mlefklpj.exe
2172	Mgkjhe32.exe
552	Mlhbal32.exe
3572	Nepgjaeg.exe
3860	Nljofl32.exe
1432	Nebdoa32.exe
2008	Nphhmj32.exe
2268	Ngbpidjh.exe
372	Ncianepl.exe
4568	Nlaegk32.exe
4984	Nckndeni.exe
1384	Nnqbanmo.exe
4960	Ocnjidkf.exe
1040	Oflgep32.exe
3360	Oncofm32.exe
2792	Opakbi32.exe
1528	Ocpgod32.exe
4276	Ofnckp32.exe
2412	Olhlhjpd.exe
4980	Odocigqg.exe
1208	Ognpebpj.exe
2216	Ojllan32.exe
2920	Odapnf32.exe
2032	Ocdqjceo.exe
2596	Onjegled.exe
3168	Oqhacgdh.exe
4656	Ogbipa32.exe
2184	Ojaelm32.exe
2020	Pqknig32.exe
2292	Pdfjifjo.exe
5100	Pjcbbmif.exe
388	Pjeoglgc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Llcpoo32.exe	Leihbeib.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Jholncde.dll	Mplhql32.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Nlplhfon.dll	Kepelfam.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Gijloo32.dll	Klgqcqkl.exe
File opened for modification	C:\Windows\SysWOW64\Klljnp32.exe	Kebbafoj.exe
File created	C:\Windows\SysWOW64\Hqdeld32.dll	Kebbafoj.exe
File opened for modification	C:\Windows\SysWOW64\Leihbeib.exe	Kdgljmcd.exe
File opened for modification	C:\Windows\SysWOW64\Mmlpoqpg.exe	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Mchhggno.exe	Mmlpoqpg.exe
File opened for modification	C:\Windows\SysWOW64\Mplhql32.exe	Megdccmb.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Ligqhc32.exe	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Kfjhkjle.exe	Jlednamo.exe
File created	C:\Windows\SysWOW64\Kfankifm.exe	Klljnp32.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Lingibiq.exe
File opened for modification	C:\Windows\SysWOW64\Migjoaaf.exe	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Kfankifm.exe	Klljnp32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Kepelfam.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Madnnmem.dll	Leihbeib.exe
File created	C:\Windows\SysWOW64\Nepgjaeg.exe	Mlhbal32.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Mdjagjco.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Kfjhkjle.exe	Jlednamo.exe
File created	C:\Windows\SysWOW64\Nkbjac32.dll	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Benlnbhb.dll	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Nnqbanmo.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5800	5680	WerFault.exe	200

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebbafoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ligqhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klljnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnidn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klngdpdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfhlejnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfaklh32.dll"	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kepelfam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbjac32.dll"	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okokppbk.dll"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klqcioba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 3580	2648	f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5N.exe	83
PID 2648 wrote to memory of 3580	2648	f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5N.exe	83
PID 2648 wrote to memory of 3580	2648	f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5N.exe	83
PID 3580 wrote to memory of 4460	3580	Jfhlejnh.exe	84
PID 3580 wrote to memory of 4460	3580	Jfhlejnh.exe	84
PID 3580 wrote to memory of 4460	3580	Jfhlejnh.exe	84
PID 4460 wrote to memory of 776	4460	Jlednamo.exe	85
PID 4460 wrote to memory of 776	4460	Jlednamo.exe	85
PID 4460 wrote to memory of 776	4460	Jlednamo.exe	85
PID 776 wrote to memory of 4548	776	Kfjhkjle.exe	86
PID 776 wrote to memory of 4548	776	Kfjhkjle.exe	86
PID 776 wrote to memory of 4548	776	Kfjhkjle.exe	86
PID 4548 wrote to memory of 2428	4548	Klgqcqkl.exe	87
PID 4548 wrote to memory of 2428	4548	Klgqcqkl.exe	87
PID 4548 wrote to memory of 2428	4548	Klgqcqkl.exe	87
PID 2428 wrote to memory of 2328	2428	Kdnidn32.exe	88
PID 2428 wrote to memory of 2328	2428	Kdnidn32.exe	88
PID 2428 wrote to memory of 2328	2428	Kdnidn32.exe	88
PID 2328 wrote to memory of 548	2328	Kepelfam.exe	89
PID 2328 wrote to memory of 548	2328	Kepelfam.exe	89
PID 2328 wrote to memory of 548	2328	Kepelfam.exe	89
PID 548 wrote to memory of 112	548	Kdqejn32.exe	90
PID 548 wrote to memory of 112	548	Kdqejn32.exe	90
PID 548 wrote to memory of 112	548	Kdqejn32.exe	90
PID 112 wrote to memory of 1328	112	Kebbafoj.exe	91
PID 112 wrote to memory of 1328	112	Kebbafoj.exe	91
PID 112 wrote to memory of 1328	112	Kebbafoj.exe	91
PID 1328 wrote to memory of 2724	1328	Klljnp32.exe	92
PID 1328 wrote to memory of 2724	1328	Klljnp32.exe	92
PID 1328 wrote to memory of 2724	1328	Klljnp32.exe	92
PID 2724 wrote to memory of 3064	2724	Kfankifm.exe	93
PID 2724 wrote to memory of 3064	2724	Kfankifm.exe	93
PID 2724 wrote to memory of 3064	2724	Kfankifm.exe	93
PID 3064 wrote to memory of 2840	3064	Klngdpdd.exe	94
PID 3064 wrote to memory of 2840	3064	Klngdpdd.exe	94
PID 3064 wrote to memory of 2840	3064	Klngdpdd.exe	94
PID 2840 wrote to memory of 4052	2840	Kbhoqj32.exe	95
PID 2840 wrote to memory of 4052	2840	Kbhoqj32.exe	95
PID 2840 wrote to memory of 4052	2840	Kbhoqj32.exe	95
PID 4052 wrote to memory of 2960	4052	Kibgmdcn.exe	96
PID 4052 wrote to memory of 2960	4052	Kibgmdcn.exe	96
PID 4052 wrote to memory of 2960	4052	Kibgmdcn.exe	96
PID 2960 wrote to memory of 5112	2960	Klqcioba.exe	97
PID 2960 wrote to memory of 5112	2960	Klqcioba.exe	97
PID 2960 wrote to memory of 5112	2960	Klqcioba.exe	97
PID 5112 wrote to memory of 1756	5112	Kdgljmcd.exe	98
PID 5112 wrote to memory of 1756	5112	Kdgljmcd.exe	98
PID 5112 wrote to memory of 1756	5112	Kdgljmcd.exe	98
PID 1756 wrote to memory of 2552	1756	Leihbeib.exe	99
PID 1756 wrote to memory of 2552	1756	Leihbeib.exe	99
PID 1756 wrote to memory of 2552	1756	Leihbeib.exe	99
PID 2552 wrote to memory of 1900	2552	Llcpoo32.exe	100
PID 2552 wrote to memory of 1900	2552	Llcpoo32.exe	100
PID 2552 wrote to memory of 1900	2552	Llcpoo32.exe	100
PID 1900 wrote to memory of 4480	1900	Lbmhlihl.exe	101
PID 1900 wrote to memory of 4480	1900	Lbmhlihl.exe	101
PID 1900 wrote to memory of 4480	1900	Lbmhlihl.exe	101
PID 4480 wrote to memory of 1672	4480	Ligqhc32.exe	102
PID 4480 wrote to memory of 1672	4480	Ligqhc32.exe	102
PID 4480 wrote to memory of 1672	4480	Ligqhc32.exe	102
PID 1672 wrote to memory of 4800	1672	Liimncmf.exe	103
PID 1672 wrote to memory of 4800	1672	Liimncmf.exe	103
PID 1672 wrote to memory of 4800	1672	Liimncmf.exe	103
PID 4800 wrote to memory of 396	4800	Lbabgh32.exe	104

C:\Users\Admin\AppData\Local\Temp\f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5N.exe
"C:\Users\Admin\AppData\Local\Temp\f430b32cce8861c6c00e74c19f2ad76b7d1eb0d69ad3bfcc6328998d016ce2e5N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\Jfhlejnh.exe
  C:\Windows\system32\Jfhlejnh.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Windows\SysWOW64\Jlednamo.exe
    C:\Windows\system32\Jlednamo.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\SysWOW64\Kfjhkjle.exe
      C:\Windows\system32\Kfjhkjle.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:776
    - - C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4548
      - C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        28⤵
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        37⤵
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        40⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1384
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        75⤵
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        79⤵
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        83⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1520
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        85⤵
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        87⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        89⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        92⤵
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        93⤵
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        95⤵
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        96⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        98⤵
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2576
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5196
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        110⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        111⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        115⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5680 -s 420
        119⤵
        Program crash
        
        PID:5800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5680 -ip 5680
1⤵
PID:5740

Network

DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

71.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.159.190.20.in-addr.arpa

IN PTR

Response
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

200.163.202.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.163.202.172.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

71.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

71.159.190.20.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

200.163.202.172.in-addr.arpa

dns

74 B
160 B
1
1

DNS Request

200.163.202.172.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

142 B
145 B
2
1

DNS Request

206.23.85.13.in-addr.arpa

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

21.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

21.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
72KB

MD5
4567a1e9cb839812ec0338e6450387c2

SHA1
4f449ac6bc5c1263636b7629cab56d15ec513ecc

SHA256
b529179773e2cd2d54ac4f9bad79703ef4b5138155912c53d39d155c4e8212e3

SHA512
a7f97aac6c7b4944b144f64ff999cbaa36a0f0ee16699432d91a08de617d7c2f47876970aaa791458c9a7d052160ba1176fc93925879e57d09bfc8c82fef1e01

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
72KB

MD5
e2d0ce7e737a8ac72cde1b16f75f6ef5

SHA1
9cf996bec6792e0ff95f7ea1aeb6444e37be2577

SHA256
7a0e60287e22f00eff2a04ea71f46955426e3721f9bad2980e76d61f3b02baa6

SHA512
43742ca41acdc12c1e9c618c9c195c2e31bd3c592206f48dd68805e071b321ed193a705ae18b04d941e7888ddac67350870d20a12a00892e58fe2797bd1bb898

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
72KB

MD5
b8fb8e515de74f6814fd7f2143d27fe1

SHA1
b12bcc0bc8709bcd2e99539c0cce727bca859f4e

SHA256
97cd5c2c0f4c7afcb4750a8e1079f56c9b20f8af835c5781bb2859bb44d3a526

SHA512
d64c7b3d0fbe108fb37db298f269d05b6b6e2c52923c92775f13147c7affd188012d2534e521bbed1cbac796203c6322a4af1df3511aa7b87d5e2ff9c23cb840

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
72KB

MD5
f4adc27a04e3691552239020f70ef331

SHA1
534165ee13ba7f6cc51e766b9388a70e5b0671a3

SHA256
11b4fdd73a81c880aecc8d1ddda43b5a48b103f01d1f9e706af0ac08a7849a9e

SHA512
f6af16499745305b955a5fb2d25fe1b1a9c6cec7d051d7936d9ab080d4ee2dc6aa813896ddd40c0d16bc78eb363b11afef500ac656f98c4c353c2b10af80fc69

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
72KB

MD5
0ad26ba6f65a1c08779d42f31e3669db

SHA1
f1eb4f898f792009132666d91622f89f58c464d3

SHA256
65507fa6ad67fd68238b52177d92fd05f83c655737ac560fb38ca4e2b594b878

SHA512
f1235775e93b4f660ceaa335c0380b885c33c61e2a0b6bf2113392971f421363368572d40406f9f82680385ddd9bc22c0e3f295a3a7ae4f52d43a9435e6db467

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
72KB

MD5
c0b5336262faf52f06e0bdc595231c2c

SHA1
2907067fff61b27119658ba73602139786203600

SHA256
b6244bad8a3c59a552450b828171f71e0ce6a9b642fd0d6a591cd1416ea861f6

SHA512
e37455811d327166253f99b2ada63c86d41c77a540ec61e0d2405cfcaf13610bec734fafb81d6cecb0ebc07580d276309c8e42e7fbade08f58dbb70310906149

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
72KB

MD5
738c2c667f1a87f1e608346c48a39fa0

SHA1
86b0edfc53973124355c0cb90029126addb43f12

SHA256
998e75d934074768946a223f228031edb347e23a6318bb20b0ef18a36231371d

SHA512
d683eb90a6dcb6b897cf24a89990e74cf6550b11f3c29a0b712b60e0b49ca2134a63c44470f062f1037224cd20bea2cb646d0fea597698d5d8fc08f6fba57617

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
72KB

MD5
2b919e21926681562c531e80d659900c

SHA1
2c5fb08ad4b34ebe7f48165846f8daa19d0dc432

SHA256
1a3420050313fc1f199c61a6fd03c107262b3626416e75308568ca25401b7f7d

SHA512
7d7d41245e099f5f31aa88d084cf124a52e75d0971b51668d07bcc41be19fe565a39a33b438711fc2fcb94f682a7b3b4e6b748a902bec46aa92c2ae8a4b42f43

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
72KB

MD5
993e614b0ac54f291862b05dfb147c3f

SHA1
442a1bcb529a4d42c9ab787eaba256436f43ab03

SHA256
95facc69d03d6007c9204259285926528b50c461571e0b742e3d036df49784af

SHA512
de28913f9a9a06eedbe75565e62c4bd8e9cfcc632d23c02011760de9630d6d9fc44384b4ae7478e480f19acfeacb10b4ba6c838cffc54c41aea1bc26aec49d76

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
72KB

MD5
c6970d6737710bd94edcdeb20e85e0bd

SHA1
0faa35743a64acc15e0f7f704e2223f5d2798078

SHA256
4ffabf801c15593bf549c33753eb2f5dadd0b797258798528c1f59b658e3e976

SHA512
51ac558ef679f564b974989b24c288df0fc4a03ed3ebd266055806d45076e122e376dc5950f589031244aa1e220c084981761795355c527f36eb98022ffb5bd4

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
72KB

MD5
f9a5d085317f5175d97b96ffba3543dd

SHA1
3b11ff17a2378f0596907e8b0600e9a77c6e6a1f

SHA256
08f77f5a1744988bb3100a55edae85435c382a3d37c560971e17a5d3fcddb184

SHA512
d6966df20f3cdbb76e051e023d336275a5de1d43c961e85e984d69c4acd742be0507e157e19eb9fd3e523ec32c4953d96309922fc3c4b9472d2669888fcd088f

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
72KB

MD5
5cf2001fcd425829479fbb7c5e905d6b

SHA1
0bf5bb0d26209844c62e685bfe90c510c57ab633

SHA256
f13c7a7b6054694e8dfc54e653516d079851116d80bd0be5e2d3e998cf83d6a4

SHA512
9a92648ba8061aa15041185037abeff2d3e2e58710158d5c0a0009797e9ed15635517e622510be3ac41b69c4d2cfa24ce3fac27f6541e7ef6eea5d09829d4600

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
72KB

MD5
897d9c879526a4b4e3ca112b4674ff98

SHA1
b41b1b121b8de03a91b829c97c7bb65c8bd86f22

SHA256
79c542d0800f00088952b4eaa79a3aeaa74c067559d7962eebadbeb7136643d9

SHA512
0e5ec9b0e0847913b7fec4195dc84e98a688ccb75c50ec50b90f2f9dd469b9f6d2c324757bac3f298acdf45353a80e4448b028e7b9e8aa550b107d34eddc6630

Download Submit
C:\Windows\SysWOW64\Gijloo32.dll

Filesize
7KB

MD5
b5f64de27025841bf1fa0bf8fdd01b76

SHA1
400184cbd57577baca4dc816c184889d07e2be8b

SHA256
1b2dad4dbc51ffcd5ccaea861792a074cbf8a5d67fd84abb39c3f2ecc5922c6c

SHA512
b4b29729d84db595ccf7501df7086c5cfaa6f8ee2675d48fe3995ac3fd43b8510206ada919bc5b592b65218b0bd995887c932094f94ce968a4e770c9ddb9518d

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
72KB

MD5
8fdc283c1a03a77aba4d3d783791cae0

SHA1
da325e06d4d953869d933712305180be033cee56

SHA256
179804c12cce7a65d2be57b910cfae389b07c9692b24094a5edfc8235e65e8a9

SHA512
33175c788a0f852105a0e830c0cd90ef454061d65902b29fc3997e4aa18536fa2df44becb419646c0579769dcc9b792f511afe821cb9c136ae7e0978b528ec1b

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
72KB

MD5
173e9175e1ac005bacef432634295d68

SHA1
02b329a2ba928ba339802487d7298c48017621dd

SHA256
3bb9e9d008785352a7c464fde0fd86dc2057307d50e6ba436ab62f516d352e89

SHA512
79db798ab1ad73838f45297f6bd65943aaa97e90ab93c61148b53f71210e2d3d548a007a756ffcea7cb333dad6eeb9cecb8a1db81aab068f8f549c3550006bdc

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
72KB

MD5
a7ee758d5c595dd3216097e2178d9e36

SHA1
abeaabec85ddbfc7c12cb6eea5162558a6c06c36

SHA256
2f0e691c3fe8cd19cd824b171e2cb5a455a60786212a92a076dd495c50185dc4

SHA512
e7d2b420d5846d34112c872f9c17a4f546733df6f5643c988e7e715ab0245ce75577de93daf1378e49cc73437556756f4bf6466b32b0dd29b159e067fb8a43c9

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
72KB

MD5
55879f1d3cb9758ff9b6771104936f8c

SHA1
9102aaa18701bfc3799e147395b55ed7620001a0

SHA256
ee2397ddcc7a646b8a7c84774536a8fba4b6df82d37d73709e97de8a1a96fc4f

SHA512
dee278546790761bd8b35ca804f8ef4af5cc257a6ffbc4679f76d635bc72563533df194c7b873eea688640580f112ebdec7517d50c4b12814bfea0a319c2b1dc

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
72KB

MD5
627fc36a7f54d85693cad515cce7862f

SHA1
44de606702567493745ce1fb4ec71466903a3159

SHA256
5f5ac62cc0b77df370b575c2314b94bad129f074da46df5ac94342292749eedd

SHA512
e89ee517d5b6c9703ae120c8b2c1450fdc52bd7a5e636b11c66329ea41418bc67219b0c26eff1d7578764d4b573b894063e81b2d523cac50b60bbe32242463e3

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
72KB

MD5
aa5ee81a80157d006963d56cedfd2a30

SHA1
2bd9b19eb8810ad14829642d54cbcf2edd65bfb5

SHA256
12f55931afd163c378b6d41c503bbc41799835ada6f3f395004712d02a7b081b

SHA512
b8a1ef5c7cc27f9cd06ed198d236f8f0e177f957b16ad6a05dde30843970303a454b4ddfe1a41c9ac7f1e41b3787f9e5cef7f29aca6a07b1eb7ac733ba4649b6

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
72KB

MD5
6dc58260fac0b15309f84f0b622fab00

SHA1
28cd6e044411f45dfca0f96c965b833c22d33566

SHA256
c149bb75f71ec2b10c2ec50e977d2b0416625fad8fed6263587adfccb75a05c5

SHA512
4dda4c2d4b3f1acf48c38c53f3da35d68b8577bad1c8623cd25de344cb58928b82e4122dd6c4d7dd2bf9e58a12924e279ebc06dd9a1d07c7893335283314d05d

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
72KB

MD5
db9c138f0537506c35ede88f18f68d01

SHA1
60e2611b934cadf64a511313342c69a3f3431e18

SHA256
6f56bdd51d436016b65b7f1737f2e095d150921987ac8f399e5f19a83b145ac6

SHA512
b16c25673074efe9587865f11302247d5254eb795955f8411a39b82ede5db73ff53a189e90a8d9c684f5174b6248a53a870bad136d437ebbf79e45ccb048e625

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
72KB

MD5
ed71bbd3364c5f546a45bd70433553b7

SHA1
fe7c999dda5a9e6b365e4f278f9557a95e02d09c

SHA256
4da3146f8719859f30a075f1b3ca63ceded0c64fddd1263f94fdb162d130f55b

SHA512
af9baa3715cfa78ce98905ce44a2fdd92236be45289c321f50156b94c79e676bfef361830ac7ce9905af846b7c1a6920307982d2bdaf3cd04d9604a9d58dd292

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
72KB

MD5
e3f33c2148db1ad0ade6fe61b3d3d5ee

SHA1
ca0c84ae551b60a589c0c38376d44b9411a7131a

SHA256
e8cb9884b5579a625dac31b317550b154b19e3d5080920a850c83be3de910b1a

SHA512
1b88a11476b53a3e0fe9390b263e798dcc7c10eed436df275696730fe4d06ed3bc3d566c9948d66767b6b94fe8c461476ee04d2c71be9f0f6e2560ca1573b171

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
72KB

MD5
2b37601859d095dc27e4168396d9c8c4

SHA1
5c617115daddb517261c6cdae6c8078625c181b9

SHA256
2329fc85cbe193f5659f1890b686eb33d92580a15d0bde126f0d2a6d0aac4627

SHA512
a787f5108dfe40374307a1dbd19c0ac5c5de4e48b41348e39ac549ebec17a4dca0eb49fdfd49aeecbdade5f52b33825a7a80a753d8f39f2199dce6e2c6b86d60

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
72KB

MD5
473f9f6851cce1bc2c672f090bf77098

SHA1
8bc9d4ff65c1e7b579ed359b5d6b18ad6f028fe0

SHA256
d396c407e40aad3064266787a9926d8aa1f6f68638b6c7d6845cd77d70cabd7f

SHA512
f26846833e00f9dc5890f908dbe68f734a4627557d151981a89b4ee6ec9aa321238183373c6f1c6cabca65c1c4f68a479c2b4b3decf78ec6ec48e7c3349f8104

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
72KB

MD5
425cdfd891b43a61afdfddfb0841ac15

SHA1
212b110bd14eb41834c87dc4074404ebde7e59c2

SHA256
0da66487812690e28d914e0a00f0136e99aa57fe565e8ba0dd43fe4897c80d3b

SHA512
c4cf49dfb2d12bc917ddd0ad7f121e3312a8335a55e2217805d4e134ae948b34739972079c2dab2fbb8b6de2d8ac0d3743db8f2fc9af3e7cf002769428b55321

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
72KB

MD5
2068afcf459102410dd84e6d0992093c

SHA1
887798101f9624ac7750293d1d141cd3cda7f47b

SHA256
76f28a6e222380b899c012a292e15eb0cdc97157e39c55b5158da037c19632af

SHA512
9f2b2ebe9fa0fa00219a6457300ebe61210e5497bd85b4ecaa8370a3a1b1721bf07e5018f95d69d3db17fa2be3409dba8172cd82d52145a6597d54b8136c0eee

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
72KB

MD5
bf4633cf325bb3768b1b9313d321f75c

SHA1
fd7d425a06ddfb4af79a377d33e7274ae5c867c6

SHA256
2368a9a8321b08e089587bd7b73a4b99e36fe420b8de38e765404336b8964156

SHA512
26e7a803a5ff4a26318dedeaa80ca32b75f0af7009a5f20bc7dc757cafa9b851a2e80c5123315b4b718994d2a2bc7e918770af65e7535f50d003accb90333ef6

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
72KB

MD5
5bde0b303427aa1193e6930cbfda34a4

SHA1
cd69bb67d97c99a81acf19727f6b6fbb84647327

SHA256
d82418bd0cc1bc565907dc3c9eb6063bcd45f0e966dec4bc9b35f80567adf99a

SHA512
61fac2fc54f77dc09ce3ee225d66df78eb7532c9e901d1c23008ecc67ef3b722238a63254a5ba0b34a7092e88f570e820ff912867089d0a005190ebebac267b5

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
72KB

MD5
71cf025664565c2cdec5833c904472a9

SHA1
eceea98d0bd88ec778f102343f887dddbd483c50

SHA256
f8d861aa0e0696d67df90e89e902c8041b1ab27790280ab0c6313abd63b0ef0a

SHA512
f363be8fc729829b6763d859c0edb597d70e64a779ae8dbfd9e7eb39868557c27fdc6c06242e828481bd48e74f86278268e58fc690f7a4cfa49128f115a93efb

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
72KB

MD5
4db16d315f1117018ebd6192cefaa993

SHA1
6d18c864acf033969cf7789d7db34a0d5ccff9c6

SHA256
42a5e526498d68fa395393a7eca237dce13b7fddaa5ec1107d603d66afd3dd9a

SHA512
69cc62a20de4bb4dd0db7b6f9caa86d3bf4ac6ffefd2d2ff3a6cb1a23333a47e98f3b9d52209b5f915433caff1dfdd3e463993c561c671aa03f6fa58f364b26c

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
72KB

MD5
bdef827c999f445a525e18d1dc7478c8

SHA1
1978544038fc52cfe3d09e85186d0d5783e981bb

SHA256
c039df3c831b36a267e1a222295a88b18cb29eda3278a6e22c1fa2b592adb93c

SHA512
9d4aee37149b2d7843b3565dc724ab4d37f32fb1b3592750e10fce28513a6243aee084fb5d6672d27d81995537b89b69e024d9d999442f700ed07ffae66b39ac

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
72KB

MD5
9b9354ce5924e6af3f962b358d405821

SHA1
4a97f4df29b04da6c8ccb619208c8c37261f7f5d

SHA256
c2fb5263d9b8293588b887699464e18662a309a4a4ad9ccd45872a42ffb642b4

SHA512
cf1064ae7c053017c95159182defec1b5a2f26b384143067c803c43aa8a991d4fb297dd4c9c5726ce6c3a0384cc86ef251ac1d85af774fbbf5ee47b88a56733e

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
72KB

MD5
c5adbd423b586d83e2c02b5f44f881c0

SHA1
996f42c5421aa2cb700edbee12b2bae0042e14e7

SHA256
57cf35ac56d4d6a16a637b6c92404f5e87a07846decdde09d482f528438b4407

SHA512
2b4708c723053d8ec1a3cac467383fc8c0088e50b6991d8ac53c6bfc28ad33b81c85ba68f8ade8906ab7cd0ed4ec25e702a3663e9b5bd2dfb4736e3b829efc06

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
72KB

MD5
e84c49faa7f13bc65c3a2beacbfbdfc6

SHA1
0551c0fc4070b77fbae9cfbd182046956e8aa6c8

SHA256
c1547e1441a82111ea286d00ee07eedc5b56026576365928628fb3c1f7e190bb

SHA512
40b890908b10c44e8e59d09fae7fd0df31d5d86ea719d1722b1cf8fda535b8b67415976558ab19ef9ebb69ff15e6d5e1505c9e4315909d662c21351fe01dcd66

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
72KB

MD5
70f894ac0ebb4072c9d926c8d7c7bcf5

SHA1
2d37859f93ecd29a38e942928071a578132d1bf0

SHA256
eb7bcad0f3f6cef64aab6ae6a2f3e1ca07861518bedc6fdc9def4dcd4ee27ab6

SHA512
c73b42932c4dfe2017b6bbbec2ccd2c83aa732607e4e10104058d625ffb2e5c197d94803be4f40ab56ddd732412c3fbe2e2ed071a0a7b69771201c035d1ca8c7

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
72KB

MD5
670c53318f2a5ac9522a0d0251ed319b

SHA1
56538932a97a93672cfbbd37905df1780fdbbc84

SHA256
1dfc9e848802238add57f7929385d3121de43a10fa8eb384d75cbcb846d0181c

SHA512
cb8357a7fba72d495e494e462e9c5f186d4c07e03a3021b33a3ea0fa56205c443e0b221c1c5e10d33e5338fb9edfac8e374ef8d4f1df37acce7d9cb631c0a176

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
72KB

MD5
cba60f17a96b5303a2e51ae15cb5ccae

SHA1
08c7f140dd324215868d469a03c7ff16ee869a47

SHA256
7e9ceb1caa3b293f13fe3fdb2ec46a4076b58f9501355a78c4e886b21b5b1325

SHA512
0d96576a4139ced2e473bb400fde9f99bba73281b4048f7e2af83ad17b6094d1b23a40370a9d0671334070c0aede513455dfc5d84dec073ada1a26cb03aca307

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
72KB

MD5
2e14a3e44a13a4d2fc7bbe8393565634

SHA1
39fabbaaf1c6469f768a3c3d6bed6e7fd5c524f9

SHA256
ede468af4bb2ca33e45637e51990598cd6594fead80759485aa8f26e063e1eaa

SHA512
7498ffda26ff776a09aa1823cbca6edca0357abc1ad4e6d8e2d7b7e4432b765655cd210f0bef06f7056a8b668b5d84927ecc7ca3c4278a0ed0ea70fdc3051cf8

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
72KB

MD5
e85b27169881e94430be7eb254dd6cd0

SHA1
e77f722d68eebed131bcc39b9301e40b5f718511

SHA256
874692eaf3c49f858486317d0aece4299019c601e9944e87aaf4693095be7db1

SHA512
c8fdb94ee81cdf662bd0c17523c05c89e81b04df9351f87badf11ee48c4e09843c5fdc3c55d08ee6ef084b276238524843863f39792969aa9406f77d1a4e4b48

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
72KB

MD5
d11b1d63ccddcc99a4cb96879c72899f

SHA1
c274b3a96b56ec66d18fc196c8f7d57d45016623

SHA256
576c92bbe6290796ba029e840ef8471358ddd79b2fec2f9ef041451a84115905

SHA512
7601384bc7aa6db4d5123d88ba94d3b79a544357966df664223453aefbdff19e3e1a0af896e2a8c515ec2d08c674794a6253b24647ca5f9f9302ba9ea4531ea7

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
72KB

MD5
8f29895faac488d70a712852ab0ab205

SHA1
a2717af52b6e13ec4102428203857d5282c263bd

SHA256
1208c173b482bc5f9bd3cc64ac1c1ac2be6e40dbbff910d8a70c09300899c573

SHA512
b03aefe77df1b8f2ff54f128b43e3b8d3f1e94d8a7f379a5d3d04889faad6aa7dbbffce447a7cbfc1883d154a7ee7dbf4f45a5ed20cd568ddfc29a6bfc3eab29

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
72KB

MD5
8c2b5b9505dc57e4a830b035dcbd22d6

SHA1
7a972892ead3c6307f6f1e8f224323fb38012591

SHA256
f6a56fab0621ba2999eb35a1449662b15c2a5c98b2b3a5464489d8ea21ada0a4

SHA512
1e84e4312b27418be2f32fc70d446dea5b9e196a1e6afee9675f17bd0429162e02cf116953cdf50625902a6e5ff76184a343cecc28e9bd03e1346acd586163ad

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
72KB

MD5
144d012700c74b8abe89f7ab65886397

SHA1
bf97d88bf7fc9fb8ccf971090c5984dc1423c35e

SHA256
ccc0b1b795891f8b0ed7ad73f86f51a815ea7f4ce7c4aed7051a15608ead3ebe

SHA512
2345a822b047aef5e3b90b3ff5ae4b6a8f6793afd0d88be241dd3092909da31ce16da3e3657534d9fae68bdaedbead3fbbcfc52a7616df10946a5ae821d910cd

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
72KB

MD5
48281a3a9b137c2d7afa3fc45103867e

SHA1
2f5e5df1653eaeeb8d6da32639e19c040e156732

SHA256
d60f89d84751c48ef081f7cbc80b9fcf2fbd8dd05cde5ea63bcb3cdcb08de268

SHA512
13aed7b0e30f7137845f99b2eef8c2620f501d9bed9239608100ad233481c298ffc05171ad56989c1cd2ee57b478f06be224591c21d30a77712df3125141c61e

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
72KB

MD5
7f98e01d5e2c3f0e4cc13b0d7e293487

SHA1
ad555ccf1c72f5cb85590823b36687c860392b19

SHA256
b0c1f6f092b1998da29f86e8d82772ba5286f4e8e2751975c5af80c40f8a3e9f

SHA512
fead03d8fdc93a382ccee39bb72de11eb79a46c7eb09614892da73121fe134995a6af123f8dbfe39582faef85f58fc30a280fba7e60bcb244c517c817b3a7daa

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
72KB

MD5
19e0dcc4182294ca02780d38b05c5fc7

SHA1
053668433873202b663c6ec46c9336bd64248219

SHA256
4ca3985d4130ede768758ee2c5fa3b8ef6ae42e405c9a68aa38d7910edc04ac0

SHA512
104be58440547d0c8f9bcb7a93a3584dfe4ed6de2c9024a4aa8a30963124ccabd486810a4596ae4b26ff997cb562a011259b89c1c0bcd29f3887b8816357ea99

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
72KB

MD5
d9fb684fe2a3dc89c27be0fe9ec70ade

SHA1
1c1fd8d16446fe725577aed0debb572221ae1d2b

SHA256
1085aa28d5e4a43eed41ddc004b39869a731e313171ebadf244f5e9ddb4f4d01

SHA512
1d78b4a3366d7efd8f7af848abc51f7dd48c1d8613c5517e28b253ea503cf322535ad126ba3ee15de35b08659a92df8d6283cc61a8c0ec93224d32916322fc2c

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
72KB

MD5
b2797aa36d191c1d3199414268d85778

SHA1
b3099762ba7ca68056cf1a3c127f4c573cb10cbb

SHA256
af0b7bdca89bf45ac8f955b9000b1d4ed210b0d094d534c6f69fff688f630d61

SHA512
f27cdc86ed75236b15b97073ea80dc39fcb1051a0ea2dcb295d2611fe54c6b5752b447665b8a4b7623b1f1fa14d552d92d1d617058c93cd4d2a5058f33020336

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
72KB

MD5
9cd3267e91bb24c314b0ec9a12e57ff8

SHA1
504de5efefed053c7fade6f546c83a9b54a0e57d

SHA256
a47c3a7373a808dc733ff1d8a2e93292e33d03366958439f17424df52c9dc277

SHA512
5bf5e7151aa28f365d77377e1ac1bf2cda7f9b7f2a30ea308680b96e354b2a46195706260cee66ad907acd8945d091525dfdf42667e49db6dd0a2f7494aa93e3

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
72KB

MD5
95e43d8be243ac3d13168580f8a4afc7

SHA1
9c4efd4d50b1a712d7bb0f066ff25083f9a6459c

SHA256
d054d928acc995e73244858ccce45a7fde1c48ed37b7a74afd1e849be817c2fc

SHA512
6ea49b353f80a5bff1afbc678c53cf094e549d94b1c0c6e700909d7ab43b68954188485d6309e1d2421cd9e4c1ff5eb431c4ee7940d690bb6ad3750cfd070727

Download Submit
memory/112-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/212-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/228-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/372-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/388-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/428-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/552-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/760-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/776-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/776-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/780-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1116-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1208-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1328-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1384-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1432-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-833-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1528-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-926-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3336-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-853-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3360-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3580-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3860-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4048-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4240-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4268-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4800-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-858-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5100-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5240-824-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.