berbew | ed0025e1ada313c719a90cdd8717b6b2ced81a2f77ddbd319bdc8e000f565d6f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed0025e1ada313c719a90cdd8717b6b2ced81a2f77ddbd319bdc8e000f565d6f.exe
Size

96KB
MD5

63b19c2ffe44340c57ecfe27acce092d
SHA1

daf956e0721e305c14af139f09d989367890b565
SHA256

ed0025e1ada313c719a90cdd8717b6b2ced81a2f77ddbd319bdc8e000f565d6f
SHA512

5962add798ca667696feebada3293759b70659419ff136959d28e4cba5857a0ad5d457eb8b04db7a3b4df358cfd07db1c0741c4953377c0bc258196d03588cbf
SSDEEP

1536:TPO36omvf4eBASBAKyxpH8L2LO0aIZTJ+7LhkiB0MPiKeEAgHv:TWqZH3FBAJd8oHaMU7uihJ5P

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ed0025e1ada313c719a90cdd8717b6b2ced81a2f77ddbd319bdc8e000f565d6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3152	Lpqiemge.exe
3272	Lenamdem.exe
3648	Liimncmf.exe
3716	Lpcfkm32.exe
1408	Lbabgh32.exe
2488	Lepncd32.exe
1748	Lmgfda32.exe
4080	Ldanqkki.exe
1144	Lebkhc32.exe
456	Lllcen32.exe
1108	Mdckfk32.exe
2044	Mipcob32.exe
740	Mlopkm32.exe
4092	Mdehlk32.exe
4796	Mgddhf32.exe
4960	Mibpda32.exe
2556	Mmnldp32.exe
4836	Mgfqmfde.exe
720	Mmpijp32.exe
784	Mdjagjco.exe
3496	Migjoaaf.exe
4416	Mpablkhc.exe
1724	Mcpnhfhf.exe
5108	Miifeq32.exe
4800	Npcoakfp.exe
3344	Ngmgne32.exe
1884	Nngokoej.exe
1004	Npfkgjdn.exe
5004	Ncdgcf32.exe
4420	Nebdoa32.exe
3228	Njnpppkn.exe
1176	Nnjlpo32.exe
2388	Ncfdie32.exe
1356	Neeqea32.exe
1788	Nloiakho.exe
2196	Ncianepl.exe
1444	Ngdmod32.exe
1524	Nlaegk32.exe
4788	Ndhmhh32.exe
3516	Nggjdc32.exe
1896	Njefqo32.exe
432	Olcbmj32.exe
2084	Odkjng32.exe
3544	Ogifjcdp.exe
1612	Ojgbfocc.exe
4924	Opakbi32.exe
3136	Odmgcgbi.exe
1468	Ojjolnaq.exe
2396	Opdghh32.exe
1660	Ocbddc32.exe
4688	Ojllan32.exe
5116	Onhhamgg.exe
1528	Odapnf32.exe
1732	Ogpmjb32.exe
1452	Ofcmfodb.exe
3656	Ojoign32.exe
3428	Olmeci32.exe
4860	Oqhacgdh.exe
3044	Ocgmpccl.exe
5008	Ofeilobp.exe
1728	Pnlaml32.exe
4920	Pqknig32.exe
1296	Pcijeb32.exe
4724	Pnonbk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pcijeb32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Bfajji32.dll	Lpqiemge.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Mgddhf32.exe	Mdehlk32.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Lllcen32.exe	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Lplhdc32.dll	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ojllan32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Fojhkmkj.dll	ed0025e1ada313c719a90cdd8717b6b2ced81a2f77ddbd319bdc8e000f565d6f.exe
File created	C:\Windows\SysWOW64\Mdckfk32.exe	Lllcen32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ldanqkki.exe	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Mlopkm32.exe	Mipcob32.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6484	6288	WerFault.exe	254

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmfbg32.dll"	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojhkmkj.dll"	ed0025e1ada313c719a90cdd8717b6b2ced81a2f77ddbd319bdc8e000f565d6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ed0025e1ada313c719a90cdd8717b6b2ced81a2f77ddbd319bdc8e000f565d6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmgehp.dll"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphopllo.dll"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lllcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 3152	2344	ed0025e1ada313c719a90cdd8717b6b2ced81a2f77ddbd319bdc8e000f565d6f.exe	85
PID 2344 wrote to memory of 3152	2344	ed0025e1ada313c719a90cdd8717b6b2ced81a2f77ddbd319bdc8e000f565d6f.exe	85
PID 2344 wrote to memory of 3152	2344	ed0025e1ada313c719a90cdd8717b6b2ced81a2f77ddbd319bdc8e000f565d6f.exe	85
PID 3152 wrote to memory of 3272	3152	Lpqiemge.exe	86
PID 3152 wrote to memory of 3272	3152	Lpqiemge.exe	86
PID 3152 wrote to memory of 3272	3152	Lpqiemge.exe	86
PID 3272 wrote to memory of 3648	3272	Lenamdem.exe	87
PID 3272 wrote to memory of 3648	3272	Lenamdem.exe	87
PID 3272 wrote to memory of 3648	3272	Lenamdem.exe	87
PID 3648 wrote to memory of 3716	3648	Liimncmf.exe	88
PID 3648 wrote to memory of 3716	3648	Liimncmf.exe	88
PID 3648 wrote to memory of 3716	3648	Liimncmf.exe	88
PID 3716 wrote to memory of 1408	3716	Lpcfkm32.exe	89
PID 3716 wrote to memory of 1408	3716	Lpcfkm32.exe	89
PID 3716 wrote to memory of 1408	3716	Lpcfkm32.exe	89
PID 1408 wrote to memory of 2488	1408	Lbabgh32.exe	90
PID 1408 wrote to memory of 2488	1408	Lbabgh32.exe	90
PID 1408 wrote to memory of 2488	1408	Lbabgh32.exe	90
PID 2488 wrote to memory of 1748	2488	Lepncd32.exe	91
PID 2488 wrote to memory of 1748	2488	Lepncd32.exe	91
PID 2488 wrote to memory of 1748	2488	Lepncd32.exe	91
PID 1748 wrote to memory of 4080	1748	Lmgfda32.exe	92
PID 1748 wrote to memory of 4080	1748	Lmgfda32.exe	92
PID 1748 wrote to memory of 4080	1748	Lmgfda32.exe	92
PID 4080 wrote to memory of 1144	4080	Ldanqkki.exe	93
PID 4080 wrote to memory of 1144	4080	Ldanqkki.exe	93
PID 4080 wrote to memory of 1144	4080	Ldanqkki.exe	93
PID 1144 wrote to memory of 456	1144	Lebkhc32.exe	94
PID 1144 wrote to memory of 456	1144	Lebkhc32.exe	94
PID 1144 wrote to memory of 456	1144	Lebkhc32.exe	94
PID 456 wrote to memory of 1108	456	Lllcen32.exe	95
PID 456 wrote to memory of 1108	456	Lllcen32.exe	95
PID 456 wrote to memory of 1108	456	Lllcen32.exe	95
PID 1108 wrote to memory of 2044	1108	Mdckfk32.exe	96
PID 1108 wrote to memory of 2044	1108	Mdckfk32.exe	96
PID 1108 wrote to memory of 2044	1108	Mdckfk32.exe	96
PID 2044 wrote to memory of 740	2044	Mipcob32.exe	97
PID 2044 wrote to memory of 740	2044	Mipcob32.exe	97
PID 2044 wrote to memory of 740	2044	Mipcob32.exe	97
PID 740 wrote to memory of 4092	740	Mlopkm32.exe	98
PID 740 wrote to memory of 4092	740	Mlopkm32.exe	98
PID 740 wrote to memory of 4092	740	Mlopkm32.exe	98
PID 4092 wrote to memory of 4796	4092	Mdehlk32.exe	100
PID 4092 wrote to memory of 4796	4092	Mdehlk32.exe	100
PID 4092 wrote to memory of 4796	4092	Mdehlk32.exe	100
PID 4796 wrote to memory of 4960	4796	Mgddhf32.exe	101
PID 4796 wrote to memory of 4960	4796	Mgddhf32.exe	101
PID 4796 wrote to memory of 4960	4796	Mgddhf32.exe	101
PID 4960 wrote to memory of 2556	4960	Mibpda32.exe	102
PID 4960 wrote to memory of 2556	4960	Mibpda32.exe	102
PID 4960 wrote to memory of 2556	4960	Mibpda32.exe	102
PID 2556 wrote to memory of 4836	2556	Mmnldp32.exe	103
PID 2556 wrote to memory of 4836	2556	Mmnldp32.exe	103
PID 2556 wrote to memory of 4836	2556	Mmnldp32.exe	103
PID 4836 wrote to memory of 720	4836	Mgfqmfde.exe	105
PID 4836 wrote to memory of 720	4836	Mgfqmfde.exe	105
PID 4836 wrote to memory of 720	4836	Mgfqmfde.exe	105
PID 720 wrote to memory of 784	720	Mmpijp32.exe	106
PID 720 wrote to memory of 784	720	Mmpijp32.exe	106
PID 720 wrote to memory of 784	720	Mmpijp32.exe	106
PID 784 wrote to memory of 3496	784	Mdjagjco.exe	108
PID 784 wrote to memory of 3496	784	Mdjagjco.exe	108
PID 784 wrote to memory of 3496	784	Mdjagjco.exe	108
PID 3496 wrote to memory of 4416	3496	Migjoaaf.exe	109

C:\Users\Admin\AppData\Local\Temp\ed0025e1ada313c719a90cdd8717b6b2ced81a2f77ddbd319bdc8e000f565d6f.exe
"C:\Users\Admin\AppData\Local\Temp\ed0025e1ada313c719a90cdd8717b6b2ced81a2f77ddbd319bdc8e000f565d6f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\Lpqiemge.exe
  C:\Windows\system32\Lpqiemge.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\SysWOW64\Lenamdem.exe
    C:\Windows\system32\Lenamdem.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3272
  - - C:\Windows\SysWOW64\Liimncmf.exe
      C:\Windows\system32\Liimncmf.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3648
    - - C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
      - C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        25⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3344
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        33⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        34⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1356
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        42⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        65⤵
        Executes dropped EXE
        
        PID:4724
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        66⤵
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        68⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2300
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        73⤵
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        80⤵
        Drops file in System32 directory
        
        PID:532
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3904
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        82⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        83⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        84⤵
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        85⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        88⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        91⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        92⤵
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        93⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        95⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        96⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        101⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3804
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        106⤵
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5276
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        111⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        113⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5768
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        115⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        119⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        121⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        122⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        123⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        125⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        131⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        134⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5796
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        136⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        137⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        139⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        140⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6188
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6232
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:6276
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        145⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6492
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        149⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:6608
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        151⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6652
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:6700
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6744
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        154⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6796
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        155⤵
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6916
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6972
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6996
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        159⤵
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        160⤵
        Drops file in System32 directory
        
        PID:7088
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        161⤵
        Modifies registry class
        
        PID:7132
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6220
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        164⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6288 -s 396
        165⤵
        Program crash
        
        PID:6484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6288 -ip 6288
1⤵
PID:6420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
96KB

MD5
c13655e51ca3a31e232c9911d2e893d6

SHA1
fec49454dc6fa0d0503a4776afc4a1657a68190c

SHA256
5005246084c965a61070d6904571969941ed6ee726752cfa92065243d347063f

SHA512
1133f415dd423759bae42117240f7f381f86b60b7a0dc24d5be80e1427ae267b8124e432d689e2d60dd3ccb5e39d2cedd85f00b8e8e9059c4ad31ae02f617757

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
96KB

MD5
eed776b8eade62f95517c234d82bcde4

SHA1
4df91f3f0b33d6c69a2f13144066168ce4b6e9f6

SHA256
9b9f237f1a321e8fa8712785d5b9355f9a899409f81c34ef41f73836564f48f9

SHA512
59fb0c7a653b93a710e0e641c95703f6584e620b1ff76925407aa91e7b981d834e23643aa5f1d9afd2564a80eebb7ed98429aabacef8985fae06eab6c7b9a046

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
96KB

MD5
acf22334ac543529e733429e176ed343

SHA1
60976d748db8ec1ef92bd73fc4cb0fb796cb741b

SHA256
314b45beef8159ae2cd205ebddff25f4ee9303d14aed39025ccbd21610851c1b

SHA512
a8da154cce7f1785a59ae30204b9f90b29c588612bf48b258dad4c61b04906cee3e92803e2d1f8c6214f965e2bff348db215d53d684b5fd74003483eee2a8878

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
96KB

MD5
5826fe4da8f111c5f4b030495ec658b9

SHA1
431a575a229d82ec82b1056832558a6967417088

SHA256
33ac3938f92b5a97615168d75dab08208ce342f537595df9f2540f95783d611d

SHA512
c400e9bb96f31456c60de2a750494dbc57320d30a3656cacbc16990805d9b99d6338ac5a497fc7cfddbc18b429480536e4823c4cb6becc824a0937893ac3a394

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
96KB

MD5
ed2aea3f78f8487189e5c4e484dabd6b

SHA1
6b7c6f13fd5f414c865792e226910df9a2970bce

SHA256
e2b0272ebfe319548d8cf28163ffa8aa9cc1c2cb14b5756347a3f0ec42830511

SHA512
ef25813756c18147d9660c41871cbe86beffb9d2d5799424f29d64bfb491b01f1dac056ae324d9c4240453cc7582014ffd496772d3305e1445aec09423d08b3c

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
96KB

MD5
331d2f917ec459b4e4d12ef37106cfe4

SHA1
8e593ad0a83b124c6e92c7a90da6dc8ac3e9998b

SHA256
e43c594b95e68991867ffb249a5eaa6e60ec3d1fa6cb38784f7d289ce347f994

SHA512
c75680121524810de3b0081c0eed9d2720a693dbde3d7afbccb428df20ad42eb572961d3884460e68fd8a287930015dfeffb678571a714d4a458e1d47d1bc785

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
96KB

MD5
43f23b9a3a80b23df616fc6428f12ac2

SHA1
7164c7dd3e1d477ccd620e966f945276426d9b89

SHA256
4e2aef1bee1195d724a28309480209c21fcc91efbf9c03a81bb2fd8205658591

SHA512
b381a7c5ae8c23872842feccd0c3eb79bd3ea230ed5d8ac51ef7837fe7768065a0cf8ddd6955229a42b8ee174d7e718e4cdeea424e2958ec18bb9b406865cbad

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
96KB

MD5
8f81ca44c09cc5b0d74045129da7207f

SHA1
c8e9f597c18448acbb65d30ecce1e0da346aab0c

SHA256
9f7cf223a31590bc412f334bcfdf5549f56ae2071184513ed872295b36c59720

SHA512
40ab0ddbb86ce5e84b69e6ddc3862b980159a966c710e3e46377bb34eb61211168995e9044322c99ba6ea44ff2c6785e273e310a62f8cf715076a3d39c328bab

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
96KB

MD5
9d5193aedc28d64bc8aa454a8887a654

SHA1
4de9fc909d32ba99f0d7847b9c9643cd9902daf0

SHA256
3633b4c0c34c62880b2825365252bbacc050f91404ff5db8f3a4f225fd132661

SHA512
664caa76071adced0c5ed886dcfde748fe42dbf9fd2abf4982de899e9d1c940bbb0ee019eebc2fd26649b6eeb07f294dc7fbe6ad57de7e7d6e2798bb8856f5aa

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
96KB

MD5
cec4ed5308c1293877bb7f180ec15e44

SHA1
e75581b2c03e04187e3fb85664e379d1bd1af3a4

SHA256
8f218cef98a29f5a58b2c73e4a0c7a3bdd7c79e3b19983dba98aa8fd62fd452d

SHA512
d81a28d2ec93dad439cd5ad8b0a1823aea613255a681e13f2c88d2e571d73e4ad282f2b7ed285f38db2baebeaf1afd84acef7118aba038ecab3873f3f777e361

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
96KB

MD5
b8fae8b0fc4ad0bf4d4a624efebbee7a

SHA1
0e12b4c99a08391f7b019cc326d62070611a19e3

SHA256
63f858ee926a6010eee3eb7936ccac246ef70d503f097557f8c0f94d51eb0857

SHA512
dedaaac47db0a6e7934f3e9e888bd3ee1365067f8f87efc378aeba83bf6d20c1c9b4ab767d20e29cf882937b46b51f67b460fc1476e7ed9ee3a63ee072831718

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
96KB

MD5
03716330f7baa0099e280dca853534ec

SHA1
c1b2d3ce39465535bee4c1db5820ac2a8d6cc83f

SHA256
abc7506181dde786759050e22fa5a05bc3d6786065c2f29b7edd5dcea45f4f94

SHA512
c4777500cc3e19bcd52ca84ac414225af80c5d00e3f9343f2b12387c8112094ef358e515534ad8184e8994cab0cf9448470ed455c9c456e9db7615c179739d7e

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
96KB

MD5
8bfd01f57728ce0e146e07f8781aefc1

SHA1
272839beb7a59d88097cab4698e15a3fc205912e

SHA256
fb4a06f2a50dc02692723aec6a7bc8da70f21a663c09954baa9148609315d288

SHA512
d7dcd5456d52d3591228e30699b1ba86b0f88ca1b8f83e65540f636e8bfd7e3f883dd400349a2ca26070696623f53ba1d7b9e27e6c61e2c9a6c6bca65e182cc9

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
96KB

MD5
a162539bb2c4478619a9db7fa0bd7a40

SHA1
7067dc9802c438ae748cde0a22b70962b4857d7a

SHA256
5ed4386c5e73c2c871709a6a7c6c6a476fdc1a216e9569e1f3fc3f2ebbf6fd21

SHA512
38c698a7d21a22ac14a05d101b631c0c7e7922d422c274bad2e7e1e17b09b7fb2eda17e7d3e0743cad76c3b005d6f4844b06cff5dc45675af316ca271ec231f7

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
96KB

MD5
d3eced5a8c79dc0daa81759d3615929b

SHA1
0a498462894161d30fe2c297bfa72f9b523201ba

SHA256
92ec905a0c30dfad672226b79cb7f50645c0ecd66f7f7bda1d69d4ab19e6f98a

SHA512
46beb256710369497336cca16ddd3597758c2b6fe8f3227e31dbcef274e2c44fe7adb0c7d65f84d135f2c6db343e3833b108acb185a30302d9515426a105655b

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
96KB

MD5
a58e575415ceca76abec1f4fb9bb3f7a

SHA1
5c46978df03483a90feaa4b4a521f3c3cbd2441b

SHA256
fa70e2c0938080315d048a68a25b5558fe266727d24545e879a8d03877277c9f

SHA512
65f579c17f33951b18208140416e82bab5151059286130c7ed592d3a3ef5384618276f91713bc107c98c2e9764edf9b334517add4533d5b5d427b324c23b876c

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
96KB

MD5
b3689a2e30af043cf05c9b0acf583d69

SHA1
d2c8a2dff663e1b2706ed51edb0379c448a7afe6

SHA256
95972eb8ad66d102301c678fedcd6205bcf226d8c4c0891d6e33e096849310ca

SHA512
f409f39e6f2e33b1599f9c883a524a10330661ef16744c89936e28478da3fc99889f03e8dae5e881fc92f760082b59d94948d984eacb9322bbb4ad5533db0937

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
96KB

MD5
e95ca8f9797de3c37115e5c0f5e5f1ac

SHA1
537ad7c16729b672daea8a43b91b7e8936cf9f21

SHA256
b7f118318b01f76f1136bf42b25136ba13b52bcec578f6041d60b982c9ff7d5d

SHA512
a0cae5a96ecc74e83c92cbe239ab0ceae7f5c85e6e6f80eaf3205a998094db4cdfee9efabbbb20a89171e2a8578a0a8b9070ed889587ef033d2c3d0c3b92d084

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
96KB

MD5
1e0785079b939bd9b0ee6709cc7822d1

SHA1
3acdd4359cc4496dc96babe0a9c92bb57898ca8a

SHA256
ad684f8c572d25558a70337882995144eaa9397f85882da2cdb9abbe56026340

SHA512
e660a50e748b0290293729037d2f70762d7a9588b6b1050b6504e61cb01d54393a6d4fc6822036bbb2eb54a6e6d61a22efc9bca1a2fcdc837f4383e61d39f63a

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
96KB

MD5
1a96d4a38b21aae90ee5057375d4a193

SHA1
4d4623f9911e0311b0acb4e10a4335c4a57d858f

SHA256
11f90c7e6fc6b21727fd2f60d80fa163f741b2bcb031dfc4bb6f0a1ba423a6f4

SHA512
99e14dd2abde05915c02e4372796c93df7e7cb54c32d1e99d3d0614434e31763c2858da9502dc4d1b383e501e7730781b267092ab006f6405b8d70b183c24298

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
96KB

MD5
3838eddf0d7e34685854971c69da2760

SHA1
c360fe83852322c2f86811d24fe7a87150b8a67a

SHA256
f1ba1621a353f4443ee91ca98521b0c11a2e6122db06450725a498282861b3b4

SHA512
0b59604e35e9263f5b17e58db12a0923c14ddd8d27d385c30044589b9f7a920d83e7f8761ce7edfe9773974c6aa50b9fbc383652fa17f2520177101fc26bb870

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
96KB

MD5
5c784b451b4ccb71c0c9ee3b4d52c503

SHA1
c348c4d772a9b19f75912feeb16c29a54ac689dd

SHA256
397afda555c3786a6b4c67de4c98531f382d017555c6695ffc8172ac6cbc9906

SHA512
c02b3ba77d774c803a2a26cd679cfba0958362b6e5359e6b740bf03b04dbc2e3ee58568287c33b7b126e941af86393d92e4bf8c735eb9640e46abc477ee2de04

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
96KB

MD5
babd1f06481d8b05c119e7e44094ddd6

SHA1
c185de85680232ec67e0bc4c72ced4e00b19ad7c

SHA256
d217ff8e4162b12bfa43c14cca2584b971b461be94d078bd4b81dc3aab103ead

SHA512
13bd5679525e6ce37abcb782fe5038ffc5b1a98433e5d0d4c3cd636d821522f106d54f91dfc81d214b84553b3d02e15f90edac8ae6c4089c717637934ed35e2f

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
96KB

MD5
805ee8b8d92d2dd1fee789efd61327b1

SHA1
920b4779dcd44435850aeb70859e157d256a2b58

SHA256
7b387fd693dd7566263debda4626df1312dff7c4ce5024bfb57a28236582f9ad

SHA512
778dbd7c16c3f0b380c73413f1aca3b9f93da8a7c1868ee4bdf052e15a62d822e6db43a36118b28212422a64e708bd8fb2f2d70e8243c2b9d6533b25fdce141c

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
96KB

MD5
1ee9fb3a7ca11fa1b0d48c1c1dfd7160

SHA1
9727ec74c3e41ec1edae53bfc2323d052542c7f8

SHA256
9f2b6bd506269765ad99eee5285488d21b62f9561272b5453686ab3216d88681

SHA512
cebea4f9855a9f43787b9444d5cb1b0db81bd0414fc1b9e5fd1fbfbc74b4d1fddc0f4bc9a9c00b7ab367a271f77788918d194b9679a07a78f12a3a7e91014bf0

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
96KB

MD5
fdd5e8556becad693a4df7407d8eac8c

SHA1
a54c8cfd102ba15fc3895d2843fa574531ba9787

SHA256
58adbb529c610349d44f1a56ce11375837614c6be5629c969954fdaa40ac4ea2

SHA512
7fd5125dc4c672c61bdba3f67cfe89b424b02f825851ebb87e1934985f53daae19e998292c3780ef6c793f5d5af4490f4512c2f3a8c9c5cc108b96b638cd90e2

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
96KB

MD5
6a4fa5a26d5086e02abad195dfd2a3d7

SHA1
0f3c3d939f7bbb8e26774dd065a5d67c46be1759

SHA256
44cf3595ce6877377130061b7b527d2f250b01b94effd8dd17d42bd81cb0b2ee

SHA512
8457f1b10e2893b2f1d35b5749de7db7f6b02e4a22559a27002ebcde18659a649fc8bf743a806341563cc573a035a2d7ed68acb425a88df71241d35f6bcc7862

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
96KB

MD5
976898c5d1797ee443c373ff5a2c15de

SHA1
0d9070e3a5debb32338db948dee21c08210ba936

SHA256
716eda3f0cb83bf9a7df660e9a8200f7348c96b655ca3b2e61bc36c56c320ff2

SHA512
1e9aa2312febe54f722f8a2a65192daa4e19824ec433b2fa65d3cba6107516cd28339d595b9bc97fb55d2f135541e6738a837d52bdbed42ffc420cffceba6142

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
96KB

MD5
5ca3a2ed2717bf054006e6bb67cc6d26

SHA1
c63477e350e994895448a044bb951f36607ce037

SHA256
2c00130acdeb4d4a6ac5055781ff15f1857fd81db5fba67c9c1619b4ec3c0613

SHA512
3d5d84b35d8d5e978b0b4d51d261dc26407a79004823e5459c07949135a91feb54cc696958b37d6394bed5fd7e842b994d4615ce8bd7148bc9a6308575f2917c

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
96KB

MD5
5c313e995454e6f890224c9c05f2b421

SHA1
bc1ddacb0b26330cf3508a41b17f55021a6c97a9

SHA256
9fb1d7047844918a14c6e6aa494a4cc3238d9546e38aef9fd2190b44876e1a6e

SHA512
c665d42f9d73629240573b127c1cf663becd336f7e43b3616e360321e9dc2619d4fccdd8492fc2f492f1a220b97d5ec6b61a14fd567670b277865738d7850fba

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
96KB

MD5
4d9d93a30b4d94f5a188d2404e017b57

SHA1
14c367dd37c1160adf8db3a034d2192f137495fc

SHA256
06e742e79fa73c8b739d3116cbd3c8c938eaf13db500fe8867d395370c2bf4d7

SHA512
ddf2ee665e907caa30c4a84c90b140ced63c023da787370a2b69dd2e55b81040188f785fbab136478e66760f185f4950d84a006a2b21ad2c9b2aa9c3dc917355

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
96KB

MD5
b0b546b103a0715af60db346466963b3

SHA1
4c151c92c493a6b823c3301952fc379c4946fe40

SHA256
37e4b441962d38cfa948d4d9d1f46e6a9d1ebc277dd0097f0375d792c16a2069

SHA512
db213cf1d73695d09ec818130183b7527d6f42132df8a04b40c0dcd9aa2df97cb7c930975989d8dd8e087e822935e893c9f626d70f49d8abc3c2f6f03cc71217

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
96KB

MD5
58fa1b0d33e85259cf14c230fd3f0259

SHA1
255b3a0b935c07c26cdca23ade60bf32324be291

SHA256
8f735e8757360d69afcb2c9e3bad7ceb617adc84ca258da186c4b30edb3b1ba9

SHA512
72a050aa367795dec7511c949d7852fd40484b0462e3c93ce48c1c84e64562b0da83537802db2168329793fa90e2c9023cf246a1c4b27e116d472610ae32028c

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
96KB

MD5
1a6b2e3f60dcc399b1bd1f77e7ced718

SHA1
d505b2ba6bda26bf4b84d7921f6452ad9a257e65

SHA256
8296a29ee4ddf22868aae2e607114384accf2b76c4d6133735444b4385df8151

SHA512
e573c26e6b4652e62e0c21daa4052300ec824481903b5f1c7fd5662b016ee6eedd27c773f40d007882fad3b3535c6f1f29fe61236a7629cf84695ffe769d2630

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
96KB

MD5
ecc1cf0b8a19707a911fa931aa0495a0

SHA1
4833602469cf60e483f47b9bb23942bb6dc01d1d

SHA256
4198ae28e0e239a4eb29665b54551cbefb76099a8c81da86225e0093a43d7843

SHA512
000f0c8af3f23dab887fcda70a4cb2ff0ad3881c2ed10a0cebe938f869cff5a4528238c8e05148920c076a41fa0f04b796f90a8205074b4110982c70e28b77e2

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
96KB

MD5
aa90e68a7d4808d8e01da3e3e8df585c

SHA1
95925f065c36746fc27e2602d8fe57bf16956147

SHA256
41858b08b67fefff449a8fafe898aa842fd68131b1bafc805bbc2efd254c55fd

SHA512
222712ac7772da8b2f1f08ca0948ba801dfbe45d256392e550a25c75ecfe0ba478d876d9af1122f90446eeb5a18a6bf875db10e72e72cd7809084a21497a5282

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
96KB

MD5
a3a6dc14bd7c3eb243022b44b38f0f25

SHA1
a8306ecd4a6d4f17dd910c07018a9aedc454d6b9

SHA256
14317f26a19a3b858707474cc464c3abbb21765a6934405691971420852a03d1

SHA512
9c6fdeb26208ad2b077a43878a0f4f99d78c5d2f77164e3890208f14d85a652fdd92aba772999d707960e4280290a1054d0d15d9ca1c1126c420b75804e216b4

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
96KB

MD5
7a869467012593df9fc3edc7bda41cf2

SHA1
c6fd0314019d94c8f7f55a21f56f6e4913026f09

SHA256
dfa7e66fb4c4687a77a8e7d0ede510aaa2f4144704f8fd9dd42110e7c513241a

SHA512
e290c3c93dfad8da7c1bc168d62b8151ce6e5dcc3b5db039cc195be92c542e9ea9b05cc629787439999faa687f946ee4a90016baaaea8728347a4c239b470637

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
96KB

MD5
07cf0c4a0307922062cf21cba73e76b9

SHA1
666d9a4469abfc26a2cde9f8eca7ed384abbc089

SHA256
7a9d0df3b0a2227d068422132e3f93c02494fe1ee9348ed452cf6d00809df351

SHA512
afbbc0ba235bc8db4d1b472995793a6ddd84c7253c1cbf8ffb83d0d8e6fdfd43fdfd787dbc8c009123b348e4e0350754af472d5c2b6bf939b7bb64a855775801

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
96KB

MD5
5e1f0d17bcbdf0874819b4f06e37e282

SHA1
eff2609f80aa5e68b5fca770091ff87e2601b159

SHA256
93365ed09f09848c415d5b3c6ce85da598e7dca82326ca5f09f3424556681c11

SHA512
b3bb3680cb296bb3c9315723c55ee2a22e285d81ccdca22e739c60584959d91cd0cf0794a9218a7aa29ff6e1ec6f0f9f76b00177d8a4b114e0d1f6d27b01a66a

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
96KB

MD5
b4aa3ff5e6bb525301ab0b92688bc1fc

SHA1
554f146f59aca64534874236ebc271764b67a749

SHA256
a937b82d482015cae4f3be839c18471e9e252da90beed1507cf7c52d1fbef314

SHA512
34ae66393849b385ebb1ef89db0c478abe983b6174c6648e15abd7166c2ca035f5a1cf0ed0bc2cbef9286ac6a97e5b2ec49ca8157cbd439404c0cb5b3b24cf70

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
96KB

MD5
265411f0dd950a11153b22a5169845ef

SHA1
d70153b17420084a5365a50b21ea4af8ab335a6e

SHA256
6e622db147fdde8f7b2077e0535e2f8b25b06d0d54cacda5bd05309983ec6102

SHA512
f24b08978083aeb151f412735da83d34041e9d5c5a001873fd6e939543024cae1ec62ac9843a3fc0a7877789a6ce5c7ef92628b6695e8f60b40eee1f836c5a2d

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
96KB

MD5
ab696d132463b1d865322bacbe85f1ba

SHA1
c86b3814b75374dac3834b16c1def1a9d7bf2b1a

SHA256
006745606f8a73eb57666e3caae7d8b807a59f51260648f97eb54cacdf361e71

SHA512
4325138df494170d8618e17fb0b2372ddfab58aaed7f2fc30bf7db5d742a8ceaee168dcc06aa95583b68c9fc8a6dab151ab2f430b02690db035959c0294ace58

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
96KB

MD5
18390086d3e63bd2ac387740f98da941

SHA1
5675d6556b5f3f3e24c465ea18e209671c01fd52

SHA256
c7adc453316c4adf6f7841c1cb0c1cef05c479a90aa1bb2483773c63de44d1dc

SHA512
06c29af66ed7393bfdcd6aaf064affc812f07bb11cb6c541e65d6e17944fbd18774d59bab25c053e4ca2d7865500c7830c3f10fca25d4fcf56134ac68c317799

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
96KB

MD5
81820e918a6a3a7c72637a8a75ad9dd3

SHA1
bc05dc2100e929760772f92f8f7f9c1c28309068

SHA256
cd3ea8c7a4521094c1cfc32be748d08801ea2026e6d9b7080ac59b0479359601

SHA512
fd66b1880c80f9420bbbfa0c85f14489be34724e1975b0e63c61389994c0daf68eb53eba41bdf80531f6942ba95821d29efb36438fc38f651598d465d086b682

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
96KB

MD5
1fbe4e9a70762e920f7298ed147b1737

SHA1
c15a57b8d9b9a49e6e2dcc673bd68ce861b663e5

SHA256
0a1bed11d220389ce9d6c529964b7a3a2e62c370605884cdea1669fee696a273

SHA512
61160a9755d0a2f025e90db6256b07de6bd3097f10cfc3d3b5d972e47f9c8846b14c2fc6fd89534591e55a5276e5f78684862da562cec3597bd943c07f752f92

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
96KB

MD5
e713efcc3379d84dda6548ea666da224

SHA1
cdbb98d77048e9ab292b3877da0356b84ff75180

SHA256
2b0b1a4ad66df38918bc30a5405bb798f658b85ebb31e2520498ac9852b01373

SHA512
a0d1301c0a7d9fd11e3f3a7892dc675a49ccaf58a4f88fd5aa67c424714ba8a4ee2b677445ff45151ef5f97f4439abdb1ce2f93daef1a234768cee3e9a42e15c

Download Submit
memory/432-349-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/432-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/456-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/456-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/720-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/720-251-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/740-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/740-109-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/784-265-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/784-172-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1004-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1004-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1108-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1108-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1144-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1144-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1176-348-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1176-279-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1356-362-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1356-294-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1408-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1408-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1444-383-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1444-315-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1468-391-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1524-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1524-390-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1612-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1660-405-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1724-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1724-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1748-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1748-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1788-301-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1788-369-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1884-234-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1884-314-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1896-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1896-411-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2044-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2044-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2084-356-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2196-376-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2196-308-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2344-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2344-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2344-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2388-355-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2388-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2396-398-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2488-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2488-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2556-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2556-145-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3136-384-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3152-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3152-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3228-271-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3228-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3272-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3272-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3344-226-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3344-307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3496-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3496-270-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3516-404-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3516-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3544-363-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3648-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3648-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3716-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3716-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4080-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4080-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4092-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4092-118-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4416-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4416-190-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4420-266-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4688-414-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4788-397-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4788-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4796-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4796-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4800-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4800-217-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4836-154-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4836-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4924-377-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4960-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4960-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5004-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5004-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5108-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5108-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5116-419-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads