berbew | 4205701409b14ec7ed9ded48c8dadf2b54b1cf6653b04243cde50e9fcdbf7dcf

Analysis

max time kernel
118s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4205701409b14ec7ed9ded48c8dadf2b54b1cf6653b04243cde50e9fcdbf7dcfN.exe
Size

344KB
MD5

a77ff0a79581448fd4d0f20a7668f4e0
SHA1

857aeb5623a03e75c26c6f2f0e2d1286d00c4c73
SHA256

4205701409b14ec7ed9ded48c8dadf2b54b1cf6653b04243cde50e9fcdbf7dcf
SHA512

1e767265192d7e4b0a846dd501798aa6843f6101ec3659b31e38e33d6e0d889a010ae8fb727a8ba9de94c69ede59472dc412ef9e52a375a0ba3b3ad3121f899d
SSDEEP

6144:km1+IhWCpX2/mnbzvdLaD6OkPgl6bmIjlQFn:klxCpXImbzQD6OkPgl6bmIjKn

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llemdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4632	Llemdo32.exe
4264	Lfkaag32.exe
4876	Lpcfkm32.exe
4988	Ldoaklml.exe
2916	Lgmngglp.exe
2716	Lgokmgjm.exe
4436	Lmiciaaj.exe
4316	Lllcen32.exe
332	Mipcob32.exe
2160	Mdehlk32.exe
3752	Mibpda32.exe
3900	Mdhdajea.exe
3204	Mlcifmbl.exe
4256	Migjoaaf.exe
2964	Mcpnhfhf.exe
1636	Mlhbal32.exe
3340	Ngmgne32.exe
4400	Nilcjp32.exe
4484	Nngokoej.exe
1812	Ncdgcf32.exe
4592	Nebdoa32.exe
1908	Nlmllkja.exe
3260	Ngbpidjh.exe
3448	Nnlhfn32.exe
872	Npjebj32.exe
1620	Ncianepl.exe
804	Nfgmjqop.exe
3180	Npmagine.exe
4120	Ndhmhh32.exe
968	Nckndeni.exe
2848	Nfjjppmm.exe
1964	Ocnjidkf.exe
5064	Ogifjcdp.exe
4004	Oncofm32.exe
4392	Opakbi32.exe
4584	Odmgcgbi.exe
4212	Ocpgod32.exe
4788	Ogkcpbam.exe
2576	Ojjolnaq.exe
2448	Oneklm32.exe
2816	Opdghh32.exe
3640	Odocigqg.exe
1172	Ognpebpj.exe
4492	Ofqpqo32.exe
3736	Ojllan32.exe
1124	Olkhmi32.exe
4980	Ofcmfodb.exe
940	Ofeilobp.exe
3136	Pjcbbmif.exe
1804	Pclgkb32.exe
1516	Pjeoglgc.exe
4932	Pflplnlg.exe
2660	Pqbdjfln.exe
620	Pcppfaka.exe
3328	Pmidog32.exe
3520	Qnhahj32.exe
2180	Qqfmde32.exe
1444	Qfcfml32.exe
4920	Qmmnjfnl.exe
2136	Qddfkd32.exe
3288	Qffbbldm.exe
1416	Anmjcieo.exe
3672	Aqkgpedc.exe
4676	Ageolo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gdkkfn32.dll	Lgokmgjm.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Nlmllkja.exe	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ojllan32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Mnkhmbin.dll	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Migjoaaf.exe	Mlcifmbl.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Cfmajipb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5664	5448	WerFault.exe	231

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagcnd32.dll"	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihbcp32.dll"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilnhifk.dll"	4205701409b14ec7ed9ded48c8dadf2b54b1cf6653b04243cde50e9fcdbf7dcfN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleba32.dll"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Chcddk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 4632	2416	4205701409b14ec7ed9ded48c8dadf2b54b1cf6653b04243cde50e9fcdbf7dcfN.exe	82
PID 2416 wrote to memory of 4632	2416	4205701409b14ec7ed9ded48c8dadf2b54b1cf6653b04243cde50e9fcdbf7dcfN.exe	82
PID 2416 wrote to memory of 4632	2416	4205701409b14ec7ed9ded48c8dadf2b54b1cf6653b04243cde50e9fcdbf7dcfN.exe	82
PID 4632 wrote to memory of 4264	4632	Llemdo32.exe	83
PID 4632 wrote to memory of 4264	4632	Llemdo32.exe	83
PID 4632 wrote to memory of 4264	4632	Llemdo32.exe	83
PID 4264 wrote to memory of 4876	4264	Lfkaag32.exe	84
PID 4264 wrote to memory of 4876	4264	Lfkaag32.exe	84
PID 4264 wrote to memory of 4876	4264	Lfkaag32.exe	84
PID 4876 wrote to memory of 4988	4876	Lpcfkm32.exe	85
PID 4876 wrote to memory of 4988	4876	Lpcfkm32.exe	85
PID 4876 wrote to memory of 4988	4876	Lpcfkm32.exe	85
PID 4988 wrote to memory of 2916	4988	Ldoaklml.exe	86
PID 4988 wrote to memory of 2916	4988	Ldoaklml.exe	86
PID 4988 wrote to memory of 2916	4988	Ldoaklml.exe	86
PID 2916 wrote to memory of 2716	2916	Lgmngglp.exe	87
PID 2916 wrote to memory of 2716	2916	Lgmngglp.exe	87
PID 2916 wrote to memory of 2716	2916	Lgmngglp.exe	87
PID 2716 wrote to memory of 4436	2716	Lgokmgjm.exe	88
PID 2716 wrote to memory of 4436	2716	Lgokmgjm.exe	88
PID 2716 wrote to memory of 4436	2716	Lgokmgjm.exe	88
PID 4436 wrote to memory of 4316	4436	Lmiciaaj.exe	89
PID 4436 wrote to memory of 4316	4436	Lmiciaaj.exe	89
PID 4436 wrote to memory of 4316	4436	Lmiciaaj.exe	89
PID 4316 wrote to memory of 332	4316	Lllcen32.exe	90
PID 4316 wrote to memory of 332	4316	Lllcen32.exe	90
PID 4316 wrote to memory of 332	4316	Lllcen32.exe	90
PID 332 wrote to memory of 2160	332	Mipcob32.exe	91
PID 332 wrote to memory of 2160	332	Mipcob32.exe	91
PID 332 wrote to memory of 2160	332	Mipcob32.exe	91
PID 2160 wrote to memory of 3752	2160	Mdehlk32.exe	92
PID 2160 wrote to memory of 3752	2160	Mdehlk32.exe	92
PID 2160 wrote to memory of 3752	2160	Mdehlk32.exe	92
PID 3752 wrote to memory of 3900	3752	Mibpda32.exe	93
PID 3752 wrote to memory of 3900	3752	Mibpda32.exe	93
PID 3752 wrote to memory of 3900	3752	Mibpda32.exe	93
PID 3900 wrote to memory of 3204	3900	Mdhdajea.exe	94
PID 3900 wrote to memory of 3204	3900	Mdhdajea.exe	94
PID 3900 wrote to memory of 3204	3900	Mdhdajea.exe	94
PID 3204 wrote to memory of 4256	3204	Mlcifmbl.exe	95
PID 3204 wrote to memory of 4256	3204	Mlcifmbl.exe	95
PID 3204 wrote to memory of 4256	3204	Mlcifmbl.exe	95
PID 4256 wrote to memory of 2964	4256	Migjoaaf.exe	96
PID 4256 wrote to memory of 2964	4256	Migjoaaf.exe	96
PID 4256 wrote to memory of 2964	4256	Migjoaaf.exe	96
PID 2964 wrote to memory of 1636	2964	Mcpnhfhf.exe	97
PID 2964 wrote to memory of 1636	2964	Mcpnhfhf.exe	97
PID 2964 wrote to memory of 1636	2964	Mcpnhfhf.exe	97
PID 1636 wrote to memory of 3340	1636	Mlhbal32.exe	98
PID 1636 wrote to memory of 3340	1636	Mlhbal32.exe	98
PID 1636 wrote to memory of 3340	1636	Mlhbal32.exe	98
PID 3340 wrote to memory of 4400	3340	Ngmgne32.exe	99
PID 3340 wrote to memory of 4400	3340	Ngmgne32.exe	99
PID 3340 wrote to memory of 4400	3340	Ngmgne32.exe	99
PID 4400 wrote to memory of 4484	4400	Nilcjp32.exe	100
PID 4400 wrote to memory of 4484	4400	Nilcjp32.exe	100
PID 4400 wrote to memory of 4484	4400	Nilcjp32.exe	100
PID 4484 wrote to memory of 1812	4484	Nngokoej.exe	101
PID 4484 wrote to memory of 1812	4484	Nngokoej.exe	101
PID 4484 wrote to memory of 1812	4484	Nngokoej.exe	101
PID 1812 wrote to memory of 4592	1812	Ncdgcf32.exe	102
PID 1812 wrote to memory of 4592	1812	Ncdgcf32.exe	102
PID 1812 wrote to memory of 4592	1812	Ncdgcf32.exe	102
PID 4592 wrote to memory of 1908	4592	Nebdoa32.exe	103

C:\Users\Admin\AppData\Local\Temp\4205701409b14ec7ed9ded48c8dadf2b54b1cf6653b04243cde50e9fcdbf7dcfN.exe
"C:\Users\Admin\AppData\Local\Temp\4205701409b14ec7ed9ded48c8dadf2b54b1cf6653b04243cde50e9fcdbf7dcfN.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\Llemdo32.exe
  C:\Windows\system32\Llemdo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\SysWOW64\Lfkaag32.exe
    C:\Windows\system32\Lfkaag32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Windows\SysWOW64\Lpcfkm32.exe
      C:\Windows\system32\Lpcfkm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4876
    - - C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4988
      - C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        25⤵
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:804
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3180
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:968
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        41⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        43⤵
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        53⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2660
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3520
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2180
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        66⤵
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        71⤵
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        73⤵
        Drops file in System32 directory
        
        PID:1472
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        74⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        77⤵
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4668
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        86⤵
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        90⤵
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1352
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        96⤵
        
        PID:644
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        97⤵
        Drops file in System32 directory
        
        PID:432
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        98⤵
        Drops file in System32 directory
        
        PID:4964
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        101⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4208
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        103⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        110⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        111⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        113⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        114⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        116⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        117⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        119⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        121⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        122⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        123⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5788
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        131⤵
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        139⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        141⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        144⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        145⤵
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        147⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        150⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        151⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 396
        152⤵
        Program crash
        
        PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5448 -ip 5448
1⤵
PID:5600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
344KB

MD5
70995abaf2ddef538b2ba4471baca808

SHA1
283f44c925abbb994177fb206b044977d20ded8d

SHA256
bf4805db0371c7c83d4dcebb0df96fe8075c5aa5e48e1b6bbf93a8022c509b43

SHA512
0a7244c89fdf635a2387681fc6762d745d8c0e8e4d8947f8f8f5b6a9375a65766d19cbb6fad2c441a00ac58307da84216655c78f7e981cf625d6448435b5ac4f

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
344KB

MD5
98e29cb5bdd71938b2c097120892e447

SHA1
e30a94a222da5ae6f000368b9fd164e0d29c70fb

SHA256
a035d542d1e988721cee54befb728d0dbd4ab09431424c292fbc264661d07547

SHA512
e18bc070eafd06b730f536932b08f35372b07c1c4e8f4934493f913e70b0aa1237a98ca9481855dd210dc694c7cb29f347aac2376d0c925f046811cb966c310f

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
344KB

MD5
40321401374bc83188cc8e47bf44147f

SHA1
f852e4c991f98baa79361146d4f7ddbd2f30bd2e

SHA256
6ac42553c7bc3b3a0cb34f2d3df0e679d758931e22296ac836563fca24a6cac5

SHA512
c1b2f50af90295993a2bb70360730e2340b101e03e136f1a914e1c1c77a146fde885be84df6013d71742f2f8ed16cc312cbaba3dedc0fa14b0bb8cfb7b66b7e8

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
344KB

MD5
d1c21d773d5b32b8191b2c02641f3190

SHA1
f82bdefbac695deac051d125c721c0ec9ad26482

SHA256
53bf59bd0f6fa7aeece3e6d02a2e05d69d4d576dea599ecad22b5b98ddab3ea5

SHA512
c7fe335ce33b938752f97adf3b3d9d25486863d25759a1cf181750bb98aa3644ed15e3f71e4c2b880535b4cbc8a27b786e1e115caa7daf8cc1597e9aa69e58f5

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
344KB

MD5
f5134d019dfc27068fd590f98d4b067a

SHA1
a8744735eb97b1fd1db96778b709ffeec8cf9412

SHA256
ff8a46a0c90dc1dc283bc6bdf2741c4baa6335ca099e42151b73d6874742d7c1

SHA512
3eb07a12ddf6fa061133998da4a896ee7d83fa0a459ca3c353d814dacbb495cb7ef51b8fc19bebde7916c02bb3827568753ab37e7b77ee2359c8df1f7050e6c6

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
344KB

MD5
8ebd43eaf50b26da04dedef1910bb6b7

SHA1
60b7230042e464957097813b40bd21b83bbffd25

SHA256
0e1cd6023174ed46dd670c6735d6885d67d98b760ce7e39d1fd62b74a80a363b

SHA512
2bb5aec5eba854ed8467fa56b809a5285baae9efbe7dcc02235cb6a37e39aade204aff00d988731963d8f0a74a303eb04b6dd3219d7ef5ef46409b12e21c4e7f

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
344KB

MD5
14d58d1ef38a0ef7efdfbac54bf19f34

SHA1
3e262faed787cccb5fb468ac2e0e946fd2f4a6f1

SHA256
e44421d69cc064ab08e2789edd0b2c247a928b92b9a2b7443ac60d9cefc16d05

SHA512
613c42da6d1553d9ff06ddd8271310df2ae8de7002e720fd8b14a443ea979ec02a06c7615867efd3100f74fcf59d3fde8fa4d22c3ee325c442f7b1a488954a84

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
344KB

MD5
e602775cfe76129e7222667e9d5a8fb1

SHA1
862eada212914fec83343043984512447992e1a5

SHA256
d5db1ab3772705df578314f070ec23f0a53f8b48ee4d396e60f04c4e05642545

SHA512
a7fe14080fff901f283f1dba504a8b5174e9a77043ff12878aeb8f523813e9b73987b6d544b654f9e043f8e6491737de2f450de2c4a517ac61251383ab9bc2a5

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
344KB

MD5
6d30f4569fcfe53c024bdc7a5319ce74

SHA1
69df3e3c1c6709f09b64c54be175f4f52fc14611

SHA256
d05c2904acc3f748887b3ff88b659363bb646cd894e7ff7a40a35709768f05a7

SHA512
42b822d9aa62dd9c58a79ba3b47d6deb95be56ee6661953cd3532816ec63e1ed8ecd701a5721d39699030a13dcc173aa8ea404727eaf31886a67ddd61b1d71aa

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
344KB

MD5
7b5704fddbb6d6720039e8b72d3c5ebb

SHA1
d1a1e53ec0fdb7536fe4333af8b3193aca7cfd2a

SHA256
5bcf1d2f5e19e822c78dedc673e93cbf21a80172dd5d9fbc963d7b0ee4be3cd0

SHA512
f7a21289ba2ca679717649c031ddce5e91e22d8bbebf22af93edd6464f54e2f2024dc38fbd8318fc534ddf0fefdd10c704061bdd7101d4e4e53b1d4ef60e671b

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
344KB

MD5
eb646ddcd5b62134c8fdacfca8b94156

SHA1
a380dfe69fce9b66ec03e869dd7476d8711d4992

SHA256
12e07236ae9b77eb76491d2023f7b23a713d7ea227a78a5e77b46e08fa5ef8ab

SHA512
fde5220d96d8094ddc7e05a248ba02f14b45ffaa1f15ac1f9f4453addd86e558ea52f07c4d4825b121c13e98df7218acabcb8bd59cf6402d5d003d9f647bcffe

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
344KB

MD5
de472aa476ca0b52fe6a44503e16c7fe

SHA1
af6ffedb7626158b8481a473704dabf107717506

SHA256
93b590073a27c65d2ffa06053b6ee5168102051c58be46ab88b520e0dc4f32fd

SHA512
1372cc44cd8a49844fc7751b9290a0e597f4676e10347ea4e3959dc2f263b3ecfd55304badc57497720634533f8acf6be0f5d221dac01d3a4bab82e8025d45c1

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
344KB

MD5
b77735d0fe82b43b4e3a5621301e0654

SHA1
80471e3893b4d8f91496b58f1e9b5b451a2aa98b

SHA256
2d9b71b63cef6cde6eb976c13ad0cc35dedee0b24af7972168d851812b15ad11

SHA512
3da7ac2548f3edb482ecf1eb28f312fa0a47f9de53ac71302a7fe48f303a319019de883c15300762bda8ee350b9e11f396fa604391d0392483415e43587aefba

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
344KB

MD5
a8fccba39dcb2c13e358eac3b49c4247

SHA1
dd8851cd18376d6fa8ab2d94840f892855cbda61

SHA256
87877c5af2823b1626655621c133a619a795d4565905f0c5122607e56575bf92

SHA512
475d4d3f3304d7675dacaa23dc0bb00103247712cfc072eb7cfd48ae1c49f5edc5d7316d626f8b3055d4485ee2940345abbd83ce09ed02a7e5ee12140e5e48c9

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
344KB

MD5
d371e570f348d5037bb7b62890d6aa92

SHA1
17d5ddb51ecd3fd13344192673e1e6613ebed753

SHA256
1cbb5045d810cbcb2c5bc785978205a06c055a2c515adf6200ee27b69960ee31

SHA512
df315eb026abf96dc407766ed72495a9a0b9df6504a39e2058e8549e7fb3766a3264cf3e364e55791cf8eb5fd36d1f2e1cd3c2ffa52fd8d45d6bbeb6cb5e9350

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
344KB

MD5
0a93797e32e0f4423bb7246401442da9

SHA1
d4727f8a573e002b5c9b3c19622b6c0ab865feff

SHA256
305b8897eccfbe757cf9f94d67661d561c01b8c212c71c09a59f39eec516dc05

SHA512
d9706ba46fe7b9f67e51c55158dee06d2483e0d605a5122406b46c38de986515e489a3a8e780fec4d00c8ceb85a178b0d80c8d04e2c19be3e95657788139fa78

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
344KB

MD5
99313926947bdb82eacd526f5a88b972

SHA1
72ccfc420c2537c390d82673a56e7c04ac66aa81

SHA256
7a26c9eb3dfbec488de446acc85ac2af4928d34614716f85c9243d32efea4b13

SHA512
8d75681f342d87d94f00e2d63bc3c220f511461262b1fcfa13d6c367cc742d967657978e8b5ce03b48b2fcf70382b0ecab6f22c3ecd951f532d32594ad9e9bf8

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
344KB

MD5
a372b6c0f5c5032cbc4e81c799700a88

SHA1
0496e72c5d087d8eed1ff3659d12fcf125ddd336

SHA256
5e75b37764e64ce3d1e820f5a9b0bab7f83103f078ef248f4e09e12fcabd2c85

SHA512
5ec1eb43bbe0b2b351b83df7be71b2ca1bb9dbc592f8b480ecbee2416ad46d9620f46cde8a44b5696c5d13081e1d0d359886d23b56fda7b046eab4920b942511

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
344KB

MD5
c1eb0482d99e43fc67edf3a09a287e7f

SHA1
435565e721a81ba289449bc5fdc1bb4bee86e944

SHA256
969bfb1b42635cb45c9015b9eff92b931dd71ea031decedfe352e218d67315cd

SHA512
b89d1a9fc7ec0f2f1284ae3444ac9b969a20ebe16dc802d24f0f39b3b20471ed551395cc3ba01bae8ff6a71d71d59a160c9281d068903e81321bd386c1d251ff

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
344KB

MD5
c8affddab5f75c519786c5635ad36df2

SHA1
b0c634b814bd5dfb915743c6cb080b51f9d5c03c

SHA256
12742b4ab697eed836d99f0a8158e131a85ea2c10762b20467045e22df27b105

SHA512
a1bf9858a5c821662c7a3e0a338ac0d534c6e8fbf717ac7d36c7a242af1868984286da626f423de516b28797db3291c6e500ba206bb6042bf5080ae3e669402c

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
344KB

MD5
a88a1f4e84922e1d00e4e285edce2e02

SHA1
e5b3cb9b5b85b0b60f40a339e600be514818662e

SHA256
2c46c929dfc88c6ec6d0190d482ff2757d7f246e1cbc83abaf83d3569efda787

SHA512
e8c688b4d4fd621cccb19cfc758682427d4260f53b44f177b1dde6a4a161bbe395ce5339468d81d94361e23c946373d843e1f39a93db328cc000a93df2da4eb9

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
344KB

MD5
89be94fc2b86648859e815ecf18549c5

SHA1
d18eee7e7a8cac8d51d20d254636d71af7171937

SHA256
1f1b4e75a04f4f6664d248e8fc447a44b5543f73b39c4e728d9b73120a30005c

SHA512
c2317cd43d8d240546150ba2cf80633b7ecc212dc13447b766a63bd1d8916f6628047eea12edd93d0aab1e8785a5a85b94af2fc87992fde7ca965ac0a04b2385

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
128KB

MD5
fbc50c38cf4b112d04bc22f3d1f22b47

SHA1
952de599387c303c4c3b7a162cbb1d686b405dea

SHA256
8e50f764fd8867dd41180d08c6ea6a6503ef0e598904e67a618009d5d7a3a467

SHA512
b513db174ab8cfe1fc98d53ccf2a753dc0af09bf0fcd34de0bcba53c63cbd61ad1cca89c7a156f03f1a3631854722469a16707edbfc33d596bc8657d0a51f1c6

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
344KB

MD5
d38b3efda283429d90b02fd2c45ee23f

SHA1
a3273c08b61634864402e81c9b9189d5cfc38d02

SHA256
6626829adaf67e95f4344d6c6633990f8552255aee025682ef87b97d59a55f67

SHA512
12effb108a88be7d31a459a720605bd35c33bb898479a09e3a3444c687e1d1765a8c45a4c484e46eb664b42521a0e6142a5a4f4e88d464c2a568b0fb5aa6d928

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
344KB

MD5
a3c76aad5460850e404ace6eaca9d392

SHA1
f291caddc88d054e96f6907c6aaf5614e6f3e63c

SHA256
291f4f195d7a4cfe4513db7f22190c02f50bad68439ae8766d4e781b3c897fdd

SHA512
5e293abf380862593e11c0497327a1d93a15f7a56d402b32004e4d9e27219a1a398bbafc147bc8379547038e947ea509d909277d61a3c6787899c5e4c47b6607

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
344KB

MD5
6ffd0adee7601d020acefa79bb2ccf49

SHA1
aea62f9eeb9630bbff119591b4382940d80e2eec

SHA256
0df70a17b89c4de4f89a8e00e29b29a12af6848f2b62ca23427f4b3f1e169e83

SHA512
9b0c5b0ea525b155a59601f842c19d2ef746f3db511e8b79371d512d1fd91a90ab68c5d5bd74649237fa58939bc909444b3ad3e093dee939b93ee09409ef6c45

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
344KB

MD5
e97d5e186c15c8e1c6286f0fd1790fca

SHA1
65ff2f48f04b787e4b76ec88cfb600feb45ac774

SHA256
6b7c405a418bfe13e163f1fd62be3f5090a6abb6b39ddaabbad1a2e34d2603df

SHA512
f8bb0c49cbf8004790e432e7bbcd3e0fca34155bbfdb1c5f1be545932fdc2c6310c65cebc8e25d103886b60f2da81d3a1960ca829ad24a6770ab48fc4bc1ac36

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
344KB

MD5
47c710b91cc09a9c67787642f8fdd2ca

SHA1
c2901b4078b6fb08e6e4e94ea05cca35f124f028

SHA256
067fe977d732a1aa92d8e1247a8f74a166f33adfc9f94fd766e663323c92afae

SHA512
123358799f4a19dbb24abf2ee0559071245df733382c7cefa2e47fad0cff47633d9806ccb5312a68f8106b71c72e34e9455f9ef9758f8c0e8880a35a1a262428

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
344KB

MD5
020909bcefbff6593f065e5092f3aff2

SHA1
1e3282246dace224c0f95f89211a90e7091a1f5e

SHA256
cc66aaabf4483c7e71e9768e13634a03e25d5e39f167927f650df127ba149552

SHA512
af6ece535f5c229fcd9538b63f991c7fedaee567a9553c76184a2f2b69a051c495922d207acd6195d541d94e1c8fa4a5abd03a6273f950ca45a2108c6d0de696

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
344KB

MD5
53a6f24d8cedd4bd23609b10ade98b6e

SHA1
ef14fbda484d82227d829cb0939a2d69972a920e

SHA256
df19f17969a9cb8db1304b5905b322718cebde6b4d98c25960e301ad2433d8fe

SHA512
ed919215a50761ebd7e256b8c7af1c15c171cfc0d916e8db033831fd4fa783e926b3424bc15efa7419afa1c48b040fbfd71ff3cc95ccee47852f962cab3b1254

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
344KB

MD5
c8d32d88895ab5c230e9e7805c206998

SHA1
28dceb350bee686d404b77e3c969c01dd54a8455

SHA256
aa6f22b3fefada95b018ec36eb40b2f64b8d98ce8e12bea5956f2442d06ee3b6

SHA512
5df475ad54efb655c0b45246004a74f00d128f085dad5de287b71108da60007cf10d3c4958623786354ac77e6ae0f61c37d86208c3591594e8ca9fac34405470

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
344KB

MD5
fe648ae05a0f561986c0d45dc418cd92

SHA1
61f2252c4d0c27091d581100262ebb13ed7b3260

SHA256
7f5c11fcd2302aa5f4456b387984e3046e4e8095913661231db8adb47ddb8f26

SHA512
6ad054faf274248b7f227d17066a9d4eae585cf1fb5eff581fc5a7eb2b449db9290634914054a2dfb851730f7764c49f17b6442f22d0a8c411ac3360f6a1f9b3

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
344KB

MD5
57c1efb2c4c007790f257d1afceee0a8

SHA1
5aeacc750ce48561b24aee43b1281fba3eb1170b

SHA256
4ed9175fba67097a215b892b61843397079dad66b15ef93033bc30c8dce66d8e

SHA512
b5ecb1ea259b53c21119f21ad2b82851e5ffba530cee606952f8f3d6751c399cf615cb36c7f9d9eccc9f0bdd0d7fbb5c826d50b6f6eadd66867ffb54cebbbcce

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
344KB

MD5
b8bd833b9e7c2f931d0313edd61b1148

SHA1
d1b9fe0a4f637d096fdd254aedb638cd579b8db3

SHA256
d895b68e4d9fc174ac314e367d0252b8acbe80a7abe6a676dec495fb33f73663

SHA512
b67c75d0baf79beb71b45e495f9ce75b15a7fc1c74aad16a2802c8710bd662f984f59ab576b07540997e377dcc0981a844376db866de157803b9f9b14be0d6fd

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
344KB

MD5
1f9df91386c34890d85758dee17e8878

SHA1
9646e208549cee0540da7ff170e7cd7db8a70b51

SHA256
30f46bf7d26d241a7c16d170b11bc13f85c8806227519abcb7921e63ed0b9059

SHA512
262c11c1af1815ce4cb8d152554779e7dc341fbdb1c2a61fee5f0084c73444ffdd2495ec4e8c709993222da553e0daaac28f399a8ea6860ca7d7be01ff6d308e

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
344KB

MD5
ffb035e98e5531d954859fff786c8d6c

SHA1
4f64025746f88a03fa32776eb2b12702e6e99a63

SHA256
d111a4474efd34c5c99910c40747d28c70888372a97cb393a8bbe07f8ec14d22

SHA512
ac49321d2c3e5e8368cbb1fa938785edc99e57338ce06d24393ff2a4ae0bbcd859553775326ecb12135333b6ea1a0a8b14b588e243d1093d46b438204a7c6b5d

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
344KB

MD5
b2e94bd943a74b1176c896fa7151c4e7

SHA1
679b505e557cebfb160ab33cd8fa02e9b46e3192

SHA256
1639197e0e23204159c4c30c430b0592b80d71a1a8102a54f9e504c8b17cba0a

SHA512
74e389f379942ead2381d7ae9e28cb3a5756fb0bb9de1de06e146e1f7f1a5fdc82706714afa08720bb1d8d1f04b58b1e03f2b6f6311f0caa8dd4e51ed0408c5f

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
344KB

MD5
382618a2fbf3f5e8511f6ba694ecefc7

SHA1
d6d828575b29469cbf8ef26ca66c7a08130e809e

SHA256
1c15e6585c36c50cb94acb2b41198875d126b2d4f3e75d827827843ab521573d

SHA512
0a214c46225d4c37664f6028b2953628fd970c78f6fa74d449c563ab819aec5f38444e3a82c8ffa76596b7d82c2dd33dfcac4dddaaee084e14899b00f8fc12cb

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
344KB

MD5
56223683ce7e7a4527431d3ba454ae27

SHA1
ed9323a2524f46019819092d1438e5498ec95927

SHA256
d1a61fb494e4c18b06274bdb1a4c6a6dbd1bd6daa4625218a6b799cea64d9a17

SHA512
9ccfd64e76bc98cf5f448e5328e7a93bd1d91185d2d786f8685934d657435ad58661506ff8c47e2798d3cfc8657ba4f8ed8d0f93183a9cc12a740138d101c0f3

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
344KB

MD5
96f369caacad8f3af6bff47d8dd70c21

SHA1
9b6ea45fd5fe0d0cd34fd7507afb381395dab575

SHA256
922434bd1880c57f5dc09198e2564501fdddcbbd74b195f8270aa364e55373ac

SHA512
cadf95f86af0ff980112571a269322615a9750a65a97c120b24747a495b7561b7c066c96a47faf6d7a5de0f6c8c2834be62fa5b0f65ff57eed6d01fab46b7e35

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
344KB

MD5
97c766cd204e8f843ede2703b3117778

SHA1
b47e716dafba8d48096447bb87afe25f9a27c812

SHA256
fe3f9864aaba134901a3979a3a81d506135bc17160a99de8538af40e9fbc93f0

SHA512
96b6a2425c0fa3dfb8c946053f6fdd35d952b5ece9c0575892d240c48c83abb0f67587b14eb24ac5862b32260175be56837f16d92ed9f03f6f78cb0682907425

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
344KB

MD5
bb6bafa82fdd2f17466ad83a5f6b05be

SHA1
a393a4ad173d4cd615111f22285b9ee1cea45caf

SHA256
0e6997cd14a3eca257f405f0b3d4173c0bbc43e2b8eb0956ded72a3bb0bdb281

SHA512
307cf1537a8e9d5722972228469535e2bb732b636084eea29b7302496907d9aea5c542b2d32f28b0629caf4ba677b098e8e35b0a13bacbdcf476bf488a0b6031

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
344KB

MD5
d6f1d1eb82a3665e47b71393a92b2ead

SHA1
9f0a81baea272ce5491b91e2c4a30f1cc5e46422

SHA256
e07b269d437a42f7a9e13ed22216a1c1d464b71c43ef8862f19133d9f2a99455

SHA512
a84ef3975756ae86a008d9e2b0cf84bf9abcadcd1f1455702bec3920d29c87f3ca14e15eb4b729de89e2765e0db03e443ed9903156143965dd8f36242f14e066

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
344KB

MD5
73b71bc2177fa5be724f88ce23052f9c

SHA1
c8a884acfd24771a2c75dc179f88ba3cfd5317ad

SHA256
c2061f64b5e20827d35f26d4bc2f74cc0f767bf95ddf4243512d135898f72d20

SHA512
d5c5fafa68e88a4f972385a076ea1414fac42dd064f644d7a7c159d37878f65143b88de5ad208012ccb3254b75eff7bde28ef1f74d25cd64b43277c87f232f43

Download Submit
memory/332-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/620-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/804-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/872-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/920-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/940-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/968-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1172-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1412-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1416-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1436-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1444-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1472-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1636-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1812-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1908-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1964-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2136-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2160-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2176-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2180-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2404-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2448-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-1129-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2716-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2716-585-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2876-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-578-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2964-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-1146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3136-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3180-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3204-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3228-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3260-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3296-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3328-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3340-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3428-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3448-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3520-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3592-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3640-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3672-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3716-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3736-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3900-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4008-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4120-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4200-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4212-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4256-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4264-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4264-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4316-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4316-599-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4392-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4400-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4436-592-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4436-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4484-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4584-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4592-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4632-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4632-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4668-542-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4676-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4920-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4932-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4980-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4988-571-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4988-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5040-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5064-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5392-1104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5744-1088-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5820-1051-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads