berbew | 61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe
Size

704KB
MD5

1513148074c14bae4004cc3cf45996ab
SHA1

21165a43f657ea9ca7860980888748d083b452f6
SHA256

61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d
SHA512

47884ea8729175865650aeb1c4423dbc0ef1edef195245fae89068d7d16823110314bdbd739633004da2a1b69657e653c3d1db40b945d2c132d14d5f8dd235ed
SSDEEP

12288:CqLOrkY660fIaDZkY660f8jTK/XhdAwlt01PBExKN4P6Ir:8gsaDZgQjGkwlksd

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngmgne32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1956	Kemhff32.exe
2684	Kikame32.exe
3000	Kbceejpf.exe
2808	Kbfbkj32.exe
696	Klngdpdd.exe
2400	Klqcioba.exe
4064	Liddbc32.exe
3920	Lmbmibhb.exe
4728	Lmdina32.exe
4780	Lepncd32.exe
4380	Ldanqkki.exe
4060	Lebkhc32.exe
4472	Lmiciaaj.exe
2584	Mbfkbhpa.exe
5040	Mnebeogl.exe
4440	Npcoakfp.exe
3280	Ncbknfed.exe
5096	Ngmgne32.exe
3016	Nilcjp32.exe
3180	Nngokoej.exe
2944	Npfkgjdn.exe
924	Ndaggimg.exe
1508	Ncdgcf32.exe
1932	Nebdoa32.exe
5032	Njnpppkn.exe
3308	Nlmllkja.exe
4304	Nphhmj32.exe
3712	Ncfdie32.exe
1056	Ngbpidjh.exe
3716	Njqmepik.exe
2700	Nloiakho.exe
3708	Npjebj32.exe
3508	Ncianepl.exe
2324	Ngdmod32.exe
884	Njciko32.exe
4536	Nnneknob.exe
2368	Npmagine.exe
3576	Nckndeni.exe
748	Nggjdc32.exe
1092	Njefqo32.exe
1884	Nnqbanmo.exe
4856	Oponmilc.exe
1408	Ocnjidkf.exe
5048	Ogifjcdp.exe
4796	Ojgbfocc.exe
1144	Olfobjbg.exe
3872	Odmgcgbi.exe
2240	Ocpgod32.exe
1540	Ofnckp32.exe
1256	Oneklm32.exe
4436	Olhlhjpd.exe
1084	Odocigqg.exe
5104	Ognpebpj.exe
1936	Ojllan32.exe
4968	Onhhamgg.exe
4896	Oqfdnhfk.exe
3100	Ocdqjceo.exe
2100	Ofcmfodb.exe
5160	Ojoign32.exe
5196	Olmeci32.exe
5236	Oddmdf32.exe
5284	Ogbipa32.exe
5320	Ofeilobp.exe
5360	Pnlaml32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lmbmibhb.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Npfkgjdn.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Kemhff32.exe	61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Klqcioba.exe	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Klngdpdd.exe	Kbfbkj32.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Kbfbkj32.exe	Kbceejpf.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Kikame32.exe	Kemhff32.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Ndaggimg.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Liddbc32.exe	Klqcioba.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Kikame32.exe	Kemhff32.exe
File opened for modification	C:\Windows\SysWOW64\Ncbknfed.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Npmagine.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6900	6820	WerFault.exe	247

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbceejpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kikame32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ngdmod32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 1956	4804	61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe	84
PID 4804 wrote to memory of 1956	4804	61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe	84
PID 4804 wrote to memory of 1956	4804	61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe	84
PID 1956 wrote to memory of 2684	1956	Kemhff32.exe	85
PID 1956 wrote to memory of 2684	1956	Kemhff32.exe	85
PID 1956 wrote to memory of 2684	1956	Kemhff32.exe	85
PID 2684 wrote to memory of 3000	2684	Kikame32.exe	86
PID 2684 wrote to memory of 3000	2684	Kikame32.exe	86
PID 2684 wrote to memory of 3000	2684	Kikame32.exe	86
PID 3000 wrote to memory of 2808	3000	Kbceejpf.exe	87
PID 3000 wrote to memory of 2808	3000	Kbceejpf.exe	87
PID 3000 wrote to memory of 2808	3000	Kbceejpf.exe	87
PID 2808 wrote to memory of 696	2808	Kbfbkj32.exe	88
PID 2808 wrote to memory of 696	2808	Kbfbkj32.exe	88
PID 2808 wrote to memory of 696	2808	Kbfbkj32.exe	88
PID 696 wrote to memory of 2400	696	Klngdpdd.exe	91
PID 696 wrote to memory of 2400	696	Klngdpdd.exe	91
PID 696 wrote to memory of 2400	696	Klngdpdd.exe	91
PID 2400 wrote to memory of 4064	2400	Klqcioba.exe	92
PID 2400 wrote to memory of 4064	2400	Klqcioba.exe	92
PID 2400 wrote to memory of 4064	2400	Klqcioba.exe	92
PID 4064 wrote to memory of 3920	4064	Liddbc32.exe	94
PID 4064 wrote to memory of 3920	4064	Liddbc32.exe	94
PID 4064 wrote to memory of 3920	4064	Liddbc32.exe	94
PID 3920 wrote to memory of 4728	3920	Lmbmibhb.exe	95
PID 3920 wrote to memory of 4728	3920	Lmbmibhb.exe	95
PID 3920 wrote to memory of 4728	3920	Lmbmibhb.exe	95
PID 4728 wrote to memory of 4780	4728	Lmdina32.exe	96
PID 4728 wrote to memory of 4780	4728	Lmdina32.exe	96
PID 4728 wrote to memory of 4780	4728	Lmdina32.exe	96
PID 4780 wrote to memory of 4380	4780	Lepncd32.exe	97
PID 4780 wrote to memory of 4380	4780	Lepncd32.exe	97
PID 4780 wrote to memory of 4380	4780	Lepncd32.exe	97
PID 4380 wrote to memory of 4060	4380	Ldanqkki.exe	98
PID 4380 wrote to memory of 4060	4380	Ldanqkki.exe	98
PID 4380 wrote to memory of 4060	4380	Ldanqkki.exe	98
PID 4060 wrote to memory of 4472	4060	Lebkhc32.exe	99
PID 4060 wrote to memory of 4472	4060	Lebkhc32.exe	99
PID 4060 wrote to memory of 4472	4060	Lebkhc32.exe	99
PID 4472 wrote to memory of 2584	4472	Lmiciaaj.exe	100
PID 4472 wrote to memory of 2584	4472	Lmiciaaj.exe	100
PID 4472 wrote to memory of 2584	4472	Lmiciaaj.exe	100
PID 2584 wrote to memory of 5040	2584	Mbfkbhpa.exe	101
PID 2584 wrote to memory of 5040	2584	Mbfkbhpa.exe	101
PID 2584 wrote to memory of 5040	2584	Mbfkbhpa.exe	101
PID 5040 wrote to memory of 4440	5040	Mnebeogl.exe	102
PID 5040 wrote to memory of 4440	5040	Mnebeogl.exe	102
PID 5040 wrote to memory of 4440	5040	Mnebeogl.exe	102
PID 4440 wrote to memory of 3280	4440	Npcoakfp.exe	103
PID 4440 wrote to memory of 3280	4440	Npcoakfp.exe	103
PID 4440 wrote to memory of 3280	4440	Npcoakfp.exe	103
PID 3280 wrote to memory of 5096	3280	Ncbknfed.exe	104
PID 3280 wrote to memory of 5096	3280	Ncbknfed.exe	104
PID 3280 wrote to memory of 5096	3280	Ncbknfed.exe	104
PID 5096 wrote to memory of 3016	5096	Ngmgne32.exe	105
PID 5096 wrote to memory of 3016	5096	Ngmgne32.exe	105
PID 5096 wrote to memory of 3016	5096	Ngmgne32.exe	105
PID 3016 wrote to memory of 3180	3016	Nilcjp32.exe	106
PID 3016 wrote to memory of 3180	3016	Nilcjp32.exe	106
PID 3016 wrote to memory of 3180	3016	Nilcjp32.exe	106
PID 3180 wrote to memory of 2944	3180	Nngokoej.exe	107
PID 3180 wrote to memory of 2944	3180	Nngokoej.exe	107
PID 3180 wrote to memory of 2944	3180	Nngokoej.exe	107
PID 2944 wrote to memory of 924	2944	Npfkgjdn.exe	108

C:\Users\Admin\AppData\Local\Temp\61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe
"C:\Users\Admin\AppData\Local\Temp\61c924c69f4adbaf9219c86ada7d1999f5874b061859736431a830e33e09739d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\SysWOW64\Kemhff32.exe
  C:\Windows\system32\Kemhff32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\SysWOW64\Kikame32.exe
    C:\Windows\system32\Kikame32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\Kbceejpf.exe
      C:\Windows\system32\Kbceejpf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        23⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        30⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3576
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        40⤵
        Executes dropped EXE
        
        PID:748
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1408
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1144
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        48⤵
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        51⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        58⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        61⤵
        Executes dropped EXE
        
        PID:5196
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        69⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        72⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        75⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        76⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        77⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        79⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        80⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        81⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        82⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        85⤵
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        88⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5860
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        102⤵
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        104⤵
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        105⤵
        Drops file in System32 directory
        
        PID:1764
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        107⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        109⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        112⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        113⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5692
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        116⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        117⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        119⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        123⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        125⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        127⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        129⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        134⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1300
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        136⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        137⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:5672
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        142⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        143⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        145⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        146⤵
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        147⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6284
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6324
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:6368
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6412
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        152⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6496
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        154⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        155⤵
        Drops file in System32 directory
        
        PID:6608
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:6660
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        157⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        158⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6780
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        160⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6820 -s 408
        161⤵
        Program crash
        
        PID:6900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6820 -ip 6820
1⤵
PID:6876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bagflcje.exe

Filesize
704KB

MD5
d958f3fe57469a96e417d00caaf7b1d2

SHA1
34d3c5537c5817160829430352e675448387c328

SHA256
c3784d00b1e69cc99e84404fd3a48f61279076548ede440178caa4f8ab9fae2f

SHA512
c238d1cd5eb24a8c952313204fb2239dd9da9654a0f74415b49d0980af31e265131e353b92b25ecbef437328bbea2cdbabf16974ea5022e2f02be2217153d034

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
704KB

MD5
49d076a265f066cc383be981c5c19388

SHA1
16465cb18e4ff1b1b16e9a24d4cbc10f53c8ec73

SHA256
a6d0dddf8bf20da6103931d1f816cc72f883491153ab87c1d8ff869b7e322608

SHA512
3713e1c84ac92afd9da92edbcabd834e2bdcf5a1aa724384400ecd5ebe06c1983322426ba49b94d31c3a8b8db16d2b8b6804327abc4775a249586ccb79f02aec

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
704KB

MD5
bc6e34363180d910c61d73fdfd1a1379

SHA1
3272ce92bd85ed2718c478e3d6152c0cc3da200d

SHA256
d9fe2697d798275728248896cfc8627f230a23744610bbb7a42d70bc609c2658

SHA512
d08d1450004ff62a588109609276576e0531e65a0f6feaf6d8d74b0047b833dea13f74aaf9c18e332d1a5734ce54504a96772966a36c2e301061ec0305c780c0

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
704KB

MD5
2f29ada6394da3fa0424e26af3d6df84

SHA1
64a561d5bd29de313ee83704c6ee9b10906c12d9

SHA256
3854e9c5ca0ac641c9480efb1004e241aec43d3f023b8047e3085d40650ed97b

SHA512
eea23a9c77d6685e4ff0b77f0b204f0ae1a1a4f240d73baeb6ec2cd1547a0e511829f6c7cf561776319afaffd28c1d12fd3cbd8ce2e0cb1c573f2caf3ee65c5b

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
704KB

MD5
1c90fd09b32b03129f77e363c18bcc9e

SHA1
7505ff47b72a38a7366c0a6e0d56b623a133c132

SHA256
2eefe930afafd528786b060d03b257775181ef40424d9786f8ba4e3351281773

SHA512
f75d2c5c95a80dd08839cf6376e2c2cc56ba2e73391707c8b5da7cea62c335e6811d369ab74d645cb249810a9a58a4b063950297a019563ec74f1897c76765ed

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
704KB

MD5
6a3f0256b885628a97ddc1dcee5e8e3d

SHA1
669e9436aa004fb6c4cb3ecbad6add799dccc112

SHA256
cdb7ee03628e2fbb787154bcf34f180d481ca30479b57a9e98558e5d42dfc6cf

SHA512
6cd99533fc3f920292be9e88a8570683f079d5ca5cda011e0622030413d540b5875f16cbc2cf88a82dd524366f061b2e09efabf83a552125f0e0dfad25adc461

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
704KB

MD5
fb8aebb28d740a54e6440c651c0895ce

SHA1
7661e001deff7bb263d18efd9cf07efdd95d351e

SHA256
f0225a7450506037cd6eac3d8fbfc971ae8aab885c2f40441e96fe5bf80b955d

SHA512
1962b2c0d20f5027cb2667d471699b56b0b60f4b9360c09d6c75a58d5284f298dfb1ad456d972b795ae3ca3ba9e0eda0947a7383b9728a682c83be5d8693a272

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
704KB

MD5
0b38262900537a44c72814ac7d915d97

SHA1
d04ddb8d5424eb8e780287918859ac18976f6b2f

SHA256
bf3084d327f36fcded44ecec15fd7283f59afeb6be30fe2d87bf53c268a17514

SHA512
bb39b6a88fd60130a97018a7014060eefa70c695dd500552d7955d22641a292e2871a24a86d0f0cb68556293f044a41e179790c07de3a33e3ebfbf356eb2cada

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
704KB

MD5
efbf637ece22680a25765f83ae869fff

SHA1
fe0e93f43b3cf5419a44196249a25e2edfaf5ae9

SHA256
02c4d9159a441ac26552a613893f5c363740fcbfe05f099d72fc65a32ae659a3

SHA512
7da8e5acebec46608dd0592d84bc738963c2edb4178923ac5082c409ac42e893aa1549d77fd5996d83bcd6a69bd9c7318f3eb9441349199e8a72f2cd1ed63b01

Download Submit
C:\Windows\SysWOW64\Inpocg32.dll

Filesize
7KB

MD5
b2edd4718e83db51b296b68abc6d9f6c

SHA1
0841c1fcffe04df520831e9c7f780111f7a49e87

SHA256
5f18e375184106cd390367c531c0e7ffceb469e682565cf75d6922914f8c548d

SHA512
58faafff91ffbf8b49a7ca4d9e50281d9863a8f5b69e1b045aa2c6636ccf3d3653d9634dccbcdf33a882f29377eb9e1faf6f932fce6694ccb420cf53f0ba6406

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
704KB

MD5
3140bc9bfac895c875d63460ce5cb0c4

SHA1
4b163c743437ba91f2082a7607a798ae4eb56b3c

SHA256
6fda6a45c5a548ce5ff45d95b552c187ee7c3c375a8d2763072eb0a9a1d034d3

SHA512
5f5da1b61a457d5b5854d83b3747937af406d5814118d5cb55f391f60bd68e8529d6d1cb7c63fb0ac5020b5bc525723d1d29e1528240c00f3455bc0b69a93239

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
704KB

MD5
c509722a7eaeca109b791e1524749f57

SHA1
210736f048dae16c3f7372327816dbd0a861a542

SHA256
ac9d5a3986f22f5353713db896413c2a7df9485d0704b402b9a9c8933cad9070

SHA512
ad68551e50bd3b13214b225392fe8ef7896d619d5096113cd7d7ba0b3a70bed655e0912132e8879fa0c52d9424d239bef12eb0e6952c18693aa78b68292b6d74

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
704KB

MD5
4e10803c37efc8dddd54c0d47bdd2af9

SHA1
d373e2a6d4d114b42f1ab035aa3693956343a051

SHA256
59d43222ccb2d30b851d2e3557182dc5513d31cd8c617eb4474475c68d6ba3ef

SHA512
f7a55c0c2293bb1669bf6768412e10f2ce8c8af51de3b8f17f176639e95b0f70a4a75172c2f68b4ac7a9fd9a1dbc9234e5f413bd41e88ba74225369bfb02b9ec

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
704KB

MD5
091c7515028884152bd8f2140e301f51

SHA1
ed24e4964a8eef981985aa82054912aa39f91ea0

SHA256
ec4a267595777d5e1f40acbe59a80fba2d78c66bcd64d725a0f105f556792320

SHA512
425eed49956080695b5e3816b5c11b45d59af4e6607ee6e7a91ccfa7b1edee3417603fa4d250f470b509c42049399adef6d66b5af47e60fefb85ef7dd77870ec

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
704KB

MD5
ec4567ee0bd3c928040751b402f2a99c

SHA1
3eb9c820b6c01402c922b758b8247cf80b4e1e56

SHA256
1a094fc68d01e942615ec668751f625c4e818b86fca94053b8178e5d0c314878

SHA512
55d32156acf708ade36fb8f4c213dec0a18d706f3ccf4b52c77298662b59dbf1dbbdac91706a2586b945e6809f32c83b5c21f6dbb4746a778ffaf2f3380613b0

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
704KB

MD5
526b640d1d898cfaffb36a994c903b2a

SHA1
24923677faa3f620251302728d06013420263474

SHA256
9434355d8a300ea201f142eec51ca753c71a31a42928e828b125fa8ed5eb1b98

SHA512
d4ca1b84f436a07d49d074a9ef69e8026e95ecf4c7043d05cbdeb5cbba3463bf671ee94aa5952350ca741452e3e72fed0ca93828c3b62ab170442e59627af089

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
704KB

MD5
008391dc05b85b13abe0cd3fa862b888

SHA1
131628d6694f94a32aba869635769f89d7dac104

SHA256
68b56c8511da4e759ba978c59c872c0a26a49e02b0c8fd1b4fa5f0b0f09c9944

SHA512
8badb8873f6bd759c780d219b61d8a7b1c7f0135dbfb877cf31bc1ab58f8ac4c7d45c1848cdc2018d894f54154c8b8df9cd37701bd21f37d787375279caf6c9f

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
704KB

MD5
d871615d599e928edff11d7e4c07c411

SHA1
4af53815b57714fac42188a04a1962bce339f6eb

SHA256
13957cc8529eb66506a7ce6787be45a08e1ec5abf87fd43bbedb092891fec050

SHA512
59e370dd5e41642ea0875a10d2b79c1f097a2f699aede811d74bd1ce6cca0967bb1f9229f56ebee26a3c87912acebc72a94fcc8d46424daea9c1b1ed596de055

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
704KB

MD5
1f90454a9a65a0c1f9b124f8b7b855f2

SHA1
ee8f829db07ff162dc174bf4791ac6fa88327cea

SHA256
7523b28a1c6ee518db87af5fe7c66d51b756c9b38181ea550a867297575995b2

SHA512
97295278d528c7db6c2b1cdbd05a6f27713597a46b61431875a17106002b83e0ab94ca8496f94053c06ab4ce99a8fdcabaa12f4c4127143b7798caa0f55e8040

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
704KB

MD5
73e84784e5050ae777f8c2c43c816488

SHA1
a7765d2a168a1180d2d04de2fa8ab9bb93f5bad8

SHA256
3b3cbd99aa6305fd66072e2b30accbf876746f8764010f4fcce53b83857ed2cb

SHA512
c9d68cc3fa3c8a7269b1ca83a6ad410d8d0f8e1ef60f11decb599eb86cff98e1ec459e0c8e1223e21198a8b3018126311ebf6d3c708d77dafae0480460e473e7

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
704KB

MD5
71677e796d11647e8943e481bfce533a

SHA1
8ac18e23f36a8d7a5ea0b892de75103987b39769

SHA256
c5fd3870144ec11ad46414827f0a526742e607ab8b75f47e6e5f19f6c8ad2c4a

SHA512
2270852815c53d5b3fe2e7dba8d095b5c0fa3a689a946dc556c9eac6ea06819483c36872b552c174119b7b93d1ef42e4248b2cc0f9b0661a1a6efe10b248df57

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
704KB

MD5
d9166926cc3e78e99a39f99e912559df

SHA1
cfddb6360fc1149911efae46342af24b06aed0a3

SHA256
8cf530f5fa8f64ccbc65be87268b48fe8c46ef6913fcbe21d12c74e52bad2761

SHA512
8747480c266dea63dccded74095325ca2344a1183498f37f7ddd2da935644185474ce9714a04dd1835dcaebfd54c34fdb2493d44a6558e8a4c17507cb57d54ae

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
704KB

MD5
e5937adb3b7a191c27194ef409d85634

SHA1
cff7ee99c793f8c86d8b245f62ed3b0a3068564d

SHA256
38ca8e862b06c3787143163ed11c1fe81e13bdd764532f87cb4df4e5ab1828cd

SHA512
5c6108ced2ac0d695cefd9299d362e5049676a487eb56c2775e341cec2a584ba6c30e78e3787eec4c0fbf72f5db2c0cb817a9f06fcad72b7814ef96d2dd72d7b

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
704KB

MD5
847930ae0c632fc7f8574491368cc039

SHA1
f31c222569db97d815e4841c1c32d710a89f464c

SHA256
1da96c9bb2fc8e9ea091e4f284c287530111c3cbd5b23e9f0286972624371519

SHA512
fdb5083773d719eb1d72f4dd981efbbd8358a8eac419ff57c17b2376cc395a6c9681c3fc830fe4c2f9ee7a7b183707f750744964f8c2e1feefe6699508329a57

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
704KB

MD5
8da7ee7d3f0984c7281364189b0f32cc

SHA1
feae74dc83a545c8d4777a424f4e051648f087cf

SHA256
d004f51792b56bbe23b7c9fb4a3f8c53cb9994b43e0b9e47006bcd77d03be651

SHA512
7e303387384093bb5ba2f4f0c24db1972c866afe872a2620f06e712e08774f982d6ce3590b6a99cc173232486c643fa7a313acaa9774cf831375d8702d95fe16

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
704KB

MD5
0849ff69cf56a2e52b88682664d88dc9

SHA1
c20e14c748c66de8a627846dbc6046e644bbaaa1

SHA256
4e547f444c28b3cffda6596dfb608789f47a8a9d405c3e2b9f151580f4b3fc92

SHA512
229fcac7a2c9b25e602078a1098af9088aaf381b4d681de9a10be053583fe6fa7460447256f99a23ceca07e89b3149796c4efe039a382e734aa43080c88031af

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
704KB

MD5
7e43737deb8520877c22e3ffb3c12518

SHA1
4c7f4b7e91194c4f746d734d69f3f912a7dd394d

SHA256
7393af1fcea48879de794c8c2bcc68858940adf40cc37c6dbe1eb85f14d2f931

SHA512
689643dd44d180a1199b6c5b212f16f1cb842f7eb2b863657ec54b0acb33c1593baa576a50ca0a32fa165cf6f0d6fe4d61092efcf8b01034a386ed9507769a09

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
704KB

MD5
193a5f9b7986fd9b50ab20442cf2f194

SHA1
4912b4f7445159b2486daa4f72ef023cf0f429c8

SHA256
2d0eb822cffc2f5d766922d8aebd470c0463293e7e082c4590298475fc3927a5

SHA512
25039c4954bf3f538b8ec57bc8d58c6e6ee36d4973435963d923fef179e09eef9373487754119af9fb6c3f466b98ecf94e63d6cd828bbe55d3a3ee43564ec2f0

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
704KB

MD5
65c9e439ff30cfe1919287e142e770f2

SHA1
160e607b34ce790161766b91082e6801907d921b

SHA256
adf99ff4ade41d95168b6cb8ed5876507b22f715a0e0f55408aef2a833eac48b

SHA512
21c30466cbc35eb2f487a98d03d107911ead7af87dd05c386be8b3b6a3b1c040864181708a0ffd0b0f0fc49866c188afd277ce3f32e75d7af1971da62acd0d85

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
704KB

MD5
1812d22fd32dee1667ee1aa760158040

SHA1
cd05bf4fe2b1f6449fa29eed93337fc7d3bfd06b

SHA256
b00e1c30dd938cf517e4ed2c133cec1695310241c7b679a8aca4233d573eff55

SHA512
c0672ae43691d5824c717836406d3094f01b4e7ebcb503fa63394f033cfa97194bc092a5799c908f363e3f7672993894b674856758a786b1c1c881158a84663c

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
704KB

MD5
3f879aefa1e9bda5027c7facbf1ec3ab

SHA1
08dabde58667f8f1e3886563fb8bfb602d40d25a

SHA256
287e8befb585c879290dba512ac0a1344892bd7be547dcd210805205496c1d6f

SHA512
f754d2c02cafdd770b485a8dd4558138449af0898a9797f8f43c761826994e0ea300d4a4c2ab7cae80c2da418570b2ba40308723056641b55a431ff57cd92254

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
704KB

MD5
4ce8e3720240e7f343214036d9393822

SHA1
b2433f06f57bce04068fc6e2d1cd0c7a8797df6d

SHA256
2defe19d2d72c6cc60880348111da4d50a0b41cb0851879a21864bcc5875177c

SHA512
bc8face655f155ea70283cd40030bab32b3d03577348e765a3318baccf4f477a5bc96f7243af62c25ea6329aa7b8bc4096ccca8f8c0b9626b8d0360c44dbacec

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
704KB

MD5
ad78e474d065ffb21f8cf8a43ce49b02

SHA1
f844b9bd29abec5139db84f1c237bbe0312850d6

SHA256
5a38ec6bb30e4b83feafe54b89f10d30960a4f3a0ac8196b7d6652600a66f108

SHA512
019f63dbc19dae292383be46d2e86494710066fd9e10826e4ba82adfab752cfb871e25c7e4a78d09f9305cfd9eb6772819e56dc5377f6fa963c62fe888eecbe4

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
704KB

MD5
ec7d36a7a724cd2153ffea8a793492b1

SHA1
acffc299405d105023b2187b7697fac51859817e

SHA256
5ba609d881022b964002f9e075becca836e6a1203ff853d47ae6cd39d66d27ef

SHA512
40032102cd4b78861aeddc0553ae88590ad96124bedad41c29f3dc58d6f7d4e598246042e98b908854a39b92e916157714beab8235ea69fde97018564c67497f

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
704KB

MD5
ace1b6827be4f41a709f990e453403ee

SHA1
f52408959ab1f20fa43a998380cfa5197186e4ed

SHA256
047257e8752fe092092bd1b878566f7d014ddbcef096a3930d48ec98435e63f5

SHA512
2531fc2bf3d0918f398d5c891f56142dbce51f42101abd04c772a6431f44e87b4d6968d44bda313c67870edd4b085d26ae2ad36fea843c7cc8ee81c9fec5679d

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
704KB

MD5
ca66769800032c9f51cea5c9df28776f

SHA1
b713923b86a11728efe85ab7bec6de7cb93a88ae

SHA256
bf503ed15404ac578cfd9f56d923a670980be7c42256b54c374f6759dc110fd0

SHA512
316108443bb2ef1ba7975ea36b61d42a4ac40e7383e521fd9a4bdf148e5e9dcc7472d63d2792bc3d4a411f40f4cd1bd214f91fe265f7512667f68a267685e2e5

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
704KB

MD5
ef9d26a84f7e460c04eaa860dede66ed

SHA1
fd10a0920b6237d200ac20f42d5ab24766e0a0d6

SHA256
8374ecd1be87ce4f35bd96c2f7c77aa361ffd9568139aa18b40fcf419597e539

SHA512
8f945e748f498ed1b5adc4ed1c57f41f09e1d9e29fa22c6f56aedea87ca027554510092f675939d819efb1b291af9c3b3f9b549afea5785f8fdfd6d26fc8d8b7

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
704KB

MD5
e129c9e153aae80469ec6c3a545a8efc

SHA1
eb0d4c73a3f66ba4eb9dde62c6fdf8d704f9a796

SHA256
028cd657e148ce48be6acb38ce53438584b174bdf8a7ad15b0afaeaf64a75ce3

SHA512
8f3c2113504194ec727fde8c83e58a7f4f46db550eace38e014acbda560cb9818deb7168644809e3ad216269a027675809d74278307c9b28c3e5409442d44392

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
704KB

MD5
2f3353a6ab4dd2e4f5d23e6af5d36dff

SHA1
6f799fca0397ea920cca3b7500e1f3387fe174f8

SHA256
17fcc32f81b7afac3dc710c347d110da73e184fb54df2020491e292cba579432

SHA512
8c7483021be10ed7d558c9c92e41c15375dc78152efdf2c62f6368462f0d653d77dd0a25fa0be678bd57ab9e2d47f55ae9c311a37047ff580067afbabc7558b5

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
704KB

MD5
6881e65c8cdc9d1edbfefc9747c97347

SHA1
15c5105b12a2d87950475b9d9cbf048111792b09

SHA256
7198c1ea1f4d37b6e2a22ecf0d069b1eb89fafe44e9b00b81b5530ed26b948b4

SHA512
ee8af7079ea3a19dce1bce3afb8e6f459181745ac46bba000d5e3d62f46c162eea662dab4409fc4544903419e76d8b49de4523b543877dc8f3e5cab2a685c5dd

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
704KB

MD5
e783d4435c660a55419e23793dfa2611

SHA1
da791d11fc2fa4c79505e18a4ecabf49c548f93b

SHA256
0fa5e417fc42541689d22f2fa3bad333a468dd1b1827c0f55a4641ea80e039fe

SHA512
34be029476197632eed6306569b73583876002314a18f2948d110a42448e29bc936dc79f1d5963e72ae2dcd7868021eefbd3950bc8a7c02ac021ecb9ba825081

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
704KB

MD5
71d887e3e3538c8be5a8190501bc1cd8

SHA1
a0548770c6a69989f74926f9cf301e7ae7732a76

SHA256
bbda2bb651ea322539438b6ba0466988094a2a08bdd6d01a82efc2b4fffbeba0

SHA512
dcb756f9beaa8445eb52f2111f76d80e130e45bd9dcf64bea64abe6a46b61dd07b697552ad1ce04ec81f1ebf62de8585b4f028a587607f51a9af352eb1803220

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
704KB

MD5
16a40803b4d668c3eb121cc4bc30df8a

SHA1
812bc531d4254abb99916dc9361b94fce6253081

SHA256
37905bf25846fa9931d4aa75103b48f05763c91978884e4a305c79ff9e0fa1a7

SHA512
bbd079f55f7d806cc9ffd6aead786678fe9242b322893db5de937e3a3a3a8aa198350bdc72fa6ef7e991e8f479fab9f0ccb792203390e5cd3505e6a777b585fb

Download Submit
memory/220-1102-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/696-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/696-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/748-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/924-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1056-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1092-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1144-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1256-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1408-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1884-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-584-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-591-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2240-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-590-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3280-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3576-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3920-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4304-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-598-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5032-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5160-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5196-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5236-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5260-1096-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5284-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5320-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5360-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5400-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5436-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5480-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5516-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5556-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5596-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5640-494-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5676-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5716-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5756-512-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5796-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5836-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5876-530-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5916-536-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5956-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5996-549-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6040-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6084-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6128-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6368-1048-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6660-1038-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6700-1037-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads