berbew | 27b4ade644653f7ff438170c8d29b96545ce4099a50193dcf847034774889d0d

Analysis

max time kernel
95s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27b4ade644653f7ff438170c8d29b96545ce4099a50193dcf847034774889d0d.exe
Size

60KB
MD5

0901bd1a12884ea989d0ed7f544b3490
SHA1

3088b34102d10276b4fd842a26af32e0294ffc66
SHA256

27b4ade644653f7ff438170c8d29b96545ce4099a50193dcf847034774889d0d
SHA512

eb3828ac6c3400b8d6e7cae97633cd086aa951cedd6d09abfdaf8140b71b1e85a82af4eca2c4d6bbfef5432462285f89798a9efba7fb3dc132e95ab6d9f14101
SSDEEP

1536:DCqfmFbx51fwLFBZelSPh3XcMD9A9KFoPbZ1t9Cpd2t7B86l1rs:PGloFHeQpncMD9AgoPb59Tt7B86l1rs

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcfidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpepbgbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcoljagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obgohklm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpepbgbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ledepn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlljnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojqcnhkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oihmedma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflmnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfccogfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhcali32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlofcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njgqhicg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhoeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojcpdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmbegqjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfccogfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcikejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcnjijoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmfefni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqgojmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqgojmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amkhmoap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Affikdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lafmjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjhmhhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Affikdfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Likhem32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnehj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledepn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lomjicei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjidgkog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmaciefp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmbegqjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Legben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcoljagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njgqhicg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oonlfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oonlfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfaigclq.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2236	Likhem32.exe
1692	Lpepbgbd.exe
4988	Lafmjp32.exe
4752	Lindkm32.exe
3672	Lpgmhg32.exe
1104	Lcfidb32.exe
1864	Ledepn32.exe
4924	Lhcali32.exe
1392	Lomjicei.exe
3204	Legben32.exe
3024	Lhenai32.exe
4880	Loofnccf.exe
3176	Lhgkgijg.exe
5112	Loacdc32.exe
548	Mfkkqmiq.exe
1908	Mhjhmhhd.exe
3260	Mcoljagj.exe
1308	Mjidgkog.exe
2608	Mlhqcgnk.exe
2004	Mofmobmo.exe
3304	Mcaipa32.exe
4520	Mjlalkmd.exe
5012	Mpeiie32.exe
1760	Mfbaalbi.exe
4372	Mlljnf32.exe
4628	Mcfbkpab.exe
512	Mjpjgj32.exe
1552	Mlofcf32.exe
2096	Nblolm32.exe
2440	Njbgmjgl.exe
2928	Nmaciefp.exe
2816	Noppeaed.exe
4076	Nfihbk32.exe
4364	Nmcpoedn.exe
3396	Ncmhko32.exe
552	Njgqhicg.exe
5108	Nmfmde32.exe
2348	Nodiqp32.exe
4972	Ncpeaoih.exe
1952	Njjmni32.exe
2744	Nofefp32.exe
1016	Nbebbk32.exe
2020	Niojoeel.exe
4672	Nqfbpb32.exe
4736	Obgohklm.exe
3728	Ojnfihmo.exe
5084	Oqhoeb32.exe
4872	Objkmkjj.exe
4544	Ojqcnhkl.exe
1736	Oonlfo32.exe
3288	Ocihgnam.exe
3780	Ojcpdg32.exe
2252	Omalpc32.exe
4496	Obnehj32.exe
4420	Oihmedma.exe
372	Opbean32.exe
4932	Oflmnh32.exe
4956	Omfekbdh.exe
4776	Pbcncibp.exe
2240	Pimfpc32.exe
1700	Ppgomnai.exe
1416	Piocecgj.exe
4856	Ppikbm32.exe
1436	Pfccogfc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Iankhggi.dll	Mfkkqmiq.exe
File created	C:\Windows\SysWOW64\Dpifjj32.dll	Mjlalkmd.exe
File created	C:\Windows\SysWOW64\Pfigmnlg.dll	Nodiqp32.exe
File created	C:\Windows\SysWOW64\Deaiemli.dll	Pfepdg32.exe
File opened for modification	C:\Windows\SysWOW64\Baepolni.exe	Bkkhbb32.exe
File created	C:\Windows\SysWOW64\Nodeaima.dll	Baepolni.exe
File created	C:\Windows\SysWOW64\Jfpqiega.dll	Mpeiie32.exe
File created	C:\Windows\SysWOW64\Jgbfjmkq.dll	Mjpjgj32.exe
File opened for modification	C:\Windows\SysWOW64\Obgohklm.exe	Nqfbpb32.exe
File opened for modification	C:\Windows\SysWOW64\Oflmnh32.exe	Opbean32.exe
File created	C:\Windows\SysWOW64\Bdlfjh32.exe	Ajdbac32.exe
File created	C:\Windows\SysWOW64\Bbdpad32.exe	Babcil32.exe
File created	C:\Windows\SysWOW64\Hmafal32.dll	Bkkhbb32.exe
File opened for modification	C:\Windows\SysWOW64\Likhem32.exe	27b4ade644653f7ff438170c8d29b96545ce4099a50193dcf847034774889d0d.exe
File created	C:\Windows\SysWOW64\Lfqedp32.dll	Lcfidb32.exe
File opened for modification	C:\Windows\SysWOW64\Mcaipa32.exe	Mofmobmo.exe
File opened for modification	C:\Windows\SysWOW64\Njbgmjgl.exe	Nblolm32.exe
File opened for modification	C:\Windows\SysWOW64\Pfepdg32.exe	Pmmlla32.exe
File created	C:\Windows\SysWOW64\Pnbmhkia.dll	Aalmimfd.exe
File created	C:\Windows\SysWOW64\Cmgqpkip.exe	Ckidcpjl.exe
File created	C:\Windows\SysWOW64\Mpeiie32.exe	Mjlalkmd.exe
File created	C:\Windows\SysWOW64\Pninea32.dll	Mfbaalbi.exe
File created	C:\Windows\SysWOW64\Mlofcf32.exe	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Qidpon32.dll	Njgqhicg.exe
File created	C:\Windows\SysWOW64\Icbcjhfb.dll	Opbean32.exe
File created	C:\Windows\SysWOW64\Loofnccf.exe	Lhenai32.exe
File opened for modification	C:\Windows\SysWOW64\Loacdc32.exe	Lhgkgijg.exe
File opened for modification	C:\Windows\SysWOW64\Mlljnf32.exe	Mfbaalbi.exe
File created	C:\Windows\SysWOW64\Cmgilf32.dll	Mcfbkpab.exe
File opened for modification	C:\Windows\SysWOW64\Pmbegqjk.exe	Pjcikejg.exe
File created	C:\Windows\SysWOW64\Cajjjk32.exe	Cibain32.exe
File created	C:\Windows\SysWOW64\Lpepbgbd.exe	Likhem32.exe
File created	C:\Windows\SysWOW64\Diadam32.dll	Ledepn32.exe
File opened for modification	C:\Windows\SysWOW64\Loofnccf.exe	Lhenai32.exe
File created	C:\Windows\SysWOW64\Ildolk32.dll	Nmfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Pimfpc32.exe	Pbcncibp.exe
File created	C:\Windows\SysWOW64\Baepolni.exe	Bkkhbb32.exe
File opened for modification	C:\Windows\SysWOW64\Ojqcnhkl.exe	Objkmkjj.exe
File created	C:\Windows\SysWOW64\Dndfnlpc.dll	Ojcpdg32.exe
File created	C:\Windows\SysWOW64\Piocecgj.exe	Ppgomnai.exe
File created	C:\Windows\SysWOW64\Pafpga32.dll	Qiiflaoo.exe
File created	C:\Windows\SysWOW64\Bkodbfgo.dll	Dmjmekgn.exe
File opened for modification	C:\Windows\SysWOW64\Mfkkqmiq.exe	Loacdc32.exe
File opened for modification	C:\Windows\SysWOW64\Mlofcf32.exe	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Nofefp32.exe	Njjmni32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhoeb32.exe	Ojnfihmo.exe
File opened for modification	C:\Windows\SysWOW64\Omalpc32.exe	Ojcpdg32.exe
File opened for modification	C:\Windows\SysWOW64\Obnehj32.exe	Omalpc32.exe
File created	C:\Windows\SysWOW64\Lhcali32.exe	Ledepn32.exe
File created	C:\Windows\SysWOW64\Fanmld32.dll	Nmcpoedn.exe
File opened for modification	C:\Windows\SysWOW64\Ppgomnai.exe	Pimfpc32.exe
File opened for modification	C:\Windows\SysWOW64\Lpgmhg32.exe	Lindkm32.exe
File created	C:\Windows\SysWOW64\Egopbhnc.dll	Lomjicei.exe
File created	C:\Windows\SysWOW64\Mofmobmo.exe	Mlhqcgnk.exe
File created	C:\Windows\SysWOW64\Ocihgnam.exe	Oonlfo32.exe
File created	C:\Windows\SysWOW64\Iheocj32.dll	Ppgomnai.exe
File created	C:\Windows\SysWOW64\Qclmck32.exe	Pmbegqjk.exe
File created	C:\Windows\SysWOW64\Amnebo32.exe	Afcmfe32.exe
File created	C:\Windows\SysWOW64\Ldbhiiol.dll	Bjfogbjb.exe
File opened for modification	C:\Windows\SysWOW64\Lpepbgbd.exe	Likhem32.exe
File created	C:\Windows\SysWOW64\Lhenai32.exe	Legben32.exe
File opened for modification	C:\Windows\SysWOW64\Nblolm32.exe	Mlofcf32.exe
File created	C:\Windows\SysWOW64\Nmaciefp.exe	Njbgmjgl.exe
File opened for modification	C:\Windows\SysWOW64\Nfihbk32.exe	Noppeaed.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6120	6028	WerFault.exe	198

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oihmedma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflmnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppikbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpeiie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmhko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqgojmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amikgpcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajjjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckidcpjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgpeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27b4ade644653f7ff438170c8d29b96545ce4099a50193dcf847034774889d0d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledepn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgkgijg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfbaalbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niojoeel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obnehj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omfekbdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pimfpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpeaoih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbebbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojnfihmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmbegqjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnebo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfmfefni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgiohbfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loacdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmcpoedn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodiqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcaipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njgqhicg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdpad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlljnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njbgmjgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noppeaed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppgomnai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baepolni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likhem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nblolm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmdkcnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfogbjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgqpkip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpgmhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhenai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjidgkog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amkhmoap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbaclegm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmladm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjmekgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piocecgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdeiqgkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhffg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mofmobmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qclmck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajdbac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Objkmkjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhcali32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfkkqmiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcfbkpab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcikejg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdemb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmlla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lafmjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opbean32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpogkhnl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaidib32.dll"	Oflmnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjliff32.dll"	Lindkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ledepn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhenai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpifjj32.dll"	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbfjmkq.dll"	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajnjho.dll"	Amnebo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcaipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmbegqjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccfkp32.dll"	Affikdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbqfhb32.dll"	Lpgmhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lomjicei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncmhko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icbcjhfb.dll"	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohjfifo.dll"	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipimhnjc.dll"	Qcnjijoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amikgpcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Affikdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debbff32.dll"	27b4ade644653f7ff438170c8d29b96545ce4099a50193dcf847034774889d0d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhcali32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcoljagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaadlo32.dll"	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcnjijoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdlfjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfaigclq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnkah32.dll"	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amoppdld.dll"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll"	Dmjmekgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Likhem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faoiogei.dll"	Mjidgkog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbcncibp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhoped32.dll"	Pimfpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnlhmpgg.dll"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpgmhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khlaie32.dll"	Mofmobmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Affikdfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbddol32.dll"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jicchk32.dll"	Lhcali32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmladm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 2236	3392	27b4ade644653f7ff438170c8d29b96545ce4099a50193dcf847034774889d0d.exe	84
PID 3392 wrote to memory of 2236	3392	27b4ade644653f7ff438170c8d29b96545ce4099a50193dcf847034774889d0d.exe	84
PID 3392 wrote to memory of 2236	3392	27b4ade644653f7ff438170c8d29b96545ce4099a50193dcf847034774889d0d.exe	84
PID 2236 wrote to memory of 1692	2236	Likhem32.exe	85
PID 2236 wrote to memory of 1692	2236	Likhem32.exe	85
PID 2236 wrote to memory of 1692	2236	Likhem32.exe	85
PID 1692 wrote to memory of 4988	1692	Lpepbgbd.exe	86
PID 1692 wrote to memory of 4988	1692	Lpepbgbd.exe	86
PID 1692 wrote to memory of 4988	1692	Lpepbgbd.exe	86
PID 4988 wrote to memory of 4752	4988	Lafmjp32.exe	87
PID 4988 wrote to memory of 4752	4988	Lafmjp32.exe	87
PID 4988 wrote to memory of 4752	4988	Lafmjp32.exe	87
PID 4752 wrote to memory of 3672	4752	Lindkm32.exe	89
PID 4752 wrote to memory of 3672	4752	Lindkm32.exe	89
PID 4752 wrote to memory of 3672	4752	Lindkm32.exe	89
PID 3672 wrote to memory of 1104	3672	Lpgmhg32.exe	90
PID 3672 wrote to memory of 1104	3672	Lpgmhg32.exe	90
PID 3672 wrote to memory of 1104	3672	Lpgmhg32.exe	90
PID 1104 wrote to memory of 1864	1104	Lcfidb32.exe	91
PID 1104 wrote to memory of 1864	1104	Lcfidb32.exe	91
PID 1104 wrote to memory of 1864	1104	Lcfidb32.exe	91
PID 1864 wrote to memory of 4924	1864	Ledepn32.exe	92
PID 1864 wrote to memory of 4924	1864	Ledepn32.exe	92
PID 1864 wrote to memory of 4924	1864	Ledepn32.exe	92
PID 4924 wrote to memory of 1392	4924	Lhcali32.exe	93
PID 4924 wrote to memory of 1392	4924	Lhcali32.exe	93
PID 4924 wrote to memory of 1392	4924	Lhcali32.exe	93
PID 1392 wrote to memory of 3204	1392	Lomjicei.exe	95
PID 1392 wrote to memory of 3204	1392	Lomjicei.exe	95
PID 1392 wrote to memory of 3204	1392	Lomjicei.exe	95
PID 3204 wrote to memory of 3024	3204	Legben32.exe	96
PID 3204 wrote to memory of 3024	3204	Legben32.exe	96
PID 3204 wrote to memory of 3024	3204	Legben32.exe	96
PID 3024 wrote to memory of 4880	3024	Lhenai32.exe	97
PID 3024 wrote to memory of 4880	3024	Lhenai32.exe	97
PID 3024 wrote to memory of 4880	3024	Lhenai32.exe	97
PID 4880 wrote to memory of 3176	4880	Loofnccf.exe	98
PID 4880 wrote to memory of 3176	4880	Loofnccf.exe	98
PID 4880 wrote to memory of 3176	4880	Loofnccf.exe	98
PID 3176 wrote to memory of 5112	3176	Lhgkgijg.exe	99
PID 3176 wrote to memory of 5112	3176	Lhgkgijg.exe	99
PID 3176 wrote to memory of 5112	3176	Lhgkgijg.exe	99
PID 5112 wrote to memory of 548	5112	Loacdc32.exe	101
PID 5112 wrote to memory of 548	5112	Loacdc32.exe	101
PID 5112 wrote to memory of 548	5112	Loacdc32.exe	101
PID 548 wrote to memory of 1908	548	Mfkkqmiq.exe	102
PID 548 wrote to memory of 1908	548	Mfkkqmiq.exe	102
PID 548 wrote to memory of 1908	548	Mfkkqmiq.exe	102
PID 1908 wrote to memory of 3260	1908	Mhjhmhhd.exe	103
PID 1908 wrote to memory of 3260	1908	Mhjhmhhd.exe	103
PID 1908 wrote to memory of 3260	1908	Mhjhmhhd.exe	103
PID 3260 wrote to memory of 1308	3260	Mcoljagj.exe	104
PID 3260 wrote to memory of 1308	3260	Mcoljagj.exe	104
PID 3260 wrote to memory of 1308	3260	Mcoljagj.exe	104
PID 1308 wrote to memory of 2608	1308	Mjidgkog.exe	105
PID 1308 wrote to memory of 2608	1308	Mjidgkog.exe	105
PID 1308 wrote to memory of 2608	1308	Mjidgkog.exe	105
PID 2608 wrote to memory of 2004	2608	Mlhqcgnk.exe	106
PID 2608 wrote to memory of 2004	2608	Mlhqcgnk.exe	106
PID 2608 wrote to memory of 2004	2608	Mlhqcgnk.exe	106
PID 2004 wrote to memory of 3304	2004	Mofmobmo.exe	107
PID 2004 wrote to memory of 3304	2004	Mofmobmo.exe	107
PID 2004 wrote to memory of 3304	2004	Mofmobmo.exe	107
PID 3304 wrote to memory of 4520	3304	Mcaipa32.exe	108

C:\Users\Admin\AppData\Local\Temp\27b4ade644653f7ff438170c8d29b96545ce4099a50193dcf847034774889d0d.exe
"C:\Users\Admin\AppData\Local\Temp\27b4ade644653f7ff438170c8d29b96545ce4099a50193dcf847034774889d0d.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Windows\SysWOW64\Likhem32.exe
  C:\Windows\system32\Likhem32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\Lpepbgbd.exe
    C:\Windows\system32\Lpepbgbd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\SysWOW64\Lafmjp32.exe
      C:\Windows\system32\Lafmjp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
      - C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Mcaipa32.exe
        
        C:\Windows\system32\Mcaipa32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        34⤵
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\Nodiqp32.exe
        
        C:\Windows\system32\Nodiqp32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        42⤵
        Executes dropped EXE
        
        PID:2744
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3780
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Oflmnh32.exe
        
        C:\Windows\system32\Oflmnh32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\Pbcncibp.exe
        
        C:\Windows\system32\Pbcncibp.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Pimfpc32.exe
        
        C:\Windows\system32\Pimfpc32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1436
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4308
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Qclmck32.exe
        
        C:\Windows\system32\Qclmck32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        72⤵
        Drops file in System32 directory
        
        PID:4644
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        75⤵
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Acqgojmb.exe
        
        C:\Windows\system32\Acqgojmb.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\Afcmfe32.exe
        
        C:\Windows\system32\Afcmfe32.exe
        79⤵
        Drops file in System32 directory
        
        PID:932
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Affikdfn.exe
        
        C:\Windows\system32\Affikdfn.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        84⤵
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        88⤵
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        90⤵
        Drops file in System32 directory
        
        PID:1280
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5240
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        99⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        103⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5668
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5756
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        111⤵
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        112⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        113⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6028 -s 220
        114⤵
        Program crash
        
        PID:6120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6028 -ip 6028
1⤵
PID:6096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqgojmb.exe

Filesize
60KB

MD5
e8ceb62114bf00e00d1c94bfe30653ca

SHA1
297cba152604fdd066ae8e976dc1b8a5a8483cef

SHA256
c01949e6d34cb28820c6ad3cae93929104012ef3fa6dfa13fecdbadea7832e46

SHA512
82788fd36179cf06eb1e87cb89e8e3636e75fa8438871a71e26b03451e2d73e344e74f4a42937b4933e802e0e887e41a51b9f384cc56135ae63378b813b97a5f

Download Submit
C:\Windows\SysWOW64\Affikdfn.exe

Filesize
60KB

MD5
abe4f864928aa250d701063bce0d79a3

SHA1
167e8a5563daebd3026cbb9766eb9e33f7c4a28b

SHA256
2fb5b6624c5f96ca0d3581ec2d9aa1354edaafc1f7837e9826abc673060bb745

SHA512
b11513249bdf311f43d1e4aa4fdb7c58d6683091a730b7f0680d488d8db86d5edc95fdf19e307b42adbcc3620a43d6c33af03a8bec8e968a5c1ca1ebe1896de8

Download Submit
C:\Windows\SysWOW64\Baepolni.exe

Filesize
60KB

MD5
0158fd56fa13df0aecdd5850afcd87ba

SHA1
ca662a4fb54343723c11b4f54296b6ffe0505f84

SHA256
39d0732ba9694b98f5549715bfb3b11e4c1024aaa86e010f2b81b3b4f85604d9

SHA512
de32111abc8a8a6b3afc049096288b8348ef997723149ca679983a94a03cbeb405ce6c9742cc2987a7e3e20210c83387a54fc7df3b1ff60a5f787bcb58f4439d

Download Submit
C:\Windows\SysWOW64\Bbaclegm.exe

Filesize
60KB

MD5
07b045030c7a2232b212ddc85334f6df

SHA1
c0a109470db6bd34a64f777a3c1cf64c84fdfc4d

SHA256
a12b2122730074cd62c56d75b72b51334477e926a405f74d482ea21ca36e2db3

SHA512
5ab0833d01673330587728b11f89ecb08e4655fdf4efcc8b0b84ac84c29b5b823415d6740745c66c9f1e7ee43ec6c72935367cf570f9f93ac2aab1d4cad3e7ca

Download Submit
C:\Windows\SysWOW64\Bbdpad32.exe

Filesize
60KB

MD5
843932953fe01c2744e488cc41af51f5

SHA1
de33344e5422323098cf4854e10588fc779c16e9

SHA256
681b62606b05c2f4097b26a2bd67ef7ab21ea86037f6274bb61427faf1381f13

SHA512
9d675378e4582fea80bc907f5a55235c27118202ca2396d4ba97af990d2b07d8d133568427b5e0692738027b22e43cdb6d46de0a95e2527d5d67dde959c2c668

Download Submit
C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
60KB

MD5
6110c20a577c60ebb45f83ac01d9de4f

SHA1
a0abe9709c6c276ed876e01d1c898e1cdb23a5ad

SHA256
cab687f50f639feb17477644cfd384483ae8fee0fc833f4c1d014c5eb07b4567

SHA512
e00b5c73a7bbfdfdea545673e8fe111206ee1a17fb3e38a73b3d333eb9136a94b1281bcc0e192777a3c329003b4726db81d9239d945b8bbf38d23f2a443420c2

Download Submit
C:\Windows\SysWOW64\Bdlfjh32.exe

Filesize
60KB

MD5
04b2cd22dda9273ea4b337d620d77d1a

SHA1
62a0df7424ed74dae924a34fb67fd5144c6b22cc

SHA256
cfee94509b46ce0dc242bffe8eab1146cb7a4132e87b0844b3fe4c013e825465

SHA512
b4a8144f99c128f6339cdfe9b0f7cabac93266634f97e52dc8c3bf9e5db73f57d2ba800497b862281c5e2eeb6c2cd6ff5d5222a6a34fcb3708814f6957f60041

Download Submit
C:\Windows\SysWOW64\Cdhffg32.exe

Filesize
60KB

MD5
091e5d967f6055ba801a3b7ea67b5436

SHA1
b8e105c58714e9f7efa8c6176711b0173afc2bcf

SHA256
296850bbf321b2b0f4f4b615d151efaf7c9e8eeb4c268d5ea90cb21e6706c8dc

SHA512
0bb0fb53ca4ca551931536915117b6f4cf5231229f07b8cfd2cd41c694b7f82c3102c4be98e1790da00b6bfa96f1ab858f5c16f484a6b49e30a29dd30cbc211b

Download Submit
C:\Windows\SysWOW64\Cdolgfbp.exe

Filesize
60KB

MD5
51fb729cf804f458688eae87ac3fc543

SHA1
4b1a6ed28fe301caa0900004727e6768ec533b44

SHA256
d487f234b55b22ee8548916fead1d4d6aec30ef2e89bebb9c829c7dbc3b1c77c

SHA512
380bdb423bd6d8143547d53e1bac8a0e1fbc4693c28f35be5666284693af7c90f3365de827bbe76f99cc08e2f0b013590d28d025850c4e93aae1499f978f39c2

Download Submit
C:\Windows\SysWOW64\Cgiohbfi.exe

Filesize
60KB

MD5
0d9c9f1fe7a1e09dd1dbaf18ea4f3f14

SHA1
a58988c3c90672f8284bca5a8147b72643765b41

SHA256
b3d353ddf7273542efc37f5b29a1da5c14da29194fb5e63fb9399b7f3eec8861

SHA512
d2e348ae085f8ea3e1c0384eee8e958b458e18b421b6424b7eb905dc8c45ffb199d33dcefa877d8200d65a7cd683b6f302cf6ff0d6dfd08949e817397ae9e3b9

Download Submit
C:\Windows\SysWOW64\Dgbanq32.exe

Filesize
60KB

MD5
94fda6b96bcae1ae266d6c95247012e6

SHA1
2c09c812237621de9832fdf2ad0e5e6bf2de5edf

SHA256
828c6def303e53d8f65741449c5db2fb5508bf7fc3130523040043026b9155b3

SHA512
206beb5bc4cd0e09be874dadd9c639e822f22c474b3a74bec2eb23ca0fd77623b4532379084e01c0b51243ced10bb492484181785f16cfaf006324e15a128f29

Download Submit
C:\Windows\SysWOW64\Dgpeha32.exe

Filesize
60KB

MD5
7fbdb2cdf25e41ef8511dbe979c22207

SHA1
ad8aeeaf1c734f87ae3ba8e09dcc971943b0ab7d

SHA256
98f3e352d78794f5a72dd99c4b5b55cd914fda3063d872a566d38acdb170c054

SHA512
010073649df762b007eda8a4745035784ab650555d2c9818bb15d6a5555cd575db7f51c50d7b3b358bfe0f84ba66a587ecbb0d3166ecfbea015265d4692b4eb4

Download Submit
C:\Windows\SysWOW64\Lafmjp32.exe

Filesize
60KB

MD5
ea8666ecb6735a2184e35c6690862fef

SHA1
1c3d8a09adeb63530c44101a8122972251b583d0

SHA256
e465784bb8cecf39d67eb0f846d42c30ba2511ae7e701e8b3518e0a9887f7d30

SHA512
89b9fab4248bae34cbeaea1854ec63db01793b7659f73e4a1bce1d48dc47ba8595f605ce31f60775281ff577adaa917b6f0855724f30330339e52e9aa384231c

Download Submit
C:\Windows\SysWOW64\Lcfidb32.exe

Filesize
60KB

MD5
52117478cfdcb426dff6476adca21d6b

SHA1
61b0e681102cc2568a2ccb49cf7051051ba4a47b

SHA256
fbf70c03da4cdd41d161c646716a8d8beed7325b35721e9f96edcde8d7ed1ea3

SHA512
d2179f1fb1d612a160b3b6011fec8868e34c533879c535f112e7119c0d9c1329040be027c33c3de3578d41855308b8dd2f8b7ff0e550812d99b6be99ed6e0f16

Download Submit
C:\Windows\SysWOW64\Ledepn32.exe

Filesize
60KB

MD5
48581d8334f1025752d7dfd34ed3ef73

SHA1
829f12797b4497c0333c4595199824a440070d64

SHA256
0c3b5b71eae7b2bc0ad8f9c72ea62217b3a389823ec8748405e021566cd5df2f

SHA512
c2fd508fc226a7629f202d9da3056119d7c00aaa0c7a454c92bd2de4bf3e6bc0bceab985b7a64c0bc34e16659f7b59979321d779a8042dbda24081d8c9f7a1e2

Download Submit
C:\Windows\SysWOW64\Legben32.exe

Filesize
60KB

MD5
0d10050d32612b9e92fb0f2d89c3427e

SHA1
19e34b97c8952ecaea1df0cfeffc07985bda9366

SHA256
7c066d81bf9ae2a5321a89324e678d619b9a937298e19b1f152189c44f93e7e5

SHA512
57ae8931d585711a1241f75cc588eb5af539526b5817c17e6b036f93f3b37c8b11179a1404f674fdd6c1b189369eb73831a8c7234d41d9c8da9d5701fe23cfc2

Download Submit
C:\Windows\SysWOW64\Lhcali32.exe

Filesize
60KB

MD5
0d6cdcd1e775fc8a63c7c78ae4138a6c

SHA1
1a8b2045fced0d33c663dce93de1bc2c0534164f

SHA256
09baa90da60ac37fc73129b0c93bb9fdaaf233ee86855c7e819cac15a50f820a

SHA512
bddfc301c03eb7ed7a8bffce854a668b63b3f62082f186cb2066f6814406e25ccfbecfef080c04610ab6a2d7c9d787b41f51029dcc84b12e285968be400709d5

Download Submit
C:\Windows\SysWOW64\Lhenai32.exe

Filesize
60KB

MD5
0ae64b79b5050f2dadbf0aec969fc122

SHA1
df07cc20501c695a0a57afe77ebc65119e0091b0

SHA256
6a2615d19d65bba0590d3814bb216003fa8b1659a52e715e8972c8094e84b06e

SHA512
84b7546ce5312b2f47d6f5d7fd56868ede65b4371265c32c95e14b61e2b8424ba2f311aa25b59a165408cb0baf629ba6e2e019f38024c616db89132874af0f42

Download Submit
C:\Windows\SysWOW64\Lhgkgijg.exe

Filesize
60KB

MD5
a999c1f65d458635f9c3aab8fe05a367

SHA1
c662207fb7485ccde5f79535773f854dff289e51

SHA256
08817d06d31a2ff86be6291b1025ab02576a6ed411e8a3f1940fe4d919240e75

SHA512
7e2db701b1db64135a3046b44136797758f799fc722b6a5c019bbc57c8253961ecba64cbb2c2cf0d13ed130e872b0904c13e8dcaa297b3dcef3793075c4e5141

Download Submit
C:\Windows\SysWOW64\Likhem32.exe

Filesize
60KB

MD5
8d094b62dcf1a3b1a1433d1a4aa76f7b

SHA1
59b93e3420d55ab35831ccf2419c42f3197bcc56

SHA256
0c31905722ac748de84c6a0110eba718da69a80ed5fd770c88f7781e154448df

SHA512
21a490a17f211e3422583b1f87a5736ee66b7acb352baec534f539e181492cb57747e71136407e4b4b12dc0495606e351608f315bacb2ffbfeb0debc9b8f26bc

Download Submit
C:\Windows\SysWOW64\Lindkm32.exe

Filesize
60KB

MD5
b226104d96cf46afc4b846d31c51c94b

SHA1
df7a50f0419139b504ad2920e5261d24bea9833e

SHA256
1ed01874800e0853df8b09dd68fee665d26c2df09e70e62f68d4aece0882fec9

SHA512
2149ec2094d7a3987632f75869ebd43991c2cad8c950ac5d674d55522c1b973755b4f58bd92254d14fc5f9acc914eacf6f94110ee0c1d0b3925479415447075c

Download Submit
C:\Windows\SysWOW64\Loacdc32.exe

Filesize
60KB

MD5
1ff6500698ce6b6013b97802dd92fa3c

SHA1
efef77b40edcbba77fac005ba0c6cb13b47abaaf

SHA256
8b50afbab23fad0b755526cd7526c065e9bf58ca303e707a7b3dd5561e72aa07

SHA512
9317580c67aeb5051582f49bae31fd1fb852696877dc004a2639c7aad3fce4d216af5ed63ddb92c92a986aa79a3bfe9409701fdeb4b9b781cb588e069fbac369

Download Submit
C:\Windows\SysWOW64\Lomjicei.exe

Filesize
60KB

MD5
08ff80da5bb6a1f018f9afd1c3e06e55

SHA1
9b4ca62ae3ed2e68d274ceb8c4db2caddc11345d

SHA256
f0e16806b96a48db6054a8a7260c539148156ddba314677c8ef6bbf3c42cc325

SHA512
84cc1c1d2800dd4cec99dd22cb5c3dd73c975996f046bb7a8fcc3ee5851ecc0051469e37518ed6eaa9efd21e270c6df0b18b44a9e8e2c03ab60da1edc307488e

Download Submit
C:\Windows\SysWOW64\Loofnccf.exe

Filesize
60KB

MD5
b4d25c6f3f37199df822bca8a8d76356

SHA1
d4bba16833525270eaceb2be43610e0c86e74a19

SHA256
6622229ff9c86a1aee80b81e9d981044c982db99af87421775eabebc95618861

SHA512
de9fa7c40efd977a9d71a722628b94bfa17937e57b0beecd206d93b9e275d854f6c60b697e04601c27c33e2175bc018973ce9ddde13daddbdb187761a329e212

Download Submit
C:\Windows\SysWOW64\Lpepbgbd.exe

Filesize
60KB

MD5
9ba31e74941388888fa4d19aa24787d1

SHA1
7ec38ff323e4577678be4ff4a89abe3b0de5b877

SHA256
5674f8470cb77dd4d1bc2c722eade358db1a15ee7cfc5cf245b1d38083a7efe2

SHA512
fd14b83232ab24454e9a2b78e4af9b19fc737e2c5209bc261a85f0792ca3b8fb21132b98d38acc1734bb7001e3feb9ec653793040a88c2f07f8398ab423d6c1e

Download Submit
C:\Windows\SysWOW64\Lpgmhg32.exe

Filesize
60KB

MD5
5521549853f8ea1c265056414c24654e

SHA1
17fda5bdb7ef6d7f0825848366d52e55772faeb3

SHA256
092d5dda8f15a5e4febc79a3882c237d8d95e0fbc0d16081ba9acd657593ee8b

SHA512
045c34b606027d12549688bdfe9a31933cbdffcbe7bae7b0fd1f2213a31dfcb77c41bbcd5463022368e72b004d5b23153765a054184a0b553ce05aa08a02c69d

Download Submit
C:\Windows\SysWOW64\Mcaipa32.exe

Filesize
60KB

MD5
166ff73bf5bac38ff751bf6bd930e2eb

SHA1
b87c1bfde0112d5d36b12d93bd0e5a4454cdbe2b

SHA256
97a3b73a81feecf1edbbd0f6be616a901ab09defa83071c6a532b90fdaab622e

SHA512
47ab614ba2591fa9da3d708d09e5e6e3b23050da69f66306b7f0e85d3b85f6f606c1b3aa8db7ac9dd29f26b55c0c2d33981c8c19174b308c1e854bf80c857f99

Download Submit
C:\Windows\SysWOW64\Mcfbkpab.exe

Filesize
60KB

MD5
0f5a71d031b335d0718daff4538ff161

SHA1
e3d27c7abd0a0e2ad0f373a9bf80f7f57eb45f6a

SHA256
5710f06bbd025dad6429c02270656363f09442b522227c04f22a89fd87733a3d

SHA512
9db00797840c14f32abdc81a7dafe3c75c9b3c7d31838c0e00963b79f2e82d38f4a3f4d5c844bf08bf6c52a6e989b2fe90ea8bc9f25999af68413f5153f390fc

Download Submit
C:\Windows\SysWOW64\Mcoljagj.exe

Filesize
60KB

MD5
6665d5893190e0c5e843d2d750db6d48

SHA1
c7230f3844e48c18c49996e9e9fbf715983af9bd

SHA256
386c7c02c39a80ebfd088e48767f425ef844a239a247863b5f9e021151ec7914

SHA512
43595c405af35b9d5603113a2d9e9735718122967865820ac5a0cd0cdf34ea6f8a7e5e335d836f2663b9ec3e442bc655a136d1868bbf3a6c31ff873dc7f5751f

Download Submit
C:\Windows\SysWOW64\Mfbaalbi.exe

Filesize
60KB

MD5
44d25fb73ac4e60acbfb9aeca3c06ba8

SHA1
5328728cc47d113dba0423db047abb385024e267

SHA256
748d18706df446540f88a4fa9d7dfe2f11b63bc3166d8c70c485371242314515

SHA512
df86e253182b574c23487ef45f1e80c84ba6cd1ec8b553e14cbf90676e3d428d2dc0381839f91fa053d4f1ac73af78a12936140a30f128b741d7a45db1a3b644

Download Submit
C:\Windows\SysWOW64\Mfkkqmiq.exe

Filesize
60KB

MD5
fd94f5852c2eaeb9afc15f60b16cc6e1

SHA1
c08dcdc9f1dcc08cc9f769e25707198674bb20f3

SHA256
60f2014fea5e6b8f7e44a602d87a59ff8799d9d340bceb7a188e8ef840b213d1

SHA512
a490483fb945e3896acbc645ede4b0b7429646081c66e6d7162d4201f0139cbdf2fe35a7209e3fb1f1a155ae998d07f120cba16ed730c8a3df9b86a5d1cbe7a8

Download Submit
C:\Windows\SysWOW64\Mhjhmhhd.exe

Filesize
60KB

MD5
5cfd5219b2a5b63b5609e9cf61b0db4a

SHA1
e9a0174ccac7e86c2cc41a6b8ada290fb27bf327

SHA256
8f5943468b30ffd0d4347c6c9c9456270cf04b31a8c037be5b02c294f75a753b

SHA512
372710d05003af31dd817afe4eb5385965670921b65acc4ebe3067e2f65406d6c9e8467ad9428a91151cbc0069fcac8ba7099f4b910655d9b1f899352c2307e1

Download Submit
C:\Windows\SysWOW64\Mjidgkog.exe

Filesize
60KB

MD5
c97c8d05f2caeb01453d91b53865a77b

SHA1
6a5119433f3c554c7b5ee2021a488331a76e6e73

SHA256
35ba1e05c6d9f52691484e7dcf718cf814a643c57879e27a7802aad4f4520e46

SHA512
bcb02efa8d1eb1088025f2b8fb85eae899c34be8c18d58f34e5e000919893db7da038397daa89ec13b2b6dc0e25c2357410d6043d20e0141759cad941db67744

Download Submit
C:\Windows\SysWOW64\Mjlalkmd.exe

Filesize
60KB

MD5
e29d76fa3e7ba3418c8fab2c4a3e876e

SHA1
55f4a3f55283574d8a9979d885c0ce12d5a1a798

SHA256
8704e3796a3a4f848e3907d02d8d272a63128a7cb38feb9cc90226ba3276999e

SHA512
612e54a2cb71471c05e358c9b2c86fccc8dac2ae4b811cf724d35e04501fd4df5003905083e0aa0c48549ae520c06fb969c63a1ea4e90e29512dad3858e0aa2f

Download Submit
C:\Windows\SysWOW64\Mjpjgj32.exe

Filesize
60KB

MD5
bfdee45341f4dea3c97a5c7dd443ee72

SHA1
662fea2b4cb5df5cea486a9fabd95ed31cd9cc26

SHA256
d872534e376b7212fefe7a5e4b3efa61b07ce825f5d1a1843791060cfa533d2e

SHA512
ee8262aa1cc02fe939c2c1cb755039f063a1a3da2f8762d3d1a9ead71660dc29ea69fe0be5daeb875fa7b5da1dc86935cf2982877c609355d2794758b2f8d763

Download Submit
C:\Windows\SysWOW64\Mlhqcgnk.exe

Filesize
60KB

MD5
23a493c707618b418b57688074a014c2

SHA1
a3af3544aec750f509e6e4c1dc12f279b13ed9f4

SHA256
d02292add3bb4c70421b8b72954aeeab84fa017abba272e9df63ab20488c364e

SHA512
549d8aaab5d0249b6e97fe697c059554ee1bdfc8b10b948333ff69130bb3ccf4773ca5e862dc8fb5e9a4c25c41ac817b7ac5811497f5c9fe326886a008496c7a

Download Submit
C:\Windows\SysWOW64\Mlljnf32.exe

Filesize
60KB

MD5
858ce96de2d22ea23df10dee9a1fc52c

SHA1
97c50cbbf584baddb09ba5c7a5e4d32b2b4496d3

SHA256
b22156a4750163c7c469db9056c54b62ee6017a0232f8d27c4533aa5e00ecf9e

SHA512
3c122d213c30ad950b6c6ec3cdbb3ec54ff2be8c6558f77745b8e8c774fb513441c3e30a5717c7d323bb2d3e0d8093de874b30167d83bb312bb928120e1f8b61

Download Submit
C:\Windows\SysWOW64\Mlofcf32.exe

Filesize
60KB

MD5
707088995e99463a3d2ce3c359b04528

SHA1
db833efa70cfcef97226675b257c560b7072f014

SHA256
03cac8d3a90d5a280d4445f07f7d1dd3f9844d27d2c1122736f63778b60a048f

SHA512
2bce9be53e939de2c181ecc6b9ac4ef987e8462b6bb3f52700ef691e1b4b9c86deb25d3cfa9f873d2082034effb320f465ef83b6d9c7e4c921f6fe7abccc70b2

Download Submit
C:\Windows\SysWOW64\Mofmobmo.exe

Filesize
60KB

MD5
72d90ca3a518dfd87093cabe9ea12e52

SHA1
6d1dbc9cde6e184197a4785375be75c3c5b60e26

SHA256
af553a9f171b8a6dc1ab0913e08a38f8eb23ecd1e1c4092113f73c46f2607e5c

SHA512
86f79dff421101cb68b6c95126035ca989cc9ba77e4b424bfed3a5f9ad3199af10c642e9cd60663ad12393c6ac5bb8b1477a85f498267c24d49493084e2cd603

Download Submit
C:\Windows\SysWOW64\Mpeiie32.exe

Filesize
60KB

MD5
288cd4f4fa5534b76734ec68df720da6

SHA1
2efd6b869c7a891b9ccb66bf4b23da0791354ed5

SHA256
cd9121178e319b12262f0c1d7cb510ebf0f400cf3cb500140ad88987db870024

SHA512
efa3fd862f82a76564beaf2c320c7a10c524f4483694867ce7305f8632e6d5339dff95d03176bb3c6beb0284c0d0b42b60b6cb588d6e1a7886ef888425da13ed

Download Submit
C:\Windows\SysWOW64\Nblolm32.exe

Filesize
60KB

MD5
9fdace6c43b5e62c21c1ff3f60f266eb

SHA1
8bbb01d37e78615ac89cfa9680bb5af29b917887

SHA256
4066352b65e7e36f5cfd9e60c8189ad95e25d11efab11d91fb3564f45737cbf3

SHA512
ebda45bc24354185775ab189aecc074a7513f81890c80271f4f42f3b325e891f7397e9e857ae2f06f8e468dbc4414738420d67304c5ecf3beb86bbf0c292ac9a

Download Submit
C:\Windows\SysWOW64\Njbgmjgl.exe

Filesize
60KB

MD5
e48ac0d253f3f23d2ad17ab93889ae01

SHA1
3d93ca2396bf92f05bd689d744d9faca34c875e7

SHA256
017c0005ff4911105cef7ca2657323774aaec7912388886b9106c9fd8d556ed1

SHA512
40b8ccb007c40c4e5f60cf979f5c938af44268735df86cb9355d0672bfd071e59d8769096f7aba1ad34e7c186fcaee919ca02072eb04120ef18fdb9e073cd0ba

Download Submit
C:\Windows\SysWOW64\Nmaciefp.exe

Filesize
60KB

MD5
48453e0c0895365632bde042f924c8b2

SHA1
59919351bbc04daeb69d6c914260ffb39fc467da

SHA256
d84565e8189506653c94d9c8158ad299905ba95c01800965a8d71566c234af93

SHA512
599f84057a3674ff00cf2454696d60ffd5b7d820ea4a1772f8a2a9b520db5f646800edbac616672c12ffcfd2eafe6684e04b4844fc99609c3c95786759037477

Download Submit
C:\Windows\SysWOW64\Noppeaed.exe

Filesize
60KB

MD5
fef97cc0cc8f602226b387453334059b

SHA1
58739ca07d70d9611dfdb3836cedf58639c43e42

SHA256
625386698ed766de142df987fc7daa86a9686e495694aa2f36573b926cdc16bc

SHA512
468d127fe94312ac765221b2cc51569dcb7abac9f982273c2043b258cc4dd038d1905ce5bf85d6149b06b15da93a682faeb8379e3eacbcb334a75ac06c3e56b1

Download Submit
C:\Windows\SysWOW64\Oflmnh32.exe

Filesize
60KB

MD5
086e2acbba03b0ce37572a4e281e5895

SHA1
168d3475b75170eea817f173079f4fde7b28a3ed

SHA256
1526bb8e4f074b0c37ab6e5fade930c13d51ad13a9351e40032b1f109778289a

SHA512
5af5225f13b3843b9bac97db0da2ed26b5e6a5f85b0d2c9722ce49bdd5c7f1a9312e2b423064f083a1d56e0bc011c6a8312404e90368157dea846f313744698d

Download Submit
C:\Windows\SysWOW64\Ojqcnhkl.exe

Filesize
60KB

MD5
2ef944f2cd37e622cf4330947cd73291

SHA1
85c1c63456334d1a47242cc2fb8923c75f49f718

SHA256
91cdb399fed8e0b1ac7b5c3a815848751f57d03284579f0a49cf022fbd42637d

SHA512
dec2e6cdbb0f48c56e9248a281f23cd4d0ed9c0cc458e60c176e93187c8c73d30aa0637718831d27c3e919eb89f0783c87b97b5c9b7416ba085f709da7a1ec43

Download Submit
C:\Windows\SysWOW64\Omalpc32.exe

Filesize
60KB

MD5
61f23403d859c5f54a6eaa327feae570

SHA1
5c37e106f4d27b9a10d476cd417f99f993da7151

SHA256
2a1f78257bc2d2566afcc83a38111009e12cd9d254f67bf42ee5714ffca21369

SHA512
16635a6acb144f3b735ad318a568e261c7f165bc0fafd1fba6aaf28d4cf1230708a82b81d4e36a66d8639ae060cfd23cc9b044f537d063d4b17485c3a581943d

Download Submit
C:\Windows\SysWOW64\Opbean32.exe

Filesize
60KB

MD5
31f4f6f7c459f0bd37bc7ffab2734669

SHA1
b17c801c3bd1d6a0674746851853bc8d7ae9878d

SHA256
a39dc1a5d92fe95fe412e9d71866161f0567b11db6bc3af59e405bbb9e6bcd51

SHA512
8b7cadc90782797a909b5eca0fa6b0bfe90988759605c07515e8d4fa0b174a46dae91b67aa55b14f46f4b3a3172a29e29b8efc17fa348a8d2f1ce261a1bd74ea

Download Submit
C:\Windows\SysWOW64\Pbcncibp.exe

Filesize
60KB

MD5
7ea65eb68aa1e9e7b6dedaf0dad02f6e

SHA1
bcafb776d278c8938acb1c4a3f4136d8a944f0da

SHA256
2ee4669f0e49d2efeb03680a2a98b01cb2487b652e1ac68c44d5f88dde76cc78

SHA512
3b79033fd48b8ebb282077acbdb2454e3fa69b050547ebd23577b0b6266c9f433525b4554382c4e374cc3dd798364b6c3ee40a2bdda03847e16fa632679500d5

Download Submit
C:\Windows\SysWOW64\Piocecgj.exe

Filesize
60KB

MD5
20418ccd89b1379fd90bd9c16950f4de

SHA1
9243293e4f2309861e3fc514260b279d9ca1b9ba

SHA256
774eae4ea621a95bc48d11870de51b796d3a4ed9ad41fd348a0085e7b889aa99

SHA512
df3956b636592f7ac5500f3a802d84217e05b6265026f42c9dffce63332570dd30d7f98504e07efcc0d1a2ec392a07702457d48507808b4ed69e0975e9dc77ea

Download Submit
C:\Windows\SysWOW64\Pmmlla32.exe

Filesize
60KB

MD5
b6a0aa882f59e4abce470aceca5e96a3

SHA1
6683a1c5d0d5c6378bd1a87b44d277c257fd431a

SHA256
b2f25bacdacc39e837ccc17591d9796eeea403492c09ec872e6601520f1de965

SHA512
74d23f81b60105526053ce519fd7321af9f7a5124b6ea091095b41be8012ccbf699d4661d7052a2b83ab0259cc93876f3abb5409b13c6aeb8a55ad910c774786

Download Submit
C:\Windows\SysWOW64\Qclmck32.exe

Filesize
60KB

MD5
66e00d778272e60c0a9427e8bc7e537a

SHA1
3aed3400818419dee84e9978b9306c465d38d7df

SHA256
3df2b3e3ff396105711ef8e958a9d50abf67ef8c5da30acd3c14cb64b3e3977d

SHA512
50b4aeb0f07e366424686900819972f640a940faebb99fc19cc44593784af0efdd5e0f3d90a76b4c3460667f8a8039f4e0377f4544056b76bb88587174c09bce

Download Submit
memory/512-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/512-235-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/548-126-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/548-215-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/552-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/552-373-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/552-972-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1016-413-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1016-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1104-134-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1104-1033-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1104-48-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1308-242-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1308-153-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1392-161-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1392-73-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1552-317-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1552-243-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1692-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1692-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1736-400-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1760-289-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1760-208-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1864-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1864-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1908-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1908-225-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1952-332-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2004-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2020-353-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2020-420-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2096-324-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2096-252-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2236-89-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2236-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2252-421-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2348-318-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2440-331-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2608-251-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2608-163-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2744-339-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2744-406-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2816-275-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2816-345-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2928-338-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2928-267-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3024-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3024-179-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3176-197-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3176-108-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3204-171-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3204-82-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3260-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3260-234-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3288-407-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3304-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3392-1-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/3392-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3392-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3396-366-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3396-297-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3672-125-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3672-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3728-374-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3780-414-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4076-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4076-283-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4168-874-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4364-359-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4364-290-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4372-296-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4372-217-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4420-434-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4496-428-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4520-190-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4544-394-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4628-226-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4628-303-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4672-360-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4672-427-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4736-367-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4736-955-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4752-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4752-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4872-387-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4880-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4880-189-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4924-152-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4924-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4972-325-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4972-393-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4988-107-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4988-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5012-198-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5012-282-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5084-381-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5108-311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5108-380-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5112-118-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5112-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5368-851-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5580-840-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads