berbew | 1e73a011da99a7389059550571a370704c4cf3aee3488e36672b216982e80ba9

Analysis

max time kernel
90s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e73a011da99a7389059550571a370704c4cf3aee3488e36672b216982e80ba9.exe
Size

56KB
MD5

596c040ddb453c0ddaa6ea146383182d
SHA1

c57510691d848ee2c83f0084660cd758c2e69619
SHA256

1e73a011da99a7389059550571a370704c4cf3aee3488e36672b216982e80ba9
SHA512

2de883fecfc704294819a333a6f9d457764e08d4c7e3672d62663931b1b0391f945a00b24d56c27b8a98607f3caa549fd10f0278b747c0c3a44ebb4f3eb71de2
SSDEEP

768:NgNNYzBuQFwYP1CbAQBgEVDAeXcfEPEbIDENkoQewJp6EYhbttNtJ5j/1H5lXdnh:NR9uk9mlBgE2eXcfEcKNoQrQ1ptLdl

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onocomdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akblfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfqlfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kngkqbgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lncjlq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfchlbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojhpimhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chfegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moipoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lqojclne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqhdbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lncjlq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcimdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onocomdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaoaic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aknbkjfh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdciiec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmkmjjaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1e73a011da99a7389059550571a370704c4cf3aee3488e36672b216982e80ba9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceefd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ompfej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akpoaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbpjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omgmeigd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Panhbfep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoioli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfaemp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oghghb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgpcliao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjkic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahofoogd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nncccnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogcnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmpolgoi.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3124	Kfpcoefj.exe
2864	Kngkqbgl.exe
404	Lljklo32.exe
1420	Lcdciiec.exe
1788	Lfbped32.exe
1460	Lnjgfb32.exe
2784	Lqhdbm32.exe
4888	Lgbloglj.exe
2408	Lfeljd32.exe
1520	Llodgnja.exe
2444	Lcimdh32.exe
1500	Lfgipd32.exe
4928	Lnoaaaad.exe
1644	Lqmmmmph.exe
1396	Lckiihok.exe
1880	Lfjfecno.exe
3884	Lqojclne.exe
932	Lobjni32.exe
3168	Lflbkcll.exe
2928	Lncjlq32.exe
1748	Modgdicm.exe
4056	Mjjkaabc.exe
4204	Mqdcnl32.exe
1912	Mcbpjg32.exe
888	Mfqlfb32.exe
1212	Mnhdgpii.exe
4020	Moipoh32.exe
4772	Mfchlbfd.exe
4316	Mjodla32.exe
3152	Nnojho32.exe
3772	Nopfpgip.exe
1848	Nclbpf32.exe
4052	Nnafno32.exe
3080	Npbceggm.exe
2712	Ngjkfd32.exe
4592	Nflkbanj.exe
3164	Nncccnol.exe
3212	Npepkf32.exe
3460	Nfohgqlg.exe
2412	Nnfpinmi.exe
4900	Nadleilm.exe
2520	Ncchae32.exe
4436	Nfaemp32.exe
4040	Njmqnobn.exe
1188	Nmkmjjaa.exe
2824	Nceefd32.exe
852	Nfcabp32.exe
2344	Onkidm32.exe
4376	Oplfkeob.exe
2976	Ogcnmc32.exe
2664	Ojajin32.exe
1920	Opnbae32.exe
4324	Ocjoadei.exe
3980	Onocomdo.exe
1088	Oanokhdb.exe
452	Oghghb32.exe
1524	Ojfcdnjc.exe
2756	Oaplqh32.exe
4988	Ocohmc32.exe
2988	Ojhpimhp.exe
1776	Omgmeigd.exe
936	Opeiadfg.exe
2108	Ohlqcagj.exe
1700	Pnfiplog.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cnfkdb32.exe	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Bfnikd32.dll	Lgbloglj.exe
File created	C:\Windows\SysWOW64\Ojenek32.dll	Oanokhdb.exe
File created	C:\Windows\SysWOW64\Lcimdh32.exe	Llodgnja.exe
File created	C:\Windows\SysWOW64\Nnahhegq.dll	Oaplqh32.exe
File created	C:\Windows\SysWOW64\Dnbdlf32.dll	Lfgipd32.exe
File created	C:\Windows\SysWOW64\Dddjmo32.dll	Panhbfep.exe
File created	C:\Windows\SysWOW64\Olaafabl.dll	Cammjakm.exe
File created	C:\Windows\SysWOW64\Ipbehfom.dll	Lnjgfb32.exe
File created	C:\Windows\SysWOW64\Lncjlq32.exe	Lflbkcll.exe
File created	C:\Windows\SysWOW64\Opeiadfg.exe	Omgmeigd.exe
File opened for modification	C:\Windows\SysWOW64\Pfdjinjo.exe	Pdenmbkk.exe
File created	C:\Windows\SysWOW64\Panhbfep.exe	Pjdpelnc.exe
File created	C:\Windows\SysWOW64\Qaqegecm.exe	Qfkqjmdg.exe
File created	C:\Windows\SysWOW64\Aajhndkb.exe	Amnlme32.exe
File created	C:\Windows\SysWOW64\Lqhdbm32.exe	Lnjgfb32.exe
File created	C:\Windows\SysWOW64\Mgnddp32.dll	Caojpaij.exe
File opened for modification	C:\Windows\SysWOW64\Mqdcnl32.exe	Mjjkaabc.exe
File created	C:\Windows\SysWOW64\Bdfpkm32.exe	Bahdob32.exe
File created	C:\Windows\SysWOW64\Efmnhl32.dll	Lobjni32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjkaabc.exe	Modgdicm.exe
File opened for modification	C:\Windows\SysWOW64\Nnafno32.exe	Nclbpf32.exe
File opened for modification	C:\Windows\SysWOW64\Bmjkic32.exe	Bgpcliao.exe
File opened for modification	C:\Windows\SysWOW64\Cglbhhga.exe	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Bkncfepb.dll	Modgdicm.exe
File created	C:\Windows\SysWOW64\Fihgkk32.dll	Lqojclne.exe
File created	C:\Windows\SysWOW64\Mjjkaabc.exe	Modgdicm.exe
File opened for modification	C:\Windows\SysWOW64\Moipoh32.exe	Mnhdgpii.exe
File created	C:\Windows\SysWOW64\Gdglhf32.dll	Njmqnobn.exe
File opened for modification	C:\Windows\SysWOW64\Pdmdnadc.exe	Panhbfep.exe
File opened for modification	C:\Windows\SysWOW64\Boldhf32.exe	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Pagbaglh.exe	Pjmjdm32.exe
File created	C:\Windows\SysWOW64\Amnlme32.exe	Akpoaj32.exe
File created	C:\Windows\SysWOW64\Eleqaiga.dll	Mjodla32.exe
File created	C:\Windows\SysWOW64\Kbjpeo32.dll	Nopfpgip.exe
File created	C:\Windows\SysWOW64\Npepkf32.exe	Nncccnol.exe
File opened for modification	C:\Windows\SysWOW64\Dnmaea32.exe	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Nflkbanj.exe	Ngjkfd32.exe
File opened for modification	C:\Windows\SysWOW64\Oghghb32.exe	Oanokhdb.exe
File created	C:\Windows\SysWOW64\Pneall32.dll	Ppolhcnm.exe
File created	C:\Windows\SysWOW64\Ifaohg32.dll	Aaoaic32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdciiec.exe	Lljklo32.exe
File opened for modification	C:\Windows\SysWOW64\Lncjlq32.exe	Lflbkcll.exe
File created	C:\Windows\SysWOW64\Jnifpf32.dll	Moipoh32.exe
File created	C:\Windows\SysWOW64\Nnojho32.exe	Mjodla32.exe
File created	C:\Windows\SysWOW64\Kllfakij.dll	Nnojho32.exe
File created	C:\Windows\SysWOW64\Hhblffgn.dll	Pdmdnadc.exe
File created	C:\Windows\SysWOW64\Pipeabep.dll	Cpdgqmnb.exe
File opened for modification	C:\Windows\SysWOW64\Npbceggm.exe	Nnafno32.exe
File opened for modification	C:\Windows\SysWOW64\Ngjkfd32.exe	Npbceggm.exe
File created	C:\Windows\SysWOW64\Jjjojj32.dll	Nflkbanj.exe
File opened for modification	C:\Windows\SysWOW64\Opeiadfg.exe	Omgmeigd.exe
File created	C:\Windows\SysWOW64\Omfmcjlk.dll	Ohlqcagj.exe
File opened for modification	C:\Windows\SysWOW64\Kfpcoefj.exe	1e73a011da99a7389059550571a370704c4cf3aee3488e36672b216982e80ba9.exe
File created	C:\Windows\SysWOW64\Lckiihok.exe	Lqmmmmph.exe
File created	C:\Windows\SysWOW64\Onocomdo.exe	Ocjoadei.exe
File created	C:\Windows\SysWOW64\Ahdpjn32.exe	Adhdjpjf.exe
File created	C:\Windows\SysWOW64\Nphihiif.dll	Oghghb32.exe
File created	C:\Windows\SysWOW64\Ppcbba32.dll	Phcgcqab.exe
File opened for modification	C:\Windows\SysWOW64\Bpdnjple.exe	Baannc32.exe
File created	C:\Windows\SysWOW64\Cpdgqmnb.exe	Cnfkdb32.exe
File created	C:\Windows\SysWOW64\Gddedlaq.dll	Lljklo32.exe
File created	C:\Windows\SysWOW64\Mfqlfb32.exe	Mcbpjg32.exe
File created	C:\Windows\SysWOW64\Qfkqjmdg.exe	Pdmdnadc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7116	7028	WerFault.exe	246

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdagpnbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e73a011da99a7389059550571a370704c4cf3aee3488e36672b216982e80ba9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfpcoefj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfcabp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdjinjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apodoq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lflbkcll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojhpimhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppolhcnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bddcenpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cponen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caojpaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqhdbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llodgnja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cogddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfeljd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfohgqlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onkidm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmnbfhal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaoaic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajqda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chfegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cglbhhga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moipoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfiplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpolgoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahmjjoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahofoogd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npbceggm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nncccnol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaplqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panhbfep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akpoaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocjiehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcdciiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opnbae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oanokhdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paeelgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdenmbkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahaceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmmeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpdnjple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kngkqbgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phonha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgkiaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhkfkmmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cncnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpcal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgbloglj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opeiadfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplobcpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkqoohc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfbped32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjjkaabc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfqlfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oplfkeob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqojclne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmdnadc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpeahb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dddjmo32.dll"	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oblknjim.dll"	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minqeaad.dll"	Lqhdbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbjgbff.dll"	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpghll32.dll"	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhal32.dll"	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjbcplpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdmlfj.dll"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cogddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lljklo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llodgnja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnhdgpii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nopfpgip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejphhm32.dll"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmjkic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lqhdbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfeljd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjembbd.dll"	Llodgnja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfjfecno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oplfkeob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekgliip.dll"	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfnjgdn.dll"	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boldhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcimdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcdqdie.dll"	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipeabep.dll"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfjfecno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmjdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojnkocdc.dll"	Mcbpjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjgeopm.dll"	Npepkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoecbmi.dll"	Baannc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajimagp.dll"	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cggimh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nncccnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll"	Boldhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfpcoefj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ompfej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedckdaj.dll"	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll"	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjdpelnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adhdjpjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lflbkcll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nflkbanj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghgmioe.dll"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbikhdcm.dll"	Paeelgnj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 3124	4748	1e73a011da99a7389059550571a370704c4cf3aee3488e36672b216982e80ba9.exe	88
PID 4748 wrote to memory of 3124	4748	1e73a011da99a7389059550571a370704c4cf3aee3488e36672b216982e80ba9.exe	88
PID 4748 wrote to memory of 3124	4748	1e73a011da99a7389059550571a370704c4cf3aee3488e36672b216982e80ba9.exe	88
PID 3124 wrote to memory of 2864	3124	Kfpcoefj.exe	89
PID 3124 wrote to memory of 2864	3124	Kfpcoefj.exe	89
PID 3124 wrote to memory of 2864	3124	Kfpcoefj.exe	89
PID 2864 wrote to memory of 404	2864	Kngkqbgl.exe	90
PID 2864 wrote to memory of 404	2864	Kngkqbgl.exe	90
PID 2864 wrote to memory of 404	2864	Kngkqbgl.exe	90
PID 404 wrote to memory of 1420	404	Lljklo32.exe	91
PID 404 wrote to memory of 1420	404	Lljklo32.exe	91
PID 404 wrote to memory of 1420	404	Lljklo32.exe	91
PID 1420 wrote to memory of 1788	1420	Lcdciiec.exe	92
PID 1420 wrote to memory of 1788	1420	Lcdciiec.exe	92
PID 1420 wrote to memory of 1788	1420	Lcdciiec.exe	92
PID 1788 wrote to memory of 1460	1788	Lfbped32.exe	93
PID 1788 wrote to memory of 1460	1788	Lfbped32.exe	93
PID 1788 wrote to memory of 1460	1788	Lfbped32.exe	93
PID 1460 wrote to memory of 2784	1460	Lnjgfb32.exe	94
PID 1460 wrote to memory of 2784	1460	Lnjgfb32.exe	94
PID 1460 wrote to memory of 2784	1460	Lnjgfb32.exe	94
PID 2784 wrote to memory of 4888	2784	Lqhdbm32.exe	95
PID 2784 wrote to memory of 4888	2784	Lqhdbm32.exe	95
PID 2784 wrote to memory of 4888	2784	Lqhdbm32.exe	95
PID 4888 wrote to memory of 2408	4888	Lgbloglj.exe	96
PID 4888 wrote to memory of 2408	4888	Lgbloglj.exe	96
PID 4888 wrote to memory of 2408	4888	Lgbloglj.exe	96
PID 2408 wrote to memory of 1520	2408	Lfeljd32.exe	97
PID 2408 wrote to memory of 1520	2408	Lfeljd32.exe	97
PID 2408 wrote to memory of 1520	2408	Lfeljd32.exe	97
PID 1520 wrote to memory of 2444	1520	Llodgnja.exe	98
PID 1520 wrote to memory of 2444	1520	Llodgnja.exe	98
PID 1520 wrote to memory of 2444	1520	Llodgnja.exe	98
PID 2444 wrote to memory of 1500	2444	Lcimdh32.exe	99
PID 2444 wrote to memory of 1500	2444	Lcimdh32.exe	99
PID 2444 wrote to memory of 1500	2444	Lcimdh32.exe	99
PID 1500 wrote to memory of 4928	1500	Lfgipd32.exe	100
PID 1500 wrote to memory of 4928	1500	Lfgipd32.exe	100
PID 1500 wrote to memory of 4928	1500	Lfgipd32.exe	100
PID 4928 wrote to memory of 1644	4928	Lnoaaaad.exe	101
PID 4928 wrote to memory of 1644	4928	Lnoaaaad.exe	101
PID 4928 wrote to memory of 1644	4928	Lnoaaaad.exe	101
PID 1644 wrote to memory of 1396	1644	Lqmmmmph.exe	102
PID 1644 wrote to memory of 1396	1644	Lqmmmmph.exe	102
PID 1644 wrote to memory of 1396	1644	Lqmmmmph.exe	102
PID 1396 wrote to memory of 1880	1396	Lckiihok.exe	103
PID 1396 wrote to memory of 1880	1396	Lckiihok.exe	103
PID 1396 wrote to memory of 1880	1396	Lckiihok.exe	103
PID 1880 wrote to memory of 3884	1880	Lfjfecno.exe	104
PID 1880 wrote to memory of 3884	1880	Lfjfecno.exe	104
PID 1880 wrote to memory of 3884	1880	Lfjfecno.exe	104
PID 3884 wrote to memory of 932	3884	Lqojclne.exe	105
PID 3884 wrote to memory of 932	3884	Lqojclne.exe	105
PID 3884 wrote to memory of 932	3884	Lqojclne.exe	105
PID 932 wrote to memory of 3168	932	Lobjni32.exe	107
PID 932 wrote to memory of 3168	932	Lobjni32.exe	107
PID 932 wrote to memory of 3168	932	Lobjni32.exe	107
PID 3168 wrote to memory of 2928	3168	Lflbkcll.exe	108
PID 3168 wrote to memory of 2928	3168	Lflbkcll.exe	108
PID 3168 wrote to memory of 2928	3168	Lflbkcll.exe	108
PID 2928 wrote to memory of 1748	2928	Lncjlq32.exe	109
PID 2928 wrote to memory of 1748	2928	Lncjlq32.exe	109
PID 2928 wrote to memory of 1748	2928	Lncjlq32.exe	109
PID 1748 wrote to memory of 4056	1748	Modgdicm.exe	111

C:\Users\Admin\AppData\Local\Temp\1e73a011da99a7389059550571a370704c4cf3aee3488e36672b216982e80ba9.exe
"C:\Users\Admin\AppData\Local\Temp\1e73a011da99a7389059550571a370704c4cf3aee3488e36672b216982e80ba9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\SysWOW64\Kfpcoefj.exe
  C:\Windows\system32\Kfpcoefj.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\SysWOW64\Kngkqbgl.exe
    C:\Windows\system32\Kngkqbgl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\Lljklo32.exe
      C:\Windows\system32\Lljklo32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:404
    - - C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1420
      - C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Lckiihok.exe
        
        C:\Windows\system32\Lckiihok.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        24⤵
        Executes dropped EXE
        
        PID:4204
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1848
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        41⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        42⤵
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        43⤵
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4040
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1188
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        52⤵
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3980
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1524
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        61⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        70⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        75⤵
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        76⤵
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        83⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        84⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        95⤵
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        102⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        103⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        111⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        119⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        123⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        126⤵
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        127⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        128⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        129⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5932
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        132⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6168
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6208
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:6252
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6296
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        137⤵
        Drops file in System32 directory
        
        PID:6344
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:6440
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        140⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6540
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        142⤵
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        143⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        144⤵
        Modifies registry class
        
        PID:6672
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6760
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        147⤵
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        148⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6852
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        149⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        150⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:6984
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        152⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 400
        153⤵
        Program crash
        
        PID:7116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7028 -ip 7028
1⤵
PID:7092

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:6540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Akdilipp.exe

Filesize
56KB

MD5
d0a37e489dedae8f9d10103b38a11f07

SHA1
1e128b2acaf385e3ceef616891aae07074e98d18

SHA256
70f4e367814540ed89e143dd12399cabbd5527bf2e49d2e395cc9b7d71faf0f4

SHA512
cbed06732d7fb9aa10959ee027b05bb77ab783a1ecdaabb893b5ab6a97e081de1af2500bdcbd49cacabb8bd01c931da84b4b59a61cc4700f2d50236eaca3c7b6

Download Submit
C:\Windows\SysWOW64\Apodoq32.exe

Filesize
56KB

MD5
6b7286e6861492de49dcde6f8a0d2ddf

SHA1
a1af46274b328813130f0071556ca036db67ae3d

SHA256
d08f09b691abeca69ed259269f6865dd775ecf21cb3b9e1a2fee86022ddabaff

SHA512
31aa84e4ce0438ee99aefb2728500dd7a18b61da43a93fafa87e0fcecdf8f595a1096ff89a093bbff5ed129a9abed8e738d6b9fd7971097df89f41df069c2656

Download Submit
C:\Windows\SysWOW64\Bgkiaj32.exe

Filesize
56KB

MD5
b94101f21faae779930bc8cb9e82c68c

SHA1
009237bc26444aeed8ae394b0b12b8524bd81189

SHA256
6f708c6fd3d251457f7c5ae5b9571c391328323b3e6f74cd4f4759d87ebd2345

SHA512
87b642f557bb6b9c3e4f9a51ddc809046b9783015e286d7f037ccd5305bf8568e085315c0e57c9303cdb13a6fccb6cb457ddecc35048bc0dd34c313b7efc1c8d

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
56KB

MD5
00d5a27c14e079437ac869e77f971917

SHA1
daa1cf15a4057cf446665d743c825172815047f3

SHA256
c5c18f1cdde72c5767717bd1372fffb5fa64e1bd354d7bf94ba5081ce6e092a2

SHA512
dcef63134d1a3590f979c85db9124b49b55031843b37a1e5878bc8c4f31efc0ce4a19288227b03d5923635951444f66bc8478f170f452fd1c894eb9a82252b75

Download Submit
C:\Windows\SysWOW64\Cocjiehd.exe

Filesize
56KB

MD5
f4a45b7ce43002f1d51edd64b8dac4ab

SHA1
6bf697f2e19e9f867786b4c551019f0e7cce7c9e

SHA256
d8cc9fb832eb76c9403d1d86ca04365b32be71ddbfd42f7c5d8ef68de3d6c8f7

SHA512
df44f33f5ec584c4978477987a383f51793a55610614f666787bbf110d145c989f128ebcbcb4d444e47d6263a8a39b929558c3d3865eaf90b7ba02219c926cb3

Download Submit
C:\Windows\SysWOW64\Dahmfpap.exe

Filesize
56KB

MD5
e8b1e0c56d9cf478f85def01de39e056

SHA1
82f593b8a0103ffe1d46de9a7ff4b9e72c5573b6

SHA256
88145547d167ebc2d97e215be0b9d2878b7d0973262aebde8fc54f52bcb42acf

SHA512
d53303184728fb9858f2a04bd9b92137687aafc6320babb7089e606f113b8eb84c9b900346d5c3cb8ccc6f4e72bf232a67ae5276d152011c476c240fb70525bc

Download Submit
C:\Windows\SysWOW64\Kfpcoefj.exe

Filesize
56KB

MD5
1a053a8f948863d1e523277b3254dbbe

SHA1
f7d2db49991ef4edb1441a6fbacd87903f6fc0d0

SHA256
90d80fa1190c70a31315cedbe9ea0444ce953eb13eb2c5c7836d37a1dd50a990

SHA512
b49776f11f305fe55e06419568745369ca92cad045132c64e5151bb602231d173d81630a9791f244d04826e0eeb466e6e5c32be07101d7a28b26ef59def109f0

Download Submit
C:\Windows\SysWOW64\Kngkqbgl.exe

Filesize
56KB

MD5
dd48d5b76359ef0f82500c453c63d726

SHA1
3d573701b8d37bcc9d169b531bc7313beddd0a8c

SHA256
970e485bdd0f13dac970e535004dace1f25d76d52babbfc3b235c7372a361a81

SHA512
fba27571f9a1b9a4e7a58e5c18c2f576e38a53587423019650f478ba4b138cc3f63c8e6bac1033dbef0424a5aea83860e878555d0fedf90f3a6fca87216d2027

Download Submit
C:\Windows\SysWOW64\Lcdciiec.exe

Filesize
56KB

MD5
bce751d116b7fff4985a42ca0fb49542

SHA1
5a5254c3f0aa7d9aad98d4588a39514bfd5a1748

SHA256
ddc1da421a86aac1d8859da0524c9dc8331bfb57eba910a96d37a1830d0e6366

SHA512
12cbd3afccf823a019d3a2f15ffa3187005cf6f754a429cf224cc8150be625b639ec1baed2beb1e354686121c8a92303ad942f7bc16b39258b76db24d200a1c2

Download Submit
C:\Windows\SysWOW64\Lcimdh32.exe

Filesize
56KB

MD5
5c75aa450c8f6cbc2a485ebe18712aab

SHA1
132064b18cea6b57bef619ae85177f3809cfef63

SHA256
ca415638521a31a5e7e95407e428f9b7ae568e548e9a760951cb8ac0db3acb57

SHA512
a6608039b22d50b6413b76d68054db655ad2203ffe0b54773f837d642ef53182962b51805e7ec671ba9056d598eec3c00630d640d5c5c71c8dea56cd1aadef0b

Download Submit
C:\Windows\SysWOW64\Lckiihok.exe

Filesize
56KB

MD5
6997838a4ba19a124f920e966e455410

SHA1
7ce5f2d9d42980cd766c20df65230123d42e0f09

SHA256
b522e8991f75afd721ed5bc717df6c16480c6872dad103d9bc7b1b943ff1f0af

SHA512
641c9562ac8e39b89815a6f299d16f6de6dcb361d0d94641e2b04a17dbfa7e995624d09374d2ba269463f776820da800799c16fa73ac7837664bcad5f6b07119

Download Submit
C:\Windows\SysWOW64\Lfbped32.exe

Filesize
56KB

MD5
2849465b277245b114c67bae94bf95a3

SHA1
33212eccade7829f7329fbead44aa3a2684f030c

SHA256
721b6a967e211ca64e829c41eceea886aab5f2c4f79fcf36f8f6daae10fede50

SHA512
df0a006b2ca397eadc087eba631401ea3da9a9af0d1401b89112640e5ce90cb533926d0d218db811c09aa68473da72f670436144a4c2cf2aa9870fbd04725e3d

Download Submit
C:\Windows\SysWOW64\Lfeljd32.exe

Filesize
56KB

MD5
69495a9ae6456056dca6b4a5069b14d2

SHA1
cd972700049ed436945ff85b70ee4c89f6551410

SHA256
d40331a04fb3e257782be079d83129c5928cdedf60c4d3b2c396f62898dfa0d0

SHA512
94390f6e42edc8fd2576bf1a9e0ff6c930f7e856d6c19c51880e32b7fd4ffff48c95b5e4dfc3dcc636225a93399106f41b8e5647d327d2563d030b54c799630e

Download Submit
C:\Windows\SysWOW64\Lfgipd32.exe

Filesize
56KB

MD5
2987d280915ed89b7e8274d9af8c012b

SHA1
cde1afbe96474ef54bb52f366bb0cb8184d5b036

SHA256
3f49e7b225b0417d7607b03d526ca3dcb58adb67243c22ef840e3479e91ff21e

SHA512
e5b8fe31bb7297feca9396fd8d8951231ad47e08203ed3e5a1cc472c05e0c556ca9f4a6a33792ccbf0d7715275e797a1696bca87565aa996d61a349138240be0

Download Submit
C:\Windows\SysWOW64\Lfjfecno.exe

Filesize
56KB

MD5
c1269f0015ac704e572987114a6d1363

SHA1
d40c783beed7b65317c0b54e9ba81f4dad71335a

SHA256
e1390b5231cec67b46802043de03facd2ae2bd4f269728e1d09aefaab22d2421

SHA512
b2f9f15d296363ec116461bc3870c7b339c6187125cb4a0c6b94b0d26c047c6f4fd788db6bae5cec66f42ae2d81afed61c4d41b604213946e4e6bd8ce2a092dc

Download Submit
C:\Windows\SysWOW64\Lflbkcll.exe

Filesize
56KB

MD5
66929e532725952391dce308c39a9497

SHA1
0101db8bb8a638a5b53b9383b6cd2eebb84ba70f

SHA256
d2052891805ec067b717c19169d1b4754f203453c75325481ffc3aa2a181b79a

SHA512
e84457020d1363a14e5b4a08ba981c4ce583d130c1a931674fa352fe70e21fcf8238e57f49503c9ff5d6e031b74e580b702207752bee740d420f416ed492cd64

Download Submit
C:\Windows\SysWOW64\Lgbloglj.exe

Filesize
56KB

MD5
51e8891f7a4f18183fd06b8e594ce5bf

SHA1
9e8913c57257f21a2dcaeaa9c58661df7882fe21

SHA256
4185cfd3552c873859d5d677076d013aa34d09d5219e7ba9bdf00ab4de80a16e

SHA512
e72453ab37a285a3742c22c2a0014f8ae028784aead650cc736814ae578b56d94f479d471169908d75c8aec6f17370567179dfd887e4312b1651352a7af47de9

Download Submit
C:\Windows\SysWOW64\Lljklo32.exe

Filesize
56KB

MD5
b3c585ff0a7cdfb37708ce74003ee1db

SHA1
76fad3db708569cb9f5965d01c91476f19ffc688

SHA256
49a9507cbb52fe23ca701f7968d695fdc0c86de8b4c055889b5db21e22fdb34a

SHA512
5b8e07235d861df19148b6828b31ef37988dd553cf54ab22691260884bb17026028eb4ad294626920f5c2d3dc1eaa68fd59c89f67f3eb7f5936335004d62c6bc

Download Submit
C:\Windows\SysWOW64\Llodgnja.exe

Filesize
56KB

MD5
c34dce030a6b0d09e0075772bd5bb9a6

SHA1
76fcb604a347da13265c0c70559ff205a0c0cb4d

SHA256
5c0294a9fb3e938d5c8f108bef11b845b55125719401207c472660742c90d953

SHA512
d5b03d337964d4b91239e15c0d3fc1e0617eaf531caa5a8ea1fff1900c274c5a97d727ecd0a97df8945cb2dac33526b69b9996a1c788234a8533c3c844360584

Download Submit
C:\Windows\SysWOW64\Lncjlq32.exe

Filesize
56KB

MD5
3a4e707a6a907308c62e3bcf00693f5d

SHA1
790eaf1397b2c0a024ef638326071d70de348ab7

SHA256
e29e821e88e974295f94bea91678d27ec25fcfa76726c3ba5af154b64adfeac9

SHA512
24a3b752ee56e103074f7dc0f4cd41fa9c65e91068548ed5bf727b50a594d021c8171b167cc1d8ce44f8c3cfda780f3e55923519bdc921ffd45ff2a0c66cacc2

Download Submit
C:\Windows\SysWOW64\Lnjgfb32.exe

Filesize
56KB

MD5
15c8235a971e6ff1cb0a432e789d6ee2

SHA1
e7f8c4841cec14f9e066b61e0542b570c720c89e

SHA256
8864a696412e435835fc1dd069f1037a45f78c3dda5ffa0755b100975c2be764

SHA512
bad7b07bdc3a671a2c7aa4ba676b69e2d52296b66c9ae4eda2bba1f9e93f7830d71e0d2113c95ffbfd1698768d4ccada69426d33dd4ea44344e6734e65063e08

Download Submit
C:\Windows\SysWOW64\Lnoaaaad.exe

Filesize
56KB

MD5
b0487615c30bacbbc36d16fa7f9accb5

SHA1
02f10185fbe610681f5e1e3c1f24e5ee2c96fea7

SHA256
1b24c76c548318c2a777d59f2431beb4d1a29e000a8570347d12fde8f8a3ee37

SHA512
faba27c8a471599013fa4718e73acf7c0840423651484cef17151485d574930a483ced1aa2adf1d9a68b70ee939f79c1a575fb4d9c2101be300caa9c92ca49eb

Download Submit
C:\Windows\SysWOW64\Lobjni32.exe

Filesize
56KB

MD5
4fc5b71bb6c0416d6b63910320537fdf

SHA1
a10e6014b9ceb78c6bdd78e8de8c3b9edfdccc16

SHA256
2fa462f5a99e8ab1bc4d487b1b2e9cc2e3e371f9d7c872258bb0bb96fe4741e8

SHA512
dcf01644e2cbfaecf1de604047a4b294d4933e90819edbce3dc257f61fe69d24b2c893697ed42221fe8d1564cdd804c407583cd6cf8659d4864d76ea79fa42d3

Download Submit
C:\Windows\SysWOW64\Lqhdbm32.exe

Filesize
56KB

MD5
f8668c0cc9f3de783f4f5347724ae0ef

SHA1
5e1fbef8d50c401a1860159744abf48c721b4d1d

SHA256
b8349f2a96cdfa5f4a57e1ff417025297439f58fed4c46f6c5e6b60982c01449

SHA512
a444c5e93ec6cd602774805881162688f0879c5b3ec18c9c1a2422825d0957abefbccbd974c571dde2b0cefd147f8c8886258190dbdbbde37a94ee405f4694a2

Download Submit
C:\Windows\SysWOW64\Lqmmmmph.exe

Filesize
56KB

MD5
a516733ccdccee06a4525a8c174a62ba

SHA1
50524c0e01cb16dabb7dadd6db50f9cb48fc2cba

SHA256
7c7101477943f9c32463a8ce0ded0be025569457676269a2572813e3b70f3ca2

SHA512
c5b490e9c2bf457d59140ccd3d6918e0f20006b13e56937415026af42b3f58464cf5f3108c1196a8dba7df195a1308a51b1e93f9bad5c5d9178524332ac489f6

Download Submit
C:\Windows\SysWOW64\Lqojclne.exe

Filesize
56KB

MD5
63529f3917734aa7a9e2700dcb2a3b0f

SHA1
b423cfbf35b02d8bd5b927dd7435c404a2fb2646

SHA256
aec159b29333fbf8284591cd4a8cde74eeeffb7f3f665a24f62c9a24b4723b1b

SHA512
1a83eaab40116a27a16b80a47a1c08f1dd3eee76883d6613873b39cf1d28b969c1298f3407692046b481419dae603e3a5d52caee1e6ab9d8554fd07782050444

Download Submit
C:\Windows\SysWOW64\Mcbpjg32.exe

Filesize
56KB

MD5
c7ba76ded80e27d4b1808d739180f295

SHA1
4e4c7fa3ec35bf2f5d91761b48df9edc4bdd1c54

SHA256
7652345f898040d3dbd257dc472619297a036aacb21e7e0219dfe470a1411277

SHA512
908bcb9e79df572aad62eff3e175615e636e5d08e64f5cdbc949e20dd37b3e06c96f605fc5d1c0f42fccd56ba6a923fbb96e4a9cb195b1f7214c9cef16e5fc7b

Download Submit
C:\Windows\SysWOW64\Mfchlbfd.exe

Filesize
56KB

MD5
7fde7d9e108eb0408127838f0f46f966

SHA1
419af34f6a2808fbf8ba3d0f0a53ddd9f4831faa

SHA256
f621813e6368259c0baba900825dc4fd69a10a19043a4f2c84cdfe4327b98972

SHA512
84144ebfea51fb20abab99af94a98b3a3c22b21de70fa7da9687b6dfd8bee3e0afcb236e33c6f56ee2d6cad62abcebb3f28b7a186d74517d840e0a439ac99449

Download Submit
C:\Windows\SysWOW64\Mfqlfb32.exe

Filesize
56KB

MD5
659f85ddc3ed69e0f8224c288c7532cf

SHA1
902ff257127f3593227502080e87206037faac39

SHA256
0a7d096a6114a78a75ee0f025d7d759d3ce34b01ff96c31724781dff8069617e

SHA512
b3e383c24dd9706835def56965a920254a0d5ea0f731e03509fc2dfd5d70a5e16806b4ad32e70ee8cb90244ac487c723372817883e1ba11f36b79662e89a4616

Download Submit
C:\Windows\SysWOW64\Mjjkaabc.exe

Filesize
56KB

MD5
3e953a9d50683058fe296f3f54e4d4c7

SHA1
c392edfd047aca43364964adafdf2733fd6c4ad9

SHA256
28e51d22260f5ffbe19b0d4ec2f5d43a56b5beb201cb1c2ac9eb804eb659b4fa

SHA512
1f7634f824646672787c088aacf99d756b5ed406d0b3c1ab73135557db3c418ff3746df4e4f0e4896a9945d8093a1d03ac68cc4d2267479b8ae849297e240325

Download Submit
C:\Windows\SysWOW64\Mjodla32.exe

Filesize
56KB

MD5
1a399db2f7b60c2c72c24075884603a1

SHA1
13fca1b871ffa7f272018612136c8de34f97c476

SHA256
98848b7e4aa130adc68dbaaf5afbbda07fbed2c4407ecd5d33a4a05dccebe29a

SHA512
fb0d6e177217fbcc28adf416bd5ada15755e57fe31e38074126c3f750a20bf7e46210c305a0be9a20a58829e06c6f51e8bcda5b332ba235b0cde935b78a65a79

Download Submit
C:\Windows\SysWOW64\Mnhdgpii.exe

Filesize
56KB

MD5
119452f3eb269d63267267ebd817bf63

SHA1
318ac9c64654dbb8f7257c64dceab5702431af08

SHA256
947208b9f5f675240df7cb4c5c5632f5a7c467de4dda76fe919956bd42c0549e

SHA512
dcfc231ff62ac84c8b4a762a49be43298818cf5c5e23d4a1ad64fad55a6efc2652c548f723af5851c6bc00cab3928cf4dce7c02919a473cad2cdf6d0ec65f8eb

Download Submit
C:\Windows\SysWOW64\Modgdicm.exe

Filesize
56KB

MD5
94d4ad31d045ca09e3f957e83fb9b59d

SHA1
3c0e1e480cfc6c48a7c4f31d87efa4dc47588fc8

SHA256
457aec1b4bf81534848137d60bafb20485a23cd4f92fe6bfcfb5f34ab275315e

SHA512
0911ee3be981c26f2bfa0a6ed2989437d6f5f817753162b6a803e66ab209bcfbaaf1a8c716c49bcd32a24b41dae43991683139332ae40e97b7c3a587f61363da

Download Submit
C:\Windows\SysWOW64\Moipoh32.exe

Filesize
56KB

MD5
afc444afcf0675f9dbc94eab9048ae17

SHA1
5c4b2f23a6f6d2ae642ee79206989399f4fe904e

SHA256
b16eb55559ab053fde76a767ccc385ae641df7d80176612fb80c4a7a436f875d

SHA512
d0f1f416f637052b63a6b44eacbe3ba7ef39c9f6bcc726a3f7293faef0baeaa3b9523702bbf5844dd7a69b346bbed325982530246fcef629a517923efe43914e

Download Submit
C:\Windows\SysWOW64\Mqdcnl32.exe

Filesize
56KB

MD5
fb34af286b8e8ea4d38a6875dacb9256

SHA1
4861854855063c99318032af5d63aadaaa24723c

SHA256
8bf83e9c535ff5b5564379d06be13bfb9f0d2b768d01f1e9ed4b28f2b027441f

SHA512
3cba13463b68ea79d17a4883ee2fae969863d17d5b4a0da30f15bcc626cbd16376ddf63f784b31e3ef576fc12e01c498023d0c63a9a107711aa62df4290442e0

Download Submit
C:\Windows\SysWOW64\Nclbpf32.exe

Filesize
56KB

MD5
6d4621ecb035f543363179e76430c00a

SHA1
f665c2354736aa400c7e1508c308a3e0523ad349

SHA256
1a820c171f7ae7b072666c6dbae3e8d390069a6594265e56f3454c69423e2ed4

SHA512
762856155869acbbaedd6fde6e356c982a0efee3ca57f550e4f462fac0cd3c382525ae32a4fb4af54d3ce16a7820f8c9fbc37ca0fad7d57ad692b1b288cce66f

Download Submit
C:\Windows\SysWOW64\Nnojho32.exe

Filesize
56KB

MD5
cd09200438595984601c911aa44d67ec

SHA1
ac1b19ad86df8d224d966b8ca3c1fa75c8709374

SHA256
6a57887b054c90a30fc576fe07b900506c1fc6d2ecace86700b3bbbc034f062f

SHA512
805e11940fc860635f57a45161539c6c1870633d7d819f992ee6205e6ea9eaa6e19f7a71e220a989cf65b8f59dd6f28f1bff38ddbf898879b89cf08e876faf6c

Download Submit
C:\Windows\SysWOW64\Nopfpgip.exe

Filesize
56KB

MD5
c260ef74786cfb664b6b3b4165135366

SHA1
8b4ba76da13917c972d33ea1ead09217ca94d563

SHA256
4c64b9afcb4d55398769df103bd70cb57fc79670fea68af60fc37f7d523872a2

SHA512
5c900be52e839d18dc94d73ee122efd5ddf265f01e0149bfbc1e93fdd315ce3e1aef93b306c1c0c9cbd7113219af414d1dfe58e7eb818e38440fce8ec63998fb

Download Submit
C:\Windows\SysWOW64\Pagbaglh.exe

Filesize
56KB

MD5
631b0cf9689d4a86fc82ef6bb1cab4d1

SHA1
f5772156f6a2cd85c4c72a41c618e921f8cecaf0

SHA256
a46a8ae249b8d2ef229feac3297dd49482991bd94129bdbcc455d0942ddcd3d2

SHA512
ec21d54f9503940b19985f548e29216f5c28dc4f22294dd5b3ae9976bdc2e0d18cb39d01732a373e2a9ca65abf64beee407e882b7d1018c5fc832dbe50a14470

Download Submit
C:\Windows\SysWOW64\Pmnbfhal.exe

Filesize
56KB

MD5
dff362ac187ad52d1c6ddcc23d2d2b5e

SHA1
c1c90cd7a782a9352c1fe4995116ebe622f89193

SHA256
7aae5a3ecc4cf4ee5f63906024f54cd1ef081cb934e9180f183d03bd4237ce89

SHA512
bdb5a941ba1ba1315a325443bd6f12b0f83c45994240472242462bb41469a5bc02991c70c899aa73f58442a1d2c019a4a5eb653da928aa6b54fafaebb7c73dc8

Download Submit
C:\Windows\SysWOW64\Qfkqjmdg.exe

Filesize
56KB

MD5
f6cbedfc3fbd0863902ac4f0d793b0ee

SHA1
d7d8e8e4181eec019448bdaf462abb93ee352830

SHA256
57af78f15947068c2407eefdb9b4e489b8ee818436b971060b44d4092a6b122b

SHA512
13a50078b1c759f84d45c17831493d45391bc8906bc3dd4a3c6602dafe1f31ecd885565b57ec2ffbecde191d13fb0b4bd828db4241d6df9a639c5a849d286357

Download Submit
memory/404-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/852-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/888-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/932-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1212-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1420-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1420-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-582-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1880-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2068-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-589-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3080-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3152-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3164-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3772-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3808-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3884-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3928-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4020-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4204-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-498-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-486-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4748-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-468-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-528-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5116-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5132-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5192-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5256-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5292-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6440-1058-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6672-1050-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6716-1049-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6852-1044-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads