berbew | aeee4653143e01806d1e779750caf3e6ad2532dee31d189f81488f32cdc1ba79

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aeee4653143e01806d1e779750caf3e6ad2532dee31d189f81488f32cdc1ba79N.exe
Size

96KB
MD5

6fdcd85795aacdb5802706944d445b00
SHA1

44f07f5825054212303f1e2f6264e24f3bd28865
SHA256

aeee4653143e01806d1e779750caf3e6ad2532dee31d189f81488f32cdc1ba79
SHA512

457c618bdd66248badec887c8e10cea68c6e4d3ef2797a12ebbde118eac9aeee656afe0c74e17b053a2506d120f747eb49f6883a1a580a29acb1926ddf396693
SSDEEP

1536:ECP1/l8Bw8+mjJ1fnPYWTl2LusBMu/HCmiDcg3MZRP3cEW3AE:ECt/uBbgWKua6miEo

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2148	Mplhql32.exe
1672	Mckemg32.exe
4248	Meiaib32.exe
3196	Mmpijp32.exe
1736	Mpoefk32.exe
3004	Mgimcebb.exe
3660	Mmbfpp32.exe
4108	Mpablkhc.exe
3000	Mgkjhe32.exe
368	Miifeq32.exe
2312	Npcoakfp.exe
4976	Ngmgne32.exe
628	Nljofl32.exe
4520	Ncdgcf32.exe
1624	Nnjlpo32.exe
3280	Ncfdie32.exe
1224	Njqmepik.exe
2672	Ndfqbhia.exe
5068	Nfgmjqop.exe
804	Npmagine.exe
3380	Nfjjppmm.exe
4988	Olcbmj32.exe
4984	Ocnjidkf.exe
4068	Oncofm32.exe
3976	Opakbi32.exe
5092	Ofnckp32.exe
4432	Oneklm32.exe
3024	Odocigqg.exe
2512	Ognpebpj.exe
384	Onhhamgg.exe
1420	Odapnf32.exe
3968	Ogpmjb32.exe
3972	Ojoign32.exe
1988	Olmeci32.exe
3788	Oddmdf32.exe
4348	Ocgmpccl.exe
2652	Ojaelm32.exe
2304	Pmoahijl.exe
1584	Pcijeb32.exe
4440	Pjcbbmif.exe
972	Pclgkb32.exe
4008	Pnakhkol.exe
3420	Pgioqq32.exe
1372	Pncgmkmj.exe
5024	Pqbdjfln.exe
968	Pfolbmje.exe
3048	Pjjhbl32.exe
2440	Pmidog32.exe
2268	Ajanck32.exe
4696	Ampkof32.exe
5012	Acjclpcf.exe
4768	Ajckij32.exe
2444	Aqncedbp.exe
4080	Agglboim.exe
3756	Ajfhnjhq.exe
4260	Amddjegd.exe
4404	Acnlgp32.exe
3688	Ajhddjfn.exe
2168	Aabmqd32.exe
4900	Aglemn32.exe
2132	Anfmjhmd.exe
2000	Aepefb32.exe
60	Agoabn32.exe
3388	Bnhjohkb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Mgimcebb.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Kqgmgehp.dll	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Ngmgne32.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Mpoefk32.exe	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Mplhql32.exe	aeee4653143e01806d1e779750caf3e6ad2532dee31d189f81488f32cdc1ba79N.exe
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	Mckemg32.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Jfenmm32.dll	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Dapgdeib.dll	Nljofl32.exe
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Oneklm32.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Miifeq32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Ncdgcf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5252	5160	WerFault.exe	190

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmgehp.dll"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miifeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	aeee4653143e01806d1e779750caf3e6ad2532dee31d189f81488f32cdc1ba79N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 2148	3128	aeee4653143e01806d1e779750caf3e6ad2532dee31d189f81488f32cdc1ba79N.exe	82
PID 3128 wrote to memory of 2148	3128	aeee4653143e01806d1e779750caf3e6ad2532dee31d189f81488f32cdc1ba79N.exe	82
PID 3128 wrote to memory of 2148	3128	aeee4653143e01806d1e779750caf3e6ad2532dee31d189f81488f32cdc1ba79N.exe	82
PID 2148 wrote to memory of 1672	2148	Mplhql32.exe	83
PID 2148 wrote to memory of 1672	2148	Mplhql32.exe	83
PID 2148 wrote to memory of 1672	2148	Mplhql32.exe	83
PID 1672 wrote to memory of 4248	1672	Mckemg32.exe	84
PID 1672 wrote to memory of 4248	1672	Mckemg32.exe	84
PID 1672 wrote to memory of 4248	1672	Mckemg32.exe	84
PID 4248 wrote to memory of 3196	4248	Meiaib32.exe	85
PID 4248 wrote to memory of 3196	4248	Meiaib32.exe	85
PID 4248 wrote to memory of 3196	4248	Meiaib32.exe	85
PID 3196 wrote to memory of 1736	3196	Mmpijp32.exe	86
PID 3196 wrote to memory of 1736	3196	Mmpijp32.exe	86
PID 3196 wrote to memory of 1736	3196	Mmpijp32.exe	86
PID 1736 wrote to memory of 3004	1736	Mpoefk32.exe	87
PID 1736 wrote to memory of 3004	1736	Mpoefk32.exe	87
PID 1736 wrote to memory of 3004	1736	Mpoefk32.exe	87
PID 3004 wrote to memory of 3660	3004	Mgimcebb.exe	88
PID 3004 wrote to memory of 3660	3004	Mgimcebb.exe	88
PID 3004 wrote to memory of 3660	3004	Mgimcebb.exe	88
PID 3660 wrote to memory of 4108	3660	Mmbfpp32.exe	89
PID 3660 wrote to memory of 4108	3660	Mmbfpp32.exe	89
PID 3660 wrote to memory of 4108	3660	Mmbfpp32.exe	89
PID 4108 wrote to memory of 3000	4108	Mpablkhc.exe	90
PID 4108 wrote to memory of 3000	4108	Mpablkhc.exe	90
PID 4108 wrote to memory of 3000	4108	Mpablkhc.exe	90
PID 3000 wrote to memory of 368	3000	Mgkjhe32.exe	91
PID 3000 wrote to memory of 368	3000	Mgkjhe32.exe	91
PID 3000 wrote to memory of 368	3000	Mgkjhe32.exe	91
PID 368 wrote to memory of 2312	368	Miifeq32.exe	92
PID 368 wrote to memory of 2312	368	Miifeq32.exe	92
PID 368 wrote to memory of 2312	368	Miifeq32.exe	92
PID 2312 wrote to memory of 4976	2312	Npcoakfp.exe	93
PID 2312 wrote to memory of 4976	2312	Npcoakfp.exe	93
PID 2312 wrote to memory of 4976	2312	Npcoakfp.exe	93
PID 4976 wrote to memory of 628	4976	Ngmgne32.exe	94
PID 4976 wrote to memory of 628	4976	Ngmgne32.exe	94
PID 4976 wrote to memory of 628	4976	Ngmgne32.exe	94
PID 628 wrote to memory of 4520	628	Nljofl32.exe	95
PID 628 wrote to memory of 4520	628	Nljofl32.exe	95
PID 628 wrote to memory of 4520	628	Nljofl32.exe	95
PID 4520 wrote to memory of 1624	4520	Ncdgcf32.exe	96
PID 4520 wrote to memory of 1624	4520	Ncdgcf32.exe	96
PID 4520 wrote to memory of 1624	4520	Ncdgcf32.exe	96
PID 1624 wrote to memory of 3280	1624	Nnjlpo32.exe	97
PID 1624 wrote to memory of 3280	1624	Nnjlpo32.exe	97
PID 1624 wrote to memory of 3280	1624	Nnjlpo32.exe	97
PID 3280 wrote to memory of 1224	3280	Ncfdie32.exe	98
PID 3280 wrote to memory of 1224	3280	Ncfdie32.exe	98
PID 3280 wrote to memory of 1224	3280	Ncfdie32.exe	98
PID 1224 wrote to memory of 2672	1224	Njqmepik.exe	99
PID 1224 wrote to memory of 2672	1224	Njqmepik.exe	99
PID 1224 wrote to memory of 2672	1224	Njqmepik.exe	99
PID 2672 wrote to memory of 5068	2672	Ndfqbhia.exe	100
PID 2672 wrote to memory of 5068	2672	Ndfqbhia.exe	100
PID 2672 wrote to memory of 5068	2672	Ndfqbhia.exe	100
PID 5068 wrote to memory of 804	5068	Nfgmjqop.exe	101
PID 5068 wrote to memory of 804	5068	Nfgmjqop.exe	101
PID 5068 wrote to memory of 804	5068	Nfgmjqop.exe	101
PID 804 wrote to memory of 3380	804	Npmagine.exe	102
PID 804 wrote to memory of 3380	804	Npmagine.exe	102
PID 804 wrote to memory of 3380	804	Npmagine.exe	102
PID 3380 wrote to memory of 4988	3380	Nfjjppmm.exe	103

C:\Users\Admin\AppData\Local\Temp\aeee4653143e01806d1e779750caf3e6ad2532dee31d189f81488f32cdc1ba79N.exe
"C:\Users\Admin\AppData\Local\Temp\aeee4653143e01806d1e779750caf3e6ad2532dee31d189f81488f32cdc1ba79N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\SysWOW64\Mplhql32.exe
  C:\Windows\system32\Mplhql32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\Mckemg32.exe
    C:\Windows\system32\Mckemg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\SysWOW64\Meiaib32.exe
      C:\Windows\system32\Meiaib32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4248
    - - C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3196
      - C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        30⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        32⤵
        Executes dropped EXE
        
        PID:1420
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        33⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4008
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3420
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2440
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        50⤵
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        51⤵
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4080
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        78⤵
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3460
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        93⤵
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        94⤵
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5160 -s 396
        111⤵
        Program crash
        
        PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5160 -ip 5160
1⤵
PID:5228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
96KB

MD5
1e2d3450daead6bcb947f33642d1ae0b

SHA1
188b946364177d07c80eca3fba831e7f799a331d

SHA256
e74f0591b7c22e438b72ac9a5ff4b33f92761c83961099fd9b636737e8ae0b37

SHA512
2c330fc7987150c10dd5a7cd279bca7424c8af95a1b057e8a0ef96ef4210ee48b6f62d7efab494801ce7c045b8ba7fcc85ca4262978588b463b8ebfa36cff871

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
96KB

MD5
a1b0162112816b70db7fbf6c3a3e4305

SHA1
ca89507cdd412e726ccd4dea50a1fa329d4674ea

SHA256
0a877e8af7e92ef0b911ba915a8442351c5cdce2acc9c11d97e579f557c2badb

SHA512
476179c6936fa6a4d63d09853edf60a6a44473b25ea32b19c2cedbbf441289a212a7a14b11395b17bd9e12d83e1c3a7546cf11556d9073f17454f7bdf1b7bfc4

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
96KB

MD5
e3f3863471674c937bb4a1bcc18a900b

SHA1
b6395ea828c0f7b3ae52c57bd205bc8e54594a3f

SHA256
6d86de7c8dabdcd6222e66f869eef4f10b96a65482c37583b78dacbefb1ddfda

SHA512
24c262b775638de8b5576c2bc4f044a024456416f6b497d518accbbb07aa89b3e99a64d8810b282dd31a34b766dbd701eece73b57ac0905ca6329ac6c3a29c4e

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
96KB

MD5
6f49da2b83b375928926519e3e632b52

SHA1
e2817667653a6d7671e4f287230d715f6db4a4aa

SHA256
66bb97f6b5371adc3bad4bf9369a19b4b16613c49a723fa57fd1343cd9c2532b

SHA512
9e3747775e02ecf2515c5121d3e326609e4f3be1bb8102ed80b86f9c0e7c871bc793c3f23e7b161acadd96da7b5d3959f0e251acfdb315c75fcf598969d0bdcf

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
96KB

MD5
d458586123a15b26cad2edb3e2696cae

SHA1
c573989391a857fbba40579ea52648c9dd0a569d

SHA256
d3d28b4876e22ba8d76c901356337b415afa2e33477797944792b745c77ba9b2

SHA512
8b42730befd6c421404cb244eef5540729217af1ad589f575368ea86648b3cb2deb573792285e5bddc0f139fb0bb79ed60f4453aba0109183a3bc750f8de453e

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
96KB

MD5
2efb8aed19b3c752f12ab89647c21a84

SHA1
3f05644c4e4ac865531277f0d1562d932100adf5

SHA256
852960e54da04b08dda6557d4e38d7b72468816342dd794dd8cb73c02ca5669a

SHA512
a17c2b6d529d7baba5003943e6615e1411116d51cfbc99765923715ef7eb133cb0e80cc52c82e3c90a370646be8faff72e3dd278d5776960bad5f2f136139798

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
96KB

MD5
1ca0104957a8dca32b3e6d859a58eebf

SHA1
b9ad5c6804e902926d1b2f43a3d12be93aace3ab

SHA256
102927f202ac0c10bb5a9d9e7cf972c2c1aea2f7aa784e0dacccdf207dc6abfe

SHA512
4900fde95a424276cb9a31cd919f34e8dd59a39192fcc7f47bbdfa8ada4c3e2fcc931dbc566d510de031e4e9e77d223a84f34e60bf2f87aa834f3e38108c82b4

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
96KB

MD5
201cc746325abcd42f37c65575af370e

SHA1
514ff6063c80445b364a71ac39c3a1b0ac70f4b2

SHA256
c39cb99353c5ff8ffa0abdbafb0fd66f79670d3b3260a567484e9041c94f2398

SHA512
af47b34fe5806d7bd5f528896e820b52fd95849000e9efe84c5082bc5d1f8940980a2adcbfef39ec140a82b49a2d9b0409ad17cd07c73a7c97ee6d0d2e04c10c

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
96KB

MD5
e43d2eb01a42f5a0aed3dfa3a21286bd

SHA1
bfd34ad98037a5c2730cac23d5284a4887164d6d

SHA256
8df6f174479a423e986c7a9c0147d8debcd7a70edd3277a01a8dc5f0e1f48ea4

SHA512
f47e7a603cae08d43af031d08ce5e990d6f04287d3e00216f376ca2e56b1d8ce5986a81e56f856298f46c0582fdf259502577e7a100415c6ef4033527caa5530

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
96KB

MD5
6dbd4ade63c656a78b17e38248ccbd7d

SHA1
e1a02f5c41f8436b8bd1e79bf166fd103a845396

SHA256
bacfd34249bae9f8bdfc74d4fcafb1b7657131a28eb2a91567c0cc0a876cf218

SHA512
f8ea1a862afa63b693f1e30d231ffe39f714f25b97792500ceba28dadf8223ba4566e67e7a8c80e0223660d4832849259c4918c8c64eeb3ec9f0f5e01fbc8122

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
96KB

MD5
f9d7797a071713d37750f0f2fe7462d8

SHA1
9149912f8bf9785dc29c051eef775509c7830560

SHA256
cded28e4fb2e819e1ac38b41b44767aaeb441d81a35210f91f957289b0ffb90b

SHA512
722326a1a2d09138d77d8d6ed1ab7c29c85da84efd482a49df753a68e35d6524d51a4b999f035cb43c95a25840bf9a87b4ae9d7a226e2c69e4e1b506a94bd682

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
96KB

MD5
8fdce46916504c1b855f11b0a8db6de0

SHA1
f4352759cd236d21563d6b92e4103790559c3ee0

SHA256
fd074262371912fd09548f1b566c783fa361a1496af86a6756392abb72764dfd

SHA512
bc300bd3a1753e49504b52bf7dc760b3ba65fcc6c5bf2b4832814eedce549186181efbd766ed20fc0f410cd4c33edceef37dfdbe7f509fb8094b7cce97ae486b

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
96KB

MD5
5f74a9fd2b08b4d49e276876bbe4a2a7

SHA1
7a1e4f76931ab591b598b041c97062c824c76724

SHA256
5ba28b0418fb85eaba7c2e8df3bd456363ded97e07b12e9cce988f3df2f9b40c

SHA512
75bdfff8e305bfa54bb432479455b32a084dfd916c20e9055cd76fc9dd9c75126e1349341c95cb289e9102afe39fd39dd5a63c782e54eade7912f40c738fcc45

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
96KB

MD5
b88b8f9a36aac03cecef534e499ad71f

SHA1
4a202f841c12c712fa7aefb4ea3e98b6cb5675f8

SHA256
60344e8a68cd610dcf1739264ce75f0dac3289485b03751b21623fe42795961a

SHA512
ebe53c45e086efdcca9a361ab1075778636391071e69da5708ebd1bbbf775f0f5b2c8659a41d575fe0ea27fea7ad62b5ba3f9fdca25ecd512a8c071ee6e328a4

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
96KB

MD5
4ac4f968ce26f85ce4b6bcd820e50c31

SHA1
329dd878f239fa727c4ab859a7079e35b52987c5

SHA256
6ee916fb41ab6f34bb61a89d329adfc0ebeff009d1f8e916ca5d7a668d49bdc9

SHA512
e27a14d40be9cb2e44079e71a503d2e36df97642cc6d379fc342b26db4bbe23fecbecda8863e22a5e7011173f78ec0c999f7260f5f2b7b7010fd7c99db131524

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
96KB

MD5
9f03fd7b1a563c59823fef6798120f63

SHA1
dc5188eea2b7bd283cc9bc4142f9c847a3c898ee

SHA256
6683d45b9ae81838f48f3fd2b33293c8fa55305a43388e69231ecdaebb85a12c

SHA512
d295b5722133282223117bee59f8b384c8deb598bf44286452f324a79553f7eebfd495dbc3df04576e6dd12c398d13ca6dfec7c2afbb2d9525c94c7dabc38f4d

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
96KB

MD5
5095e9f9b6154cc59de1904915664504

SHA1
3c8f1bb4b6bc29d47e805584365d0944da085989

SHA256
0796c8b0aeaf81002f4badb049ec1976c9a64a54e5a208113d4eb8b34046d002

SHA512
f0859179d8e2266485bdb5f27e53fd9f1ad57cffff81435194b66e25bee7bec8eeb4135404c56ea7d272f436329255164a3f188f426eab69dac546278c216323

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
96KB

MD5
ae9b98ad114651d7887d18997d144e94

SHA1
20f9c8de980b0ab5a4feb2d64556517d045a1f39

SHA256
6bff06754db094bbe8e85f2f6470655b261d562e7d6a72e5e65d0261adb22a0b

SHA512
0f4dc6a53aa23a5152adcad37c9fb0f2cf9fd9da95c464079c2be7dd7b141672a76e363c47fa8affa8f85b033b7a52f09cec5a6ed150251ec082c3b712e0ca01

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
96KB

MD5
e03e0bc73011280fb29c5cd7056c47b8

SHA1
e74c78066080a0064076e7fee52df80d3d0b0a8d

SHA256
5a2eb0542e8bc56773f07ae0b871873da2f662675e03ea19f7d8d06fd753b837

SHA512
b66f71d1d3ff5eb4b1ec9f3d51b8a33a2b5d7fff6777c84c84ac1b438e94c6dafb7e0308d2df6fc59be09106cdede801c475f52719b7e3f290d837b92ebc7910

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
96KB

MD5
64e3141ffde0291731cb3a135752b29d

SHA1
bd9513abcac82ebc1cd80c0f60c8bd0649e2d9d2

SHA256
b35dc9c5c6a137eb7886ecab51592a7389f6dec230cb0308f225cc7069893775

SHA512
a2a563cd208308167eb17b1731a5cee5af8e5308df157fbced74eefcf45b6de497a7428276c4732b9e7e2c6cdfd7b1503c03e5cc91e5479c2f3809d9000cb464

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
96KB

MD5
2938c48344e35647072cc9409b5ff7ff

SHA1
6cae480a5ee09605d865e93c0449e1da290a7c0d

SHA256
1e89bd0d27bd979e20f5dc05783a1f4fd24d613be807048b43b7ac4a84a9eb78

SHA512
91794d9971f03bf4d55a81bc802c09e69f4ab702ce92ae891717c823305f50c30957acd621759d084eb7fa9235a5411c6e905f271263f1702957d36d37cd2240

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
96KB

MD5
ab23d39a35d5865d1363352806645c0c

SHA1
7550124df40407207fcfe017b4ceb2c8b026e9f8

SHA256
f9b1f1dc7423a26626fa2f52cfbd3b017f30c4e73c9573ef5e52fe0b851eaf1d

SHA512
d8b7d2afd6182eb2a19b99766fac564389cb2b75c7a9d853e763bac01fa206c68bf485c0907d9467859d92a27f558c18aee2fad5f70dd2e931a6f78c98e0d32e

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
96KB

MD5
411e121ada1723225d4fd6d4cad5dc10

SHA1
4b7aab6f6dfb037923a51ebaa3df283e092ba98a

SHA256
ec967db5d5c96f2fbd9fa842515a0d3f1205a30cc39bd124fb89d7dbaf9d9c3c

SHA512
289ab694a88c01504e89148836db3b2e19a7f3f9026c5b189689210c6b0040837178d74327fd0af625ac6c78ba051b97ff263f8f844a672f370ae9ff16805910

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
96KB

MD5
ccd7b2c1f21e9b9eb0b426e875a2404c

SHA1
2ceb5bd2b13ec5d03eb173fb7a361efd4699b957

SHA256
71da10cfb9a9e1a1779e8282f2a3069caec424b1f02f8f19bad83e7571a438ea

SHA512
fad70a37a6618200afe72f7051070130be988d05dc03cb32493260b90737418a823a985cc996d402c9e5550e9bf970fa79391c93650a98338e4e3eef64683286

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
96KB

MD5
9ca013cd789d322158b0c5f6426e64ca

SHA1
a71db8e7b41996f8fc4f3ef0881da957e5c8b828

SHA256
5f4eae0a3c2aa88e7a5be596205d7457df5a40d6165a5f213ae115df9bc410e9

SHA512
37677d72572ca6cbb896b59c26c70239f0ec65c4bc7671524c8a3c3372e554e5fada638a4e30036ba2c3a175e34221ea9fe0bdda3cf2f1d5ef62b3f0299cb5c5

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
96KB

MD5
4e8e5bee715032f14d24770dcc222205

SHA1
242c8161327be506b191ebea14343523a87451ca

SHA256
5b4dc82a2735f2ef7ab7fceecc79fbcd1f416dce64e1df36c04ea3f9c2dc1f7f

SHA512
3ddc431b2c03b62774acfc34802a7c0cfc13ced5bcc46b93e6b4120238703ee4728e19e3c3b44c0aad12316947fa355091b8b4f2028bce8cdc53077e0ced10ce

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
96KB

MD5
fc41222cb215222352fea8fb491ece46

SHA1
9524b47b3da259b61a21f7f18f135ad98d3c7307

SHA256
cefd279037b4006f2e29c3f8bc0a7dd26fb62e1ccae6ffc013951c41da99e0c1

SHA512
bfbf216c2c97574f48c36bd0b2a7e18be5c1de27c52e6a023ea86db7802b7d40eecc33d7e8a7618d45f69fab6970eaa2c7f845e4ac78fa11a5942c6265b0bbf9

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
96KB

MD5
a2a31b2e527d062deef82358024157f1

SHA1
b150d3e782f86ed9e2b00326ef26eae6314f1e10

SHA256
43746f434cb8b7a79e6790fdddf27ce64607aa63e50dd5d25a6a43c5db7c096c

SHA512
cf3d40bef4c2399351c3be0189ed9e64032ee7925f58d6fd60467e57af83e509b83131b01e8af93fc211fe2a6c60dcdde8a9fc20a2daaa1782e244b01c700631

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
96KB

MD5
504b5b9d0842e5800f7bd14e05adbc03

SHA1
4452c61350f28b9f2d91821b8ce2338d5af97913

SHA256
f4aa5c908486bfe9c78a76c5946f40a12f8a4541549dbdf2ccc95d52e585dbba

SHA512
6f357afc8b4c76cc055cf6a609a39ccef49cf2760590ef5402eb74180f2652a6c952516ffd93f052c8548958922bd26378958fb9b0a444b06957c748264182a3

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
96KB

MD5
6fa351e0e5155ac2a52cf6057afa984d

SHA1
53919927d04cfbfe4891fc24fa02dc1826852337

SHA256
dc13f05c23e8bc71948a86fe67650aa6d63d4cc11744eb85d9e7a2c342e771d0

SHA512
65cc1271178812211edf1456d20f2d95a3423157e9ab20d5ffa405e85eaf2ac4ab3e9106b6dfdf3f9cf43061dacc922d8db438cc20b0f2e199c633af80d20d4a

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
96KB

MD5
79d6017556eb9bf5be2b930baeedb339

SHA1
214316bfde662d9e0d77539416e5e0c1fd4b4417

SHA256
c4408d97bc5d2ec5404fd570b68011608db58d28124c50b5780a33909428e9c0

SHA512
bc928a4a34c6d7d729074415da13fff83008fbe63c50d893f9afc92d051e28635719d1bcf9295b4a981099a4a69f4d542679eb29fa488f6061bca324b9c4bae4

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
96KB

MD5
4e7e409f09f80cb44efce5b7402ae4ca

SHA1
40697da5bd32f33ac2469cb42683a6c54c539c8a

SHA256
02a7879cdb6670809c40e0f0b3c7e5fdeb7c913d31eee57c79f8842dad0d86d4

SHA512
105d88c3e0588e384ace7acd368cba65b520be9230b875ac7ba696152e7ac9e954a9f97da7b93bd87534c0a081a8925aa01c3d1be08ed9786e61472b1d6eee48

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
96KB

MD5
db60dc4f75e873090bf429a91bd6cec5

SHA1
a43b2a4076290584228413aa65bdde5a3751ff49

SHA256
5a8340efa014edeac6bf560ff8249d291c988a5f0e773b656bc6bb4ace70bc44

SHA512
dcd80d88719fbd12eb80bd1228148e0992005886e341c4c8c8720a7a7ea71cb426b465d96fb355df938d612d5a2544e059b9960ab0fe59a30c7cd163f99ec918

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
96KB

MD5
465605bb6a81b009cd84b03e8353c9a4

SHA1
592ac751658259d2e77e07e00cb9ca4fded142b2

SHA256
ed25c0fa07bcdca798f6fd141b7c994ebb57a0b0d6d75a17cc74fb9e25180fb4

SHA512
11f2af0aeba2ca40a7a0ac0b7dadec0250aaffa6b8e0137b1b00619c455fcecbbd68fa4eee687ff6a7777d79f51efab9ac218840d22be8dadcc48fc8e2e2d5c1

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
96KB

MD5
7bbfdf17f1433820938085e508dc4489

SHA1
42c8734b97b2b82e8e8c73368d789540e3f2fb61

SHA256
bdbd099dfa65b61bfa4a554c2ff5505a0e78309a02d77d46314488b0ae122d25

SHA512
9fd5b43b3141ab6ceb78aa5bc39eee277b8e209a240927c366b1b6ed1f3587b091e8f65e6f9a699b41b361c380fc5e11fcc87f669ab2bd8a1892a2273f1a105c

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
96KB

MD5
47ad00b215dd4985f1a4e1606c3ba08d

SHA1
8e1673826e131bc3397a9a5ffffddadfe77af701

SHA256
a3384f766899678d2c1c125f426022036e7b6cf4f86a79dfde84fd3eac683ee2

SHA512
0f6421e417a0016d112f9c15f8b47900810199e06ece8f7a3da7821b373c8e47ba1f85db463c6f324ae9e09fd7bebf54d560239224c8b38dba17fdb986eaa99e

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
96KB

MD5
481eb6477f6f25c8688fb391e1a29ec0

SHA1
70631fe88e9ee977d171e78b0c3b342a5f219973

SHA256
5d6cd6768c8a19bbbdd49d3a8a9a9132df5453c026741aa18b7cd20838cb7163

SHA512
fcb91d2b01c9069f3ccbcb40ccf7d73829d947539edc2b6084b5bb2f5cbe8a5b5ef4910133efcf08f5483c17835fd84aad93a8357bdbe0dcc2ec470f30254156

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
96KB

MD5
b747002f4781f8e4961ce9312edce33a

SHA1
9c74e7c3ca895709c66dee1896ebc4daeff37325

SHA256
3718ddba858a9b917dea62cf45d5bb2248863afb625e4c3dde601f2b4468fbc3

SHA512
6525e7488a7ada9bdb7d09074782930d3049068b1e4d7600e4b8e8a9e80c81403a661bc6567223e2fd9c8548ec9f2e9df810b0df18424fed54b09a417920afd1

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
96KB

MD5
6313bf0b372868653522818bbef2c2e0

SHA1
0049873bf7e42ad8a63b64f1e951c29048ab2d8c

SHA256
7f129ccbc19d874d96c452f6ad7704c5569eb6531113a60c0f729259a0c1827e

SHA512
84907623a2ff41a47ed080b6aeabf2ead7c87a712ee5810a778a0f2c80ca608bf39f4e2de189f01eff3b08d9aae8313dca659a3485dbb88551a4820b5ffc1551

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
96KB

MD5
72ef117136a7a7e4acc94373c02b87b8

SHA1
d9e7fc19b1cee8bc6064d6435b62ffbc612dc594

SHA256
224d017dd7cdddfc848577943066e6647d6734986dc31b7112a875095b84f934

SHA512
f55dc431f4bdbeb5da58f66c58ac05e9c41c8c1eaa73140cad37431bc38dbeac5b5662f361e0946c020960954433a921c3ffed6448e40d6025465e3ec17b0d58

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
96KB

MD5
26b98ab498fa3b8c6acd9dfeb9152f98

SHA1
1c7f9de36968dfbcf4567341f22b86ed799ee769

SHA256
7c6b0acf3dcd484c48bf965bdc011d18b95d37548bcdc1ab928c27c674a94162

SHA512
ef1624c8ba56f257c8615cccad15e68fbb0b97b81d9271833543d999fe720f61946b37d6485219ef6456b4f11a6b5c9303d71c6f1e3cbee4ab04cfdaa963beef

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
96KB

MD5
35ef15d9ef9172ec1c779b2141c7d0b9

SHA1
ed91c53e6e89dfffe231b51644808ff050f97773

SHA256
4bfde3cfa88ffa437aca2d10d708ad5bb55865dd70f83386b1b13698c7887342

SHA512
b81714e286dab79a80ff1c42fc640034b654df3ade1a38c20d24c1f4a0be0b31b324ec678490bf38b27b9ee3a7c026445a87c0bc34de4e22e5d79c358eeda70e

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
96KB

MD5
a8cfac0d28088504df7b0c3b232d7033

SHA1
efec06339ab93a845c3faf4bafade9ddcf35be25

SHA256
7ce95d952e19133b5061876d74fafb4fc4bc9c0b2b027b9f2a4ca8663b37af85

SHA512
e2f250f691c0eac45ec69ae2ead16a58160e354f17ae90b3d39892ad057ca659e94fa4a150459ba5ff2027c0cd062a642265359ab60b5bde554a35357748a940

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
96KB

MD5
88d9ff7c8c1f5b1048fb06c0469ac203

SHA1
5153f43f039d284871251c837d085c641bcc32d1

SHA256
c8b92884bef4706a0be67c2e37e9c1243183f618c7e019bacda0a1b009523f13

SHA512
65c8894f9da07e0127dd7bd6cb065d814e2fd5359c4c88e26e05e34bc66211ae696a80bb10e0be42c7fcbb2a23f7959f313cfda630fa0d9a2f702484add4b042

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
96KB

MD5
7b2ba8811c1901276968137478006056

SHA1
3bc1bddb12d4076d2c94d3486af7683f57379b93

SHA256
cc60499f57ffd516984220784f385f67a2330f4cdad42e85cd016c60d516f079

SHA512
d83ed6edb1e12a0d8d96876edf313705be61a83f16485ee10f88acbdc1d09e0cdf83fa2cdeb5b3f3fd19d9e8c95d8e810dbb1f2311366efdc34f1d36cc5f07f1

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
96KB

MD5
a8b46c95920b510674845ddd3b5116ea

SHA1
0a345a59c9043c97f02614db7a46e6a9850a4b96

SHA256
e30cc1c1c0a3d0a7ff81a394037b63a3984f3a1c3af242ac9f15ab09517f1f34

SHA512
9b0b2574c5358845991f8f934d62c98a85181e2897a0fe9b2c13543406ee01dead72336dc9bdd11f5f5c940f1207c69b5c788473c2e5172067d7f8172606e2b2

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
96KB

MD5
9a375cb13608454313030fc3faa9a1cc

SHA1
616ce85eb04ecbb1816d87ad8407b18ffae5aec0

SHA256
72e50c3b1e9883ba2d9cc3faf3315c0e460c62e3d296b779e031e07bd471c1f1

SHA512
5538da98201aad997c63e19277706a31619da84cb99d0c88711b805a8ac95bfc0127e38771ec12f9cc8484b45dd2629c9b24057b835eb232112db0af6b02af79

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
96KB

MD5
d07d9d173de3747a02e023baa3be718a

SHA1
04e06ec9bf274744fcaec78c9bbee14298cb2c65

SHA256
576a59a102e3b7f1d3ab3506e94b83a14a37f03bef944da19802565e22d6c6ca

SHA512
254ba24a107cae5b79d652790c3c722950770710f7f5e9f6ac70c9dd52b1d1a4de2746bb88f96f23ba39d15ff2ee9ddc929a50d9830d957161a1aeda425db36f

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
96KB

MD5
154e42d39c0d21b02e468339eb86c5c8

SHA1
e534e1f4627c614c0275f569e1f6d3222fa177ca

SHA256
1f32e114fb560332483dda361028b75411f21a742a5e514db4580ce71f0a712e

SHA512
3a39c3f1d3bda575062b198da9dfc53f574fbc689131c49c7f74587e9facd5a77ea0b65a87b1e1c77d54a9e77ee22771625b91d2930cbbe994eea8676de9fd40

Download Submit
memory/60-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/368-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/788-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3128-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-765-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads