berbew | 280ddbea59f2d8726d4743db726515647ca9798785dcecf226b2f58ffed35b88

Analysis

max time kernel
96s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

280ddbea59f2d8726d4743db726515647ca9798785dcecf226b2f58ffed35b88.exe
Size

344KB
MD5

b6c073a30ff6f445feab2baaa05afed0
SHA1

a03d43e23f9d652c22800c348c65c6b46cee0a87
SHA256

280ddbea59f2d8726d4743db726515647ca9798785dcecf226b2f58ffed35b88
SHA512

b5c3f3f7cc88ce953ad63886b429042d014105064ae78e2ee32f456c7523ae1c6ddc876c23748ed96286eb4c66aeed8647327877bbfa1b1262fe5843ea4b7861
SSDEEP

6144:WIqgl8RRTuCpX2/mnbzvdLaD6OkPgl6bmIjlQFn:WIiyCpXImbzQD6OkPgl6bmIjKn

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcdjbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oplfkeob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogcnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjkmomfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qacameaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lqmmmmph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Monjjgkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opqofe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afpjel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcdjbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klcekpdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmpmnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dafppp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgflcifg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mogcihaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqpcjj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npgmpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqkqhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqmmmmph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhmnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nagiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjola32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgnbdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdcpkll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbjcljl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdnbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgibpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfnoqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjodla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcngpjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljceqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpcdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmjdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmnbfhal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knenkbio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnangaoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpmnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhpimhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfqlfb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlhgaqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aggpfkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcidmkpq.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2556	Jcdjbk32.exe
4496	Jokkgl32.exe
536	Kpjgaoqm.exe
2316	Kcidmkpq.exe
620	Kgflcifg.exe
4456	Klcekpdo.exe
1584	Kcmmhj32.exe
2356	Kncaec32.exe
4428	Knenkbio.exe
2104	Kgnbdh32.exe
452	Kngkqbgl.exe
1652	Ljnlecmp.exe
4992	Lcgpni32.exe
4124	Lqkqhm32.exe
552	Lcimdh32.exe
1112	Ljceqb32.exe
3460	Lqmmmmph.exe
4552	Lggejg32.exe
3900	Lfjfecno.exe
4776	Lnangaoa.exe
4372	Lmdnbn32.exe
4460	Lqojclne.exe
3472	Lcnfohmi.exe
4568	Lgibpf32.exe
1432	Lflbkcll.exe
4508	Lncjlq32.exe
2856	Mmfkhmdi.exe
1556	Modgdicm.exe
4536	Mcpcdg32.exe
4344	Mfnoqc32.exe
3832	Mnegbp32.exe
5004	Mmhgmmbf.exe
1540	Mogcihaj.exe
2864	Mcbpjg32.exe
3408	Mfqlfb32.exe
1980	Mjlhgaqp.exe
3020	Mmkdcm32.exe
768	Moipoh32.exe
5036	Mcelpggq.exe
1952	Mfchlbfd.exe
4928	Mjodla32.exe
4264	Mmmqhl32.exe
116	Mqimikfj.exe
5024	Mcgiefen.exe
700	Mfeeabda.exe
2828	Mjaabq32.exe
1068	Mmpmnl32.exe
3000	Monjjgkb.exe
2796	Mcifkf32.exe
2088	Mfhbga32.exe
3820	Mjcngpjh.exe
3664	Nmbjcljl.exe
1644	Nopfpgip.exe
1596	Nfjola32.exe
628	Njfkmphe.exe
1860	Nnafno32.exe
2220	Nqpcjj32.exe
4440	Ncnofeof.exe
2716	Nflkbanj.exe
1736	Njhgbp32.exe
3544	Nmfcok32.exe
1948	Nqbpojnp.exe
2148	Ncqlkemc.exe
1516	Nglhld32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jnifpf32.dll	Mcelpggq.exe
File created	C:\Windows\SysWOW64\Nqpcjj32.exe	Nnafno32.exe
File created	C:\Windows\SysWOW64\Gjecbd32.dll	Bmjkic32.exe
File created	C:\Windows\SysWOW64\Aijjhbli.dll	Cponen32.exe
File opened for modification	C:\Windows\SysWOW64\Mfqlfb32.exe	Mcbpjg32.exe
File created	C:\Windows\SysWOW64\Lfdqcn32.dll	Pjmjdm32.exe
File created	C:\Windows\SysWOW64\Ifolcq32.dll	Mfnoqc32.exe
File created	C:\Windows\SysWOW64\Fmbgla32.dll	Amjbbfgo.exe
File created	C:\Windows\SysWOW64\Ndqojdee.dll	Nfjola32.exe
File created	C:\Windows\SysWOW64\Njmqnobn.exe	Ngndaccj.exe
File created	C:\Windows\SysWOW64\Pmnbfhal.exe	Pnkbkk32.exe
File created	C:\Windows\SysWOW64\Mnegbp32.exe	Mfnoqc32.exe
File opened for modification	C:\Windows\SysWOW64\Nagiji32.exe	Nnhmnn32.exe
File opened for modification	C:\Windows\SysWOW64\Opclldhj.exe	Omdppiif.exe
File opened for modification	C:\Windows\SysWOW64\Cpmapodj.exe	Bnoddcef.exe
File opened for modification	C:\Windows\SysWOW64\Nfjola32.exe	Nopfpgip.exe
File created	C:\Windows\SysWOW64\Oanokhdb.exe	Onocomdo.exe
File created	C:\Windows\SysWOW64\Kncaec32.exe	Kcmmhj32.exe
File created	C:\Windows\SysWOW64\Mfqlfb32.exe	Mcbpjg32.exe
File opened for modification	C:\Windows\SysWOW64\Afbgkl32.exe	Adcjop32.exe
File opened for modification	C:\Windows\SysWOW64\Ckebcg32.exe	Cponen32.exe
File opened for modification	C:\Windows\SysWOW64\Lnangaoa.exe	Lfjfecno.exe
File created	C:\Windows\SysWOW64\Qgnnai32.dll	Mfchlbfd.exe
File created	C:\Windows\SysWOW64\Nmbjcljl.exe	Mjcngpjh.exe
File created	C:\Windows\SysWOW64\Onocomdo.exe	Ojdgnn32.exe
File created	C:\Windows\SysWOW64\Palklf32.exe	Pnmopk32.exe
File created	C:\Windows\SysWOW64\Ckbcpc32.dll	Panhbfep.exe
File created	C:\Windows\SysWOW64\Kllfakij.dll	Nmbjcljl.exe
File created	C:\Windows\SysWOW64\Njjdho32.exe	Nglhld32.exe
File created	C:\Windows\SysWOW64\Pmpockdl.dll	Aoioli32.exe
File opened for modification	C:\Windows\SysWOW64\Aonhghjl.exe	Aggpfkjj.exe
File opened for modification	C:\Windows\SysWOW64\Cdmfllhn.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dhbebj32.exe
File created	C:\Windows\SysWOW64\Lgibpf32.exe	Lcnfohmi.exe
File created	C:\Windows\SysWOW64\Mmfkhmdi.exe	Lncjlq32.exe
File created	C:\Windows\SysWOW64\Mcpcdg32.exe	Modgdicm.exe
File created	C:\Windows\SysWOW64\Mfeeabda.exe	Mcgiefen.exe
File created	C:\Windows\SysWOW64\Hilpobpd.dll	Mcifkf32.exe
File created	C:\Windows\SysWOW64\Lmdnbn32.exe	Lnangaoa.exe
File opened for modification	C:\Windows\SysWOW64\Mcelpggq.exe	Moipoh32.exe
File opened for modification	C:\Windows\SysWOW64\Mjodla32.exe	Mfchlbfd.exe
File created	C:\Windows\SysWOW64\Ncnofeof.exe	Nqpcjj32.exe
File created	C:\Windows\SysWOW64\Omdppiif.exe	Onapdl32.exe
File created	C:\Windows\SysWOW64\Ljceqb32.exe	Lcimdh32.exe
File created	C:\Windows\SysWOW64\Apodoq32.exe	Aonhghjl.exe
File created	C:\Windows\SysWOW64\Clahmb32.dll	Lcnfohmi.exe
File created	C:\Windows\SysWOW64\Dgcihgaj.exe	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Dnmaea32.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Aagkhd32.exe	Aoioli32.exe
File created	C:\Windows\SysWOW64\Hbobhb32.dll	Apodoq32.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhbebj32.exe
File opened for modification	C:\Windows\SysWOW64\Klcekpdo.exe	Kgflcifg.exe
File created	C:\Windows\SysWOW64\Lcnfohmi.exe	Lqojclne.exe
File created	C:\Windows\SysWOW64\Ldjcfk32.dll	Klcekpdo.exe
File opened for modification	C:\Windows\SysWOW64\Lflbkcll.exe	Lgibpf32.exe
File created	C:\Windows\SysWOW64\Bnoddcef.exe	Bkphhgfc.exe
File opened for modification	C:\Windows\SysWOW64\Lmdnbn32.exe	Lnangaoa.exe
File opened for modification	C:\Windows\SysWOW64\Ohlqcagj.exe	Ocaebc32.exe
File created	C:\Windows\SysWOW64\Bbikhdcm.dll	Ppgegd32.exe
File opened for modification	C:\Windows\SysWOW64\Bnoddcef.exe	Bkphhgfc.exe
File opened for modification	C:\Windows\SysWOW64\Dhbebj32.exe	Dpkmal32.exe
File created	C:\Windows\SysWOW64\Npgmpf32.exe	Nmipdk32.exe
File created	C:\Windows\SysWOW64\Bpkdjofm.exe	Bnlhncgi.exe
File opened for modification	C:\Windows\SysWOW64\Cocjiehd.exe	Cdmfllhn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6988	6892	WerFault.exe	262

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngndaccj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omdppiif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aonhghjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljceqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqmmmmph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njfkmphe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njmqnobn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apmhiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcbpjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nopfpgip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phonha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmfkhmdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njjdho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgpcliao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dafppp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkndie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpkmal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdnbn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lncjlq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ompfej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opclldhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplobcpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbgkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjkic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chdialdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onocomdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oabhfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjkmomfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoioli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnangaoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgibpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogekbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghghb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofkgcobj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmjdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Palklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfiddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfqlfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkphhgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbpgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moipoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdjinjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmfllhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcnfohmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogcnmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocjoadei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opqofe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofmdio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppgegd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmnbfhal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kngkqbgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monjjgkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amjbbfgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adfgdpmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnaaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkobkod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcgpni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcimdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lflbkcll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modgdicm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfnoqc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmfcok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncqlkemc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdmlme32.dll"	Mqimikfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oplfkeob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jokkgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blqhpg32.dll"	Omnjojpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chdialdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngndaccj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojnkocdc.dll"	Mcbpjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgflcifg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njfkmphe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nglhld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgnbdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mogcihaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcngpjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgbbckh.dll"	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giidol32.dll"	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepmqdbn.dll"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jokkgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnddp32.dll"	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcnfohmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepjgm32.dll"	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbjqfjb.dll"	Nagiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll"	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqnbqh32.dll"	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnegbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmlfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idaiki32.dll"	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfoag32.dll"	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbddbhk.dll"	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npgmpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfnjgdn.dll"	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcfimfi.dll"	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onocomdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnplfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kncaec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljceqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgihjf32.dll"	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnangaoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadiippo.dll"	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eihcbonm.dll"	Pjkmomfn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 2556	540	280ddbea59f2d8726d4743db726515647ca9798785dcecf226b2f58ffed35b88.exe	84
PID 540 wrote to memory of 2556	540	280ddbea59f2d8726d4743db726515647ca9798785dcecf226b2f58ffed35b88.exe	84
PID 540 wrote to memory of 2556	540	280ddbea59f2d8726d4743db726515647ca9798785dcecf226b2f58ffed35b88.exe	84
PID 2556 wrote to memory of 4496	2556	Jcdjbk32.exe	85
PID 2556 wrote to memory of 4496	2556	Jcdjbk32.exe	85
PID 2556 wrote to memory of 4496	2556	Jcdjbk32.exe	85
PID 4496 wrote to memory of 536	4496	Jokkgl32.exe	86
PID 4496 wrote to memory of 536	4496	Jokkgl32.exe	86
PID 4496 wrote to memory of 536	4496	Jokkgl32.exe	86
PID 536 wrote to memory of 2316	536	Kpjgaoqm.exe	87
PID 536 wrote to memory of 2316	536	Kpjgaoqm.exe	87
PID 536 wrote to memory of 2316	536	Kpjgaoqm.exe	87
PID 2316 wrote to memory of 620	2316	Kcidmkpq.exe	89
PID 2316 wrote to memory of 620	2316	Kcidmkpq.exe	89
PID 2316 wrote to memory of 620	2316	Kcidmkpq.exe	89
PID 620 wrote to memory of 4456	620	Kgflcifg.exe	90
PID 620 wrote to memory of 4456	620	Kgflcifg.exe	90
PID 620 wrote to memory of 4456	620	Kgflcifg.exe	90
PID 4456 wrote to memory of 1584	4456	Klcekpdo.exe	92
PID 4456 wrote to memory of 1584	4456	Klcekpdo.exe	92
PID 4456 wrote to memory of 1584	4456	Klcekpdo.exe	92
PID 1584 wrote to memory of 2356	1584	Kcmmhj32.exe	93
PID 1584 wrote to memory of 2356	1584	Kcmmhj32.exe	93
PID 1584 wrote to memory of 2356	1584	Kcmmhj32.exe	93
PID 2356 wrote to memory of 4428	2356	Kncaec32.exe	95
PID 2356 wrote to memory of 4428	2356	Kncaec32.exe	95
PID 2356 wrote to memory of 4428	2356	Kncaec32.exe	95
PID 4428 wrote to memory of 2104	4428	Knenkbio.exe	96
PID 4428 wrote to memory of 2104	4428	Knenkbio.exe	96
PID 4428 wrote to memory of 2104	4428	Knenkbio.exe	96
PID 2104 wrote to memory of 452	2104	Kgnbdh32.exe	97
PID 2104 wrote to memory of 452	2104	Kgnbdh32.exe	97
PID 2104 wrote to memory of 452	2104	Kgnbdh32.exe	97
PID 452 wrote to memory of 1652	452	Kngkqbgl.exe	99
PID 452 wrote to memory of 1652	452	Kngkqbgl.exe	99
PID 452 wrote to memory of 1652	452	Kngkqbgl.exe	99
PID 1652 wrote to memory of 4992	1652	Ljnlecmp.exe	101
PID 1652 wrote to memory of 4992	1652	Ljnlecmp.exe	101
PID 1652 wrote to memory of 4992	1652	Ljnlecmp.exe	101
PID 4992 wrote to memory of 4124	4992	Lcgpni32.exe	102
PID 4992 wrote to memory of 4124	4992	Lcgpni32.exe	102
PID 4992 wrote to memory of 4124	4992	Lcgpni32.exe	102
PID 4124 wrote to memory of 552	4124	Lqkqhm32.exe	103
PID 4124 wrote to memory of 552	4124	Lqkqhm32.exe	103
PID 4124 wrote to memory of 552	4124	Lqkqhm32.exe	103
PID 552 wrote to memory of 1112	552	Lcimdh32.exe	104
PID 552 wrote to memory of 1112	552	Lcimdh32.exe	104
PID 552 wrote to memory of 1112	552	Lcimdh32.exe	104
PID 1112 wrote to memory of 3460	1112	Ljceqb32.exe	105
PID 1112 wrote to memory of 3460	1112	Ljceqb32.exe	105
PID 1112 wrote to memory of 3460	1112	Ljceqb32.exe	105
PID 3460 wrote to memory of 4552	3460	Lqmmmmph.exe	106
PID 3460 wrote to memory of 4552	3460	Lqmmmmph.exe	106
PID 3460 wrote to memory of 4552	3460	Lqmmmmph.exe	106
PID 4552 wrote to memory of 3900	4552	Lggejg32.exe	107
PID 4552 wrote to memory of 3900	4552	Lggejg32.exe	107
PID 4552 wrote to memory of 3900	4552	Lggejg32.exe	107
PID 3900 wrote to memory of 4776	3900	Lfjfecno.exe	108
PID 3900 wrote to memory of 4776	3900	Lfjfecno.exe	108
PID 3900 wrote to memory of 4776	3900	Lfjfecno.exe	108
PID 4776 wrote to memory of 4372	4776	Lnangaoa.exe	109
PID 4776 wrote to memory of 4372	4776	Lnangaoa.exe	109
PID 4776 wrote to memory of 4372	4776	Lnangaoa.exe	109
PID 4372 wrote to memory of 4460	4372	Lmdnbn32.exe	110

C:\Users\Admin\AppData\Local\Temp\280ddbea59f2d8726d4743db726515647ca9798785dcecf226b2f58ffed35b88.exe
"C:\Users\Admin\AppData\Local\Temp\280ddbea59f2d8726d4743db726515647ca9798785dcecf226b2f58ffed35b88.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\SysWOW64\Jcdjbk32.exe
  C:\Windows\system32\Jcdjbk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\Jokkgl32.exe
    C:\Windows\system32\Jokkgl32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\SysWOW64\Kpjgaoqm.exe
      C:\Windows\system32\Kpjgaoqm.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:536
    - - C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2316
      - C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Mmhgmmbf.exe
        
        C:\Windows\system32\Mmhgmmbf.exe
        33⤵
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Mcbpjg32.exe
        
        C:\Windows\system32\Mcbpjg32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1980
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        38⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        43⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:700
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        47⤵
        Executes dropped EXE
        
        PID:2828
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1068
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        51⤵
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3664
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2220
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        59⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        60⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        63⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        67⤵
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3056
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        73⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        75⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        76⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        79⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5472
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        81⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        84⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        86⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        93⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6124
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        96⤵
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        98⤵
        Drops file in System32 directory
        
        PID:4076
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        99⤵
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        101⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        105⤵
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        107⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5632
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        114⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5936
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        117⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        118⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        119⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        120⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        121⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:752
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        123⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        126⤵
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5376
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        130⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        133⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        135⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2836
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        137⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        138⤵
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        139⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        140⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        143⤵
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        144⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        145⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        147⤵
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        148⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        149⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        150⤵
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        151⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        152⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        153⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        156⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        157⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        159⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        161⤵
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:6404
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6460
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        164⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        165⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6692
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6732
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        171⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6852
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        173⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6892 -s 408
        174⤵
        Program crash
        
        PID:6988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6892 -ip 6892
1⤵
PID:6960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bmjkic32.exe

Filesize
344KB

MD5
b1c380c4039e00a7410aff8e31ae02df

SHA1
412b6edc3d84779c3a5158fdba511ba613c99f6a

SHA256
cc5a3fc365b471b3a078b1534d2c82dfd990c153eaea5f9b82aa1d1a756f7ddc

SHA512
87990bcbbc9f61dea22a3f85d3528b7e56c56a645299828849db683a694fa0d7ae48db948b6a0a88bba1d919af9e483d612ac881b7b9488bcf2521959e7c1f1e

Download Submit
C:\Windows\SysWOW64\Cocjiehd.exe

Filesize
344KB

MD5
9fecc5a576d2d3af166982ddd5b2cc31

SHA1
93ab94257aa59766903fd067b7738480a9c24817

SHA256
540c7b0f315230eea7142ccbb02be47308979c87e516370b2d3a03c4b3a4543c

SHA512
fe8355895696f7bc087101dcfee377811ae95c4754b9e774f2c49c8e7dff6eeaaa25c89287d4e6d165443d979c5893024982202a8c4d43090949f93261901a63

Download Submit
C:\Windows\SysWOW64\Jcdjbk32.exe

Filesize
344KB

MD5
a64d2d3599928ff54089de0d9cf7872f

SHA1
cdb04a8dceee5ac51d90c4e7fe68299296130f04

SHA256
c98c50cd4b0525b19ee3232bdab4f7464a309cefac0bc0b5e912b465676300e5

SHA512
1d790dd9794d4173893c0dbf0b47109d18b1c90d1a4aa25784290692cd8e86d7c77c464a19ad3da78e5ba8d713f825aa1edf2a9b93ad9ad3ad4ed8f15e36246a

Download Submit
C:\Windows\SysWOW64\Jokkgl32.exe

Filesize
344KB

MD5
069f684786bf0a64ae13a8d5abb9cb8f

SHA1
42e80ea14e0afe343f351da70dd47fc8c620e965

SHA256
2d62bf182d0e036a381943b0938ab55f90ee3754b904394024fe616c921c7ad5

SHA512
256d0fd149000eb547b4019a0e257c3b24da91dfcc572593345cd096c326e2b29be43e335f287a2e3ee69aaf7feac838ed5ac19156fecad70168df16f8db1369

Download Submit
C:\Windows\SysWOW64\Kcidmkpq.exe

Filesize
344KB

MD5
6955d05f9fd5221d1536f335780ccc10

SHA1
7f64febc363f02c538792a2bd1077cfb6130a918

SHA256
2d74939e7d0419f36eb758e6b2a31e00eafe2467ce663b8586b93cdc7d107687

SHA512
c7b1ffe661c6240694241803ce010261330593feb473f1c96a3b9fd2b71fb13cae89f309b10ecb98f5ffae89d8de2662a33ff1289b79c8093e5bb2a5318d35b2

Download Submit
C:\Windows\SysWOW64\Kcmmhj32.exe

Filesize
344KB

MD5
a062e9c27b39c20b277bd9a43a3e4f35

SHA1
f4077961e59b4b9d313f59d14c715b7612b47251

SHA256
c428d77c1f1e3ee689506a0045d82bbbdd321f74792ed1aedad50e481a047f94

SHA512
cae1a03638712161943522ce8855442f6035f560e5c57dc8ce953034e4459326e3bb5188f9e3ef5884ae93f6ecc81b09ae13620294449733cac8cb7a40c6ebaa

Download Submit
C:\Windows\SysWOW64\Kgflcifg.exe

Filesize
344KB

MD5
1da21f101e64f05e85da65717a69c657

SHA1
5b55fe31c2226e41a72a4b23980e15b98b1b37db

SHA256
decd7e5179143409caf78d25c1c41a05b55775e2bad5a3ee517ca741a05cca93

SHA512
dc62e9858fbd2e5469fd3722ab60067015c63131b2d304e1e4088a18857c7dd2a2269b9de4c171550de0f80b1d509c72b81fa53f7c48195e1327200848698498

Download Submit
C:\Windows\SysWOW64\Kgnbdh32.exe

Filesize
344KB

MD5
b78c6f4f438a71955d9c9f8a22dbe851

SHA1
a3ace5e94ba2ca3cbc327cf239dfce356b953de6

SHA256
8305d0649dc250acbba24323290c17254d63af3036c4146d6736f2bd628ce76f

SHA512
72cfde128ae44fffadc9ec5ac3a767e42494bdc672359453e5b14d876fb33cbd5c9740eb840e8e3165a6443dc9922bd01a25b3243be693bc14e59ad272ad7455

Download Submit
C:\Windows\SysWOW64\Klcekpdo.exe

Filesize
344KB

MD5
403a9f1dc6729ea9b90bbf542d48260d

SHA1
4697df28018fbd9cb0ffea56a40d97c12592f765

SHA256
169e3fd7e678fe54cb875bab0257a447a7a788a42f0c2a4408898c825cf9ee30

SHA512
3d3b54c7349bbdea1d8a88b619d4aebdc241aefdaeca39aaef9801b1e63b0956f3007ecfd70a1f7828e87cedc8042650e8308da52b0783ae4288a590b1d78a24

Download Submit
C:\Windows\SysWOW64\Kncaec32.exe

Filesize
344KB

MD5
8f46b56b840c1d49c744a1aef11b1412

SHA1
406a94334c9129458abd729fff42bf359a681339

SHA256
e6067fa3927362e9dde83846195a8af7a494d381a36d428d5fa7cb002e5234d5

SHA512
c7d096e2bcc5e00536d267e2dd6ea7e369494d6edcd0ffcf2d5c24174a8836f552ad653d8c84eaa800e23854ffdf30a9ece573525d9cdafd1324ec9e0beb88e4

Download Submit
C:\Windows\SysWOW64\Knenkbio.exe

Filesize
344KB

MD5
605114b533435acdd8746c84564f5912

SHA1
bb838db2d91534a4b5952419880dbdd2587cf51c

SHA256
a3f268b1909c2530d3083f881b38fbe9afe86b7e5c4615481944d1776e5dbd0e

SHA512
5a38c3326d6b84271c93e4e12f421f990f167493bf4fd6dc93476c24a92ca71d841706c23acd8f66f8b8fce59896f7a290957d349fb4d0dbf8ad8781f50ac969

Download Submit
C:\Windows\SysWOW64\Kngkqbgl.exe

Filesize
344KB

MD5
11d784830f68f98c3634e045c0670549

SHA1
7ac166164bd3790b1c67f4ad8fe9d811eea71242

SHA256
9b518a6a16561b46b0332b5744ac34497cd10dd4c8ce5d0da8a39e014b6d4165

SHA512
5d8a5e2c73b6b8284195481bb29c52bb3d3cea4a0bc6206afa5802764a2186894bf04e05ba5430a44ae17d3e8674d1f2b4336345d95945cb42a272efc678b8b0

Download Submit
C:\Windows\SysWOW64\Kpjgaoqm.exe

Filesize
344KB

MD5
9bf8690529beaa4e93a1969ef17f708d

SHA1
7b7b56c1f3a9921fc0c2b44392df78a5af0c121b

SHA256
5354120dbb2b7e25e5aac2d47e1192077bb4fad27eab1df7f0a79d8b88355d15

SHA512
74972a4a62b92224bd3cab86335d89dd79f7824ddeddc1108c468c370277543426f89dcef29e9f0df02931eecddc72a686f5d2dc7887f231711374de64e95f5d

Download Submit
C:\Windows\SysWOW64\Lcgpni32.exe

Filesize
344KB

MD5
651404e7c08262ff86b54b9141435eb7

SHA1
d90af13519196445d4e21bc53779b4e31369024c

SHA256
78a2656af29f768dfbe6fde82f8a5e417aade83e01c2c4d3e60f0851205b88fc

SHA512
469a3827232134eaff1ad945f5fdf9205b9529a9c2194eab6eead137a3f87c3b22f7f49f2ec0e63f4c89c03bafa4b27ea299294413bbcb75b4c7437c2151dd5e

Download Submit
C:\Windows\SysWOW64\Lcimdh32.exe

Filesize
344KB

MD5
da711840d54e2b5f7410c756a22a7072

SHA1
be63c34ec98fa826c19a92d75e96219770105fd8

SHA256
faf80588422f1f90f415e7b26639271d90b731d55dff8f1620eb65a0f85a1192

SHA512
75313567e50b5949538d5e2ecc1aa6a8a3a6a36315ad9891a27a86a5c11499db5a385dbc5e942b3a2d0f81754e5b8cba490f34a195cc34cf2262fd6c5f3deaab

Download Submit
C:\Windows\SysWOW64\Lcnfohmi.exe

Filesize
344KB

MD5
78e52d6fadcd8225b43c4077c6ba19d5

SHA1
6c2138ee1d4dce6c02b22719397b04df2cac3f4d

SHA256
4477f774f632969fd8e3340553e38ebbb3ca2f35088a691400d3b74639191792

SHA512
cfca84eaf2d54550c41d9d0371e773dd05bfa7633beecc624bc458a76e9df36d511017db20ceef913e37874251756aa68d8a6df020e0cf381ae46dd75d9ce55d

Download Submit
C:\Windows\SysWOW64\Lfjfecno.exe

Filesize
344KB

MD5
ba58eb062cfb30b3be550a008a783f1a

SHA1
9faba2e066b8d9ee14d3d3daca1402278355c39c

SHA256
5c63c6c585d1f75ca2f61e77033e04778213f1f261f25ed95eedf87195aba12d

SHA512
64d7e8eaebe133ebc4b75fc3255b1910fa9002c06561894245da1af1989fd6ef73ee11be828899364b44321537a01132a1832f4c5159d379c7d481e68b30ad0c

Download Submit
C:\Windows\SysWOW64\Lflbkcll.exe

Filesize
344KB

MD5
eb022d8d5594aeb5e7af446cfbcddef8

SHA1
76bd9dcb0be70b3e631b441f08f4cf6a1fd0df1b

SHA256
c2f0265c5cb61a030adc78115cd67533c4b7ab7b3d212bc318c4068476d95330

SHA512
24f3f676d42eca0f29778417ad1ec5d25f5d4126584bcdb9b769a7cd72cfb6046d2fb1d4fccb8cf8729fa5802a54b1bd5790b4106eb103d828e3fd0bed0b38b3

Download Submit
C:\Windows\SysWOW64\Lggejg32.exe

Filesize
344KB

MD5
b3d5f11fd517a1e283e5894c8cd7b233

SHA1
7882e4214a584e0c7a0ae5604dad5baee4c99b09

SHA256
b399cb624f281909d77740bd4b1cd2e57c5e45f1eb9ddfd814a35c0f3f086ad1

SHA512
50930f5d28ac55e246cb0505c965ee8b7bff06397d2a14c63e3c2ec0a998b98c8c2d40bca49102b28ab04dd610a5be0a85f27105b8bc57fcf349fccec07a4244

Download Submit
C:\Windows\SysWOW64\Lgibpf32.exe

Filesize
344KB

MD5
aa5e59739aaa398bd78d4b91b0f40d24

SHA1
b7aede1fcd3bb464cfb4cb7eed22e09e5b6adf29

SHA256
03d8c40f848d230081048c4eb80152308a88cd866961b1e09e16c863225740a7

SHA512
50c10bde683cdd085fda7bcbd882ad31d98d910ae1810d111ee698fdd247658e007bff965a1d6087736f2d3878c6f0778979f9bd572764119bb44b53f360c577

Download Submit
C:\Windows\SysWOW64\Ljceqb32.exe

Filesize
344KB

MD5
9d3e38f4f8c6e238ecc7aeeafc790a70

SHA1
0d7ab441bc0137c066463d05f99cd00453cfb13c

SHA256
481ef1054dd197aa17a874a15aa8032a77194a1af13d0c760beda5d7bb25ea7c

SHA512
d1476de11b5769920e39bab3f83a8badedd8b093d6fa5cf374a0facd22ea932d4e77005b17ddf660b3755a05ab3c8b52dc2677b627901a8e91c1f8bd07afb2c1

Download Submit
C:\Windows\SysWOW64\Ljnlecmp.exe

Filesize
344KB

MD5
40947b8db84d7d4833b4c0ae378b9c60

SHA1
faf29be34d26ec48394f8820b68a2286daa6e613

SHA256
f82d868263e4d8fa281f02190e14db93f0f3da271e1bc3dcfbeb81b16d8845ef

SHA512
fd791a0fb7d123c48a7b3bf89e6cd18cf9fb9a175fb16d3c66cd69b9a8229d5ca169a144179d05bf029564443aacdf89716840ca9048eace65202040525fe294

Download Submit
C:\Windows\SysWOW64\Lmdnbn32.exe

Filesize
344KB

MD5
252d1dcae28a6ad0b49b0e6c63b691f0

SHA1
2173e15edc7bf5f019abe42db0a3eacc7bc88a73

SHA256
a7fa2aae1584062b2b8a1f9dae76b88ba6cfd2f1a54a3bded7148ed6c8bbe23c

SHA512
54fdbf563abe311684af24bd895674d2fa8720fe1015da5c90c727e543ac62a5b3f2fe7823b6d031e766b29bda290b10acaf6d0cee4857557753dc62ab9faedd

Download Submit
C:\Windows\SysWOW64\Lnangaoa.exe

Filesize
344KB

MD5
7e66b48e3fda9e19c07f4382926984a5

SHA1
88414ad2222e98a727ef39f220b289fd5d53b8a2

SHA256
2ff2be713c7972b557c9da6f31b2aa0fb671e66b64a7c9ee743eafc5bd39f936

SHA512
e50c5896090d87cce5007b7e9a2115cdd663fddd20e069347a9ed96fa94f3b77b0dd8577e14d55f9c8e97469eef8543b20e37429fb30694b5428b42a9e5abc75

Download Submit
C:\Windows\SysWOW64\Lncjlq32.exe

Filesize
344KB

MD5
6058a10b0997eaa02e92541506765332

SHA1
fd4fface3876e32ad0c57a60d9422637f5a0e00e

SHA256
ed579894befa7175a6b8f3546f08f3aecabb1db66253631222a2fe1602f40ad9

SHA512
b595b31e7097adc609f18b922745a3999e8db9dcd96c666bc268d7cfbd44769ddd7f91c6b360ba929d2fcd58e86b72f6ac21e13a0e9c422e3f24ea186ad6fdf4

Download Submit
C:\Windows\SysWOW64\Lqkqhm32.exe

Filesize
344KB

MD5
22a0b9450e4f10da443c5b5147df1079

SHA1
1fb328578827456024c2d77b07cf05eb8f140652

SHA256
816c39ac4e3189dbbfc02d333cc9cd78d932da4e0751b5d3a67ab1101c7d9512

SHA512
e30a58f4913ea9d81de8a74959039b3f75435f3f7d8005c7cb2decbe5e1a7a597b6526b7d18093378b983f4bd6da8d42f21a96f26ee874de60aed3b625b10001

Download Submit
C:\Windows\SysWOW64\Lqmmmmph.exe

Filesize
344KB

MD5
8f298d0994a59211a0542689406c80bc

SHA1
d70ebd1aed6220b65f69ac1eb1a046e40e78fe1e

SHA256
18a4bd767fc20b17f72e6a671373201ac580716338e43798ab9265c0c6eaed1d

SHA512
407fc5cca5d56eabfd0440c850eb0178485c37fcd0f0b22f3552427c56e3dfbd197d6e64af60ec79e7337bc031e0fa68a5a8ad2b1d4eb3b1cbed6ff5df8d8916

Download Submit
C:\Windows\SysWOW64\Lqojclne.exe

Filesize
344KB

MD5
57787e3b69315dda95c989e124f24148

SHA1
6a5116dd7ea3091f72499ae9d1b1cb5e5de96afb

SHA256
c70d10f391ee96adcfbc0d3b600d9ada521bb2a4ae002232e525a9b5b46f1a45

SHA512
f68633a92f86d5a8306121bc969a0d086d4c22161855c0901df27a616f36cafdc16051bc328149524762cbe7ccee5c697b648c6e5a32b986c9f7b7bf15b82b0b

Download Submit
C:\Windows\SysWOW64\Mcpcdg32.exe

Filesize
344KB

MD5
1adda51cfdfa32fa86f26558733844e8

SHA1
766ce1bfa667d4a64b8dd3390262c51b5ec20948

SHA256
0d18cd1e1efb0a56f2656ff6f3bf91620f2eea839d02f3491964fa9e1e0e920b

SHA512
4b5de8f085c7252a4e1ab5348b215146fcc3f31dc13540aa3d462f9f3c43c8ac02abb85836f301b13256f7c60f455f410411fb778c10456d9465ceb30b5465d4

Download Submit
C:\Windows\SysWOW64\Mfnoqc32.exe

Filesize
344KB

MD5
ccfa1d779852b50ba6fe361a8764d276

SHA1
05fcd477299ae9686df67dab60199ce4d398817f

SHA256
a117f7f32d24bb5ea125c47afe64dbeb7705dc904ad1200e432422a45c0a0357

SHA512
99267f8944b14fab3df5a7d3c40d897d6ee9b86643b664f7498d74f9229377ff15292042adb44536adeb2fc4655fa954a2fc3b637028870e038e1b4fcfe85c31

Download Submit
C:\Windows\SysWOW64\Mmfkhmdi.exe

Filesize
344KB

MD5
bbd94edb8958c53a2a8e7be204008a6e

SHA1
788f429c20dc65cedd93d55568870b48c682651a

SHA256
4da7975f7b37b2eb8a9c16495ee9e16ac9c87c05f366c36e011d4e66abc33392

SHA512
1b86b08c800fa1d25e631f151ff18af2bde2ebd54a8fb4900e87aa4c057444327fa86e8869924f02e7b33cc2161d376ad3ad24a20c5d7f33a20045ec4ede6bb2

Download Submit
C:\Windows\SysWOW64\Mmhgmmbf.exe

Filesize
344KB

MD5
874d1768552ca23911256e0b46429ddc

SHA1
a4b187881d0507d5887d9d5071b5c166ea60e36b

SHA256
8b85217506730add84b91718311f4bf382f635a7b68e8a3efd8306dfe5b1a60b

SHA512
a62c72d8a6f1a5b7e2700f62cb3525162ac53e9b5b762b5af9c149ecd82b8599e6f07a24c8cc0f448c3362c3773b0921e4cc3578bb073d23c4733a4cdac930b3

Download Submit
C:\Windows\SysWOW64\Mnegbp32.exe

Filesize
344KB

MD5
7194de6c7f7ea3735280f9d57b1f8ae2

SHA1
7fe945c5833558e80690dbc416119216be7976b1

SHA256
6019a0524471ceee0773a376f030f1482e04a316e5c38c8f65b5cb54e17b00db

SHA512
93af60d75672c0f332cb10959bb54ceb7b29c41ca22e99020501047dbed7ff7caa0f5be4ac858f661c99a1ed4ea6d233617626246605481864d877b741d67c7c

Download Submit
C:\Windows\SysWOW64\Modgdicm.exe

Filesize
344KB

MD5
b6dea77f6256f195722d733f3d413745

SHA1
23ab3176ba0a36707a864050f6259bf9b3f18d37

SHA256
edd86d65ff580e0db12e1195bf093391d3336e92f46c7b8bb4760bf6b4d9ac95

SHA512
55dbe40fcc8d60a2964c0e5590014af58a780e1260fe8e150ce1f430d8060c6374cfe987ed8aa98f93fe75c13f456d709a5d9cee45c67526d4bac20623970998

Download Submit
C:\Windows\SysWOW64\Qfmmplad.exe

Filesize
344KB

MD5
b8f0e90ef46a4a92eb99dc134cdf1622

SHA1
66bb2f71b57f32b7fbce0bdb079fbe113612a500

SHA256
6cf53b756a8839121d8d130c3945b823cf3be296b86ced9a717cedcf6c14223b

SHA512
450c625db908ab6af8388e6ad6021df33a04daa9492925256af081fb9e456c2e72efc2ce8f2c05e28244713143e4ea726191c0ecacebc293faece3ca36c35527

Download Submit
C:\Windows\SysWOW64\Qhhpop32.exe

Filesize
344KB

MD5
57d42804b053500fb3a90b6c36f3d70f

SHA1
47533f9ac24c1ddc4dd574b490ebc4a63ef5faf8

SHA256
5b707950c4260be1784fe1409174dce86a5a11590a734fff850d8407afb16b23

SHA512
a35afeb9d1fd1ba689692926007c9b51d88e15970e24fc276d1fd12f592037828132dcc5963c3a2acb08cdd604fd918816dec4c0e8930313104ddd2c462e5a4e

Download Submit
memory/116-327-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/412-477-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/452-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/536-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/536-570-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-548-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/552-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/620-584-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/620-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/628-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/700-339-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/768-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1068-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1112-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1432-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-453-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1556-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1584-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1584-598-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-393-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-387-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-429-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-465-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-405-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1948-441-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1952-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-483-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1980-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2088-369-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2148-447-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-411-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-577-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-556-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2716-423-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2796-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-345-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2836-1183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3000-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-489-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3408-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3460-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3472-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3544-435-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3664-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3808-1180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3820-375-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3832-253-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3900-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4124-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4264-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4344-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4440-417-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4456-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4456-591-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4460-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-562-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4508-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4552-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4576-459-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4776-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4992-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5004-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5024-333-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-471-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5152-495-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5192-501-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5232-507-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5272-513-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5312-519-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5352-525-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5392-531-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5432-537-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5472-543-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5512-550-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5536-1155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5556-557-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5596-564-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5644-571-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5684-578-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5728-585-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5772-592-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5816-599-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6196-1146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads