berbew | 91694c7cd7237c2b1890f5cd20192861609d15c95f48d2ee27006dd4379c622a

Analysis

max time kernel
94s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/01/2025, 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91694c7cd7237c2b1890f5cd20192861609d15c95f48d2ee27006dd4379c622a.exe
Size

96KB
MD5

a316e732c1f51d2213ab359bfbb64a11
SHA1

0db1660373a7146ef381820dbf89147d82ff8a52
SHA256

91694c7cd7237c2b1890f5cd20192861609d15c95f48d2ee27006dd4379c622a
SHA512

be0da1bb5628d27b70dd9d65a825b6151a415499b3a59e90f46881bd35083b53f40242676ae024c42aa00fd63d128af922b2712242a517b162c7bc6e47c8f267
SSDEEP

1536:1yDDOrcy4cpDH5Jn7I2i282Le97RZObZUUWaegPYAW:ADO4Wzk21e9ClUUWael

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b80-55.dat	family_bruteratel

Executes dropped EXE 64 IoCs

pid	Process
3588	Jcllonma.exe
4064	Kiidgeki.exe
1536	Klgqcqkl.exe
4576	Kfmepi32.exe
1436	Klimip32.exe
388	Kdqejn32.exe
2444	Kimnbd32.exe
1684	Kpgfooop.exe
4880	Kfankifm.exe
2576	Kmkfhc32.exe
964	Kdeoemeg.exe
380	Kefkme32.exe
1040	Kplpjn32.exe
1524	Lffhfh32.exe
464	Llcpoo32.exe
4352	Lpnlpnih.exe
4424	Lekehdgp.exe
4900	Llemdo32.exe
1864	Lboeaifi.exe
4228	Lfkaag32.exe
1632	Lmdina32.exe
1508	Lbabgh32.exe
3804	Lgmngglp.exe
4792	Lmgfda32.exe
2176	Lpebpm32.exe
3000	Lebkhc32.exe
2572	Lllcen32.exe
336	Mdckfk32.exe
1000	Mpjlklok.exe
768	Mibpda32.exe
2784	Mckemg32.exe
3740	Mmpijp32.exe
3204	Mdjagjco.exe
2944	Melnob32.exe
2908	Mlefklpj.exe
4548	Mcpnhfhf.exe
3688	Miifeq32.exe
548	Ndokbi32.exe
2692	Nepgjaeg.exe
2724	Nngokoej.exe
1260	Ncdgcf32.exe
3616	Nnjlpo32.exe
400	Ndcdmikd.exe
1872	Nloiakho.exe
4392	Ngdmod32.exe
780	Nnneknob.exe
3292	Npmagine.exe
2304	Nfjjppmm.exe
3984	Olcbmj32.exe
5040	Ogifjcdp.exe
752	Ojgbfocc.exe
4788	Odmgcgbi.exe
3180	Ofnckp32.exe
1228	Ojjolnaq.exe
4552	Odocigqg.exe
3848	Ofqpqo32.exe
1104	Oqfdnhfk.exe
428	Odapnf32.exe
536	Ofcmfodb.exe
4460	Ogbipa32.exe
3032	Pnlaml32.exe
1240	Pdfjifjo.exe
112	Pfhfan32.exe
1352	Pnonbk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Kmkfhc32.exe	Kfankifm.exe
File opened for modification	C:\Windows\SysWOW64\Kdeoemeg.exe	Kmkfhc32.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Npmagine.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Jcllonma.exe	91694c7cd7237c2b1890f5cd20192861609d15c95f48d2ee27006dd4379c622a.exe
File created	C:\Windows\SysWOW64\Llcpoo32.exe	Lffhfh32.exe
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Mdjagjco.exe	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Lpnlpnih.exe	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Lmgfda32.exe	Lgmngglp.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Kplpjn32.exe	Kefkme32.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Miifeq32.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Klgqcqkl.exe	Kiidgeki.exe
File opened for modification	C:\Windows\SysWOW64\Kfmepi32.exe	Klgqcqkl.exe
File opened for modification	C:\Windows\SysWOW64\Lfkaag32.exe	Lboeaifi.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Eghpcp32.dll	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Kfmepi32.exe	Klgqcqkl.exe
File opened for modification	C:\Windows\SysWOW64\Llemdo32.exe	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Ecaobgnf.dll	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Mmpijp32.exe	Mckemg32.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Lboeaifi.exe	Llemdo32.exe
File opened for modification	C:\Windows\SysWOW64\Lebkhc32.exe	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Ingbah32.dll	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cbeedbdm.dll	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Mibpda32.exe	Mpjlklok.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5884	5760	WerFault.exe	200

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lboeaifi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91694c7cd7237c2b1890f5cd20192861609d15c95f48d2ee27006dd4379c622a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekehdgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqcqkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdmai32.dll"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	91694c7cd7237c2b1890f5cd20192861609d15c95f48d2ee27006dd4379c622a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canidb32.dll"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madnnmem.dll"	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llemdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	91694c7cd7237c2b1890f5cd20192861609d15c95f48d2ee27006dd4379c622a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll"	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	91694c7cd7237c2b1890f5cd20192861609d15c95f48d2ee27006dd4379c622a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdkcl32.dll"	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplmmdoj.dll"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onliio32.dll"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djkahqga.dll"	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 3588	732	91694c7cd7237c2b1890f5cd20192861609d15c95f48d2ee27006dd4379c622a.exe	83
PID 732 wrote to memory of 3588	732	91694c7cd7237c2b1890f5cd20192861609d15c95f48d2ee27006dd4379c622a.exe	83
PID 732 wrote to memory of 3588	732	91694c7cd7237c2b1890f5cd20192861609d15c95f48d2ee27006dd4379c622a.exe	83
PID 3588 wrote to memory of 4064	3588	Jcllonma.exe	84
PID 3588 wrote to memory of 4064	3588	Jcllonma.exe	84
PID 3588 wrote to memory of 4064	3588	Jcllonma.exe	84
PID 4064 wrote to memory of 1536	4064	Kiidgeki.exe	85
PID 4064 wrote to memory of 1536	4064	Kiidgeki.exe	85
PID 4064 wrote to memory of 1536	4064	Kiidgeki.exe	85
PID 1536 wrote to memory of 4576	1536	Klgqcqkl.exe	86
PID 1536 wrote to memory of 4576	1536	Klgqcqkl.exe	86
PID 1536 wrote to memory of 4576	1536	Klgqcqkl.exe	86
PID 4576 wrote to memory of 1436	4576	Kfmepi32.exe	87
PID 4576 wrote to memory of 1436	4576	Kfmepi32.exe	87
PID 4576 wrote to memory of 1436	4576	Kfmepi32.exe	87
PID 1436 wrote to memory of 388	1436	Klimip32.exe	88
PID 1436 wrote to memory of 388	1436	Klimip32.exe	88
PID 1436 wrote to memory of 388	1436	Klimip32.exe	88
PID 388 wrote to memory of 2444	388	Kdqejn32.exe	89
PID 388 wrote to memory of 2444	388	Kdqejn32.exe	89
PID 388 wrote to memory of 2444	388	Kdqejn32.exe	89
PID 2444 wrote to memory of 1684	2444	Kimnbd32.exe	90
PID 2444 wrote to memory of 1684	2444	Kimnbd32.exe	90
PID 2444 wrote to memory of 1684	2444	Kimnbd32.exe	90
PID 1684 wrote to memory of 4880	1684	Kpgfooop.exe	91
PID 1684 wrote to memory of 4880	1684	Kpgfooop.exe	91
PID 1684 wrote to memory of 4880	1684	Kpgfooop.exe	91
PID 4880 wrote to memory of 2576	4880	Kfankifm.exe	92
PID 4880 wrote to memory of 2576	4880	Kfankifm.exe	92
PID 4880 wrote to memory of 2576	4880	Kfankifm.exe	92
PID 2576 wrote to memory of 964	2576	Kmkfhc32.exe	93
PID 2576 wrote to memory of 964	2576	Kmkfhc32.exe	93
PID 2576 wrote to memory of 964	2576	Kmkfhc32.exe	93
PID 964 wrote to memory of 380	964	Kdeoemeg.exe	94
PID 964 wrote to memory of 380	964	Kdeoemeg.exe	94
PID 964 wrote to memory of 380	964	Kdeoemeg.exe	94
PID 380 wrote to memory of 1040	380	Kefkme32.exe	95
PID 380 wrote to memory of 1040	380	Kefkme32.exe	95
PID 380 wrote to memory of 1040	380	Kefkme32.exe	95
PID 1040 wrote to memory of 1524	1040	Kplpjn32.exe	96
PID 1040 wrote to memory of 1524	1040	Kplpjn32.exe	96
PID 1040 wrote to memory of 1524	1040	Kplpjn32.exe	96
PID 1524 wrote to memory of 464	1524	Lffhfh32.exe	97
PID 1524 wrote to memory of 464	1524	Lffhfh32.exe	97
PID 1524 wrote to memory of 464	1524	Lffhfh32.exe	97
PID 464 wrote to memory of 4352	464	Llcpoo32.exe	98
PID 464 wrote to memory of 4352	464	Llcpoo32.exe	98
PID 464 wrote to memory of 4352	464	Llcpoo32.exe	98
PID 4352 wrote to memory of 4424	4352	Lpnlpnih.exe	99
PID 4352 wrote to memory of 4424	4352	Lpnlpnih.exe	99
PID 4352 wrote to memory of 4424	4352	Lpnlpnih.exe	99
PID 4424 wrote to memory of 4900	4424	Lekehdgp.exe	100
PID 4424 wrote to memory of 4900	4424	Lekehdgp.exe	100
PID 4424 wrote to memory of 4900	4424	Lekehdgp.exe	100
PID 4900 wrote to memory of 1864	4900	Llemdo32.exe	101
PID 4900 wrote to memory of 1864	4900	Llemdo32.exe	101
PID 4900 wrote to memory of 1864	4900	Llemdo32.exe	101
PID 1864 wrote to memory of 4228	1864	Lboeaifi.exe	102
PID 1864 wrote to memory of 4228	1864	Lboeaifi.exe	102
PID 1864 wrote to memory of 4228	1864	Lboeaifi.exe	102
PID 4228 wrote to memory of 1632	4228	Lfkaag32.exe	103
PID 4228 wrote to memory of 1632	4228	Lfkaag32.exe	103
PID 4228 wrote to memory of 1632	4228	Lfkaag32.exe	103
PID 1632 wrote to memory of 1508	1632	Lmdina32.exe	104

C:\Users\Admin\AppData\Local\Temp\91694c7cd7237c2b1890f5cd20192861609d15c95f48d2ee27006dd4379c622a.exe
"C:\Users\Admin\AppData\Local\Temp\91694c7cd7237c2b1890f5cd20192861609d15c95f48d2ee27006dd4379c622a.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:732
- C:\Windows\SysWOW64\Jcllonma.exe
  C:\Windows\system32\Jcllonma.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\SysWOW64\Kiidgeki.exe
    C:\Windows\system32\Kiidgeki.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4064
  - - C:\Windows\SysWOW64\Klgqcqkl.exe
      C:\Windows\system32\Klgqcqkl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
      - C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:336
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1260
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3984
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        53⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        54⤵
        Executes dropped EXE
        
        PID:3180
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        60⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        61⤵
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3032
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:112
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4828
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        70⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        73⤵
        Drops file in System32 directory
        
        PID:3336
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        89⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4980
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        95⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1492
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4260
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        102⤵
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        110⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        115⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5716
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5760 -s 404
        119⤵
        Program crash
        
        PID:5884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5760 -ip 5760
1⤵
PID:5824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Andqdh32.exe

Filesize
96KB

MD5
c9ea24e513f1e7d40326c665027fef02

SHA1
7a0d7f07d47642949f80174d82a206bb5c75b6d2

SHA256
3ab7bd948e966a97062b862074804b9666cc2f9eb5584bb393b56bdcd3b424e4

SHA512
05626d8742e9096d2b17baf12ef3196daef49435ed1d704c70c9c535ed51ae5493efc2c370175676d8e6275838e6e8e944bcb6dc591f289ca785bbbc1bb912f4

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
96KB

MD5
8571d4e9ede81f4ea3826af149643a68

SHA1
f4db36c3476696ae78257cbffc8f8efb617f79d9

SHA256
22c049976a5e6c9cd6013d88959344eaae715039e6a8a1645eef20f7d907dae2

SHA512
2516715510a6522e177a8a054414d7e170c738d2ab79ce1a5efd819a10caacda4e0d2b5725b77fdcbff370a7f96161c83ca2bb7bc8830264530c3d2437a862fe

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
96KB

MD5
47d627d2b070be3f684f0e0cb8a8a093

SHA1
11d813f5814e4878dc408c950a4637b4eff5be10

SHA256
156b895f5a1e481540a5209591bf1fcda3254b6280434055c556a9d6b817465d

SHA512
6a155a67f353bb50109a8db22ac4febfd4c3bff4df76c48a22606729bee0dfda5b256bda22bedacb377bf27ac1169e14828350ce5cbccc4fc575dc6e782c10f9

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
96KB

MD5
5f274e1623b3c369427ad2e93620488c

SHA1
147de75f370c37d176ad627053d1c5351b4840db

SHA256
d80cc1a48bc8418958ec55b40bedf19b3b1767b4988966844d61b5efa2d49798

SHA512
db01bc7c2ff3a86cd014b5f2287219efbcba4efd348de4bdbad3cd8b19997a779caac7feb79b5cc0d9d9ed911afe80c30e70c3620a21f49bafeb5be4675691e7

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
96KB

MD5
bc715520db156fff09ed975447848266

SHA1
057c011cd3cc393bd1392058496556f83d35fbf1

SHA256
982f88789e0cf3595b206cedcd51771863f3c63abd52ea17ebe66caff206b397

SHA512
d19631c8734881331ce04dbfd1b9d99ce20ea2de189e75a0ff9464f6c0324686279e621ba3f2428edf2c14e79fee01238a0722bcac3a930f1f41e53fd032a340

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
96KB

MD5
915471cfc80f595cbc044ca7239ece05

SHA1
9edd7717ce1ff99e28fcc12ea18b4df437fb1ae4

SHA256
f1b62d3a59d5b9461b9be660c43e5ccef32d920a8daafa9ad815472d09473975

SHA512
437ead713df1d75bc30b7b75193f4139bb0b24b864430d4aa91799e7fa3446881b3c4b417e4f07ec05b033c7de35c40867b8a4e60bbaac296bce7b9b498667a4

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
dc6f2579d757f0788f632bb726cbb41f

SHA1
5d48b28c17681ea4cfeba8077c8f4d1c4d5f5ca1

SHA256
bd024b00322d65d14dd3133f14c901fc390ca7db573a7f2c96ac1120870fe50a

SHA512
754155eb79e4f28f51c211e6f65e9bca0d99ea9f15bfe0070e2892f5c225c448d02a9b9d86a345be11be81eef08ec7de16dc9337aedf3d0a6a6b802afd4896ee

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
96KB

MD5
62bc3a7c3cc2fcac961830739301548c

SHA1
0a3517ddc663e8d14266d1dc0100b43810f6eaa0

SHA256
97d1c94fbc9febfc4cfe9a48e2796bb1cb0672776b7bd66c45d28ba71d0fbf63

SHA512
91504ab59f8f4b8db35fbfc12f002c0ba85a700d81b33ed1d7c39b9f71ab18a892782499b40fc9026ef9e66a339eb29b3b1a24b8a26eeb678cee085547c387e5

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
96KB

MD5
a48db9681c10c10e2b0a31e0234b7bd9

SHA1
cbcb7c5afa1ee59ff4f2334120d69b6fb13056f4

SHA256
3db97aa57026100d6480e41cbfecfa50d6c59403eb3579369667a779dd389af6

SHA512
a530f3742b767d297d3e37ffd8a8fc8525ee1e12452a19c2194267f463fd085e4ea8dc34fe5c60a9b2c139b7b03e06d5476199c0daf932f402eff1a280b76728

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
96KB

MD5
063f2779880856b1f2e71afd085e18d7

SHA1
eeed04c06a26b7b6b82d05743406c542cb1073c7

SHA256
8139b6004120282e167bc1ecebc270af56f0720064244a849438e8d6e205c491

SHA512
ec6a32c8b824aa8953d00486639cdae9dc9edf66530ad9e833584c1a0ad1cc002dfdbbc77f1dd02cf6d2fb87265cec204fc8e8056f01a343ef4ff0b8f92d9b33

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
96KB

MD5
1983c75e46b7621afcbb259fb2831f01

SHA1
4c707608a690e5080b24afaab659752346145fa3

SHA256
cb7d7833050c47e323d4ee9bdd838d188c48a88f95715cf8c51d83ac87681dfb

SHA512
241a1d3c25d8aecea66602ddaa67bc78b479d93d096e3ee9cf342806dc42900f618093b9af28b5e9e8fea7ce896e6db9e2381a91f85c51be8b4c02a9d6cfbea0

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
96KB

MD5
31be61e6d3129ad6f4c1fbfd0d92d9fb

SHA1
97fb62e3c8f3b2a2d6c8d44981aedf151e88eb2e

SHA256
997e2190d3ce157e9705e60259446f5625a5de2c8cbd1fb9760793fcd29f3ca1

SHA512
cc7d7571ecde98924ada5b746e368d7f8e9b14fc0876e8035cbe3d212229b1bdb44aa1d83f02bcda2673daad43a265fb432223754c3f1aec7e671c0886025c8b

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
96KB

MD5
b95a4a850f511ff87fca6a3defb6814f

SHA1
b78b5dc0dab69dc631034b0702db59b961bf8ad6

SHA256
4e696f5a7e483223a38e8ac09fdef3f4ae6af291967fe2ef25aa071714c9b35e

SHA512
344b700b1104b1f2a342d25bba981faaa654266b9fb8508758e70d984b2eb1b799fb919b41b61ec85ed7436045b2e74a49fc3b2e6a353190fef557e71b848bf2

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
96KB

MD5
5ea9f97d6a9bc514b10ce25dd39b28b6

SHA1
c079e2e21f7571b0a811c4c3434ec27921a3c591

SHA256
47ed750c208a346169f8d9728f0b55aeb9bf38e49d9b9b20561bcc9dd7e520c2

SHA512
9a08232e8a765f98e0c8dd468ab105be34f3ae250a233f1a30e9da72ad6f0951a918142922f6c0c4df765870dfec2456c98feac3c0fb4724b1a1676e5f1654e8

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
96KB

MD5
c8191100098598f2a30bd52152a82b15

SHA1
1d763f649f1bbb5555985325574cdb93dcd5b3a2

SHA256
06afb424c185d3aa7ae0dd83847b61520798bac13e69519958b75c1d950db246

SHA512
9cfb1d10926a40da8ce4ef524d3613d29ad1592c16f07196d205c5b41a77bb03739626992507e218260926e87fb3ef04c2a797e21c6d3fc9444c5d30be737ffc

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
96KB

MD5
0d533b7c63c69724714b6478234f06bf

SHA1
1eb64a934a536671f760e7da7ff6371503b60d42

SHA256
0cad524cf8e23bdfea4d572e0a5c176ff74974c2b2db5c312798fba27f4ee509

SHA512
7fd9fb9bb3301927a6a54536e3249bcf715e6e7743b86ab6b3c29aaf940f85b8fbff468e694c51cd193bdfa931f7cfe1dcf0256d788be5ed9f94f7a67c76246d

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
96KB

MD5
11dc9b9a03fa52aab6389284e85b24f0

SHA1
660df395e8e40c55afb8b63ce1ac1a36b88da934

SHA256
06b0e21996aa2272d915207e750f9abc39a0b99254bf0b8988d04db68a15b8b4

SHA512
3d6bbacd35befbc1fbb2ae0519165d26ebf8ae8de0b48eda0e6c24d9bc8328c677579090946e94523527d3a59bcaef97a8d8e06d49b579eb5f1c6adc20b6a9e0

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
96KB

MD5
9e10df214c333f717ad36d44b7bc3bdb

SHA1
96c33fa073842e44b472e2f3776fda7b126953c4

SHA256
06d9262461fe1e4d82a29bc52e396d3dc572831748a3db996b293d16ee7e51b5

SHA512
d5082290c1602f0bae0a31792027d2f6c76917d8362bdf7a3c48092dabf7de8477d963d430e5fd61dd77498190b40a7930bbfddb324e2be5402e3333ece47184

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
96KB

MD5
f17e992239177a121964f8af8c9cd95b

SHA1
c66249d8a0f3ed84ab50a4c76623cb5ee7d9b654

SHA256
a9cb7c0fd17b9598cf6b247b2065eed6bfce2990912ebbe866d551a652301f1c

SHA512
78acff69cfb08103a947ac4144080ac6bef8e6e9dc66f9b8a667e3a81312bc25ba0925ba181989f59ffde18e54435c28939d33eb6949394097c338e9d7ad523b

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
96KB

MD5
36e573e40fccdeeb2849facef68a7cb3

SHA1
126478ed4fabb63ff95585e00a525924e2699511

SHA256
669c61d3611135b9e4a56aa19aedeb2aa0669419bcd99ebeeb72f1f5fcba6925

SHA512
80b2f2a9233c36c4229c4227669e1126620bd562e01996a7ca03e98a844bf191dafa40c1c35247c17f43086a9db4b10c3b82d3b0686fe10ff242fb6cd18bc82b

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
96KB

MD5
0d46d48ac4a32370d2defb6be0890d88

SHA1
e7f9b13a40bf04faf9defa1b24aa247fd685a6c9

SHA256
c9b1815f9804ba84e4a7b0007cae2be14d954cce305741b0526d0dd4ff720bc9

SHA512
c1ef28a425c8b3003f584ef0a244c9d9f7079eb86ba8485cc9d410d06878fea5306fa4d84ecbff019e64d32bb22aafcb386869f7a0f2176562c1f2a9616347c4

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
96KB

MD5
2c97b86789990571c1bb3e42ed0615da

SHA1
c7d4acaff32861f73391d554715d164fd5c1da97

SHA256
0049a5063a6b33b932477a03870be17b75d506cc7669bfae5790428636f052e2

SHA512
194effd5b4d7463638b401372c007c5d73171fb95a0082e59701873fd9ce271add5e2b1a701b111413af31500cded2397c2286ee6cb050a878b3f03ab1342f8b

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
96KB

MD5
eae1c6e2cf6f2c57c64b6888c1d5407e

SHA1
74f644ba34bf7ade403e0141728742757de9db85

SHA256
e5546ccef58dc674b73a5e0a5fd7fa8ed159b00488cf1173a24d0e52149e00e4

SHA512
74cda5207eb8a2ee8d1a4f31109c1bd2ae0b08fc05984583f8fb4a12b9d163f1224c77eb3bb2706a7fb9d71476c863e5bbcbc5add9711073a7049a7c6156fbcd

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
96KB

MD5
8cb42e73466cf30bf0c03e566d44b353

SHA1
6d0f000643cac81af1534ec62a71394f57aab3cb

SHA256
5ed72113e88b625c4e362b0d4fb3fe9ec82b0b3e5695d2388b7a62889cc254ee

SHA512
c0d2c91bb1140074347a657cc508cd5e62031072b7d8bd70fbf0c0dba775903406cd5cc3875eaa2cb3e7f68b49a6377f3c2daac8d8d42026f69ad852be78b11d

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
96KB

MD5
ec89701729aa12a4753979801fb6276f

SHA1
d3d45c85773a30255e062be3b9c51afe8fa86f0f

SHA256
c442d87169142d4fe7a870a9431aef7517cb9b9ae46e1a93b84b8771d3cfd43d

SHA512
17b68d2b9fd75768386f5369d4bfc80f151873db5a24bed2d82e605bbf1d52899816abf691548328fedf92eea17a138affefc6514307be32e4b48ee08c0e6c2e

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
96KB

MD5
8284bb3d026abf4db56f4d1c7e48124a

SHA1
def3de799a39b9a825008cd459c0fa58309749e4

SHA256
e9a7b972058cf861085e39ab5bde4c8785cf0b5b8f453b9b5e68b19c36798614

SHA512
85a0f50d2a2db57c8204466ef52187b7da638336281062ba0f1ed8b40a233783462cdd1a59fa4250bf8dd721b3e915cb1604be722592f52fc10d060e5b98a1eb

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
96KB

MD5
248140e3cb047b72d9fe99ee61bb6939

SHA1
edfd397fb7a77a676139ea26c6ee323859fc263b

SHA256
554e82bd4bb1f29cd00f9db287890cb299eb415b645e85b48733091c9835de1d

SHA512
fd548a2e34eba3771b04f0ec52a01755168d890fa76eb5105ee1a4f9f21eaf6732683972924ebbeaddf8c3240f29239024c60df313a13680b6300d3dabddfb6f

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
96KB

MD5
22968d102c205857a8a179bc6fc14c9f

SHA1
0db0bc70fa40e2305aed5206b9b8192ce751e5a5

SHA256
40f69841d0f414f5fe021afb1efdb8a9f89a4ed4b0eed193eaf9e56f7803896c

SHA512
b88825bb5bc3bd9c930c7a1f7e481ee80cc154aa289ebdef1545977ffae9c501326b28b430bbe50fbae9f44ab82c32a17139d27f5647003dc2018b62399de3fc

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
96KB

MD5
e0043db8374f6a47c7b1aa067b3061c0

SHA1
6a6ba937a81fb5c5e5136c4cee40d65bd414827e

SHA256
d5c1829b833ef75968dd8dce1e09e8e942d435d4d278f0fa91ccdd9bb3633c4b

SHA512
e6d22cda7b75ae011603f8b5dc00ba55df712cb1a11521353e841bb4f3ddff4dc54ab0053288e1a1ca6e445ed6c3bc2f9aa4e3c24c8a65f85a13b9fa402bc341

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
96KB

MD5
50afe3943d771edea15a6df19e206a6e

SHA1
2d4fb83204c4286736d1829881c814c4b03d597f

SHA256
4ecbfa326a47d294171506b9b97046f1d95e443b925043d566e63aefb7d6c685

SHA512
4a28b9e86f9e674a3c602212de7df6da5f6cf33f405a612cebce1f0176cd361449694bd7e2fef561cf76a4b622668d62b3fd7d65ff2856e3d3f617bc79e6df03

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
96KB

MD5
5292381f0da64eedb59d2d7d6ba9078e

SHA1
b1f5584ca48fb98c332a11097cb1d08c526084af

SHA256
d1fc0a94d88b13e4ee502ee1df6fd6630d259434252ec8c421b5be8906732fc2

SHA512
c3cd89d1bdeaed6e82379df30f8237a070efce0445ba2a03758505bada1ec13c0b40f2d1d6b9ad0e54a886845debabfb0eaeb154f4e05edb945b49533b5084ad

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
96KB

MD5
ed1ef6f138f685e9341da996a7aa937a

SHA1
647593de840c870cfe479f4a97f94e660f625cf1

SHA256
df47e950102c98ad33e9e6dcd7056c4efcd579b8fd7252b208cf5921c5a2fd6d

SHA512
71e1745dd597193b51756d39b7e3c2d6278b4c96a4bd34578bfe07e1fdc338c9068c0f7a5b30ba43345d78d15a3b262ccaf0a5dd1e1d4a4c31c15a1345e25bd9

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
96KB

MD5
6d6a6cb565facbd194feaacdf649f851

SHA1
000b0df2ec19dc07fea3d2d81b1a5276598aed6a

SHA256
f84735e29f3a7e2ce3c0f198c618fb11a5a94e8427d159e756f5623982006846

SHA512
583f3749d36ef2c764a928335dc3c745285b6fab8f25e0b12134890e92aca2c6ab4117e1bf312ed80488680c84d2f61668bcd40d16dbc777a1a8d75b637f86c7

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
96KB

MD5
caade89be0b345bf02918488494e00d5

SHA1
ba9195f35b36c264f1a010b9624d57ad56d91b29

SHA256
b593f1babd6eddba9dc2e5817790a4af20dbc6685e406e5ad4e038c5476ca6a7

SHA512
6c41e093fcda69e861f27a37de2305989e6cf8bd1ababa027c93029d368b37c5da1f441993faba6d04a4f09777663a4abdd6aa84372d93fda3880619710a66fa

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
96KB

MD5
5c4f4a19a4a0288a2ff58b59cb7db19e

SHA1
de68dc7f82a54d41c83047d49018fe63a3017020

SHA256
56770aea144ff50c73e7b09876fea218964e39c588e95813586bce785754a80e

SHA512
199f5649d6f8c4b83b8cb1b1039b0671154257171c5356102404a1373d8b630a0ed63a50f4679ba96b1b841827b8be56b3815d677d101c65b5f24bb4a00bed55

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
96KB

MD5
ed12919bb900f83f336effe4f4dfa959

SHA1
e0f8214c2e13d6182b522cd97b852a6bfdf621e8

SHA256
8c6d5cdda961f329ba84ea7e5f8d32a8764d08c0fbd477fe20c347bfb268f8dd

SHA512
102bf1c88ac1fe8dfabe9f6b1b54e21348d4fc86dacfba769837983e3e36949d5d1e9eda232c7c4c3c1b17a0d72b7bb26c6225129eedd7eb26cf87dccdf25c12

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
96KB

MD5
2b39117fb85f577b71770a3220e841f2

SHA1
64fb9bb153b549cb3e6542d38cb99d609c4c4c24

SHA256
069ba1d3960a171c1274c42abd1a6fe22fb135e95b5bb5f0affd702664921de4

SHA512
21048e575088d2ec240b867aa9c51589b0c42cc01339b3ba0788c7ac6795518b7b2708390d6589edda08af9eac8d9346cda12c6b1962c7195b5e1f2bd7ba39dc

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
96KB

MD5
5dba823034b4a6bd9c321d1c5383ef7e

SHA1
0724bef95e69259f8cee98005d77ddf58dc610e8

SHA256
6c15e0ad7b0d00ccbe67d7479228c5495fdc22d948e7b3297103b3db486c2753

SHA512
a71b45efb558702b050b1dc03df8e918d46faa29ff4e35e4e8679dcb752f0601b0eb8a12a26b5b345bf2ddacdfe2beb7d140dc48eb0f73d696e32d8a71574cde

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
96KB

MD5
3160976be8f5ae796dce8d697ca93f99

SHA1
21b1bfe52e66afebab9ca86447178ef2322795cc

SHA256
a1177b7908f64ba1938417b0d705b4527293c1eb5c924ee850919d895199a976

SHA512
a1f58665e764644f799ef3b191cc3bab5568f6fcfdb512f4081763906e98fc18a4b86a1e2647f1a7f1ff098bc864d7a722f7221699f5efb55a2b725ad5a74199

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
96KB

MD5
d95f58d0f228f618ea5d31db3d4bf8ef

SHA1
8423b9ce0043fba97b2cc0f608f0e1c609b730a8

SHA256
e5084eca108686e6e751253693b62d2fa89f64d492a6bf6ba14a0fee85906233

SHA512
e782358bc3b889ddaa04df852e968b9b1328b430b1a0685454ab2e480b37d04b58513a021fa90a3169ceeff0062dd3699289776061cb5ebd3b4ab2259a9ce140

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
96KB

MD5
60963442239572b909361dbc7cf2b775

SHA1
d71dcfd9e81fdf0c40c909b0b46b11bd8e0554b0

SHA256
40c490d54dbc21b147b9cb00f35e8fbe98cb3b48474acc740432e6ecbe77ce4d

SHA512
c6280c1cbe4cabadaa72d8e40eb363f2c97437cbfb5429987fcd553415045c3b0f4d7827fee5f8307d12d6867e2fdd541d44f995c5537fdd487dcc97fecd59e9

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
96KB

MD5
056dcfb9ed65b0769302a7bca1c2fa6e

SHA1
b1da31f7937cfb83b43d5e2805fdb95e5a98a34f

SHA256
4e7d715c38dba2cafd2dc8441da399eb4636dfe0a80a04d243d7602a5b808505

SHA512
46312df41127f66e7290c2cf461cddc0d1a7794db487847869e06cd4f9cee392542e1ce6e31988448e0f7d54afdab50898d2e920a2539b68d4f7206a5394b1c0

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
96KB

MD5
97c3e1fb99c2be9ec9ccfd6d1d7a02b3

SHA1
6be6a6d47a71d5f429d9d115ce8b2b92160dc655

SHA256
07e18f8bc2d29f8b24f93c751dba1da3d524ea3e6f7c6d65fc5284779723cc7f

SHA512
8f634518c46cbcfd1892d0bfe5dd71da5bb6692a80474610f3313c87a8924e4f9d5caca4c35d19bff25a52f960522e52caa2ac90e0497f5c18b7f0051b2a054d

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
96KB

MD5
21d0bd2731c082b8d4874283af5b230d

SHA1
beffa7d7308c4e7c7c701a5205b9c09567e2eac7

SHA256
da56455301cdc8b7d46f906f6af7ae47722f198e72e7ddad507e1e89260eb597

SHA512
1d51394cf51a19df70b7239aa39a305e1278a7e4002cd944d525cc2ebd48c872c69a1e4fee25e69c21a0901a6e96ea80f99fb0d584faf762336a56822019b240

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
96KB

MD5
ba753049dbdf3cca5b47bb1b02c055ce

SHA1
d165dda8833d0c9a418f3e5d0099e0f7cd34aa5b

SHA256
a18847648958a3b039be5cce463e8c67cf0fdae14877baf8f1243e6816616034

SHA512
258ef635409db7d550b6e284106cd19142e6b771f35da3f49641b76a6938db15ee2f0e35bad49c5490e1c95972c9c4a46f80d16116de03896ec24f3d5d267aef

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
96KB

MD5
406c7034b63a480266275f6e91c36c96

SHA1
c17e2743718abc5a9f168024fa9de03161d18046

SHA256
7882d0f019f63917d82eebfabf533d4d6ec7eda2c6bf5b980b181a8071c3ef4a

SHA512
cb173351b4c4e0ae72271e9d9bbebb8f853939538470c5e1469d63cba9be21d76d3482e0501b6eab02822ced7b2d2322b226e5a520cc42c791ab8e923b46189d

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
64KB

MD5
4dbb06e74ada37c57d8ccbced584dd93

SHA1
4c82c0d754b8c9662145931ad7e176c91c83130a

SHA256
b5d3c98dc634a639b600485fa9b051f31bfad2bddb9b1bbcbb431753929aa6a3

SHA512
d3292ba9237a0f3259ab9460b3ef889b2c1707911502a4cf4809f31faacd7ffa1edb05bc3f2a998c51cb1efe8ffc48a4568d211dcf0c06e88ff33ed4fd228451

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
96KB

MD5
c2abff63ebe04d81f8fc4980b53d3a56

SHA1
2ac8c1d2329e6f4a934fca3d99832124577091ca

SHA256
f0dfcef7222eb9c8a991aa9959b9f1e9bf766cb0fdb6f7b09fe0376a9805039a

SHA512
0789580528b0be5b40a7f6846f2717d43d541f2404b42ef43181ae80bed845ad854ab5cfedaed3a8e5f0e8223a609b54495390352f2b2cb2cf046797f718c10d

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
96KB

MD5
dfd6e4c3e5f82e6a96cf528b74cfda3a

SHA1
04dfa3bf829c61460866b05ca03032e7b563d2e2

SHA256
b8944e5e1494f81696956e260c490b48306dc83b78299014a4ea5cc7bf1ec23f

SHA512
e28ef622d6a3e4ff055c8ad8c9067a6de294f0e1f22f52e9fd617700bebb76e03bddccaf0f1bacf39a7e7a0960e3f41184ae9251eaacfb1df84fddb6cd168c53

Download Submit
memory/112-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/336-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/732-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-852-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-862-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-854-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-831-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads