berbew | d4224ae82192e6d0f34d83ed7fd881d356dee6d8baf8426a46160a38bc270e96

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4224ae82192e6d0f34d83ed7fd881d356dee6d8baf8426a46160a38bc270e96N.exe
Size

512KB
MD5

4aa527816ad919e84c0a551fd3b416b0
SHA1

e440f60a8882ceeadf1cd57619bae677e1a5c6e3
SHA256

d4224ae82192e6d0f34d83ed7fd881d356dee6d8baf8426a46160a38bc270e96
SHA512

7b8292d2908173c05edd09840a6759d7c52a4d0ebfc1013c4f2d74756e558bd7446bd334ee1d4a2374073bb9b175f6ea2c8b2e59bac238826987bb83df864523
SSDEEP

6144:hWHV/t853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZ:4QBpnchWcZ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mckemg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
368	Lmbmibhb.exe
4708	Lpqiemge.exe
2908	Lboeaifi.exe
3216	Lenamdem.exe
4148	Liimncmf.exe
2656	Lmdina32.exe
2888	Lpcfkm32.exe
2416	Ldoaklml.exe
2388	Lbabgh32.exe
3408	Lgmngglp.exe
3028	Lepncd32.exe
2232	Lmgfda32.exe
5112	Lljfpnjg.exe
2148	Lpebpm32.exe
5088	Lbdolh32.exe
3484	Lgokmgjm.exe
3592	Lebkhc32.exe
2688	Lingibiq.exe
4516	Lmiciaaj.exe
2108	Lllcen32.exe
3164	Mbfkbhpa.exe
2512	Medgncoe.exe
3968	Mipcob32.exe
2188	Mmlpoqpg.exe
4348	Mpjlklok.exe
2976	Mdehlk32.exe
3232	Mchhggno.exe
1420	Mgddhf32.exe
1156	Megdccmb.exe
3428	Mmnldp32.exe
428	Mlampmdo.exe
4268	Mplhql32.exe
452	Mdhdajea.exe
2256	Mckemg32.exe
4144	Meiaib32.exe
1164	Miemjaci.exe
1712	Mmpijp32.exe
2392	Mlcifmbl.exe
4416	Mdjagjco.exe
540	Mcmabg32.exe
4832	Melnob32.exe
3188	Migjoaaf.exe
4780	Mmbfpp32.exe
3372	Mpablkhc.exe
1056	Mdmnlj32.exe
556	Mgkjhe32.exe
4764	Menjdbgj.exe
3208	Mnebeogl.exe
2208	Mlhbal32.exe
384	Ndokbi32.exe
4608	Ncbknfed.exe
4584	Nepgjaeg.exe
2384	Nilcjp32.exe
4480	Nngokoej.exe
2776	Npfkgjdn.exe
4940	Ndaggimg.exe
3180	Ncdgcf32.exe
4004	Nebdoa32.exe
3788	Njnpppkn.exe
4392	Nlmllkja.exe
1232	Nphhmj32.exe
2136	Ncfdie32.exe
2156	Ngbpidjh.exe
2132	Njqmepik.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lllcen32.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Lllcen32.exe
File created	C:\Windows\SysWOW64\Dapgdeib.dll	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Mcmabg32.exe	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Lmiciaaj.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Mbfkbhpa.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Lpqiemge.exe	Lmbmibhb.exe
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Lgokmgjm.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Bchdhnom.dll	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Nloiakho.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Ldoaklml.exe	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Kiljkifg.dll	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Ahioknai.dll	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Lenamdem.exe	Lboeaifi.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Mchqfb32.dll	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Menjdbgj.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Lpcfkm32.exe	Lmdina32.exe
File created	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Mmnldp32.exe	Megdccmb.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Lmgfda32.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Jgefkimp.dll	Mpablkhc.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Mgkjhe32.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Ngbpidjh.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Lmiciaaj.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Bbjiol32.dll	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Lmbmibhb.exe	d4224ae82192e6d0f34d83ed7fd881d356dee6d8baf8426a46160a38bc270e96N.exe
File created	C:\Windows\SysWOW64\Kmmfbg32.dll	Lgmngglp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6312	6220	WerFault.exe	257

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iihqganf.dll"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d4224ae82192e6d0f34d83ed7fd881d356dee6d8baf8426a46160a38bc270e96N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffpf32.dll"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codqon32.dll"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meiaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lemphdgj.dll"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nebdoa32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 368	2204	d4224ae82192e6d0f34d83ed7fd881d356dee6d8baf8426a46160a38bc270e96N.exe	82
PID 2204 wrote to memory of 368	2204	d4224ae82192e6d0f34d83ed7fd881d356dee6d8baf8426a46160a38bc270e96N.exe	82
PID 2204 wrote to memory of 368	2204	d4224ae82192e6d0f34d83ed7fd881d356dee6d8baf8426a46160a38bc270e96N.exe	82
PID 368 wrote to memory of 4708	368	Lmbmibhb.exe	83
PID 368 wrote to memory of 4708	368	Lmbmibhb.exe	83
PID 368 wrote to memory of 4708	368	Lmbmibhb.exe	83
PID 4708 wrote to memory of 2908	4708	Lpqiemge.exe	84
PID 4708 wrote to memory of 2908	4708	Lpqiemge.exe	84
PID 4708 wrote to memory of 2908	4708	Lpqiemge.exe	84
PID 2908 wrote to memory of 3216	2908	Lboeaifi.exe	85
PID 2908 wrote to memory of 3216	2908	Lboeaifi.exe	85
PID 2908 wrote to memory of 3216	2908	Lboeaifi.exe	85
PID 3216 wrote to memory of 4148	3216	Lenamdem.exe	86
PID 3216 wrote to memory of 4148	3216	Lenamdem.exe	86
PID 3216 wrote to memory of 4148	3216	Lenamdem.exe	86
PID 4148 wrote to memory of 2656	4148	Liimncmf.exe	87
PID 4148 wrote to memory of 2656	4148	Liimncmf.exe	87
PID 4148 wrote to memory of 2656	4148	Liimncmf.exe	87
PID 2656 wrote to memory of 2888	2656	Lmdina32.exe	88
PID 2656 wrote to memory of 2888	2656	Lmdina32.exe	88
PID 2656 wrote to memory of 2888	2656	Lmdina32.exe	88
PID 2888 wrote to memory of 2416	2888	Lpcfkm32.exe	89
PID 2888 wrote to memory of 2416	2888	Lpcfkm32.exe	89
PID 2888 wrote to memory of 2416	2888	Lpcfkm32.exe	89
PID 2416 wrote to memory of 2388	2416	Ldoaklml.exe	90
PID 2416 wrote to memory of 2388	2416	Ldoaklml.exe	90
PID 2416 wrote to memory of 2388	2416	Ldoaklml.exe	90
PID 2388 wrote to memory of 3408	2388	Lbabgh32.exe	91
PID 2388 wrote to memory of 3408	2388	Lbabgh32.exe	91
PID 2388 wrote to memory of 3408	2388	Lbabgh32.exe	91
PID 3408 wrote to memory of 3028	3408	Lgmngglp.exe	92
PID 3408 wrote to memory of 3028	3408	Lgmngglp.exe	92
PID 3408 wrote to memory of 3028	3408	Lgmngglp.exe	92
PID 3028 wrote to memory of 2232	3028	Lepncd32.exe	93
PID 3028 wrote to memory of 2232	3028	Lepncd32.exe	93
PID 3028 wrote to memory of 2232	3028	Lepncd32.exe	93
PID 2232 wrote to memory of 5112	2232	Lmgfda32.exe	94
PID 2232 wrote to memory of 5112	2232	Lmgfda32.exe	94
PID 2232 wrote to memory of 5112	2232	Lmgfda32.exe	94
PID 5112 wrote to memory of 2148	5112	Lljfpnjg.exe	95
PID 5112 wrote to memory of 2148	5112	Lljfpnjg.exe	95
PID 5112 wrote to memory of 2148	5112	Lljfpnjg.exe	95
PID 2148 wrote to memory of 5088	2148	Lpebpm32.exe	96
PID 2148 wrote to memory of 5088	2148	Lpebpm32.exe	96
PID 2148 wrote to memory of 5088	2148	Lpebpm32.exe	96
PID 5088 wrote to memory of 3484	5088	Lbdolh32.exe	97
PID 5088 wrote to memory of 3484	5088	Lbdolh32.exe	97
PID 5088 wrote to memory of 3484	5088	Lbdolh32.exe	97
PID 3484 wrote to memory of 3592	3484	Lgokmgjm.exe	98
PID 3484 wrote to memory of 3592	3484	Lgokmgjm.exe	98
PID 3484 wrote to memory of 3592	3484	Lgokmgjm.exe	98
PID 3592 wrote to memory of 2688	3592	Lebkhc32.exe	99
PID 3592 wrote to memory of 2688	3592	Lebkhc32.exe	99
PID 3592 wrote to memory of 2688	3592	Lebkhc32.exe	99
PID 2688 wrote to memory of 4516	2688	Lingibiq.exe	100
PID 2688 wrote to memory of 4516	2688	Lingibiq.exe	100
PID 2688 wrote to memory of 4516	2688	Lingibiq.exe	100
PID 4516 wrote to memory of 2108	4516	Lmiciaaj.exe	101
PID 4516 wrote to memory of 2108	4516	Lmiciaaj.exe	101
PID 4516 wrote to memory of 2108	4516	Lmiciaaj.exe	101
PID 2108 wrote to memory of 3164	2108	Lllcen32.exe	102
PID 2108 wrote to memory of 3164	2108	Lllcen32.exe	102
PID 2108 wrote to memory of 3164	2108	Lllcen32.exe	102
PID 3164 wrote to memory of 2512	3164	Mbfkbhpa.exe	103

C:\Users\Admin\AppData\Local\Temp\d4224ae82192e6d0f34d83ed7fd881d356dee6d8baf8426a46160a38bc270e96N.exe
"C:\Users\Admin\AppData\Local\Temp\d4224ae82192e6d0f34d83ed7fd881d356dee6d8baf8426a46160a38bc270e96N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\Lmbmibhb.exe
  C:\Windows\system32\Lmbmibhb.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\SysWOW64\Lpqiemge.exe
    C:\Windows\system32\Lpqiemge.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Windows\SysWOW64\Lboeaifi.exe
      C:\Windows\system32\Lboeaifi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3216
      - C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        23⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        24⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        25⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        27⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3232
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1420
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        31⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        33⤵
        Executes dropped EXE
        
        PID:4268
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        38⤵
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        41⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        42⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        44⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        51⤵
        Executes dropped EXE
        
        PID:384
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        53⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        60⤵
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        64⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        66⤵
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:612
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        71⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        74⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5328
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        81⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        82⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        84⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        85⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        94⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        97⤵
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        100⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        102⤵
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        104⤵
        
        PID:920
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4492
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        107⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        109⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5320
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        113⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        117⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6028
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        121⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        123⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        125⤵
        Drops file in System32 directory
        
        PID:3664
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        126⤵
        
        PID:456
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1136
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        128⤵
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        130⤵
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        133⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        136⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        141⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        142⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        144⤵
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        145⤵
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        146⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        147⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        149⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        151⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        155⤵
        Drops file in System32 directory
        
        PID:3504
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        156⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        159⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        160⤵
        Drops file in System32 directory
        
        PID:3192
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        162⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        163⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        164⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        166⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        167⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        170⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        172⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        173⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        175⤵
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        176⤵
        Drops file in System32 directory
        
        PID:6176
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        177⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6220 -s 396
        178⤵
        Program crash
        
        PID:6312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6220 -ip 6220
1⤵
PID:6284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
512KB

MD5
4a1df043519574bd17ab8666e83c2317

SHA1
957a36a11563b740c9e5fde13b4f2250fbeb6806

SHA256
cdc5019d99dc4bff752581a2ff60e0efaccb820c004e540560a129f2a219c968

SHA512
7e2e63339a793baccc58e1be8e5cf2a89df9de9f351cd86f118c04f91e6ec7df44a3b83eca6fdb86361b450524f14093eb628c1eb5cdc66d318d35aba7f4f172

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
512KB

MD5
22e492001baaa65db0c2124e0c8d9f9e

SHA1
472290369be60e4dc928a1a6563d915e316b9355

SHA256
a8f073f1ac81bf540408d71c52687ebae9d7a90e764821dbd8a3e196b2aadf3c

SHA512
f4de553f0c9786a9228b0be0caa5cf1ca38ea0f44ccfc66986b221aec6a3541d9253d1458324a353a376046ab8036112f59d20fdc5b1638f248010c02e17afcf

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
384KB

MD5
ec27f7f0c6a15ae6c2d911a1f4de5d4b

SHA1
9d33c6b95da30d4a423312e7650a3edae7d74c0e

SHA256
6d6383013445417a806db7505246faf9b109a72d72207f2e5cd8b4d0c0cac8f5

SHA512
67b33b3dd7a922802cee82bcfdf150a17e2118a3e390d94797419a9a6c52f9627a5eab4b95ae76c92bf6c9dd6e339a29d20a463481668650b90012e73096aec1

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
512KB

MD5
8a3c3db9a646ec2334f4f08c292eb984

SHA1
efd095c354e90c128a221334d0ce8a971a3d02fb

SHA256
e1e989ca670e191ed9fd751baad51f1a6785768552b427a2702882950098a598

SHA512
908d6c99d1d6c1b16563957409f63dfbc3bb23789b99d074f515dab0d9e328709f57b4e585d3f1f192b2516eac8b71b70c0d701347502af9729e3a3430c4afc1

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
512KB

MD5
747dbe7d495f558139bca1c9ee96d3e2

SHA1
c0fdbeb50a1fbf4cffb21f607652c699cca05904

SHA256
7ea02f5e5bf97b4574ceeca3faecd6676988041e1a3c7d3497fb18997e2c543e

SHA512
e29b83bd892c76d9712a758989ef968deebda0bf4fc3f6532533635488279bdd9f674ab705f3dc42cc9e87f168d44d3059a295000d6c43f2bde133bc16b5431d

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
512KB

MD5
4f30ed15113ee65c90c2fb15c0d6ee02

SHA1
beb3ef8bd7218a5a6a5b9cf1f813084cbb35ce19

SHA256
a660bfda2950ea52b61459065211660462fd7f950578f88a1b4b18b4db0ae3b8

SHA512
4a54af4fb2e3fc5d923b86fb08632ad69603a7d55829e9545ff69956970582b0978700018fad5d0afb5d3763a35f0fdc1930874f57103391e105f31e3cd852d8

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
512KB

MD5
e1b4633126e03a5996488aa3031cddd2

SHA1
edcac7b12edc5b8dfc6ef4d0bb3813464dcd74d7

SHA256
15b71eb5d861a541b6c6ebf49a498cdb0798074d37f28231460a72ad3dd0ed1f

SHA512
ebced357a5aac08da2f64aebfe6c12cfcb38272b6c044df852220b732eea1e2a73ee290253fa68e56341083f1b2e7a52d722db57900b331c40b901424b432c66

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
512KB

MD5
837ce1a246576343e0dfcff79198e51f

SHA1
df2cc9e7b56f7440ca33cc568fe4fe23c23e9bbd

SHA256
fb63a7f9b553e45159fd9ea246c66697896f6c80006d6eb4a8b29ca14c361123

SHA512
bca9fd8417a675d8509ef3c9fe7363c6500ad403fa1786c31597e5742c14911ae0bf092968163dba309d878a601f08dddf4f804fb33c5852f9afd82bf10cb3de

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
512KB

MD5
49989bd5cabc426f15417b94eb99519c

SHA1
8c5f39f69dc1f7047374811b85a9b457c16297ca

SHA256
136ce8cf4c15c723106d32aaf482a09e440f096975c8c05a6417602aa7c73e92

SHA512
9e52d66e76fcd7182fe072400122a44e3e20a33704641ef62a32f3e5fa4637ca377edfbadbc4d0125de10ab91b1b4bc6f077e89511c30c1e0f4cfd50ef3bd26f

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
512KB

MD5
d76a55431f0a302f7e7d97923e2399df

SHA1
d9758d5aba38581b17d19942b209499a11beb4c9

SHA256
e70542df39966de1d43efe8f9d77a883a888529ecac076ca58cd93c9a8cb04e6

SHA512
5fbf69a6ca5be14ef215d5444113cc471174caafe2c9b9a5f2d286d75d2745ac075cf127d74567db77b273ccd4ee98c0b860323d875831df3022ab2018d7538f

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
512KB

MD5
fb29526273508074e2275e3c870978c5

SHA1
98e6b24428cd8bd89ae0892b2a531ccf5ab7b1a9

SHA256
5c07f259cf9a8a83e02478f988aeb5c6e26a20f05a924d0bcce1e195521307dc

SHA512
ed72eb9ff54b812d701cc6505bde5c077c8a96940a5e5f9f042a8dfc2e3b96b0fad9b8e13e164b759dbbaa1fec09e6d0635f083c5ac4756cbc45f9b66ba37c88

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
512KB

MD5
88ab5ca987f8bdad53fcbfaa62f89a72

SHA1
0003f5f75be78469ed59d6792c679d4ebd9c0531

SHA256
f999ca8be92914feffbdc8cbeca24d20321f0ca163fed97a714de3b987b3c4d7

SHA512
e7cdeb6c4aeeee414dd89c5d33a76d0cbdade98bd10db26ab9b9de22bea1995b6f427c7438528edeff463e370d002179695c83d19681fbe340a59850b5916846

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
512KB

MD5
31b2114cdb8d3d630b79904baf968547

SHA1
4083d49874c6c2d8607b21170ee05702b96ddff2

SHA256
85eeb521b3a3fce827e22f3fc61d6abb0fd7db43b2ae63458e3e6d1e2991d15e

SHA512
013087dd0ceaec4f02488b1a874978230ec181fce5b93dd33255b8f41767bdb807cfcd77658b1abbd02aa78734a508bbbbb63bef8c730b62dca733f06c67b25b

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
512KB

MD5
4458379d0995d19b71b536e37cd51e6f

SHA1
4b796690db1ba543bf026a0f6d6db28b45ae61c7

SHA256
da7050186a9570f6309932a2eba7e9e76c1d67de9613bdac62f8c3cf16469283

SHA512
79be3d9fe9f74971cbd6aed79f467d822ef61559326051f7dbe47612b6755cb034dd4c4adc819df3c0db79964ab5880c87a13f94df04892ec9b84c4288ec8b3e

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
512KB

MD5
9c1ba77c7d76aac6c7789853bda8c2c1

SHA1
fedab9eba46af16cdcd0b7534b420e9e636f1ac8

SHA256
e067f9390d7df191a1028557575365bf6e628bc6f57e6cd0eebd0dec228f93a5

SHA512
f4ffd72d2229ec5d8bfd00c6d3f6354cd0a5f07565a4e272f792910454ad830c506122672c5919be6f2974cc219b58af9456ffb8719a0ec847c08b0136e505e0

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
512KB

MD5
4dd9794a31717449d3eb6609fb4e48d0

SHA1
8190d317dcdadfc9e07281d318c2531d107ca8eb

SHA256
67d75a666b40d1402b102cb472bce5bedf984944d6d91d6a1a49d0b8ccee9af1

SHA512
3238908c9878a8c9b623c4ff5e447b51e745daad7915156ba6737a6f9d4c217eab4a78477090358d5663c9ef29966b694cfb1635e9b736568c0d797fa8477700

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
512KB

MD5
0f8a876a88f5cf9ea33092d42dd84b85

SHA1
c6232a5a33238f056028ab317b778bda95193aac

SHA256
3e46f346b586e0363c45b5d71d3334ab5ff45c592dcab923315883faf79bd1c9

SHA512
c1fd2b60656d82970dee06288cd6881a076c97b015292f7703840301e8696aaae96ea5144df5badde22907a59a23b38375578f4c6ce0fdbbc7928cdce17e4a65

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
512KB

MD5
37cbf7cf77b946499b16ffc597e921b7

SHA1
49a00ee67bbc51bab3bc584ea8f7c75b5a3d975a

SHA256
a971c32564c0cfe68da46789c6c2e9f47511bdbbbcea7c62fafca8ae5f91879a

SHA512
0c75502f00de68d1005066ee3a08ee047530598da1834564ec43e4739dfdf7abdddea187118e0c18a65292c9e6f402de4115d584477bca39865a58a18809a153

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
512KB

MD5
d9476a7a57981df5b1525ad32a5ca544

SHA1
622b6a388289f1966a55f1e5c0b210bc9d5f0c28

SHA256
28573a267ec6d0d15cf113f17f7ecfcdec4912d47ef771b04359bfe0f73438fa

SHA512
f69a9e3f48228e8b8ad747e1a69a2452dfe8965b248115c07fef43c732f3f2ec166b9041f9ab00cda12aca719ec7f3c74e4f5cc9288c9b6963e76b52eb516c64

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
512KB

MD5
4dbda31305efd7c8e80088ae999b941a

SHA1
2e07e3468647382adc17abb213dfe3a8898081d1

SHA256
d19870abf3eee0b0f930b54b7bb4480acf742cdba6851322e8b8d66069494ed7

SHA512
8848066cd1ed66b0e4290364941cc1282999ab3f1eb4dabfe3571d0f0770c1e2274e2ac26f7fe87727d178f9a543bc4c2399311e85b8f1081ca975ec9e219fcf

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
512KB

MD5
2477d442d30a801f1ca5034dfacc037a

SHA1
8fbda6137fd73d6bee9e21e4050ca7515445b9fb

SHA256
5ea9a94c656104805372c4011245363ca2864ff8b381dd8d69071db040c6ac9e

SHA512
19b27fa99e71d199c42478c6b565a0b87deef56154644599921b249e138a833619ea0b18d6a5c50763d3fe5c17cbcdacc2c1b913cafbc0a3562c1bcd0301833d

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
512KB

MD5
3cd22b171ca745e9c96ce9e9120a904a

SHA1
525587381ce9a44945bff3c2b8c86e059ac3f859

SHA256
6219224020df73ebb61fc620ce823e742cb4ce3859e59acf6d4e1b89a261f12c

SHA512
9113bbbd1105fd400dec57bb59a4e478423c274628f0e0b049a6fba38e545f3513c4254ee26b0547afd932410dd09ab8506fff8e969983a4bea1f9ad7f86d746

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
512KB

MD5
6d475d2bf6441e129bdd79c52bbb15a0

SHA1
2579d5c08ebae16c67dfe5ed4d088d5f2fe72723

SHA256
d11bebab42abc46010149cbd9763fd9fbe45fcf6a0b70d36b8cee25f7ad73da7

SHA512
1bacbd005acd43d92eae317b4cc3b148bba46e711fa67f7b5a9bcb7f65d4c5de2a3aca75bca18da35b53bba03cafbb830c9e189f1a1543cf62c79812bcc036da

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
512KB

MD5
53a488b2d5026e7009a99403283afc03

SHA1
85ebc30efb9814598ae8704978c63237d79bec08

SHA256
579c8fa1bcabe502acf825507de22194e5d7fe130676300a62d7b76f1d780338

SHA512
8a3cda5c549aee1023b551ad4948c8987b9ef17858b58eeb93ee4e2ff86cf3245c1944d903ee3da193ba96d67470fbc39bdcad83cabdc4991be3f6c9f776ed1b

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
512KB

MD5
ac8221cfa8b2daa9378987d90392c8ca

SHA1
333b998a43f6518887a3639d0ca8cd4837f65595

SHA256
14bda77be26bf8613b456503ebc0a329fcc8ddcff66c7ddb68851a0fc6908bd8

SHA512
ab3bd33ea6482d93a7ec7dd1ca0a1c6249097051dcaa663f0b5e9d3473d4918b2650c6789f77c5e349194e6eaaaf34f3d01db85669324b084c78c92351101717

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
512KB

MD5
a5985b2d5eed919a8aa168f707e0206f

SHA1
757f8aad6f872d8f0c892c4c32505c7bf881f920

SHA256
58fd290e143ba8dc3a948e9f7086f4b7553322106cbe673cba3ea0612060f5b0

SHA512
e61886be11ecef408d7aec971549df4b44135da69bb14904b04b482784d219bd54430fc45910358c104a728e6ff5664fa22dcb089adbc99a32a554332db7f8b3

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
512KB

MD5
a5851d058708c92415431cc17a567703

SHA1
aca68b66fbe6dc321917af4bd8d8214f292edc9a

SHA256
55feac5dfa603585c5efc292b349d709a8ca90e98b0738e8d6333287931fed23

SHA512
b6ad61fa47138d76d02f73cd7396cafd87d9e3577c173f9acff384f4c182890ca5323b2d374b8cc49124a620f2224868b606f9f72fab2b081cd4528a768200c6

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
512KB

MD5
db1cb4dab778bb89fa129e3e5be01b72

SHA1
cd3e840e6ce38c2015d0fd8f3d03384f6f04ee28

SHA256
377abe0f3c23348b273d0b8cfb69810bdfc5240d88068af02b05cc255ab1f4d2

SHA512
eb88a86219a9e265334b45be9ab19874cf644485be91b75554af2e566bf6d4afc7e7820c3e3d5ce0f880294221e6122ee60ab95e5034c0a17c71be82b7c3be02

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
512KB

MD5
55bedcdebf8d264534bdb1de0ccf4965

SHA1
805a1783a57b74316a95a1c2f7b163cb9dec0c15

SHA256
c5c23be8315b0bb38f0d590f204b6b4dd16190b146737f46e1e13aeb9abfbcf2

SHA512
a0b5481a23cbec2c03124c0e5c60fec4dee0359011ae24cd2ea95ff041ec33ba0d8e94b92c9555ed8e86fbf81e70a5501991b150c8057094303c8923be3c4a62

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
512KB

MD5
9c3ec3491fa1ce2aeddafcb377c2f591

SHA1
e9a38f3e10301d51dd89809faa6ecfb2dd8588da

SHA256
b34c0b6363299272f5b61fd2e68eecc7ae9e443d9cc1dd97b97403117c1bb751

SHA512
5be360dc1c827c8a889fa9f6e6191a6ff6923a4307ef11a53f0b1e38e5c1d06c6f19efc0cceb7c943115c8682e3825c3e62ff15778bea21bd1717cb53e7b25eb

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
512KB

MD5
f6577a15c5aff7062c062565c66956dd

SHA1
4f87987bf615386d107c0d62e6c927208d8c4d5e

SHA256
083c7a46d58e1812491e2aea9f16dc1bdfa03d80f9d70ea763e23d17ed8353be

SHA512
1a0c8c472532a2704ae3f9e600ec1abdd3f1a6d53136549d920a25faaebea029ef63f0ac0ff3f340849ae7e2380be601c6e61e13e26a301e6f627a94c3085ffa

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
512KB

MD5
eca65ddf60b17e8dd3765aeb5838666a

SHA1
ee3328691d5a6843a4c532562a3ef5506de58a47

SHA256
27a2cc838c8edff4732eb3cea9cd71b2277ff71c05c00a49f2b664c4cdb287f8

SHA512
e4648e66493a5725a9d085bfa535ec97f36484b3ecd8e73375493114f98e896e258aa9a4f36daef099fe76de099f36680ff46e3e8d6c870e081089867c02c470

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
512KB

MD5
d9fbee8141a599c962054daade2a65b2

SHA1
492a1608781d791d9d814c3a2d08e6791c6468d8

SHA256
2f265ba952b01fc68b0a7952e1af7d729e7aefbf85290b72c4ee740c4b23566e

SHA512
4a73d57e12b6db7fca989515730c1795757b7c600202f8cf470664bfdcae9e8c5151151990f6f7638b4400ff49b1cb8526bf4b6489ad58b898e872455933f0de

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
512KB

MD5
8398863228abf30a0d26994c2626e7b1

SHA1
d0eb99feef26c4ce17ce8e63d95eb2c85b2f0d8e

SHA256
6bc8bd793d66361923869c06b90c797d0b0ac644dc31b02e7ab7bab688af446f

SHA512
5a730f0ca34272bcf762377291d20e421b795169bbfa4d89dc2a2422adf7ff4aa579b6e8ef70a78f6ce66fc86f2fb70e07e069b7323ff3289bcaf8dbc76f1d8a

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
512KB

MD5
5c7c8e8436bed5fef57d40e317acc16e

SHA1
fe9697db8022ce6f98860da9b9e4e689e74dde84

SHA256
99b93291c659d94a83fba0e3521ebd7ba756937e86e7c4c1994e8b2389c40913

SHA512
42ae2c6ea686d3e8451918cce5c43c96c803eb29f0f07abf49448835799046969bdc7b51c3c05d4c303a35ca3589bd717fd0f731f8faffca99734164836b91b0

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
512KB

MD5
ff009b37ab65caa538cbfb9fd72ad9a2

SHA1
edba905f096789d5c00c012b0bcf6b1e2d323170

SHA256
1b1255caaacd242c0ab39ff0afaa5968eecf3203b9a06975bf18409672554853

SHA512
049bcea4a6d981861cab15f77986a16472b0496b2274398332bf6c960edb4ff74bf04d6019319e1b8c1ebbbbfa2d98f0631894375cd5416f54dbf9ec1ced0ac8

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
512KB

MD5
9e129df53fdd25bcd7b47df937dcd29c

SHA1
3a5edb33c62566e61a6dbf08d717cdeaa76d887d

SHA256
f1c892d808f01e6d8722b2a6a782bef1f9c378b19f9280aabecf551761e4e978

SHA512
738252d9b758e787d4235967bfebacaec084d7b4eb3b069be40839bd6919cce3480799db67e73e98dcae9ef9f32c544635c81269733407157abbe2294b5f1756

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
512KB

MD5
6e18d2fedba83afb86fdb44e2869ff14

SHA1
2adb30154fb9152016a03ac70c3af275c3daae6c

SHA256
b5c6830b942363fd2d07570ee3bf86ecf5db0ee6ecbaedd1ff4c01e914149907

SHA512
8d92f23640d9ec1c4854835306f73a28304b0175f495efa7196e7831f82ee257abe1ec97bb2b7ca07aabcad14e2577ac60a9cb3a68df90408b6cb414a735a2f6

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
512KB

MD5
d84e09e86a271c869675478a13649db4

SHA1
febf4fc28c7df79b829b388fce2092bd74e4cf87

SHA256
3a78302926d59fe842816da0a60859cf8e06dcf29575bd31a0e73d334135ebcc

SHA512
60b1a2c32a1a5691b7e5e00714792885a8772ebea4bb6cc7ad392a6292a5cdc642448c56f5bdb63082ef72756326bf4d01ec28ee611412ca162c0d1feebb7784

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
512KB

MD5
9533998e05a9105c967c53e8934c46e1

SHA1
b9f8c4195f709e3e89c8c0ddf7376577858e7949

SHA256
18e2742c058f5e0ea74340a9019cfc77d4bdd3ec8b8809a6c36155c8b01357e9

SHA512
769cf103862673033f6721df47e59cc30600c9861f3f1c047333d08c504c72b0e2a0c1111b7e6a88b8e61a381021f5495b4cfff0a6203c1d7fb60d978efdcd97

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
512KB

MD5
b489ae28d5e05a253bba1e6bd7087fe6

SHA1
317643249671daa43a280bc20d1963b43dea63dd

SHA256
6b041cb11cf037561318cc70503c032b079266b0db4e1f8a7dc5babf6d80a8d2

SHA512
3d249005178c49f66918a301edfd4536a18a9439e98f160659346062cedd762795621b13075d66d61e28c1f0095a044c91bf223fece220c2a8bfea6c8ad6a027

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
512KB

MD5
742f5501700b507c06bd2ddef0ed5247

SHA1
60a5dcaa4de602fad5b7b5e2995ba59812542846

SHA256
86bada8a56ff56c0101df66765e044e9278ca31be9471f3098e3cdde4cd434ca

SHA512
bf7601190178e816ffe77c212121800c06b263f157f51b0e3aaea42bf01278a8e116c5849743910ae74d6b73cd0cbbb6a2549fef269897bea47d4c9ea62c9b40

Download Submit
memory/368-93-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/368-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/384-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/428-254-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/452-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/556-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/612-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1056-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1156-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1164-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1232-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1420-230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1656-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1712-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2108-166-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2132-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2136-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2148-118-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-198-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2232-102-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2256-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2388-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2392-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2512-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2688-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2744-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2776-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2888-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2908-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-214-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-94-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3164-174-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3180-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3188-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3208-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3216-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3232-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3372-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3408-85-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3428-246-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3484-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3592-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3648-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3756-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3788-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3968-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4144-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4148-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4268-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4348-206-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4392-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4416-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4480-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-158-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4584-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4708-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4764-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4780-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4832-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4940-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-467-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5088-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-110-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5124-497-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5164-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5212-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5252-515-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5284-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5328-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5372-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5412-539-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5444-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5492-550-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5532-557-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5564-563-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5604-568-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5652-574-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5692-581-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5724-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5764-592-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5812-598-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5852-605-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5884-610-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5932-617-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5964-622-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6012-628-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads