berbew | bf02ed3a26595fa1526568ee60028135f7202ba51b6145743e0c0526521c5a67

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf02ed3a26595fa1526568ee60028135f7202ba51b6145743e0c0526521c5a67N.exe
Size

67KB
MD5

c3ff0542e6d50e0c282b0d43b0d8cd80
SHA1

7d6a1d15aa5c5e06dcd673476d36288b54003a60
SHA256

bf02ed3a26595fa1526568ee60028135f7202ba51b6145743e0c0526521c5a67
SHA512

4f63253dc987a968f5c487d696f0f5dd8b834b9e7dd5be0d652783682f8c2ae105b9855a898fb34177ab0d7d881c6d2e9b65b85b9387eed2b6f6a583c7705be3
SSDEEP

1536:C9pi573M2WUwmDLanCCNlAnr+261cgCe8uC:c073M/UwmDLanTlAnr+FugCe8uC

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
5068	Lpebpm32.exe
1508	Ldanqkki.exe
4580	Lgokmgjm.exe
4188	Lllcen32.exe
2856	Mdckfk32.exe
460	Medgncoe.exe
3764	Mmlpoqpg.exe
4040	Mpjlklok.exe
4536	Mchhggno.exe
2072	Mibpda32.exe
1944	Mlampmdo.exe
1952	Mckemg32.exe
4704	Meiaib32.exe
3016	Mmpijp32.exe
1600	Mdjagjco.exe
1520	Melnob32.exe
4084	Mlefklpj.exe
4296	Mcpnhfhf.exe
3684	Mnebeogl.exe
4992	Npcoakfp.exe
1504	Ngmgne32.exe
2196	Nilcjp32.exe
5100	Nljofl32.exe
2628	Ndaggimg.exe
2576	Ngpccdlj.exe
2152	Nnjlpo32.exe
2280	Nphhmj32.exe
4496	Ncfdie32.exe
1712	Njqmepik.exe
4876	Nnlhfn32.exe
4340	Ncianepl.exe
1588	Nlaegk32.exe
428	Npmagine.exe
3940	Nckndeni.exe
4388	Nfjjppmm.exe
684	Njefqo32.exe
1852	Olcbmj32.exe
2288	Ojgbfocc.exe
1904	Ocpgod32.exe
4076	Oneklm32.exe
2436	Odocigqg.exe
3172	Ojllan32.exe
3168	Ocdqjceo.exe
812	Ofcmfodb.exe
1060	Oqhacgdh.exe
2996	Ojaelm32.exe
3020	Pqknig32.exe
3964	Pfhfan32.exe
1228	Pqmjog32.exe
2396	Pclgkb32.exe
1384	Pmdkch32.exe
1492	Pgioqq32.exe
2604	Pncgmkmj.exe
1720	Pfolbmje.exe
4548	Pmidog32.exe
2896	Pcbmka32.exe
4240	Pjmehkqk.exe
244	Qmkadgpo.exe
872	Qgqeappe.exe
508	Qnjnnj32.exe
5112	Qddfkd32.exe
4316	Qcgffqei.exe
1348	Qffbbldm.exe
1056	Adgbpc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Ckijjqka.dll	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Ecaobgnf.dll	Mmlpoqpg.exe
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	Mckemg32.exe
File created	C:\Windows\SysWOW64\Kjiccacq.dll	Melnob32.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	bf02ed3a26595fa1526568ee60028135f7202ba51b6145743e0c0526521c5a67N.exe
File created	C:\Windows\SysWOW64\Mdckfk32.exe	Lllcen32.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Mpjlklok.exe	Mmlpoqpg.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Eghpcp32.dll	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Ndaggimg.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Mlampmdo.exe	Mibpda32.exe
File created	C:\Windows\SysWOW64\Chfgkj32.dll	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Ldanqkki.exe	Lpebpm32.exe
File opened for modification	C:\Windows\SysWOW64\Lllcen32.exe	Lgokmgjm.exe
File opened for modification	C:\Windows\SysWOW64\Mmpijp32.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Nilcjp32.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Ngpccdlj.exe	Ndaggimg.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Ndaggimg.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dhhnpjmh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3776	6052	WerFault.exe	199

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgfglco.dll"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhmkaf32.dll"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghpcp32.dll"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiann32.dll"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	bf02ed3a26595fa1526568ee60028135f7202ba51b6145743e0c0526521c5a67N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	bf02ed3a26595fa1526568ee60028135f7202ba51b6145743e0c0526521c5a67N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 5068	2924	bf02ed3a26595fa1526568ee60028135f7202ba51b6145743e0c0526521c5a67N.exe	82
PID 2924 wrote to memory of 5068	2924	bf02ed3a26595fa1526568ee60028135f7202ba51b6145743e0c0526521c5a67N.exe	82
PID 2924 wrote to memory of 5068	2924	bf02ed3a26595fa1526568ee60028135f7202ba51b6145743e0c0526521c5a67N.exe	82
PID 5068 wrote to memory of 1508	5068	Lpebpm32.exe	83
PID 5068 wrote to memory of 1508	5068	Lpebpm32.exe	83
PID 5068 wrote to memory of 1508	5068	Lpebpm32.exe	83
PID 1508 wrote to memory of 4580	1508	Ldanqkki.exe	84
PID 1508 wrote to memory of 4580	1508	Ldanqkki.exe	84
PID 1508 wrote to memory of 4580	1508	Ldanqkki.exe	84
PID 4580 wrote to memory of 4188	4580	Lgokmgjm.exe	85
PID 4580 wrote to memory of 4188	4580	Lgokmgjm.exe	85
PID 4580 wrote to memory of 4188	4580	Lgokmgjm.exe	85
PID 4188 wrote to memory of 2856	4188	Lllcen32.exe	86
PID 4188 wrote to memory of 2856	4188	Lllcen32.exe	86
PID 4188 wrote to memory of 2856	4188	Lllcen32.exe	86
PID 2856 wrote to memory of 460	2856	Mdckfk32.exe	87
PID 2856 wrote to memory of 460	2856	Mdckfk32.exe	87
PID 2856 wrote to memory of 460	2856	Mdckfk32.exe	87
PID 460 wrote to memory of 3764	460	Medgncoe.exe	88
PID 460 wrote to memory of 3764	460	Medgncoe.exe	88
PID 460 wrote to memory of 3764	460	Medgncoe.exe	88
PID 3764 wrote to memory of 4040	3764	Mmlpoqpg.exe	89
PID 3764 wrote to memory of 4040	3764	Mmlpoqpg.exe	89
PID 3764 wrote to memory of 4040	3764	Mmlpoqpg.exe	89
PID 4040 wrote to memory of 4536	4040	Mpjlklok.exe	90
PID 4040 wrote to memory of 4536	4040	Mpjlklok.exe	90
PID 4040 wrote to memory of 4536	4040	Mpjlklok.exe	90
PID 4536 wrote to memory of 2072	4536	Mchhggno.exe	91
PID 4536 wrote to memory of 2072	4536	Mchhggno.exe	91
PID 4536 wrote to memory of 2072	4536	Mchhggno.exe	91
PID 2072 wrote to memory of 1944	2072	Mibpda32.exe	92
PID 2072 wrote to memory of 1944	2072	Mibpda32.exe	92
PID 2072 wrote to memory of 1944	2072	Mibpda32.exe	92
PID 1944 wrote to memory of 1952	1944	Mlampmdo.exe	93
PID 1944 wrote to memory of 1952	1944	Mlampmdo.exe	93
PID 1944 wrote to memory of 1952	1944	Mlampmdo.exe	93
PID 1952 wrote to memory of 4704	1952	Mckemg32.exe	94
PID 1952 wrote to memory of 4704	1952	Mckemg32.exe	94
PID 1952 wrote to memory of 4704	1952	Mckemg32.exe	94
PID 4704 wrote to memory of 3016	4704	Meiaib32.exe	95
PID 4704 wrote to memory of 3016	4704	Meiaib32.exe	95
PID 4704 wrote to memory of 3016	4704	Meiaib32.exe	95
PID 3016 wrote to memory of 1600	3016	Mmpijp32.exe	96
PID 3016 wrote to memory of 1600	3016	Mmpijp32.exe	96
PID 3016 wrote to memory of 1600	3016	Mmpijp32.exe	96
PID 1600 wrote to memory of 1520	1600	Mdjagjco.exe	97
PID 1600 wrote to memory of 1520	1600	Mdjagjco.exe	97
PID 1600 wrote to memory of 1520	1600	Mdjagjco.exe	97
PID 1520 wrote to memory of 4084	1520	Melnob32.exe	98
PID 1520 wrote to memory of 4084	1520	Melnob32.exe	98
PID 1520 wrote to memory of 4084	1520	Melnob32.exe	98
PID 4084 wrote to memory of 4296	4084	Mlefklpj.exe	99
PID 4084 wrote to memory of 4296	4084	Mlefklpj.exe	99
PID 4084 wrote to memory of 4296	4084	Mlefklpj.exe	99
PID 4296 wrote to memory of 3684	4296	Mcpnhfhf.exe	100
PID 4296 wrote to memory of 3684	4296	Mcpnhfhf.exe	100
PID 4296 wrote to memory of 3684	4296	Mcpnhfhf.exe	100
PID 3684 wrote to memory of 4992	3684	Mnebeogl.exe	101
PID 3684 wrote to memory of 4992	3684	Mnebeogl.exe	101
PID 3684 wrote to memory of 4992	3684	Mnebeogl.exe	101
PID 4992 wrote to memory of 1504	4992	Npcoakfp.exe	102
PID 4992 wrote to memory of 1504	4992	Npcoakfp.exe	102
PID 4992 wrote to memory of 1504	4992	Npcoakfp.exe	102
PID 1504 wrote to memory of 2196	1504	Ngmgne32.exe	103

C:\Users\Admin\AppData\Local\Temp\bf02ed3a26595fa1526568ee60028135f7202ba51b6145743e0c0526521c5a67N.exe
"C:\Users\Admin\AppData\Local\Temp\bf02ed3a26595fa1526568ee60028135f7202ba51b6145743e0c0526521c5a67N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\Lpebpm32.exe
  C:\Windows\system32\Lpebpm32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\SysWOW64\Ldanqkki.exe
    C:\Windows\system32\Ldanqkki.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\SysWOW64\Lgokmgjm.exe
      C:\Windows\system32\Lgokmgjm.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4188
      - C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2628
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1904
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3168
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2996
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1228
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:244
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:508
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4760
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3960
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4688
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:380
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:724
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        81⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5048
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        89⤵
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        90⤵
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4716
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:664
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5472
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        103⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        109⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        110⤵
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6052 -s 408
        116⤵
        Program crash
        
        PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6052 -ip 6052
1⤵
PID:6116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
67KB

MD5
df22772a8bb779510f82f35ee408948f

SHA1
b22fb8fa948f5cab0333b0b36a99cb5d86c611c6

SHA256
a34d93d4eb99cbbf8ea69db6c557de5790aa83376c23aa87f14123cf8569ddd4

SHA512
59f1f359cfa464a5655054fd13953025dc6f9756e90a22475c269ade5808210854cec1c824778d703db37130656be832e66fe6b2309b5aa6914f2407a7eb28f8

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
67KB

MD5
01f02a00f6b5e9e060e5fe558e2323a8

SHA1
5cc01fac228e80ce61e36cf460134568ad3af912

SHA256
753c21a5a3bd5b02d7f0c3b3b3a313aa81c01fa8400d728cd173cd04bac5390b

SHA512
e1be5c01d90f4c60da631a6d10c6fbe909213f901fd7a2d979f234b190b2afdfea16deccdde107864362bc41a796dba4e4a6376b85167a8a9cb16dd3e3132aec

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
67KB

MD5
1028da855bb268c4d22eaf8625df61e5

SHA1
31f2d96ee12e569e7f1753b65e52202a9c515c66

SHA256
0bbf15bd8a62a44e345082788f8aa5f53e5675eeca1e306c3306cf7c8e54ca75

SHA512
438b64cbf6543d4f4fcabb39c1bb5f325edffa6e846993d93252cd989f9203e152dfddf5a472749dd99b86c173d13fa010b05ae719ec32d1b4961f15144caecf

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
67KB

MD5
9e36d647fde6579eab18b16e7a4da312

SHA1
6e75a64495cbcb39f3e11bf3c4af4a68eff74ab3

SHA256
63daeb5fbc665e23b46568cc96ae031891aff18c77db772113288653e7e8bc35

SHA512
92d4f22db798744bdb982c7b242e7f9ecf2ec7494f554a060e137ed9c01bdccb5404772a147ea543e32a93c697ffc1c5672f2ace6c6285011233e468b47ff77a

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
67KB

MD5
1ec3ce1655fdc4afaf2dca7f78670862

SHA1
b43735402d5d9fc0a3badad8b771de4c228f30e8

SHA256
dafeed7e7ae9a60a8b2f6225962102df28e1c9b7b13c28faa67302eda385d3ea

SHA512
3800a68129e36810d0d7a1a2674cc28553c6fdb018fea9cd7820454d676ab49f6fd62d162dcb4c4be887c40aee5751754c73441d3a661d0543115f4849276f93

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
67KB

MD5
138324bf8f03d136c957ab7d7b18050b

SHA1
8cf108c97043ce2941edefbf6181a1f48d382b72

SHA256
962868e953fd2780caad4e56592dabc5df90c409a8e81c864f82b124484a2fb0

SHA512
6a23501c4b8a54f20a62fbcbedcddd5ed187db44d5053c92311af378b5346557e0b6763bf1f6ef856b15b3002005373475daa3572a436a6e7474633879f5fc9f

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
67KB

MD5
e2a19fb383919bfcf122ed3ef45ac9b8

SHA1
2748b57b575b716e7065cf13545954948d4e90c5

SHA256
eb6b0617222ebc3374a52838111f2c0c65afc011642fbaee3e5ca656976476f3

SHA512
e9fe42fe7c371e00b7ab9f79ec72f4b519f23436d0ac75096cdd6e215976ed3680fdbe5dc532608ec10c177d8a6bdd3a176ec42f751a987cbb77e53375943651

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
67KB

MD5
3a6b155d6d3f49f91c9ce61b94fbe33f

SHA1
d0e8774322f40ca2f3d899ace9957e5aa0a97ed4

SHA256
14aee5203494f2809c670ec3f59513ca1db2671048ab6dd9d3b2bf175bbdf059

SHA512
135d61381574e7f91ef45f7810a8dccc44a2f81e71f764c5f20570946c6390d505747e3e41a55bd246f318bbe88dfac3f9a9286af1ba54d20c341606b33359d7

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
67KB

MD5
8bbfb6d38f3c898dfc2f5749b408df4a

SHA1
f0ee5b642f7d7c9fd46062ea9c80b681701bc90c

SHA256
b8e2104c5ed38358b7fc8c09412cba62a7def9cf8fe61926318efe3e1fdd740e

SHA512
187602ffa24335337bbab1f0b0bebac76fe284de0d889989ec622e09c39f6d33246f23e9bae8bcbd46b36457d5b0de3604a88f0ef4416e3ddd2a8f46f7f26a36

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
67KB

MD5
9eb4a191b3203b2f4e3f909d5b52b317

SHA1
ad8a0b7677f8a10f0bbf5fdd636b519b58d42937

SHA256
8d3a0d48fc5db87b79b36ff50a3028063379a1be04e999ef60ffdf13b7d98795

SHA512
6b9aee71b35783c9e39c612f289a1e05708cf60a70742eedf9cb935b0e24bacc6573fd6e6a002774fa91927f6525fbac4485f5e5a914b2c4dc6aaa2857d88e2a

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
67KB

MD5
4432f811f70ceb7208dbc0373b9123e9

SHA1
01b5698d321e7d8dc17e28f91af86c07b55d58a2

SHA256
13a99b34bddcc161e1a1ba952685a53034daf4b9488eb69dd003382655f62b8c

SHA512
fef18b413e861e66e6a37b0ac5c24af2381c9a0b575636538820582208477e258b6a91d2de395269b0a2aff67b341c21ce475714008c25393642f2bcbf3e6cb6

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
67KB

MD5
e8b9ed464379e70b33f9121d4f95e4ee

SHA1
21bfbdfa42810b3cee34cd0c8aa81ff67f459837

SHA256
7a554746e5bcab9a2c9acbcc310fb0d51f85ad7594c646821d3c18c847e7ba9b

SHA512
766cf876f081b8d045e1b58dd5ff5947f9a17ce52936e7e288b75a30b7c2c329937205b93a89df13d4ea6f055b03ad4efe9e451af2383d795de85db645998168

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
67KB

MD5
ff0496ebfbc98d49b1d3cd6e9a6f1231

SHA1
306bc6525ab703c8668ca4cd3fc90b0d1de3156c

SHA256
a2fe75e0f672b1be6da6296ded6a4e8c599c2cd7fbfacb79af58ea2708201655

SHA512
3c8685cf82d9d2cee6db4498ae1d938835481dcd222140843151aea7ebf44ec375fb9811e5c8328f90c44bbed46703970c6f735deadbaec694a8141a0717fbb3

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
67KB

MD5
934dcfd341f42936f9f54c4b04c01219

SHA1
7b97611d713c8b9971223bc57bc7d7555d4ee030

SHA256
6ddc9a748fbde57b62417839b257e3105c17f315c030df33d10f9ecb94505595

SHA512
d6cb4ddfe96d10d5810209f29ab19447b9c12a1b4e1e78886734968f931e4d3de40a555531f09fa193e7cd8cbe7e8e7b87fce738aa97fb63ed1444244a03cf90

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
67KB

MD5
19050aeff4db4c1603a3bc4b2bc9aecd

SHA1
54b0d8e66036246c8c4087dca5c803e8527c57bf

SHA256
ee3545a4f39f125de9ce0a4e3db855491884dfcf2a319c7d848ff56d05355aa1

SHA512
073d7b43d26ec79ea3f63f43f7950660d84e90b6410cf277619d418d348e75187d73fd75b2cb4f7a46a549e4e9453a9a16c36e6d84bcca51fd7283735c974eb4

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
67KB

MD5
c5e7cef06d4e52cfa1200cbe4872d014

SHA1
a119a263e2efb02810db451feca84e75e6e4643b

SHA256
3135790b58022e865c45183eac32dbea5aff512890d79635b0a134db9764533b

SHA512
b604f84ac1a344457b7b4abc22336d1c9efcffdbc5ef32013a52733bdfd9056554095d27725b42bff8db1cdce263a7b0cd8ed94e44ba5f81d3566eb74a9556c0

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
67KB

MD5
bb1c4894196f6dc96ca2c492c6eef9c5

SHA1
b12e0cedc37209f3f2bd2e0fcd49dcd0c5c8656c

SHA256
08dccf49bd9e4f6e8aa70f11467ae5101d3754511342a3cdc1af22fa79571c32

SHA512
7f9ca639265575e5cb6fbfd77a7e609e3082b461aa2f98ccbebbdd33fef5d63e922af196644303220a0385015a1f36912c71bb2ddcdd5d0d3b8ca1973e3eb66f

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
67KB

MD5
7230d7f4b1b327a9fcdf157229e972ae

SHA1
5c7dd1e2698f10ef9388309498e07a7611222124

SHA256
0ffbdb2af00b05d99e1aa829f63cc00b4c60b7c5fdc2f25b8753cdc0e1392386

SHA512
0b34097fae75e2224ad2e20e47c683892c3994620dbd172ba395b873c99addf35d408a9daad455a783ce3f2efad5e8c1e211d37f3552e54e7b0da3bcfa73eb27

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
67KB

MD5
8b314dbfe84fb1a01a307f712da24d5d

SHA1
6a42fa0aaa94ea6ad732bd6b153ae55bda21631f

SHA256
75dd9ad959c2e8ab4ca71422c18ffa992abc5ef0422b850b1ab6728b4cc8a673

SHA512
100ee8adac7f50502e2d4021aba02150e98737b9607ce238e47d2d18e8cee8e6be5f0c0272eb0e81ab46ac5150f2ea61ecccbd0b556e9f4eced60fbf410b074f

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
67KB

MD5
c56cd6ef6c7871a16a11f55ce4f1ab68

SHA1
7bba0850451950c5ad5bc23a6ea05f0e071b08b0

SHA256
09fce2faa7d123c426aceb0bbae95dfb73ff226bbc72c500dbc7b112393a020c

SHA512
65790dfd22b3013b35a0ee7cb97a68f41f32174fec9581a1e0afcb5ac67eaa4cad20e3d60b0b6909ea85379b2aa75aebe24480b2b30490e621851dbb8e0e9cc7

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
67KB

MD5
4b242fb433d44549f6d5295642e7d2ee

SHA1
9413b36e955f49e1eb24dabd3e3a6f17e5d973f4

SHA256
6243b969768f84f9843eaad86b784840beffc09b0e575f4166fe32b810466948

SHA512
969582c5ad7c934c259ea3cd97682f8a16b0e9ca99a64efb6062f47e31a2c1af54ff538eb358741a2e03f66958e92a1dfa3efcf33563f96a3813f3d9d9ec8f02

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
67KB

MD5
6b2e161ee7fc2b55a3c329e46949ff1b

SHA1
af80ae1b864fe68bc9f2ebe35b2173b2cce9faf5

SHA256
e36f181dc85d67a7677c270875e508f1af4f7a10f0a03418da7f53ab6ee27dc9

SHA512
cbd3212369d58670159e141840ab749a360d140d44fb56b90d878f8f601d4bc98b63dd06f73916b89e98d0b2d8de0092bf0ad7e1ee0f744f8e5fad3308f2b4c9

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
67KB

MD5
3aff4ec724099d560fb03b078b28aea5

SHA1
045b8c516bcde34eab1b9d23447471bdc484270c

SHA256
f059cd271e0f510d3402bae8e3d9e4da6c5321158e6ec4477490cc86d40a3d93

SHA512
f2abe16aa9566d1fdfff0cec751a6204b0e01da2cc8f33dc73783d4b0e465cbec467607ef1de916c17e5f6a2b93664daaccfd1e3971d13553017c8ea0375e4b9

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
67KB

MD5
71c8a014cc77495d4aa547768742b59e

SHA1
490edd5311f2db1fc678a4090640cec968225242

SHA256
ddc73a5316751d636f53c6c356f938338eb9ec16ea725bdef5155fb2c30fc602

SHA512
955283941ef8a70041cc203b33a76566dfcfbb88bafcccd7a9558a30588b4a6b00c29e76c8862482108d13b68d45eb972bea11ecb307a06e1b4666445909b5ec

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
67KB

MD5
752f1b065c6d5b37101a3d9b15663e93

SHA1
ede47dbd634805d449c2b043659b6962f12ce017

SHA256
fea2e46038b34af54f8455af6b0a3a7ecd17986b6fa45b4513d7f0fcafcbf916

SHA512
7a99eb8116d205d75bfe3dd912c1d2812d59774ddfd7ff6ee306793eb114c3dca7046540a2f7e33b269e2c169ded28270b45ae0af9da9a356ebefcbf2006988b

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
67KB

MD5
c2d45c2dd396434fad7e46ec0bbbebbc

SHA1
b7fc3fe5cd362d3fb4b0b80fe31edfcfec7d7403

SHA256
9592a201ef35e168ca6427b328e4e6324567dccc86464a8806ae1cacc346f9ac

SHA512
df2f9c241c4023e320d70efeaba5828fcea97bb7568de8197def81571940619b9f626432b2fec6fdc32724c464ea543459d4fa1593fea6e0fec47daf6efd182c

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
67KB

MD5
d41956859f9700d7f2bd6798b5e00ecd

SHA1
d1bacbcb48a7e66346060fb384dfcaa9f0abc96e

SHA256
90be340a1e7441c3af49a0cba607fb98b02f1988af2e4404348a31fb6ad8d13d

SHA512
61c12b5e8a0157ac61612db43e5a0bb545cfe84df94b344380d341a46e4262d4406ebb55572a5f173c960bba288d5fe511073ced5a833c5724008a88f468ebae

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
67KB

MD5
9617af165a1efec68e73b5082be8ed74

SHA1
d999e51c12fcec1c4e326e91a7db8a648d795e5e

SHA256
8635bef5c1042d82d936105d6ac4f0100d63b1aedefd600809e9ec3ed219fed6

SHA512
a9708a3f0aee0408204c4ee45a092e8264c8bafba19fe82da6b1564ed38ba59fb8ea17975267e761d4bf05dd7aeaa68d666729168b0c12d2ef752bd32634991d

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
67KB

MD5
3ec0e14851b20b43991189dec9a09808

SHA1
3ff708a713dd62e0ab79f084c83a2a25bdfb4d4c

SHA256
f661df9f28386c6a39d18f71f9c359e4151d9a957ef94c7864d88fa047ccaf1e

SHA512
d162f1409f5f5d6cceb1c95d18a72d7e04e06ba27ad4e9646f78deb0e0c8e6ac909361259505ab47112110bc9c42dfc5b50ca526f1590b2c6c45c98875132d83

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
64KB

MD5
2e3d65cdd5a2912e08c6d741f7085dc9

SHA1
47de6751571615b3a611554abeea78b04532c2a9

SHA256
47c4be117b6f6c8a6c4e22d87dc77b7a501fda5c027f0fd9b45f6c258f885620

SHA512
b506eb6d94ffd7b6405ae98131f9532361a12c6794ef3287cb2ae33dbd17b6aa1d06ade2cc45979bfe8c5f94aeb431f29119acf6187cd0821b6db0e51a16cf55

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
67KB

MD5
6d13b26402aeb03e627d4e6ba98d0285

SHA1
c3ae9e0af414a8c5744ffa09091fc58764353fb5

SHA256
d4890578eebe9d1b5e2fbc22332a840b1d403d5ef35d5ddeba0f7ff266f07972

SHA512
a1c60e038de3ee24a79249d2714c4aef6f3e115aa4e81beaf21ec65cd61e4431eb43ffde01615cb1a176a01a386edd42ae3006f7e82ab9635c801e8e301f17a9

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
67KB

MD5
d3b9ddb2c8f22f586d2900d3eaed0c44

SHA1
3ec7e4b7717e02d2678ce0aa9d3d57a0be71deed

SHA256
01719f13b6ffdee44098ff251348771ec35ed0f167257d9d66cfc9a04f1294c8

SHA512
2f637247073fb3984db96a928d14fd129827058b43b0f810a3d16a9be3160a1e5170a9c977dda54fda8eaea8094f0d1c1c20bdf7a7f2fe149b8cc91d77e74f10

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
67KB

MD5
4c5f5e528cce47155ecac659e0e452f5

SHA1
c9423d5d87ffe0a7a4c05e80f00229a7cb7036a7

SHA256
6918f7d79ad6dda1b553d623d186fb8a36c5c5e351041fc75282f1632208281e

SHA512
6d659a5687006351fb7b2e9347630f6c3e3e5f5713507d1a9e4d9f067ee4173e646b0a38962362d2ddd26890be680ace9ae31c8ef0b6979c1545f1cfd4dfee52

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
67KB

MD5
914a02aa5b48f133bcb1973d5a841847

SHA1
61806e4fda80c891868e7e8919aeb075c9b7924f

SHA256
32f4790b1fd89060743f9273d5f27af7797fd471202b5e25b4d153cd1cee5075

SHA512
4ea979a800763b496e45fd0972593ab407f2285c02669c8f62be6fddd802abb6c44698af9b15c2cbef5e1c59210c9e0ee6c65a3884f8391a57b4715075f2c09c

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
67KB

MD5
2f6b7fbe2aa276070ec47f837ec129d2

SHA1
e3b7c5fd44aa126894125d24f44be9844bf557ae

SHA256
789b4cb584b602c417d8ac2a2a80d453db3ed1858961edd10c51c97448af6ca4

SHA512
e48c02e7f3fa7c18f679d6c6fe4a4b98a14451f852b31959db43c14d682cad7c4851554991b55439aa9368465b2a5d2cce1b2dc37990a9f85162402347565d59

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
67KB

MD5
51a8eefe23862027e5a2dcbd9707163d

SHA1
1f4c2934ab28e19744ba94feb14a8b269fc6a732

SHA256
2e7e03721e2c7fb5528b0cd8798dc108b43b34bdde78a95a849dc014c51a694b

SHA512
4ff7ff5a273735d2b45c36cfc840a738f0e65db7e6661ab30e2ca45cb4e0950073015b0deea2afb03a812f4a452ba9860a2cf0d9abf30f87c7d512378b05c366

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
67KB

MD5
32a085d3841f9a1df523e7cf7b4b2016

SHA1
8240040700f624ecdc6e6ab18aa98a42b0d63f48

SHA256
204bf0c9bf0e77c7f4b262e64a99ac98f829e151ace3a4635d4dd4ca1d68cd1c

SHA512
3ef3ab9899f2d80a25b800e2cc4de0c927eb156ff95a2b53c3a1096d725f32f7f754df9956661abb382b2a166d592f777536fe0dc4a05f733ed84345788a6100

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
67KB

MD5
78d6f8f8ee6a50f4f5f50437f709487a

SHA1
39196912481e62b6ddbb731b315cd03a64c43440

SHA256
9d81daf05ae5265aad7f57a4edc065d3198318d8d1d617cb946100c6c4504837

SHA512
b33e5827b70e0ab69a1317e04faf38dff21af7b4a0aef1c71d5ff50ac8cd3b39b94c39076f4186bfcabc3b323281223e53404000d4b710c15d52a7aa2f89cf4e

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
67KB

MD5
3a3308bc35cf3b6b926e3b50968fcbac

SHA1
d1882782d06d35e4f65b6b5060a37edccde29aac

SHA256
592a2ab8de5e45cfea51f5daf4320001b9a00aeec05e5ff12750082f67d376a2

SHA512
f687b2f097b2da0b423c06e54f3c777733c0d5fbdbd631c32aecdd84a424401b9c8af60cd108eb89281f5f8ff8bcf5f488c86f02f42dd53c179ec25d3487485f

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
67KB

MD5
7e166200a103497b9d3865c9cb5a8cf9

SHA1
7a65c34b836610e21dac69eb85ce25e1ec4156e5

SHA256
9dce3390bd21eb082ead57d7d75b0e074025226dd4ecb646e315e4f99c782d19

SHA512
3a0d432c36eb0b4c25b7d4a16913dd4b9a2198ffbd6b7eee4aff8bc05f0ec75b4e786f968ac44306bf788bee92253afcc3ba43706d77dfd2cae2ed177b37a094

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
67KB

MD5
3c649866b4e72f79fba1713c55dd64d9

SHA1
16ce1f5e64d443cc6dd50c46e34ad75333fc13ed

SHA256
a19a506f48906f71e4a3a9868a37b1fcf048ba78068426d14f1ed902488ff1a7

SHA512
ff30637b4fafb80729d6ae1f628f0ed4a34efb26cd1127027f3c6df431f52e520961c25db7e963595ee9f4adedc0e978f732d3eaa9f6f9888c5d52dd90809296

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
67KB

MD5
ad7497ba6a65eb451688bc6235fad65d

SHA1
fea685df1e2b3917df5744fd27b1353450432c43

SHA256
578b09259b3f8f4959c5b04d0a9d18724ac5d1d4e86c92f25e8680a446599bd8

SHA512
1a4c73dc97ca6cd7e534ac910086c889aa8ee37a72d2ee3e86bd227ad7af6495cd83222dd2647ffeaf32bfb241c77084c41b213f3f7d8a927adfa2e94c771706

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
67KB

MD5
095213f366b6a46b84a4406b48b81b60

SHA1
3780f3a5838a8c0ca8d0c6e241c87a14fc6b8bfc

SHA256
a14887268f529fd4883e6a5743a33a0433953e5eca74ba0297a64e218b08d369

SHA512
73c33770b57ac51f9f4452db0d4626cf1e9b3cf1bbb30906d029a3e6f8231f491fbd8fca76eca5ff3eb35e3f9dcbd17508d0f376b40296be1f50f9d8affaeb50

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
67KB

MD5
ade6b579b5cd7f143abdedc6c84033f6

SHA1
ce2e80dd6fd429fe1e9295de7b40bd5a642c9f37

SHA256
489ccc269b392a96e4d912217a011c1a816bc58e9de2f5bc3ba3789040556965

SHA512
5498629f12a7a0e663c96c1cb11950dfdfc26e24a323a123a46c17c06743ee403f1d68db3f22f6b882e275d4ae91e4ae9aca7ca54644eeb5e58c8a0077e8c192

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
67KB

MD5
cea8e37b78e4b8d7473341ee4044e088

SHA1
a5b68f78d2848af83bc936aa281c13fc2ee8f8c0

SHA256
af8cf5dd224cb1c35bc30230448a1bdbb6f6b97141ea3d6b9a07ec9a168a0436

SHA512
20e4927190b8a3b8b09c6d91eea972850b18070549acc43bf2959ddcceda5c399e1309ee44db90c270bd4bf851dfba4eb8f4b4905f23931321667c550d715758

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
67KB

MD5
c40b1bf91f1ce157e7146b8276bf3370

SHA1
e16ba64c13069dc8d7e5edf1ddc4d8f1f0b65a32

SHA256
488ccf2d4cd8fbdd79c7b0e2b68d15d26b811775868b7ea1f67e54438a134227

SHA512
68576ab5c30e6915a84dd980388fc10189330b0d39f57e952170b3df8483e543708bcbfad693d77f7721e48d12d8a2f0cc8eb1364fac64482ef20ba09988f0e6

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
64KB

MD5
c8f75c62c097a1c6259f5325203a5fbf

SHA1
652526d5287e7b537f564577a9bf7d0fa855a31c

SHA256
71cfb42479e5558f76aa8ab39af2aa2c7d2094944e6d2568b4cf968b7b657b77

SHA512
7de7e4ce23869ddb71a244199093d2d93ca5c9b6b6880d36a7e5fad1ceb398778e67ca480452fa03ddb4e3dbad388dc41ab8ab3e20195d22f03e1376599a80d7

Download Submit
memory/208-553-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/244-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/380-509-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/428-263-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/460-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/460-587-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/508-425-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/684-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/724-540-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/812-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/872-419-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1056-449-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1060-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1228-359-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1244-473-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1348-443-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1384-371-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1492-377-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1504-168-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1508-559-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1508-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1520-128-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1588-256-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1600-120-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1712-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1720-389-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1788-574-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1852-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1904-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1944-88-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1952-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2072-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2088-455-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2112-502-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2152-213-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2196-176-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2280-217-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2288-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2396-365-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2436-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2576-201-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2604-383-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2628-193-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2856-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2856-580-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2860-467-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2896-401-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2924-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2924-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2924-539-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2996-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3016-112-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3020-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3136-564-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3144-503-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3168-323-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3172-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3556-521-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3684-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3764-594-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3764-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3892-527-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3940-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3960-479-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3964-353-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4040-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4076-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4084-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4188-573-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4188-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4240-407-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4280-519-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4296-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4316-437-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4320-546-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4340-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4388-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4496-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4536-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4548-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4580-566-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4580-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4688-491-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4704-104-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4748-588-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4760-461-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4848-533-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4860-567-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4876-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4992-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5048-581-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5068-552-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5068-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5072-485-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5100-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5112-431-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads