berbew | 5be5cb6602050e5cfdbdb4b005006806fccdd33a0c3f22f670f927f85ce4c438

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2025, 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5be5cb6602050e5cfdbdb4b005006806fccdd33a0c3f22f670f927f85ce4c438N.exe
Size

288KB
MD5

e21a7a6359b4e9d8eda8680343a1f2e0
SHA1

2580912845dcb8635b9a33914554625ee04f5be0
SHA256

5be5cb6602050e5cfdbdb4b005006806fccdd33a0c3f22f670f927f85ce4c438
SHA512

c28458dafd1471d6d1bebf51fdb75ad2f9d186face5239ee327ab2f38867c5ac3d62878161061ebdaed9d9208ec1ae7d98983859d5fc5e37d1a853281316503e
SSDEEP

3072:wVIGu13ISawxiQA5G3F/Eeq7LDT1Yx07KlFYzqpCZSLMi5lQvuIbuzj1DukJFv7/:wVIn15xir5GBf6Ll+wGXAF2PbgKLV9

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmqmma32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3228	Llemdo32.exe
1780	Ldleel32.exe
3592	Ldoaklml.exe
2216	Lmgfda32.exe
2916	Lgokmgjm.exe
2752	Lmiciaaj.exe
1880	Mgagbf32.exe
3640	Mipcob32.exe
1932	Mchhggno.exe
1856	Mibpda32.exe
3148	Mmpijp32.exe
4580	Melnob32.exe
3212	Mcpnhfhf.exe
3136	Mnebeogl.exe
2404	Ncbknfed.exe
1392	Nngokoej.exe
1064	Nljofl32.exe
1016	Ngpccdlj.exe
2828	Nnjlpo32.exe
1976	Ndcdmikd.exe
2020	Neeqea32.exe
1664	Nloiakho.exe
3016	Njciko32.exe
3516	Olcbmj32.exe
2180	Oflgep32.exe
804	Ocpgod32.exe
3308	Oneklm32.exe
5020	Ofqpqo32.exe
2092	Olkhmi32.exe
1376	Ogpmjb32.exe
4544	Ojoign32.exe
2496	Ogbipa32.exe
2328	Pnlaml32.exe
4412	Pdfjifjo.exe
5008	Pgefeajb.exe
3276	Pdifoehl.exe
1796	Pfjcgn32.exe
1228	Pnakhkol.exe
2984	Pdkcde32.exe
3184	Pncgmkmj.exe
4756	Pcppfaka.exe
1868	Pgllfp32.exe
464	Pqdqof32.exe
3140	Pgnilpah.exe
4200	Qnhahj32.exe
3404	Qqfmde32.exe
3032	Qjoankoi.exe
1636	Qmmnjfnl.exe
2660	Qgcbgo32.exe
392	Ajanck32.exe
5024	Adgbpc32.exe
1812	Afhohlbj.exe
2108	Ajckij32.exe
3448	Aeiofcji.exe
2928	Afjlnk32.exe
4312	Amddjegd.exe
3288	Acnlgp32.exe
2600	Ajhddjfn.exe
2604	Aabmqd32.exe
1340	Aglemn32.exe
3792	Aminee32.exe
4676	Aepefb32.exe
4368	Bjmnoi32.exe
4876	Bagflcje.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Hhmkaf32.dll	Mipcob32.exe
File created	C:\Windows\SysWOW64\Ncbknfed.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Nljofl32.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Lmiciaaj.exe	Lgokmgjm.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Ldleel32.exe	Llemdo32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Mnebeogl.exe	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Gdkkfn32.dll	Lgokmgjm.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Eghpcp32.dll	Mmpijp32.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Mchhggno.exe	Mipcob32.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Aepefb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
640	1416	WerFault.exe	182

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5be5cb6602050e5cfdbdb4b005006806fccdd33a0c3f22f670f927f85ce4c438N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5be5cb6602050e5cfdbdb4b005006806fccdd33a0c3f22f670f927f85ce4c438N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lemphdgj.dll"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiann32.dll"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onliio32.dll"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 3228	1120	5be5cb6602050e5cfdbdb4b005006806fccdd33a0c3f22f670f927f85ce4c438N.exe	82
PID 1120 wrote to memory of 3228	1120	5be5cb6602050e5cfdbdb4b005006806fccdd33a0c3f22f670f927f85ce4c438N.exe	82
PID 1120 wrote to memory of 3228	1120	5be5cb6602050e5cfdbdb4b005006806fccdd33a0c3f22f670f927f85ce4c438N.exe	82
PID 3228 wrote to memory of 1780	3228	Llemdo32.exe	83
PID 3228 wrote to memory of 1780	3228	Llemdo32.exe	83
PID 3228 wrote to memory of 1780	3228	Llemdo32.exe	83
PID 1780 wrote to memory of 3592	1780	Ldleel32.exe	84
PID 1780 wrote to memory of 3592	1780	Ldleel32.exe	84
PID 1780 wrote to memory of 3592	1780	Ldleel32.exe	84
PID 3592 wrote to memory of 2216	3592	Ldoaklml.exe	85
PID 3592 wrote to memory of 2216	3592	Ldoaklml.exe	85
PID 3592 wrote to memory of 2216	3592	Ldoaklml.exe	85
PID 2216 wrote to memory of 2916	2216	Lmgfda32.exe	86
PID 2216 wrote to memory of 2916	2216	Lmgfda32.exe	86
PID 2216 wrote to memory of 2916	2216	Lmgfda32.exe	86
PID 2916 wrote to memory of 2752	2916	Lgokmgjm.exe	87
PID 2916 wrote to memory of 2752	2916	Lgokmgjm.exe	87
PID 2916 wrote to memory of 2752	2916	Lgokmgjm.exe	87
PID 2752 wrote to memory of 1880	2752	Lmiciaaj.exe	88
PID 2752 wrote to memory of 1880	2752	Lmiciaaj.exe	88
PID 2752 wrote to memory of 1880	2752	Lmiciaaj.exe	88
PID 1880 wrote to memory of 3640	1880	Mgagbf32.exe	89
PID 1880 wrote to memory of 3640	1880	Mgagbf32.exe	89
PID 1880 wrote to memory of 3640	1880	Mgagbf32.exe	89
PID 3640 wrote to memory of 1932	3640	Mipcob32.exe	90
PID 3640 wrote to memory of 1932	3640	Mipcob32.exe	90
PID 3640 wrote to memory of 1932	3640	Mipcob32.exe	90
PID 1932 wrote to memory of 1856	1932	Mchhggno.exe	91
PID 1932 wrote to memory of 1856	1932	Mchhggno.exe	91
PID 1932 wrote to memory of 1856	1932	Mchhggno.exe	91
PID 1856 wrote to memory of 3148	1856	Mibpda32.exe	92
PID 1856 wrote to memory of 3148	1856	Mibpda32.exe	92
PID 1856 wrote to memory of 3148	1856	Mibpda32.exe	92
PID 3148 wrote to memory of 4580	3148	Mmpijp32.exe	93
PID 3148 wrote to memory of 4580	3148	Mmpijp32.exe	93
PID 3148 wrote to memory of 4580	3148	Mmpijp32.exe	93
PID 4580 wrote to memory of 3212	4580	Melnob32.exe	94
PID 4580 wrote to memory of 3212	4580	Melnob32.exe	94
PID 4580 wrote to memory of 3212	4580	Melnob32.exe	94
PID 3212 wrote to memory of 3136	3212	Mcpnhfhf.exe	95
PID 3212 wrote to memory of 3136	3212	Mcpnhfhf.exe	95
PID 3212 wrote to memory of 3136	3212	Mcpnhfhf.exe	95
PID 3136 wrote to memory of 2404	3136	Mnebeogl.exe	96
PID 3136 wrote to memory of 2404	3136	Mnebeogl.exe	96
PID 3136 wrote to memory of 2404	3136	Mnebeogl.exe	96
PID 2404 wrote to memory of 1392	2404	Ncbknfed.exe	97
PID 2404 wrote to memory of 1392	2404	Ncbknfed.exe	97
PID 2404 wrote to memory of 1392	2404	Ncbknfed.exe	97
PID 1392 wrote to memory of 1064	1392	Nngokoej.exe	98
PID 1392 wrote to memory of 1064	1392	Nngokoej.exe	98
PID 1392 wrote to memory of 1064	1392	Nngokoej.exe	98
PID 1064 wrote to memory of 1016	1064	Nljofl32.exe	99
PID 1064 wrote to memory of 1016	1064	Nljofl32.exe	99
PID 1064 wrote to memory of 1016	1064	Nljofl32.exe	99
PID 1016 wrote to memory of 2828	1016	Ngpccdlj.exe	100
PID 1016 wrote to memory of 2828	1016	Ngpccdlj.exe	100
PID 1016 wrote to memory of 2828	1016	Ngpccdlj.exe	100
PID 2828 wrote to memory of 1976	2828	Nnjlpo32.exe	101
PID 2828 wrote to memory of 1976	2828	Nnjlpo32.exe	101
PID 2828 wrote to memory of 1976	2828	Nnjlpo32.exe	101
PID 1976 wrote to memory of 2020	1976	Ndcdmikd.exe	102
PID 1976 wrote to memory of 2020	1976	Ndcdmikd.exe	102
PID 1976 wrote to memory of 2020	1976	Ndcdmikd.exe	102
PID 2020 wrote to memory of 1664	2020	Neeqea32.exe	103

C:\Users\Admin\AppData\Local\Temp\5be5cb6602050e5cfdbdb4b005006806fccdd33a0c3f22f670f927f85ce4c438N.exe
"C:\Users\Admin\AppData\Local\Temp\5be5cb6602050e5cfdbdb4b005006806fccdd33a0c3f22f670f927f85ce4c438N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\SysWOW64\Llemdo32.exe
  C:\Windows\system32\Llemdo32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Windows\SysWOW64\Ldleel32.exe
    C:\Windows\system32\Ldleel32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\SysWOW64\Ldoaklml.exe
      C:\Windows\system32\Ldoaklml.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3592
    - - C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2216
      - C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3516
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3276
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3404
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:792
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4468
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        83⤵
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5104
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        88⤵
        Drops file in System32 directory
        
        PID:3180
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2156
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3544
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 408
        103⤵
        Program crash
        
        PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1416 -ip 1416
1⤵
PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
288KB

MD5
c409d1db75550b99827179e2df78bc14

SHA1
19ff6ef23fb87bc0bbfe3d1259ca808cb9632c8c

SHA256
0f37aabf09fd7f62e8d57b3256cb497c3fbdc396a9020e4108863ae11804c787

SHA512
45a8c98579dd354e5ba41eae7e0b05b2361d4ade531d0d71b369fa41882040407e0a94b898fefa910286a8380bfb092b8f5d4cba6c158819552c8da2c1079389

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
288KB

MD5
666db2d41dd9ff79af3653e70ebd65a5

SHA1
24b6d05a70e3040769bce746484cead11ff09d23

SHA256
ed69cece2d471acf08d66dd346d2d5aba8ca239b86f89f0a5e5cde046d4e2c94

SHA512
288b8eee354d1db9175df623dfd2baa66bf78c7b863c793e4b9c3fc4d0ca0cfc589a25a77601814d66c66704ad6cc8753b97d376de9a9427c32dfc373fbfbbdc

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
288KB

MD5
22c80e8f1f3294915adeac783fbdb0e5

SHA1
6e0b441e870243d80322ceb615f63a7ab49a8538

SHA256
64b60220418c4af8fab369d83afb4e750a36c600a44d3fd2f168917cb61329d1

SHA512
de43e8eacef344481c845732ccf39e85b954cda955fde4b7a78e2c3b6a9a6fb5cf247dde3668fe0d06d65739ffa5a7e7edf78963bfce5580e741ad3a7da9dba3

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
288KB

MD5
a06eef343789f42f1fe99b8dcac4827f

SHA1
327b084be28547f25414a03d32ba69413546626c

SHA256
a339bc484d6378e151cdce4e6c353b9521a19da97253d3b81274823ca3f8ae74

SHA512
98925badcfbd04bac1f9be829c43113f8305dd3a93df2813d145e8750852a69d18ab793fbd39fc36f4b7eb6b7afc1a27cc4923c26e444d628d79a65f6ec6fdc7

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
288KB

MD5
7f4cab16293c369c7d32a7e37f5e9841

SHA1
b86b0e44f1638f8863e7e3bcb1275108219230cd

SHA256
93762b40016b7aa0a818f14307f047424e72e03b100be1578557023dfcd409f9

SHA512
93fb6cc8b2fbc97138bc29a08d46690e7ea68574b1110324a2cb8493acbc3c8276c4c2262aaedaaf510b7118ed8e7817933aceeafc918a9f88f46cd5254353f9

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
288KB

MD5
15b032549903f5cd218c1a80bcb4a077

SHA1
3385847d7c1cd02146b02f11b0496c120fd452dc

SHA256
35e3f9252d8f2856b644fd6f188fdbe7254ec9489cc0ae328332f2d14b17a403

SHA512
ff61b9e1df4f5d4874a17cd91887abda9f9d1b63404eb132be5c9f7996745603e5a3320d4852235869fb0fc1b3ffa465532ece29f5da97b8fc54676e0e6d5959

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
288KB

MD5
abea177a647679cd967691a198b707ea

SHA1
6aa4073fbf18d0a90496bc1e285a68d29eb47f80

SHA256
3b712d27989ec7c1dd8e881ac670333a21ef4db196489b97322d38dd3ef2fff1

SHA512
1257a15d156689b9924532cf595aeac9ef4e4cfc584c4ecb5b22d3f1cbd041da6b3ccb1d29e1672bb46ffe647e2a8e84f846858042289c280b0c28fe16490c5c

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
288KB

MD5
98563d3ed5c1364194a0c885df70dc4a

SHA1
a4c0282d098d36bb4b2365f0deb1580912187d31

SHA256
6b6edda22e7a486dc9c20c929ef09c0c19ad72c15f43d64456a4d823b53f22e3

SHA512
17814f132343045527f7c03a4f6f42eaeda7f8495c48fe67602554d1c9e1f808c745b7274ad7555d43b9c8dabec45ef125c29ea2a8ee7d9ac32daf22b86b4af7

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
288KB

MD5
1890b591256e011b6eaeb3b94fe53e2a

SHA1
c3c7d42c0576997f5605dc53e27869005cc6bb6c

SHA256
5cc2b0c8cff3d11eec5b4061b2ecc47c2ad3b0df9ea85cc93ba43a01e61ea4e8

SHA512
5844491f0a97a567036d4695094f1a5a6e21a7c7e800f7e370e8bad4137511cc973b3c5eeed53de481f30427ff932d04a2497cdfd03a587df79e0e671b42dcda

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
288KB

MD5
8d6cbdbf85e6981a83c58840e641c371

SHA1
95f6443d398e72e71284611c0fcdb91a93022000

SHA256
eb40545f256a7c8cfe5f2f88664b03ea8443d65d1191b14b4ef2d617a1a221ff

SHA512
3cbacb4896489bc523ae1b00dcbea94abcdd271ed8b0c8e0e05ecd255cbe1e67f63c2cd6ce951cdc93ebb809fbe31cbe0b254069ad516c9d9cec722f8c7d74d4

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
288KB

MD5
5b389e81d1b69492962513d30116dac7

SHA1
a26b801e22510d504fe9202ed6f0b6dc33edd6b6

SHA256
f1b4184e023d1b9c6a1787d6fc9bfc5ef578160be8be5c798a6faa4bd12e290d

SHA512
08dc93f9107112f980225c1c3694e57ea5aa359bc4334af06b68ae43a7f31536aa71c541e015d4ce928cf80f7a58e05322aee4b34e1e8d05d5596d916e030ac3

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
288KB

MD5
02f8ebe8bc8f823f88c714c0c8dba29a

SHA1
45c3b2f80753000f5d66d19683cd59c6ef65c33e

SHA256
e10b8b5cd6bf761d01a67c554d5d2239ab60088ec035a5ea5192d6e030ff67db

SHA512
37d07c605ab20cf7a48f6f40d3436183092014b0246ad512edf0b809daf2b64fe3bb9535cf2ba056932b38a59ca81d9254850052fd797fb3644e93d563fc900e

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
288KB

MD5
78ab4b4351077959ab340144fce10fb0

SHA1
3542fd86718d4608a4846beb8c0071a5d66a7a5b

SHA256
51a6e5c5aea5519a3dab52ea348d885598de23bcd57a0719e16757d1f57ce7eb

SHA512
3c374b58b1f6a5d1fca2babaf6e809df1be13524aa84890ece0182d940a5cf74611fe71fd38868d08e0e695f69e273bb536d6fa9def00da2039eb6b365b9213e

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
288KB

MD5
fc061b2c34592461a440847d87578288

SHA1
a9800462ce0952f1997864d8ba7662813ea959e6

SHA256
257ba384731f28efbd12af4717770004926ea80bce3e6e84108a15d612061bc1

SHA512
6bf5b863c8b43e1a9e8d441d2ffad4bb0e2ec70ea504faed0d92a05e168b3536d934b238a5f66a7890c9b86d73a64a494a0c8ae2ee6b6e78b8c649098cf1437b

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
288KB

MD5
9dc3b25914bbc3ee7aabd1a6aebfc323

SHA1
b684cd3dce3e4ab99915d7a72c9f05625d9ee86d

SHA256
ec61fe135fa737db28b046b79f4e6a2e138b813145fc88dff5d97a45263b6a4b

SHA512
0d5e4e7e5afddb355633bc95d6411a4b5578ea4cf5d74b723ad0bcb6d225a55ce3222af19e9a11c7c6e100d0cd89ef80ffdf4e7010b86db88996dd45e766f66f

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
288KB

MD5
e81b61a2aa4d86794bc5cf131fa915f9

SHA1
b2b015144794cf7a27f2b6b2b2d9bcda79e7e52d

SHA256
9e1563aff599657b87fbc1bc61e07a80122216b69170b1694de0d706398b270f

SHA512
4ddc3a50473766b2fd25937cc9e9af21faef81e9f7226ef7e673c6ce18c75c1b9fbaa6d473ebd746bd16bec2dccff693382f85b9e546257a423edcf596bb34b4

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
288KB

MD5
5b357d2c28e1ac74b774a0078b50419b

SHA1
1395acb3d2862d969a9d1dcccd7663880c0bf32d

SHA256
c5d39450538d7e12adb6d3fc5bdbeaebcdb9a07caafc6d6d8cde1d303319730a

SHA512
d70255c5e74fd342ea6e0ed846bb3c185913fce4ef66376340aff250cac3ea7f96da6fe75f2c540e332b7963b6c2ad9c7e074f40b45150aa16e4c7b4cb7ac5d2

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
288KB

MD5
42ddffe7182bc5315c140f7812f030f2

SHA1
c8b028aa2f83772f83b7a3647fee2019df940b86

SHA256
21f07753a9125cba660313fa65635afcc5d5ea6773d7e22aa2ebf6d57147d24b

SHA512
e1891389d5419b50629fe96d8167b5bed64ec90b8b7abd981d2b490cfe106b2fa33df3500bf9f73c7c62126c0ea28f6e3e89fd272091d135a05c801b671bf700

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
288KB

MD5
761211422463a9c076398c85522397e3

SHA1
f06fc3028024632063704c3abd65639efbdc805d

SHA256
6aa3cefa05e00032303ae09a4eabf5fdd58e15cac536c86c48b13414a3c484d2

SHA512
231ae68cd43ce3f258597d4cd06dbd31f5b2112f82c4a82f560b297d062cd0bb93457564e660c0bfd2506010273c9ad1d8e7853b9331058edfb25f141a8724e9

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
288KB

MD5
88f88bd64fd815dea49b4cd6bb67016d

SHA1
32d8a19afdadaa7ad30a785a6cc22f6bbbbc9add

SHA256
8cda6d1959daaf62b1c7bd6a67a4a67d2bd41411df18c6e2d74c9eb1a830433c

SHA512
ec84068055dd6021decd6dd80f7405f23372333708c9ef2112227fea5dac4d5bd1fc297d353c3512b79ff31460803b101b0dde97f402cbfa68abd06bcfd71008

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
288KB

MD5
2b81db494b505852e7e92ddde35aa3fe

SHA1
36f9ce61bbd3cebea45099c14a16ec681244396f

SHA256
12f4425f5c2500386bb10248d9a83e5247e2ae4911001cd6f0d50ec4a0195df7

SHA512
4a3565a2ba4331437ce630fd4d9d064a9558be3759d3f2c52311162a0f0619188be23f1dc2fa7e8f0e71c18bf05681e6fc506d78d00a4c7739aa8fdd61f12fd3

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
288KB

MD5
6346f1432e4d9ad8661fa4886655ca68

SHA1
ce33765d1fa5072203868dd23ffcd456139eea2d

SHA256
e5bfb76a5d61b45328fbb010c933fc2395af03e690b3b46a77f772b3906cc64e

SHA512
9fb6dece63b64d1922b6368550aa3ec4d95fcedfbe5efc0ade9edee43715a4910d4a902f2b9bda5fe707d5ffaa031b2599e3f615c8ddf5b1f5ef79fc0417a28c

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
288KB

MD5
041951b39b05782ba66a539df5e1f535

SHA1
1ffa6cd2f5fd28657dc2788185a7e8940b165f48

SHA256
0daee785d26774684e61d22ed6f3e016b553f6d4bf99335eeeecab585f677abe

SHA512
fec3a5c730395a9a81c80e9b6bf3dd0f9d27ffc8faf6f16b22c7da606c9238af1624248f3eed639c918c7aca5a3e58d1d12a95ea4362878dcf9c495d19e5e192

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
288KB

MD5
d596df9af41a8df5c44c4df0f79254f0

SHA1
559d8d57087193c4ddecfe0c97ed4c12c3c35141

SHA256
d05d9fdaaf853991e44a1df686725c4dec187e3daed8140151bd4d2d4a3a61fe

SHA512
e39345718f885ee958e8ed5f99ce8fa0b1033dc5a2aad0b99e9666565709b0d280d9568a96ddde5d7c0b029ddb136fddcc77b117e7260770f607948cf4e4b145

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
288KB

MD5
d2ae9f955b097bef60d613cadd1bc79b

SHA1
c520d9db3facb27bd2f83e338bd617242edfda42

SHA256
1b7dcfb0df8b3c1457e3793890de12fbfdcfc69dc7f4f75f94f37df43d626e47

SHA512
8ade4e24deb5b30276e2caa72f7258cdb2c0ca1583e40a22385f3aa76fa57276dcf05d5ff8a9bf6fbdb12dfb9d8367644deebfeb4a071efa4dd78f0b320a2a26

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
288KB

MD5
a052ffc3bb1ed1f1645ec1814b1eb73c

SHA1
81fe4c6f4374001d27123f59cdbb73fcf3f55d71

SHA256
69192e279fa388523e68756d7082546c7312e680bbd32ec7e65d81bd838c97ac

SHA512
8f388938b04f2c4ef97df9310c91dc5d1ff35d66856341ecd7bcb24db197f675d27ae0035823b394123d3a3ca6cc7826bda876309f243d5d4a0625e812e2c297

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
288KB

MD5
aee7249824c607336da9cdaf3a9f1462

SHA1
c8cef20bb83c335f4a7e1fa1ed9268e6b2c504f4

SHA256
124b2b401065cf5f72fecd98f4b7bdb0dcc53333ae7ca32cfdf1d7ccd7267e71

SHA512
779fa75f51b06801243df4d541e3cb8b771c706cba12226997a2c66a81d776846c4a48f43332c817bf0cfc4403fbfaa63ec8224a9f22777cdf5babcc2ec683ff

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
288KB

MD5
cbb7d799c7e7f1e0004d3dd8a442fa9c

SHA1
a4399cebf1db5587e1f89f0c6b5c3ca192063137

SHA256
5b8a0ed211810c1594c82f3ecc0770d0980444d2746747b0c2a31c30ee2671e3

SHA512
607c7413a14a1bc25a605f9a4f166c440f4a81178b10c0052bba54203b12e3d38dbeff6d7abcc98f21eb5d6bf483e0a7bf81d05cbdc9631dca51e9616413f363

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
288KB

MD5
61b7c7f0824102f7fecda5a24b4ea38e

SHA1
e2d62247d52f193b087e4afe7b9449838032ae60

SHA256
98895a328d2aa5e850bf65f0d2871a32e2220cf7a38bc41a0ffbbdcebd6d154a

SHA512
cf5ba736908caf22a0ff5253de1ebe7539fb49ec728bfa2d17dff8d111f30b35d4bbd7ca872141674cd0fc2bd4b35c1e9d3123898ec94aab4c527183dd91a4e9

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
288KB

MD5
86e1eb47e740dfe91c2d16a5f353c313

SHA1
6b35b4dbad6d5b8b29327daca8e76226fdad4aff

SHA256
b204de0b7ade889e788913a694211ea97b99fb228f0ae7a7376c575cf6832d8b

SHA512
90a3990ed615d3f090aab65a795be7d78776956b8f96aa94950e3c20e83d01d7a4aff47edbcdb64acd7495c3ca395d03acaa698c7ec44b5ab50582294c6732b5

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
288KB

MD5
d4c861848b861dc5ff6976cf5ece8f55

SHA1
c7ea9e0c061f35176ab5151b77f842f9dc00f12e

SHA256
6bf7b5339a07c29f866f58d911a1704cf99b808b2a0cf7143d8d5b71f9666d9e

SHA512
7bc3b91137d07b2d9b7018fe03092b708fe75dc093b2b9e28775d5e28b67d40af9f030e293505e6e80f6ae936bfec5c6a46f6f1a0a1f6fc08ab58fe6db6f7397

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
288KB

MD5
956742aaf001e43fb6fa5f2997cf67a4

SHA1
fd646647a957cd2a874dff1c90dc683bfd33ab6d

SHA256
6b72b6547007114a45231969932030135c972b8d59ff1c7ddfbaebfd3b08281b

SHA512
1eb3ab4dd7dd5251957375e3c16fb6f91fef06f01f42d48a08be82c9435641b28632689458aefaa1a4618244ad99e30f8463ebb819faa9d8f83bf16bd7990ee1

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
288KB

MD5
fc9c66f008a195a877b46ba4d540e0fb

SHA1
7f5e9494a3e154367fb8ef3e3a517f4d3c9ff60d

SHA256
08db332762995b91153291810827d95ee2cecdbe487360b7c73fe5b88051a59c

SHA512
980edffce4ec1bbca90a41da64cfbde8864e738e5a25f5c8c33a463fdd605de3066f875d1ce68ed018c2746b05f62408b967d81f3f5a181e4dafb5679d2b28e3

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
288KB

MD5
a2f96794c816df9de00548e9e327c246

SHA1
404927ae8e297159cd259943dffc8bb1235ea7b3

SHA256
578510f0d241a514f4ec8887a6aa59f37977225771f4acf1cf43d64d1eeb41c5

SHA512
2033047d8adf81b7e48b2d0cd03eb39149cbfd187e0463e38a794c86041cfeb218421157144c614e00d0d3a13aef2e69505bd4d08c92a9ce8308a7d016c03a54

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
288KB

MD5
a16b77f835f864eaffa7e7f591eb63d1

SHA1
ba190ee6bee4f8f6aeee0b6d6e394f4928ee9206

SHA256
a6ebeb06e439b30bbe7de2a9dc68107e302eb10e1ea535069bd13c11635921a3

SHA512
7900014c2134d55de9a3f1a7618340753869de5ce30b4c4e0e9eadd193d28855cee507407f50c09660ad5025779b0bf08c0a494c12a6fce1ab507da78f50b2f3

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
288KB

MD5
3a8e3f6d7c66ad3a4cfc3abcece10fb3

SHA1
71298e23286a96361622baa4facc7d1a58b08c86

SHA256
8d10c10a6c133211cc74b073171f19fdad3ea3bc2da5ca2dbbe605edc3b897ce

SHA512
ff3605f6511ea1054f37baffa62efc523bf010153dc75fbe466c2df191a3c1049393bf79f93245c4d34cddebd75563ecd18302b4038a47715a9fd8b22344fdc2

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
288KB

MD5
f4309aef2c9a7d75ad93c57777153841

SHA1
aea7fe79c210129e51315479acb84bfa776ca166

SHA256
d30f3462d6434554198204ed98c3426fef6af16a47bb7e1cc247c5dbfb4b704f

SHA512
5afae1d54689c7128cbb591f390edd3610e3123e6156b7774c4c61654ed8c0c7085ee8a8b92742780009e3af62a5774845d94044f9ad2b0d1327bb0433dcdafd

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
288KB

MD5
bef8385221719bd6994c2a1957243ebd

SHA1
e76e11981eadf65a3e347f92d361fcd0270d4d1d

SHA256
82c83cd12320d1a845046f803a17f97e56e6f5c1600880b5ce8ed2b1c605e601

SHA512
02d103245c3ca94aa64c42cab0a4f8313c947483581116222cc09c9bfe1f7faebf83c7d695fc94e161582928d8c7fb9cfea88fce5dfac931d1a7374dd6489b31

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
288KB

MD5
7566de354506c24b842c1a0ff16774fa

SHA1
3089e921b3a2397e2fa85ec6e758c364e72eccf8

SHA256
dc6247e2a834ef241c04966bda1b5382ede6b387bb4acef730782dcc0238ee59

SHA512
9604b445f68fe218aa6dd1ca2b3ae20be2483662a4b17a62da938dd2cba18ef6c9076e48760f5af86656f81622afcd01e1a414d09e4e303c9b8f4ab288ace5b9

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
288KB

MD5
98ff5f3d829b05d39a54bb1a69a58abc

SHA1
173c2005885985bfd20a6ec38469a90718f5fc8a

SHA256
425aad22028dd001868107b504833b0e68b8bf6e0dd09fe79d9c72520ee9a12b

SHA512
266ab9ae261294d94cb950d7dad991e47438d4831ff051f4d3350785ac9449ece3362ee70bb8235a00b8da1b2267562e847dc8fe1d7ede18897559ef82e1fa17

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
288KB

MD5
8a1ef35a862ed0d517e30f00a594eae5

SHA1
83c55d7ff03e9156b3b4b240a08b60326d082dc5

SHA256
77e147965e06e90948a57836b4cf2c462e7818779fd40ba62b98a1e92297ec3f

SHA512
f38ac1636d1e2358c506925b6b014aebf587d0c13cb837cc886a3983f6168f3895238e35404b5a5377b4a182ace652cbc2675af8d0c42bbf2e0eeb2818acbce0

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
288KB

MD5
36e5f20708b17076c8447bf6ec324210

SHA1
43defe0acf19418603b53636183742a33c4d0cbe

SHA256
dca255e14848f893254192e9194768b0f55c7399b1fe50008b6066c31f05f889

SHA512
5e7e7d17c3144ed94d0e4070b491526ce90c39ff8f057d968435a85ca33e58260140093d587213fe9381db94f111f444e65168357e89f9944bf5be62f8ede2fb

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
288KB

MD5
c808119f4db285340947a5faca9643c7

SHA1
cd4de7f6ba3a3d6717cf1e193b2bb5bca7f8deb6

SHA256
fec3e9e4638edb89506ebbb65203db48fc8654f5fad33002798f8e3d71fa74a5

SHA512
c2419bf410c57e55d5ac12a5535f1805523b4d501303151c3c328538b8da380e46efe8b2696139af32a9037e7e9ee4ed57c96f8a17615be0c5620a481a58b838

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
288KB

MD5
973145eda3ae1ec74d165bc2e786db09

SHA1
70b1a728b7aaea86365401179cb226bb55741828

SHA256
07636f5404d89fbe7bc29a36374145c15f413e8de466506dbbbf0f70182169ea

SHA512
72072a892dffcd4ffb606df99d7e618071cf6d1394bd74f808d996be6384f796d1d0f87029cacfb000e4d2ecdd7664004ca9f2e02cf280b43bfccdde0795cf3c

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
288KB

MD5
261803e9a3b56b9899b55bd0eabc1fda

SHA1
0e58ac60c129d1bf3476bd91e90c5df57aa06a47

SHA256
aeed7c016d24d90a3a13a63ad86ab4892d626e776d283e19570c1816b62b9591

SHA512
94d5cbab7880375270476fa2e0bf7e2f1c2a6a17d76ba9499b15fb0e59146f866b8a22312e4d1ec4a322d77eaa9c2ac28e562a5dffa63c104e18c218d49762b1

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
288KB

MD5
8b69218225b08892e65fced8f0fb391d

SHA1
8d604bbd522f65c8cb4e4af918494f875aa912c8

SHA256
605bed6b6617a286c730260bcb158aa2fbcf7e9f3845b7f4c63e123bd2d9fda8

SHA512
075d5c9f0a5566e4cd15b2832a8d70fc85b36c5587d41e33eca85303c36f084cdfbc8cf1dbcfc2c21da124d5566789dff390430cae17c3fefa9a7c057b186d1c

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
288KB

MD5
3a50f5fdb3c23169f07b2e12d23390c3

SHA1
6f546b6a71b9f0190d10f8146a96aef66271f59e

SHA256
48c4901a9753c68699f58b3aa036d77a967e294fdd8bd23e20cb96b1667a7d51

SHA512
d9ce7bd51f795751c9caa6ad707ba14f7507aa96b0846d58d4e01ff5870b2c141226fd55936976527e54ccbe1ac270276558ed28da051a4600658d3fd11fedc3

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
288KB

MD5
6e87012aaba55bdd3ef49bd5305d247e

SHA1
16db0b58003aca70499aae7218b56b903f942449

SHA256
5e7099088ad9f855ef56ec67da09626a19b2c727dd1603b686d0bd071a2b4e4c

SHA512
63fbf3a8010846b13e34b0763046a893675f1766c2439e3288a6b1e3308ae75be79d07190da2870c0469923742f00750c86c5f82e99ef620d2a07324ac2b4445

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
288KB

MD5
fd28c20e3c133c8518ed59b7a3b891c0

SHA1
e68055bf320f2b48ed1c179557df84d2004d1f8d

SHA256
9d40fda28fc6d6a599867b12b7b1e134738de6cfb4452cf1fa3718d574307693

SHA512
29b48e7382e2fced445635d59548764c1add7b9bc584646257e0c95d9c37d58307020b59eedd3a894de305a5836fd943095c4be1ef76989ef3cf0bf82f400545

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
288KB

MD5
6fee988eb0eae365f31866b2a172d534

SHA1
0f0d28d3f69c0d0ac32d8eac39532c46349b3a8d

SHA256
27a5bbccd8d25e4efc8695fc0b96bc18e23efae615ac5ab21ebb6cf571fef0ae

SHA512
b73f4f9c5779c09d6d6004a3e27f8d9be64f7ac671ff96f56a2a4b3dde850f4091edf7aa0c13d3cb18b1551b8e64c15bf720958480a18daec4454eaf01c045d3

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
288KB

MD5
f9488b485e6f82ccfe134d0f35d94617

SHA1
179e5143961bffdd38b671acc4259f73a7317052

SHA256
c5e50daef7157cf24a2e8f2fcd7c34d7452e1994ecac943d6e7fecb8bf5b37a5

SHA512
96d0ff9d5f1c64a1598b7a7d71738422a3fed8bd9b2e599fb31a233fca44926cd169bd2ff41063a57ead52dd3389f580f1b18d640e6c260fbb9501de91b8eced

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
288KB

MD5
96d94460a7ab235b32fe3da2a26272c8

SHA1
2de9ce83da3060ab42ec3df445d2b4d24cd34a5b

SHA256
7778163d7f07ee009f94ff462f6b9ef302f053b5c599869f6c28d61cd114c67d

SHA512
843bdd6ddf58ce6963e8d7d018791a1b02bd8b83f6626d3d31ce4382cae7b906b231d53311123f0cc239e7b1393a591c7ca00662c9acad7f82f75985b3141729

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
288KB

MD5
902000a40e9880b89f199d4b6a9e05e2

SHA1
4271159719e322e8af5b3632bec32b3514eb82b2

SHA256
50bffd9c7be160a60212a3270bfcd0ee66e8f6937643cd0eacd1a9c6fec5dec8

SHA512
3ec4f8a10a1bc82a48179d7210ed034b659c852993438ea61567cef97d24956fbddb2d81436d98217c043baf1e22ebbb1e78ae5788e0df6680b7b771f1340fdc

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
288KB

MD5
85829ec59fd9c4144ffd8d443c9be2ee

SHA1
0a61d8b38055ab2abe193d95437a3bbc9b2ef9a6

SHA256
698d65f0854590172cfd3366c29b8acef3a326d825125f50b274763f5189a47a

SHA512
2a091153b54edc98c0c2a70c56ad880ff9520e6f5d9b8eb8cef951b4679075fc525a2129113e0b7925256149c076cf1861988def25ef52b6e0498caefa9effe9

Download Submit
C:\Windows\SysWOW64\Qncbfk32.dll

Filesize
7KB

MD5
99f94ebe9506df6d7c08f15ed33e571d

SHA1
3b970127753ef81e82aa7f2838c75b33e1e90b29

SHA256
3298b65407618def251593576d78784ec795b6c4b8312a6f105f4e0cb683bbfd

SHA512
c0e0f21c287897df15384507f4c1cf57a3dbf6382d64655cadeb8c57fe31b678d54fdd92eb418b4f54d22e1519bc7847ca5c5bcab1867f5f7063751a53433efc

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
288KB

MD5
ba1e48f95ff32263d8307e3c66645d1f

SHA1
f0a462ae6d4c515f9a99ba93fba93608f525291e

SHA256
a28c8577b2f5e6dfc502cfe4937e9fdeca78213f7cb1c0b977cdd960bce9d3de

SHA512
03dbfae91e7f5720c5881088c609e3a198b7b4d2a7530f6461d4fe9a35ba0494b6e866cdef672547cc0e134e075fe7853868e730f096e775e57d32c455d9c0c2

Download Submit
memory/232-490-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/392-364-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/464-322-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/548-526-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/792-476-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/804-208-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/940-478-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1016-144-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1040-484-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1040-750-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1064-135-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1120-544-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1120-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1228-292-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1340-424-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1376-240-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1392-132-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1468-579-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1636-352-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1664-176-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1684-712-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1780-558-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1780-15-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1796-286-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1812-376-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1856-79-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1868-316-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1880-56-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1880-592-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1932-71-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1932-604-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1964-735-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1964-532-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1976-160-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1984-466-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2020-168-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2020-850-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2092-231-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2108-382-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2180-199-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2216-571-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2216-31-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2224-552-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2328-825-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2328-262-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2404-120-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2496-255-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2496-828-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2544-711-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2600-412-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2604-418-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2616-572-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2660-358-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2752-48-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2752-585-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2828-151-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2916-578-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2916-40-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2928-781-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2928-394-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2984-298-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3016-183-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3032-346-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3136-112-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3136-864-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3140-328-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3148-87-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3148-869-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3184-304-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3212-866-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3212-103-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3228-551-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3228-7-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3244-587-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3276-280-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3288-406-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3308-215-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3404-340-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3448-784-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3448-388-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3516-191-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3592-23-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3592-564-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3640-598-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3640-64-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3792-430-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4200-334-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4280-538-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4304-520-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4312-400-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4312-779-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4368-442-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4412-268-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4412-824-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4468-502-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4544-247-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4580-95-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4584-545-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4616-454-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4676-436-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4756-314-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4780-496-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4800-708-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4844-518-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4876-448-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4900-460-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5008-274-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5020-224-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5024-370-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5104-565-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5116-508-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads