berbew | 21a0915750e05b18443f82df86958e3a951f59d1c4932a9595220f78603aeb11

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21a0915750e05b18443f82df86958e3a951f59d1c4932a9595220f78603aeb11.exe
Size

128KB
MD5

ee42b9c07873af4c78c4ff99136f34a7
SHA1

08b59c1cdcd609fb3cf7dc87d9f956d3a5c388ad
SHA256

21a0915750e05b18443f82df86958e3a951f59d1c4932a9595220f78603aeb11
SHA512

b361e3f5b1bc0796aeb64559a519eca8086211f00032a52f06dd05d210471bbcf2d858178304c37c559f612de681f7c1f7cdce8bca207211f15fe0fd6fafb1bb
SSDEEP

3072:bbDrGcQDdQeSBJqoMHWipPEOyPxMeEvPOdgujv6NLPfFFrKP9:bbDrGcQtwcoMHWiJyJML3OdgawrFZKP

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlefklpj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3952	Lmiciaaj.exe
4036	Lphoelqn.exe
3632	Mgagbf32.exe
212	Mmlpoqpg.exe
4224	Mdehlk32.exe
752	Mgddhf32.exe
4876	Mlampmdo.exe
1688	Mckemg32.exe
2636	Meiaib32.exe
1012	Mpoefk32.exe
2256	Mgimcebb.exe
3664	Melnob32.exe
1844	Mlefklpj.exe
3324	Mgkjhe32.exe
2792	Menjdbgj.exe
3636	Mlhbal32.exe
448	Ncbknfed.exe
1060	Ngmgne32.exe
344	Nilcjp32.exe
1224	Nngokoej.exe
1212	Ndaggimg.exe
3936	Nebdoa32.exe
424	Nnjlpo32.exe
2732	Nlmllkja.exe
5092	Nphhmj32.exe
4756	Ngbpidjh.exe
3656	Nnlhfn32.exe
3132	Ncianepl.exe
2868	Nfgmjqop.exe
3008	Njciko32.exe
2564	Nnneknob.exe
5112	Npmagine.exe
976	Nggjdc32.exe
4476	Njefqo32.exe
2356	Olcbmj32.exe
4880	Oponmilc.exe
3752	Ocnjidkf.exe
220	Oflgep32.exe
4488	Ojgbfocc.exe
4228	Oncofm32.exe
4024	Olfobjbg.exe
5028	Odmgcgbi.exe
1404	Ofnckp32.exe
3792	Oneklm32.exe
2580	Olhlhjpd.exe
1652	Odocigqg.exe
5084	Ofqpqo32.exe
4220	Onhhamgg.exe
3536	Olkhmi32.exe
4044	Oqfdnhfk.exe
1092	Odapnf32.exe
1300	Ofcmfodb.exe
2676	Ojoign32.exe
1700	Oqhacgdh.exe
2484	Ocgmpccl.exe
2284	Ogbipa32.exe
1612	Ofeilobp.exe
4296	Ojaelm32.exe
4324	Pnlaml32.exe
3320	Pmoahijl.exe
3000	Pqknig32.exe
3352	Pdfjifjo.exe
760	Pcijeb32.exe
3348	Pgefeajb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mpoefk32.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Mmlpoqpg.exe	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Mdehlk32.exe	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Mlefklpj.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Mgagbf32.exe	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Jfenmm32.dll	Meiaib32.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Oncofm32.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Melnob32.exe	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Nphhmj32.exe	Nlmllkja.exe
File opened for modification	C:\Windows\SysWOW64\Onhhamgg.exe	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Nilcjp32.exe	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Phkjck32.dll	Lmiciaaj.exe
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	Mckemg32.exe
File opened for modification	C:\Windows\SysWOW64\Nnneknob.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Ncbknfed.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6076	5976	WerFault.exe	207

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhkicbi.dll"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkenegog.dll"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 3952	4312	21a0915750e05b18443f82df86958e3a951f59d1c4932a9595220f78603aeb11.exe	82
PID 4312 wrote to memory of 3952	4312	21a0915750e05b18443f82df86958e3a951f59d1c4932a9595220f78603aeb11.exe	82
PID 4312 wrote to memory of 3952	4312	21a0915750e05b18443f82df86958e3a951f59d1c4932a9595220f78603aeb11.exe	82
PID 3952 wrote to memory of 4036	3952	Lmiciaaj.exe	83
PID 3952 wrote to memory of 4036	3952	Lmiciaaj.exe	83
PID 3952 wrote to memory of 4036	3952	Lmiciaaj.exe	83
PID 4036 wrote to memory of 3632	4036	Lphoelqn.exe	84
PID 4036 wrote to memory of 3632	4036	Lphoelqn.exe	84
PID 4036 wrote to memory of 3632	4036	Lphoelqn.exe	84
PID 3632 wrote to memory of 212	3632	Mgagbf32.exe	85
PID 3632 wrote to memory of 212	3632	Mgagbf32.exe	85
PID 3632 wrote to memory of 212	3632	Mgagbf32.exe	85
PID 212 wrote to memory of 4224	212	Mmlpoqpg.exe	86
PID 212 wrote to memory of 4224	212	Mmlpoqpg.exe	86
PID 212 wrote to memory of 4224	212	Mmlpoqpg.exe	86
PID 4224 wrote to memory of 752	4224	Mdehlk32.exe	87
PID 4224 wrote to memory of 752	4224	Mdehlk32.exe	87
PID 4224 wrote to memory of 752	4224	Mdehlk32.exe	87
PID 752 wrote to memory of 4876	752	Mgddhf32.exe	88
PID 752 wrote to memory of 4876	752	Mgddhf32.exe	88
PID 752 wrote to memory of 4876	752	Mgddhf32.exe	88
PID 4876 wrote to memory of 1688	4876	Mlampmdo.exe	89
PID 4876 wrote to memory of 1688	4876	Mlampmdo.exe	89
PID 4876 wrote to memory of 1688	4876	Mlampmdo.exe	89
PID 1688 wrote to memory of 2636	1688	Mckemg32.exe	90
PID 1688 wrote to memory of 2636	1688	Mckemg32.exe	90
PID 1688 wrote to memory of 2636	1688	Mckemg32.exe	90
PID 2636 wrote to memory of 1012	2636	Meiaib32.exe	91
PID 2636 wrote to memory of 1012	2636	Meiaib32.exe	91
PID 2636 wrote to memory of 1012	2636	Meiaib32.exe	91
PID 1012 wrote to memory of 2256	1012	Mpoefk32.exe	92
PID 1012 wrote to memory of 2256	1012	Mpoefk32.exe	92
PID 1012 wrote to memory of 2256	1012	Mpoefk32.exe	92
PID 2256 wrote to memory of 3664	2256	Mgimcebb.exe	93
PID 2256 wrote to memory of 3664	2256	Mgimcebb.exe	93
PID 2256 wrote to memory of 3664	2256	Mgimcebb.exe	93
PID 3664 wrote to memory of 1844	3664	Melnob32.exe	94
PID 3664 wrote to memory of 1844	3664	Melnob32.exe	94
PID 3664 wrote to memory of 1844	3664	Melnob32.exe	94
PID 1844 wrote to memory of 3324	1844	Mlefklpj.exe	95
PID 1844 wrote to memory of 3324	1844	Mlefklpj.exe	95
PID 1844 wrote to memory of 3324	1844	Mlefklpj.exe	95
PID 3324 wrote to memory of 2792	3324	Mgkjhe32.exe	96
PID 3324 wrote to memory of 2792	3324	Mgkjhe32.exe	96
PID 3324 wrote to memory of 2792	3324	Mgkjhe32.exe	96
PID 2792 wrote to memory of 3636	2792	Menjdbgj.exe	97
PID 2792 wrote to memory of 3636	2792	Menjdbgj.exe	97
PID 2792 wrote to memory of 3636	2792	Menjdbgj.exe	97
PID 3636 wrote to memory of 448	3636	Mlhbal32.exe	98
PID 3636 wrote to memory of 448	3636	Mlhbal32.exe	98
PID 3636 wrote to memory of 448	3636	Mlhbal32.exe	98
PID 448 wrote to memory of 1060	448	Ncbknfed.exe	99
PID 448 wrote to memory of 1060	448	Ncbknfed.exe	99
PID 448 wrote to memory of 1060	448	Ncbknfed.exe	99
PID 1060 wrote to memory of 344	1060	Ngmgne32.exe	100
PID 1060 wrote to memory of 344	1060	Ngmgne32.exe	100
PID 1060 wrote to memory of 344	1060	Ngmgne32.exe	100
PID 344 wrote to memory of 1224	344	Nilcjp32.exe	101
PID 344 wrote to memory of 1224	344	Nilcjp32.exe	101
PID 344 wrote to memory of 1224	344	Nilcjp32.exe	101
PID 1224 wrote to memory of 1212	1224	Nngokoej.exe	102
PID 1224 wrote to memory of 1212	1224	Nngokoej.exe	102
PID 1224 wrote to memory of 1212	1224	Nngokoej.exe	102
PID 1212 wrote to memory of 3936	1212	Ndaggimg.exe	103

C:\Users\Admin\AppData\Local\Temp\21a0915750e05b18443f82df86958e3a951f59d1c4932a9595220f78603aeb11.exe
"C:\Users\Admin\AppData\Local\Temp\21a0915750e05b18443f82df86958e3a951f59d1c4932a9595220f78603aeb11.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Windows\SysWOW64\Lmiciaaj.exe
  C:\Windows\system32\Lmiciaaj.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Windows\SysWOW64\Lphoelqn.exe
    C:\Windows\system32\Lphoelqn.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Windows\SysWOW64\Mgagbf32.exe
      C:\Windows\system32\Mgagbf32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3632
    - - C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:212
      - C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:424
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        32⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        34⤵
        Executes dropped EXE
        
        PID:976
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3752
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        39⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        50⤵
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1300
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        54⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        68⤵
        Drops file in System32 directory
        
        PID:1128
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        72⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        78⤵
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        79⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        82⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        90⤵
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        93⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3840
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        98⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5056
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        105⤵
        Drops file in System32 directory
        
        PID:3576
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:740
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        107⤵
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        108⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5300
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        114⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        116⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        118⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        123⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        124⤵
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5976 -s 408
        128⤵
        Program crash
        
        PID:6076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5976 -ip 5976
1⤵
PID:6052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
128KB

MD5
60f7237967a36be1efcc8fabd1823d5c

SHA1
051a250e0c99182682eadb0a6a3e2d74cea1c997

SHA256
7866b2465c82897f9d67066e0cba337c2bc7de58f1d866ba43aaf0c83ba3dbb5

SHA512
167480c1ef1d91651628b213c08783891c1fba8777aedff7382ad9d7272ee63f2bfa6140c5d583b7b29c876c3a8a71b5d8fe07198158030d817ae83c7023b5ca

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
128KB

MD5
11d9eee95bbc33f74cd3628b89d19b0c

SHA1
68bd4bcf83f3267a1662b04b5ee8d63382c72421

SHA256
361c667318083c69a714ead849f433b2f22caa4aee11c69edd3e5be214021cbe

SHA512
a911e0363d88e2430dec08b898ea735a4ef489eb2a8f8d92b7aaca8b73853a6c97d37cc10b059dd78230b75c919b566e26bfd730736e3b8f590e4592d482627d

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
128KB

MD5
df3a150550588098cd5cfc312f3bc338

SHA1
0263e8c31e6e65d338bb9674d2b43f104f5f1bd5

SHA256
270ad9e0163035d42e180cc244bba144d112f9273289813aef665a2668f36907

SHA512
99ac0375d95a792fbe7e2ac990270f23784c05a6745db73236cec8f507d727a88ee0955d0e019be03dc5dfcd0f741424c89d5d38fac78ebc4d3977ebc11ea88d

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
128KB

MD5
db11f29f2b0a1af998e8e11f55d01fdd

SHA1
9c3ac06675beabc12ccf2c050e26edf9ff3f22c0

SHA256
cc72f8f13cc70f7ea8b1c8ddeedcf05040ededdc6b9ab0b43f704d5ba4ac7a8e

SHA512
ebc4d84bd2467081442114ba3a916f9b2c0113dea90339faa4984fd4e446aaf5d85708a2ba1a382fad550222a16467cc9af01c09688d07738f8157672550624a

Download Submit
C:\Windows\SysWOW64\Blleba32.dll

Filesize
7KB

MD5
0a97107d3c2969065cdb5bc229540376

SHA1
7c202b7e2fc93228e26d8456120a081fa4f775a0

SHA256
8e40a77f17a58090ffd03df846ec1c4721787fdf7ba6112bf4dc96b893b8045b

SHA512
20f21001a30444bfe3eebc14334502e0d371f9ad44fe2efd802926022ed26ab3b2f67d766f83f2f8429765429dfa4bd6477c9f09a17dc34a0902b59e17c11f85

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
128KB

MD5
593ddb77f7162cdd6013cd25ee701367

SHA1
951b9c10bda1bddb4c72a7037033723f0239a255

SHA256
00cc4bbe09970e3c9619ffaa822705c08d7b865bb7bfe1402ac199c01158f2df

SHA512
4fc9ffc253a825045a67ef72cbbc2a25850d3d41e25f4541ce77b1488ec4b4c7e0be9a3653fff1033cc13cd86aeac4214070a25d86fb6e3430982c5d63691fb3

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
128KB

MD5
2e2ddfaf31b61920320ac28edc1a4f61

SHA1
846e77392cc8026ac0b01bdb8760f93d9089a100

SHA256
1328c72cbde3fa0e99f84893bcdfc80a251ea67b17faba5682460124fd3ac44f

SHA512
9a4adf3639618e036e5011ee3fff5df6d0d5d6a4dde2498d5fdb466750ce94df673961d5f6741b264c061c184f0d3ef5f355e078a7594932d11db3257d528371

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
128KB

MD5
cc3ab31e8fd26501e734863437930a1b

SHA1
424e6616e309f759b010d2d0a17f1f693c6a2690

SHA256
ced895f73269a66d23ce0ef75de62e876f352de1711bd37b6dc1e18ff03820f4

SHA512
441faa8ecb4de155b7d4d35f5640425786e0f058ad7b062d59fa4ac92b9fde726e5b94c99a6dfc8f8cf92173c7ad8e97a1e8c76d01f3750d69e6bdc69ab90c4e

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
128KB

MD5
ff059543ce71db9535d49db2d7b0ee08

SHA1
e6e8e917c4af3fef4b9dd58cd7db68763b32afaa

SHA256
69391e0c7a6f7cb578958073c5022aee6d632de9b5ff5a7c7b07a7479bd74edc

SHA512
f80bddf7cabbab4ce3a11db735c5f0df141f9e83baf92d349b69f2f36fb68bfe7701fbc32af480b6e77bb377c95a3081649ab9a13c2112073eabd40965ce27d4

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
128KB

MD5
2bb3835a65527aaf8bf97b5435741b98

SHA1
0d82de0c9e678abab3dab6ae90dfa54c126dd6cb

SHA256
f62247a8926d9965df65a25dd74a4ecd5552ce780b751974a5a1153059f2c90f

SHA512
d7e71c9eee77b19c5375691f4a7f668a0ca4511cab56fae9d258cb625c01980eb1a78e618e7780cb3b90cd8d11f4ce7123b8daff235caf8637a19c74042446df

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
128KB

MD5
3a7f37b412ef293ec4e83bb47e6ee201

SHA1
19e5ccecbf6ffe1d030e7b19df26a05b0bf21ecc

SHA256
c7790999e5965efa7ba887a05532fefa43f0be62bdf8301c81fb97d309110241

SHA512
c72d2df703ab7dbe154bd4b4af677d96ed0ed7dc2708462a224b1bbaf47f829ed9f65308ad17efeff002304bac3ffeb6c233c3dbd31431d9cbe7271a9c4855d4

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
128KB

MD5
34e2614173cae93ff62896b4874887a2

SHA1
3dc1d9509598984a5aed75b2405ca1dc942f4527

SHA256
6a8e7b8441132356554f750235de73fdca015bcacac1569f8316364fb496c2c8

SHA512
4ba18881e22de7a8c1a5a8b39bb592e0729668488caa72b8f7ce9a83bbf51dba6892f8f35513b973b9c1ef8add29e70eab5a297d9af60830b0a0df680ceab295

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
128KB

MD5
896621cef2670b06c9d5c8bdfe7ca525

SHA1
8b6fd445ee20f4710bf22e297327e52d7bf989f6

SHA256
33ea2c8bd9b129920ad15e0b8b632d3135d3b06790ac97b12796558d0cbc8896

SHA512
4ed0028c3dea5befeccd8b160fb9e9057b1e3ec103682ea7d0b0a7ace1e5f00e5aa2d8bc64acbf608b7cb7ca818cb5812b1a8c5360ed8662ce5d8086b83a8760

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
128KB

MD5
1d1797ac8e3ffd499c726afecfb56765

SHA1
62c2f5e1b560661e7df824546b8326d0dab29402

SHA256
5e8a89f8f0237f2b5c1f15be752603addd7b64c70b6ebf55f95388f46cabf388

SHA512
c2c7140749826099d897eb47dc0f61a4d08de3cb48ce2ad3fb6fa2ada38eacd6b26806ec8658fad3697ff1311fa66d369198214f3ea70068a2394d95854a8b89

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
128KB

MD5
4cb4eb22dfc1485c83db4074dec8fd86

SHA1
f3c857cdf359a5d6da3fbbf58b0a636f018b3ae6

SHA256
ef82ce1433235c3fd72fdb0ec2608f37371d08f687afba07a9538b048dd46d1a

SHA512
e05aba9549995409b4e70c60d0d2c9e2bfb0e988c980c057d0774a12355544ecc4cbb99183165ebdf226f128483d1fb00e38f2c755cc063437a2b1916dea0749

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
128KB

MD5
f447e4567175d5cd69f63532f7566689

SHA1
12d55ca65857d3a6a74e1457c2c17762f0520640

SHA256
3f67677cde19bdf238dbec01bbc6145298028a6d8721118c1fd8a0574384726a

SHA512
6feb8aa915b7b9bdc2806e96bdebc6f6f1d9ed672e202af0d5ac2f197cf008f8648992a2c8634cedd018f8241b1751d4f444359bec046a9b42ee462a24faa6cc

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
128KB

MD5
5e465f8ed7ce94c75a8fb0d3c36cf0a0

SHA1
e546caadc42b2c9496fa0856f4ebf246e961206c

SHA256
3544351caf43f477303731b5851938589d54468385eaaf82bab502d716866ba6

SHA512
7e40190c187e4928402c1d6bc9f7bddc202c41510a5ebbe6ecab723f5000631ca7130c423e6b4cd4a3de7ee99b7525b52df2ae29951c392d408fadf964e3045b

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
128KB

MD5
86443fbbc249df40803f2ec287a083ca

SHA1
a0e1c7dfadcc08a634faeec54413eb5abb7e2a80

SHA256
04272988b7cfac9047dcbd622d81345f1ba6ba6e15e7f5e7896ce7c503ea51cf

SHA512
ca9fa40004c037964ee5b6f1d36fe0612424e891ee7f39f95f1fe263c788a7f03d974b8fb34465412886a4e968b511fde7a94da65f3098275e95652557a6a224

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
128KB

MD5
54ff1d9b9a01589e15a74c4800aa21cb

SHA1
4d1501ab907a8c5cc7f1735a9fe28195a78ecf4b

SHA256
884917dcf9f2d7d540e85eeb884f7d0d8e5d232615771f9c61dc9cd88305ae03

SHA512
c8a82181da31b8adbc8fdd782e8b057ca60f6460f4ccb23074c5de39d269e2d58feb26b7e3cd375f0e3c27d731ba022003763991420d3ff61a638acc76f4b9ea

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
128KB

MD5
2487d6dc61848ad72372d2dfecbf67e3

SHA1
0bc23c08283abde6fbbf5a0afc02c6da44f2abf0

SHA256
f30af7e9161b4992fee14b01b7428f06e0df94a2eaf8da025076c9c84f7dc1f8

SHA512
3ac1de682cffd8a9c318e7c99025789d5c0380ce028339596615d2b878da8294e7b35f6135a3ceb445548d40890387f1c1cc00108671fe3ca3a88ba863abe0f5

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
128KB

MD5
df09a6c1f0a1a3759e2cee9fc255fb23

SHA1
82d303883b33d5cc790121a99624503bc33fda37

SHA256
7d43f95a3bde79fa0a3647e9cf6b080b83c5d9091fbc9d710c09e4daba9fd4ff

SHA512
1f35ce4c3d288ae281f35f63c5d0a13f6d107b295188c5aba3d89d2a0943605ea82c58f13405e1c12793abbb2eb81a0526ade09b7fe0514d8e94f9cb58d428de

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
128KB

MD5
35ab213ddae0beb447c149e265d981f6

SHA1
f6676d0807f474075bd15bf5b8f6e57e9930552a

SHA256
40b6b125e0eac2dfc4cb4a86e6d6c99f8285ff14c8945fbe78f03aba2c86aa77

SHA512
5d38c5006479a99dc33c7e3bc9e4f8da3434f9ac6320c06949e0abe788bfdd507fca6b3fd5eb6d8d7de8aa3a6e7fb4c24b0c11c769083bd85e413d757f4baa47

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
128KB

MD5
0410dddca57c261e78fddafdf197ccdd

SHA1
3b85097fe0bf5639e29549b02d495b1778fdb483

SHA256
63b2ebeab4f04f958f75b5bf2f3881072fd868526047a9ae1afa9b5c5d2f5ce1

SHA512
a94c6f0605db3e3d158871c3c4b60469a7ed22adf19f9b6b11ea4faf17991501be4b245c62d2ff43f74322c23315c6ce783c3eb15db876496bda6640a3ebedee

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
128KB

MD5
49b30b5d237730c42a16aba775978c70

SHA1
1ff1dddab6775e3e7321fa54c602eb028f7b1536

SHA256
596a5eb55cfe12d24b5849ba53da9dd09e3dfe31de386677cf830c39d43221d3

SHA512
65e5281268e4038c52a92cd6d1d5a2bf21aaba7076a891a90e0da06bf881ed46f04cc6dc8b0adedad99abe0d12533bb2ca670ee2be68e2813443093611951d33

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
128KB

MD5
24be282f06fb8d8974ffef7860ed37c2

SHA1
9dff9b1ecb012fba78dfb4de79f40303ed6539f1

SHA256
a493e54fe16de169432676f23e81794c6f0d977364124fd0043c2eafe22012c8

SHA512
7ed8b305df3a3335fc9aca1a477c58d3fa250327eacd8a88802bd04f5184a2569da7ffd6c5845792a94b5211f2c88dc36113d8cea754bb3f28527b87a10c19f6

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
128KB

MD5
c1bbe723edb5e381aaaa6c51ea9d469f

SHA1
115138ebaae6175922254a9d33650d2d304bfe14

SHA256
dcef4e9c3770d77682acb82c01da767dbc25cd4e89b472cd989cb0e007fd5767

SHA512
cc5c7f27bdb2fc688d7ba3a978d88cf564a29f75d2e0b7e0b63421e541fa4681f910fcf11fabe5d6f22292d487a513b0baeb27ab72d7bcb06428b8c142d4f254

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
128KB

MD5
750e71c45b97d05bf3d4b07a720e2454

SHA1
537608031799ef36f81d6c310d0877840ecc89de

SHA256
0b4799c99cfa580aa830e70dd4a6ff24b30428a9216e22b16be4678175bc4e31

SHA512
61d745c9fd90da57e9abd89cf1892cf147932033deeddc86f4b1bfc505b9399b5b835121ecfc8dbc4bf72027f8115d402b4562673ad019c1bccbc4fdc0a65ad7

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
128KB

MD5
8eb1eaec09e6413add57ab72072ed0b3

SHA1
f35d43d57ad9e69756f422215bbe62c6f5ebe57a

SHA256
eac3b4ba848fa980c91ddb1c4feec826fb3e31c05a63f8041dc3429162ec7b60

SHA512
dc0982b09828719a9a6d83b04354da85002714c48f976ff1b3fcb8f0cf6ad4deeae35ca21211f3cdf8ba755e4e4455159906078bd1c01fd23cea8826f2f1bd32

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
128KB

MD5
6fc5323062d4d733cd98f1e6d90692b0

SHA1
d7877173a07d919d4ad09b1e11ac0ff82056f9ae

SHA256
0ffa120683b829f8e7a40dc2ca22c6a72760983501c0d7d6ecc4bdc88d2dd360

SHA512
af945b764c874875cf248d6eec12c5c6c2a4d3bb3a794c832feeb842f9779d9f017e352863bc79375396423f24385a99219ea59451be7920adb4f48d2fa2633e

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
128KB

MD5
6ea27d5582f2bedcd2a2f370e180ab1c

SHA1
53d969acbb92ef5ac993038398c7287d671d2d32

SHA256
12351a12dac5e4a95785135e36fa6ffe4580ab5c8a1b66dd2833642580714ac9

SHA512
6bfbeaa3d524c75139fb96ea69c53b365ea8d3469edb112a10a7403c64dba55e26db3322816e733ef931a89847b49e8de1df273eca5b80aae45932ce0da84733

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
128KB

MD5
361c1ac06dd2baa4ff9c0af77a0218dd

SHA1
fd9012b461389eee76fe31a06bf7bf7e6bcd9671

SHA256
7fbeb618f14bb6a2392142430dc88b08d31d14ffba3369613ab7d5d42aa13e58

SHA512
92d4aad4bd4c3734f49fe740031acd81fa554f08fa354c506a4aa6074131e3997a9adcf1e3fec85991558f15404723c347d3925be403725c4c7b715f395ae394

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
128KB

MD5
9da906c7c511ca8a0c96d149d0080218

SHA1
8fb5810bed1b27a0cd85d785c52ac8c518175de7

SHA256
686e48850fefd7f6a91e2e6b77299118161b6436cdb449188d89e7226962bb57

SHA512
3876a83b90d129d31b20c1c8599df12788c0a5c96de26c29f51dc23f3fedd695bc79088613d78ff804161dd5e69dc7c47089abd888af40aa59641e1435ac2c13

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
128KB

MD5
9b717efe00bd87c3c4fb4a1a0f18da15

SHA1
26d8e994a0281629abdde1f67a01b5c9cd2d237e

SHA256
74cc1550879eecb333a3ccf6eed7ef1086c70e876e59dac66630555cbab6780d

SHA512
766c374450f60a72eaf43da3db28c6fd4982622dc01f9e19bae0fea1cb7a1095c427edc0866c25eebaa73ec6c0e3b33dd8cea843b22b0666ec356221b88bfd2b

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
128KB

MD5
8546e2778919318073252642af52a227

SHA1
242c83888efbb97f43827e20c63b077524bdb80b

SHA256
fc4ce6720b49ec2678fb79a674b503453b78a6b708083e7aa9025d824d7ca8b1

SHA512
fb8299bf35bc9a3c0ecceb630c395afee62a02d566287640c1ffb29ba465e2b981ec510e436288810ae566b717d808f6ed49d76383fbeb71f25c84a76c34130f

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
128KB

MD5
d5ed625d3f1e6ddbf06c8b724d91302b

SHA1
0e8a4e2dac8175b142caf575c950f37e3ae7ad99

SHA256
74df7aeb6990831c2d6f4b96402d4cc55bcec0de751c9ebf4a4bfbbf145342f4

SHA512
8d2fde7b140b28bfeefab992ffc423780e7dc0e7661f6543c641acaf6f5a83bba3ffc7412b7beebc8f953a3c742acae0980c30cbbf44a8e429a24c132ce083ad

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
128KB

MD5
c4fad44eadc76c3a19638648314905a7

SHA1
afc663f327961ad3d0aece05ef0ec5d24d87d85a

SHA256
d0bfd97f32d675e2139a57a4c3e99e2aeb6891838234453ac3cc6a9bd3d8d052

SHA512
e98f112aa6f3c754de780cb8c227e59992ec30007c4d327aaa22fc11d49b81064d95d1ef82e825381ccf0a13bf0d708c337d1e8e5a02fc3adb596d992df6bf6d

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
128KB

MD5
261e6f806f154939ee6c3e4b8ba28eb1

SHA1
98b3531b28b8df8390034255b8cf3da483db5c27

SHA256
9ef03ad3cea69bd0e5344f5ed098f75bc2a02590c8b54ed8bcc6b0396ddd852b

SHA512
7dc7f87bcea4ec0d659c233ab619b7613c290619195913da82a87f436829cf0c9a3ea3a872fab86aad791330e10afffe7e4235a66c782ef8fae5d55132c37e28

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
128KB

MD5
5afede6d5b74e899e71efa8b4c43278b

SHA1
995aba73f2ef69f4f8756333c797b095a47f3a4b

SHA256
737c99ba7241064efbdc083575b8fff7088aa21ff29bccc7cffd151cc1fb8177

SHA512
59dfdd7613ba1fde67daa60c43dca3aafd05cc0905ca9d0a80f0fe6f4b28a1f206c0ebb5fb7777b5a19d24ae3576608d5d7c8f778fff66bd0c2ae27a6a62b029

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
128KB

MD5
9da0d5efba1f010dac1f2dbea552fe0c

SHA1
1d787df446f809187ce8d01b410082698ac2f64b

SHA256
b8f285d12b96b1181cc1d5d4bc3c0daf316055c38f592e3f088a80612ff68744

SHA512
3baf89299f3e6cb4a07467f4240ecd881c6f750d47077249dcf704c824ce0584db699c848c783a40a088212d360d0ca4b4c98ea22acc9153459e35a8608e1df3

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
128KB

MD5
85f0d7a56c6635dbce0583b9b3e7ae36

SHA1
3d88dfb903d4d1685dd70b299fba369274ffc41a

SHA256
d348822e6f72cffbc103763a560743a0e81f9cabb2a89d99a58ababc709714d4

SHA512
6fcc5752d7f2fa0d03783bd61ee19b02db1e743c6507d3dc08be876cca5973e2766abf478590dcebaf9a168b913c6d83756effd50927859d98cc7d449b7c3c4b

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
128KB

MD5
33be759def41a88d2d69572c88edee57

SHA1
a5fb767851fb44d84a6f15962a99b1e7aff8ef0b

SHA256
b168872e71aef8d6e1b41674ef7bd1ce87ac45281e05bc1fd0553f91f0dc1014

SHA512
5538da0e0e4b386500643e2cdcd5f4b8511e33548e4cee9d2b7f41b15cdadc3a62a06351b99931447c61ae9f54c479f5dfc4f147c337d74bc2ebd35ed613ea57

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
128KB

MD5
6d1cc482c452e2736adf81e1a87d3915

SHA1
5eda71b2c33615330211ac4148c8521222f0be7e

SHA256
ccddb5cf40716c66fb9d1f6b4664a7a09d1a5390148afbaf016a417113568fbe

SHA512
1f08e543160c365cd0e4fa20baeb8f46ba13d481bafcfb11e4f99c22cfe608194229f4b0f80b9d60de481b1bc2132595c3449f8766a4aa99f402c4968700cbf2

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
128KB

MD5
8514ba00d65e5fa5e9dd27dae761d0bd

SHA1
98a89d4fa8e677179cbf7b5c8b8a09c40b82ca13

SHA256
111245e2d71714377ad5a6c9ca373c4b36b74952d8077d1ea95e1696763b341c

SHA512
54c8a0cdef9d6b5a3fc404f9776157da55025382a9a74377e48949c50f6bc0073639dd231fc102d7b0cc72ed080d5de2eaaa00fac513e7cd29f7868c29444814

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
128KB

MD5
5c483cf3daf6a1d7e00f4d0db46501cd

SHA1
d20bc1e555e701c16220679c8b2249a3ad55ef10

SHA256
e9237bc5ffc47359fd42a226aaa4d2b6bf6e91b0899e58db62188009724dd115

SHA512
f8bfd1577ecb97498f31f2a0c05e151c33de65c0316cf1b53587904a418f45c7a32f5a04971e2c14f9f17428cd286438e99c6aa23b92eb101e24c8382d37272d

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
128KB

MD5
dea029a77e7ec73f1cce5a93b51516a6

SHA1
af198faf2d85aab3ab7f34b33f945d62592079a4

SHA256
0451427da1d7a587a7c405215088bdb96217e17eb9a47a9e358265849bc031ef

SHA512
4fe090ce1ae927584c2fafd77c21c93d3fb25fd85deb432934322a129f2f4165c75a0218854d625575de6ef795169f8259562ceafdd5d25190d3da4aba9e9de0

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
128KB

MD5
e685e62b33851526d55b9b8b77172b22

SHA1
8f265a02ec64f8f41272f6df3ce01cdbd729607c

SHA256
11856eab96f670dde8717ccb1df80f22d90d6d3ef044d1cbde450ef7158b27ee

SHA512
4c70ca6df0b778605c7850637c6c4cca1cebe230fb720df1226a8e133a5f2a3b4cdaadd7ba51fb179e58f84c4f5cbdc71199c19cac916bdac46a03fa1187e837

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
128KB

MD5
8ae6d43c9ff2e5abb0bbe79491f1376b

SHA1
36d62e3c41ee3c8caf078fe30a592005e3b7467d

SHA256
5c2ab54ca38a6d128ebaac8e4ef6ae0fdff1a51111453d1ba13ec9268cc1aee8

SHA512
35db905e7f6eea2ec21fb79e88edb36c6f0cefd8c0166836fde8a695bdbd47d1116a2bf77ba549160d0e13109bdba0e6dc4315fb1ee8b08eeaa9c1c392c347a2

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
128KB

MD5
8f7bd30026c64e5d1733893de65b5506

SHA1
f910e3490c3746f155eaa9fda1953f6dca66c20a

SHA256
33b4610575d953f2feb1de87612a83ac4517bb8a961b009eba8e580311139687

SHA512
9030f6b2b1fcb520b3c20097f601047b8a6faa246d0195a5152196d759822ea47ab362d78ad232dd831c662d177ac3f697f8757b73c8fccd2407186b4476800d

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
128KB

MD5
a2a5a5fa901e577ea550d66fc86ee13f

SHA1
45588d62ea10b91435d873b71a9d57df87869f89

SHA256
372225796dd5ae135d6e439bbebad94d2779b5b206e5ebc1064a6bab0cec6aac

SHA512
299e1c523c4cf234719bfd294cb0759febff15ea833735547c613932aa20b2d77b43a51184e5e8419fcbf98b42150388b6e5d7d6d479d407437ed22520c74d57

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
128KB

MD5
3fe4b335803282309cb71f9623ea487a

SHA1
f0a8a7f52d263012072b4c2f1d75fe7151ae9eb7

SHA256
f1ba58da49e92c59bf4502b7a54b4d2bc2a40018f88cc9aed563009b60f3dd3a

SHA512
a6b6ec29c97c14031cf215ecd19c8113d4cee139393867e1d22ba67f6063b916c2828f9459fa2bfd50843435ba45c3ac81e64597cfe40b26d8dae104e3e0db7f

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
128KB

MD5
da71fd6f0aa67932ce3058f1ad32267f

SHA1
f0847d3ad0897ba2578f8fc06b07f8b46f7289d9

SHA256
f53ce8308072106c1b22de03f2af4ebf39045e2ee658910689b38ce665c30f1c

SHA512
7be038b70baa3b75281f9fb133a6cfb9cb41f26a852f604abf1ba53ca69b3165cd40abd788392d0ead4f8c1d4b47fbac0d235f6e66bdc4292500f729cdc9d39f

Download Submit
memory/212-115-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/212-31-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/220-321-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/220-390-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/344-161-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/344-250-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/424-285-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/424-198-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/448-144-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/448-232-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/752-133-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/752-47-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/976-355-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/976-286-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1012-81-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1012-169-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1060-241-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1060-152-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1092-412-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1212-268-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1212-180-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1224-259-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1224-171-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1300-423-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1404-356-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1652-377-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1688-64-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1688-151-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1844-196-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1844-107-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2256-90-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2256-178-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2356-300-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2356-369-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2564-270-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2564-341-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2580-370-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2636-72-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2636-160-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2732-292-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2732-207-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2792-214-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2792-125-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2868-251-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2868-327-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3008-334-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3008-261-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3132-243-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3132-320-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3324-117-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3324-206-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3536-398-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3632-106-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3632-23-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3636-134-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3636-223-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3656-233-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3656-313-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3664-99-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3664-187-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3752-314-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3752-383-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3792-363-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3936-188-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3936-277-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3952-89-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3952-8-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4024-342-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4024-411-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4036-98-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4036-15-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4044-405-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4220-391-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4224-124-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4224-39-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4228-335-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4228-404-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4312-79-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4312-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4476-362-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4476-293-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4488-397-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4488-328-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4756-224-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4756-306-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4876-142-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4876-55-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4880-376-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4880-307-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5028-349-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5028-418-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5084-384-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5092-215-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5092-299-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5112-348-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5112-279-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads