berbew | b4e989d3b32e8bec1e92173ece4fad244f07da784b4c02e8b1488b9ebda3f1f4

Analysis

max time kernel
94s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4e989d3b32e8bec1e92173ece4fad244f07da784b4c02e8b1488b9ebda3f1f4N.exe
Size

352KB
MD5

f321aa6b78836f50e4d872c41f7d9730
SHA1

d155321e0b4103d67e2a74bbcc947532fdd483dc
SHA256

b4e989d3b32e8bec1e92173ece4fad244f07da784b4c02e8b1488b9ebda3f1f4
SHA512

b0c1976b3b3f29a8cd10753459bdb78e7ef7a0ece60e2aa5012d5a20d9533b249cd472ac50dabbe71fe680bb512f82101f088745ec5f00dac0f9a673a6140805
SSDEEP

6144:GeOihAawCF0iezpr1ItvLUErOU7amYBAYpd0ucyEWJrj1mKZHPSv/rpwMBhpNFdN:Oih3lF2rCZYE6YYBHpd0uD319ZvSntnr

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b4e989d3b32e8bec1e92173ece4fad244f07da784b4c02e8b1488b9ebda3f1f4N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2344	Mckemg32.exe
2780	Meiaib32.exe
392	Mmpijp32.exe
732	Mlcifmbl.exe
3480	Mmbfpp32.exe
3620	Mcpnhfhf.exe
4852	Mlhbal32.exe
824	Ngmgne32.exe
1816	Nngokoej.exe
4304	Ncdgcf32.exe
1700	Njnpppkn.exe
2000	Nlmllkja.exe
3768	Ngbpidjh.exe
3048	Ndfqbhia.exe
3632	Njciko32.exe
4760	Ndhmhh32.exe
1212	Nfjjppmm.exe
1192	Oponmilc.exe
4544	Ocnjidkf.exe
4816	Olfobjbg.exe
3952	Ogkcpbam.exe
2196	Ojjolnaq.exe
2952	Oneklm32.exe
1372	Odocigqg.exe
3204	Ocbddc32.exe
3424	Onhhamgg.exe
3064	Oqfdnhfk.exe
1868	Onjegled.exe
4024	Ojaelm32.exe
5040	Pnonbk32.exe
4868	Pnakhkol.exe
1264	Pcncpbmd.exe
3476	Pjhlml32.exe
868	Pqbdjfln.exe
4408	Pcppfaka.exe
4416	Pnfdcjkg.exe
440	Pqdqof32.exe
3832	Pgnilpah.exe
4668	Qnhahj32.exe
896	Qmkadgpo.exe
2336	Qceiaa32.exe
4272	Qjoankoi.exe
1600	Qmmnjfnl.exe
448	Anmjcieo.exe
3124	Ampkof32.exe
1584	Acjclpcf.exe
4316	Ajckij32.exe
2556	Ambgef32.exe
1864	Aclpap32.exe
2668	Ajfhnjhq.exe
3328	Amddjegd.exe
3252	Aeklkchg.exe
720	Ajhddjfn.exe
2788	Amgapeea.exe
4208	Acqimo32.exe
4360	Afoeiklb.exe
2612	Anfmjhmd.exe
2940	Aadifclh.exe
3452	Agoabn32.exe
316	Bnhjohkb.exe
768	Bagflcje.exe
5024	Bganhm32.exe
3384	Bjokdipf.exe
452	Bmngqdpj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nngokoej.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Ngbpidjh.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Mmpijp32.exe	Meiaib32.exe
File opened for modification	C:\Windows\SysWOW64\Mmbfpp32.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	Meiaib32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Odocigqg.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Amgapeea.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4112	1464	WerFault.exe	185

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4e989d3b32e8bec1e92173ece4fad244f07da784b4c02e8b1488b9ebda3f1f4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhkicbi.dll"	b4e989d3b32e8bec1e92173ece4fad244f07da784b4c02e8b1488b9ebda3f1f4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	b4e989d3b32e8bec1e92173ece4fad244f07da784b4c02e8b1488b9ebda3f1f4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 2344	4856	b4e989d3b32e8bec1e92173ece4fad244f07da784b4c02e8b1488b9ebda3f1f4N.exe	82
PID 4856 wrote to memory of 2344	4856	b4e989d3b32e8bec1e92173ece4fad244f07da784b4c02e8b1488b9ebda3f1f4N.exe	82
PID 4856 wrote to memory of 2344	4856	b4e989d3b32e8bec1e92173ece4fad244f07da784b4c02e8b1488b9ebda3f1f4N.exe	82
PID 2344 wrote to memory of 2780	2344	Mckemg32.exe	83
PID 2344 wrote to memory of 2780	2344	Mckemg32.exe	83
PID 2344 wrote to memory of 2780	2344	Mckemg32.exe	83
PID 2780 wrote to memory of 392	2780	Meiaib32.exe	84
PID 2780 wrote to memory of 392	2780	Meiaib32.exe	84
PID 2780 wrote to memory of 392	2780	Meiaib32.exe	84
PID 392 wrote to memory of 732	392	Mmpijp32.exe	85
PID 392 wrote to memory of 732	392	Mmpijp32.exe	85
PID 392 wrote to memory of 732	392	Mmpijp32.exe	85
PID 732 wrote to memory of 3480	732	Mlcifmbl.exe	86
PID 732 wrote to memory of 3480	732	Mlcifmbl.exe	86
PID 732 wrote to memory of 3480	732	Mlcifmbl.exe	86
PID 3480 wrote to memory of 3620	3480	Mmbfpp32.exe	87
PID 3480 wrote to memory of 3620	3480	Mmbfpp32.exe	87
PID 3480 wrote to memory of 3620	3480	Mmbfpp32.exe	87
PID 3620 wrote to memory of 4852	3620	Mcpnhfhf.exe	88
PID 3620 wrote to memory of 4852	3620	Mcpnhfhf.exe	88
PID 3620 wrote to memory of 4852	3620	Mcpnhfhf.exe	88
PID 4852 wrote to memory of 824	4852	Mlhbal32.exe	89
PID 4852 wrote to memory of 824	4852	Mlhbal32.exe	89
PID 4852 wrote to memory of 824	4852	Mlhbal32.exe	89
PID 824 wrote to memory of 1816	824	Ngmgne32.exe	90
PID 824 wrote to memory of 1816	824	Ngmgne32.exe	90
PID 824 wrote to memory of 1816	824	Ngmgne32.exe	90
PID 1816 wrote to memory of 4304	1816	Nngokoej.exe	91
PID 1816 wrote to memory of 4304	1816	Nngokoej.exe	91
PID 1816 wrote to memory of 4304	1816	Nngokoej.exe	91
PID 4304 wrote to memory of 1700	4304	Ncdgcf32.exe	92
PID 4304 wrote to memory of 1700	4304	Ncdgcf32.exe	92
PID 4304 wrote to memory of 1700	4304	Ncdgcf32.exe	92
PID 1700 wrote to memory of 2000	1700	Njnpppkn.exe	93
PID 1700 wrote to memory of 2000	1700	Njnpppkn.exe	93
PID 1700 wrote to memory of 2000	1700	Njnpppkn.exe	93
PID 2000 wrote to memory of 3768	2000	Nlmllkja.exe	94
PID 2000 wrote to memory of 3768	2000	Nlmllkja.exe	94
PID 2000 wrote to memory of 3768	2000	Nlmllkja.exe	94
PID 3768 wrote to memory of 3048	3768	Ngbpidjh.exe	95
PID 3768 wrote to memory of 3048	3768	Ngbpidjh.exe	95
PID 3768 wrote to memory of 3048	3768	Ngbpidjh.exe	95
PID 3048 wrote to memory of 3632	3048	Ndfqbhia.exe	96
PID 3048 wrote to memory of 3632	3048	Ndfqbhia.exe	96
PID 3048 wrote to memory of 3632	3048	Ndfqbhia.exe	96
PID 3632 wrote to memory of 4760	3632	Njciko32.exe	97
PID 3632 wrote to memory of 4760	3632	Njciko32.exe	97
PID 3632 wrote to memory of 4760	3632	Njciko32.exe	97
PID 4760 wrote to memory of 1212	4760	Ndhmhh32.exe	98
PID 4760 wrote to memory of 1212	4760	Ndhmhh32.exe	98
PID 4760 wrote to memory of 1212	4760	Ndhmhh32.exe	98
PID 1212 wrote to memory of 1192	1212	Nfjjppmm.exe	99
PID 1212 wrote to memory of 1192	1212	Nfjjppmm.exe	99
PID 1212 wrote to memory of 1192	1212	Nfjjppmm.exe	99
PID 1192 wrote to memory of 4544	1192	Oponmilc.exe	100
PID 1192 wrote to memory of 4544	1192	Oponmilc.exe	100
PID 1192 wrote to memory of 4544	1192	Oponmilc.exe	100
PID 4544 wrote to memory of 4816	4544	Ocnjidkf.exe	101
PID 4544 wrote to memory of 4816	4544	Ocnjidkf.exe	101
PID 4544 wrote to memory of 4816	4544	Ocnjidkf.exe	101
PID 4816 wrote to memory of 3952	4816	Olfobjbg.exe	102
PID 4816 wrote to memory of 3952	4816	Olfobjbg.exe	102
PID 4816 wrote to memory of 3952	4816	Olfobjbg.exe	102
PID 3952 wrote to memory of 2196	3952	Ogkcpbam.exe	103

C:\Users\Admin\AppData\Local\Temp\b4e989d3b32e8bec1e92173ece4fad244f07da784b4c02e8b1488b9ebda3f1f4N.exe
"C:\Users\Admin\AppData\Local\Temp\b4e989d3b32e8bec1e92173ece4fad244f07da784b4c02e8b1488b9ebda3f1f4N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\SysWOW64\Mckemg32.exe
  C:\Windows\system32\Mckemg32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\Meiaib32.exe
    C:\Windows\system32\Meiaib32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\Mmpijp32.exe
      C:\Windows\system32\Mmpijp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:732
      - C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4416
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4668
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        50⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        72⤵
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        77⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        78⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:540
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        83⤵
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5012
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        93⤵
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        105⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 216
        106⤵
        Program crash
        
        PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1464 -ip 1464
1⤵
PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
352KB

MD5
43352c4dbf0adab6913b4e8156c6f3ec

SHA1
121a6c5c04830faad1ad191b97eaea21279bec72

SHA256
0216ec38b5d3ae1ca56a224eef549cb743539bf42ee3c4cb3b43a493faeaca67

SHA512
8bf6c225f470bc8c283b2f95aaf9a6b2a5d48be83a99c02eae026139ab4aee12a3d40b684821ec28eb4a900cbcdbb7508922b44ae1029c2195406566d1875415

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
352KB

MD5
092f8b4055120023a5547987f99f0e19

SHA1
a7a5de1fe1204126c3974873b74dfd49cb0cd456

SHA256
71891a182c3d2d68392715208919523e45593ca83df562d24881000a1115a49b

SHA512
27c3fbccd3c9103715b1aebe120fa0abd11215b3cd8fb28006dd0a18fbaf745c2e6ae8a5eac38ab998b8b2506f325cc62537339b67038a9cc73fb5df41c85b64

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
128KB

MD5
320bde06ef19c40d14cf7096e3364e51

SHA1
32cf7c06dc119ca43cb1615a22a371359c8e78b0

SHA256
d4d30a32091e85bf3f24aa3fd95b2fdf7f9ab76410269000616316c94fb0c9cb

SHA512
115d45d9d7dc678f4610b9f7db7c2ed8cfb7305c9c1a50bcc19af5c100768c2e85e7a2feb24217eaf852f8c5e0c240f0a5541b60e0b9979a97cfd7d586295467

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
352KB

MD5
6d7533a0e5a0443667206fa4a937cbb4

SHA1
345279016f1d6f227fe5da711297a5211de15ffa

SHA256
aa5ef937f261ea668838165157b476c1c0c9f09af1c29c52688606e54aed3a6c

SHA512
a4b8c9739f61af6e4cb4a8a865887fbd21d65bedd7e262a826f0df9ebdb1bf13cd7d6197d0013d1e0c863b6c206377133de52952041075e684bd1989d9d876ed

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
352KB

MD5
859a31342d8f594e9114392c9614e3a8

SHA1
fa42b74b881306a3df697da1c4e07b6759b770c7

SHA256
d20981a46ca3488f77a7668f3fd8ac7e0ffd08d2942507dc74534ab8f62a140e

SHA512
53492ba602fe133cc370544b50af19c5600b7d6c89e17c126fda06528bd929d0119599dc40e01950ab500f2ecc0619d37b09723e8d93f85c24e0c011211bb029

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
352KB

MD5
e627f46a5db756bd6e0a355c91935bb3

SHA1
a041f6949e93d267fb776f236688e9ae94d47f27

SHA256
a9c7aaf493d750ee4c6191316a7980ecaaed14683d7c2ec0651ebdf356817bfa

SHA512
a873af8f15c0fd2b263cc3e4559991dddddb8b407b7df0634cf8ae452141cd9cb599cff4440b57e5b51439de0af88581caa6342bbb6c106908d6dd2eaba86844

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
352KB

MD5
18f9f001f65ff7134613d9072497ee00

SHA1
8c15aeef3be0f84d15e71e4f160ae78e77625326

SHA256
fa279f337853488ee42e9c144bb2d5892dd310301b89fd2ced2c386a244174c8

SHA512
70a739f92b518adde9697102566b4c6c5ac0447a2b8931ece04fd28850b30391353b34e0316e66426d359a7bb1e3f05abb13951a15e09025eb8338ff8b0dbac5

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
352KB

MD5
56ceca650c9959e2bf88c475e4443229

SHA1
4946c31a7c6e68b137da513c08a9aea855320342

SHA256
5a8da7cbe855bbb4db10ad8fd7df89ac00588150dc5116899acd4d68eb55617d

SHA512
9fed15343999c04bf261d2c3fd6eba1320d3754d1ffec57f5374c8fc5d628b44ea55c7ebec94bee025ce3b71ac9100310e642b66ec8ecc3dcb2ebd3d685ddf73

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
352KB

MD5
4ecf5b6c2c124a2c600d1fcd0f201dc5

SHA1
fb8b1ed30036edbb124e482c33676f3692a3c192

SHA256
0bf22d2cb99480a9f248b57b3268d99743e4cc7c33339a45c98812e19dfc7bad

SHA512
425c4052aff872197a78c9109cb438de09bc5a59d25508159b9f12d6b3c2fc28459a704ee86a2b98a0df3f73ac9d23786e515d85f1c5bcaa86dc709255ef8a7b

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
352KB

MD5
fa8eb416c68e329fa5742cad38c0f9e6

SHA1
190d229f62bfaea24c2bc4a900857613ed19cbb5

SHA256
649610172c66ea1c94a151bde10f64e60f47d5f9b51fbe133c1d140889474579

SHA512
3f0cce859c1bbc9a09b61eef9cb556b067278935e1b73d9026db672c93b47fc052ae1b78ede54bfe6bfa19a0086db643bd6c42f6c1b7c636947c88e566ca37c6

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
352KB

MD5
805589635f33d3971cf5a066be893fc4

SHA1
4f570154a0c3e73e8868ec55dd00f0fb3cc15795

SHA256
ba85a6e7083313ce3dc2baf9227c492da276a9a27fe420415d703cf663f839ee

SHA512
fe41dfda9be3a9fdc5fc4544256dd4cc4d70c24bf0a9b2ec43874fa74dadd9d4805d983cdcd85fee10d5b5690d258d8457c7ad4dd09190ab1a2d6d5a2357219b

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
352KB

MD5
bdf17bf1011e0b6c54f8b3161c1bcfcb

SHA1
db77be0f445754f3ed92f1436bbb4bd4ce79a5c9

SHA256
6b9c1bc49543f84267d13d1b63d4ecc2e90124f9d6a492ddca455313212ee7a0

SHA512
cfba0ff82a08bcfa41c686518b1f9df0f9ef5f76e69ec4b5cf12a97ab0de160fb947e100b5c891d3444b17c4b63f5dfb139f7abeeb09e0122e3e11b196eec85a

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
352KB

MD5
3525ceafcf9811a03fa51dd0f007f740

SHA1
8d17734494cacbc6c93927c7d3e704ffdb27f32e

SHA256
14486a422d8fb65f805071e19c598963e6422bc331a8bf27bf2d02915dcc99fd

SHA512
f4a9e82aaa9fbb84f722174ede3fb7e4bb56e5bfd300a03657496ce0faa5e71778663d04b8f0f4a2676b0810e403ef2cd305f4a38e934f1cbf775811db409192

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
352KB

MD5
120e1dee7d3d9baa5aca931f8f9af124

SHA1
1965ee7c3afb0b8616d8b6c2a778792dc562f4af

SHA256
cf5ea708e6386114ac185db97199f62e2479d4bc68866bbf0133c6ec6edcb50a

SHA512
ed69e2956bd24db4371d4fa7912b873eb53f19c2e37697291574bfd317cd428d5cbc0e33232b18bf6ee38cd77c872df258bb396fdaece1c12218789353f96d87

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
352KB

MD5
d96fe9877c57799e87fbfc0567bac8e4

SHA1
93c014b113c901cc00e0f635c9342d506ac6371b

SHA256
34a12efbb27f38d5a4d61e1b0616d9fed584e8a4cdee43be09321530c6093c27

SHA512
128fec89813470da98d1e4e8012ab69bb48248fd7a3f4cf7124ab5d0844a5cebc6d9a0514531e5c9d41c91918217a1d96245679d94a8d03d72004f418c5983c7

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
352KB

MD5
c274547d154567e903257bf8ecca7d47

SHA1
d4e8f0c1e1183ab404d372f6a85f1b2ca0a707c5

SHA256
6fd89f126e3bfb10f2d9703a7645d1c386238c619cebe27368727c08035cb5ce

SHA512
b8f18d66ffe80bf71f2f9cf999f444ed1cac27e4a67be92e7adee526fef59e856d2c8e5a103036a9aeaff0534b7b556c7c15551a65af0e6fb393588f05f9390e

Download Submit
C:\Windows\SysWOW64\Fmijnn32.dll

Filesize
7KB

MD5
2db690ac6a0c3a9653db6032a5755114

SHA1
adba80c19b4df95e761f9335d2ecb650e0852bd4

SHA256
c75644440ec3b1666e774e7f99c284ed0f5577bbb3d453e4c0769970fe78c3d7

SHA512
7d5da5b371f7cd15115a1ebcd5c23d272984db8fc69c351dc0abb7701bb51a1dc6e9b9f08899b257154b91ec1e1a08007848f79d41e9861f8a361053fbd52b93

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
352KB

MD5
2ce892f528c74d4808278459923ada63

SHA1
5ed0a3fc9b29ffbfd4081dcb5d28bc349380fcf3

SHA256
bebfd2985e2a60d6d8f71614f59e08311d029a079a49dab5a591e36d3c3ae082

SHA512
0215c6e8e7710f038743ba1bf305483b5a328bda4ea1be4600b7b53a83f6ee3a06011d1271a5438a7dadb52daa6dfe890ee736cb9a78256e02a5ef66b5b4349f

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
352KB

MD5
00ae89e2612cacccab2dd92638904ec3

SHA1
e5a2c687061c10259b16df7b1e4776b2710b3c54

SHA256
36a094e74ca568e69dbf4def346f8a7a6d2fe9957372503b9e4377e0abaaa07e

SHA512
2ab2e7cbe26333bd765cb3f155ebd5cc84db75966185c54274ff3b9de6d62695daba7c32ed5dde49fb3afb5386cfd7f3e5a6f3ada7736b280431292357cb1cd2

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
352KB

MD5
2ea1002934fb7fdb34ababb99269320b

SHA1
96b2962caa3374a310c028538a5a3b59485b4a48

SHA256
aa0600ca8c0b57799de3cae62b9761186af5b8dc516b4ecabb799d3c30df85bf

SHA512
220978a943e68312d4272cb95cbf4342b21a342b9395db9e6148fafda96e9f1bca7e7ea2807878dfd8a376bd5ce4b071d2be027d476e5422375eeed1c0332151

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
352KB

MD5
9227a7919fdcb53c522f754bf8117088

SHA1
8153ed2dc7eab3f3e9fe78d7a4df8d9a8e42b902

SHA256
bd2f654d2d1c7afd0164e3c4029211e4cc5fc7c3edfa027668920e97e2edc04c

SHA512
f8dd8336d3b6024279ca3453130e63ea53e4138a74816c41fb48a436a4622b25077fb831452a9644cdad6d27d1e095b4c11aead30b3af23523b567fd005ceef9

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
352KB

MD5
10bc955901cd6ca7eb8584817b078c7c

SHA1
e373d882fab4a975722e90a134f1154149eb7813

SHA256
960350a16539fc58c30c4c33cc3a549a0ab07fbc4f2043e59ed81d7254241b46

SHA512
05e928eb1af380d85ff4c44be1f7c05d85329ff5dfd597d458ba3bbfdd94ce5de2ae5320dabb8a200e509ff1793dd274f7b30419ba418c581424269f9b21f93f

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
352KB

MD5
8ffc41fda6289497729ef07a0acd1150

SHA1
977598e74919fb0fc15b483d64520f4ff2b399aa

SHA256
43a887461d5f1c6a1ff31e5413e6b4e21ad60570567c6614aec02399a7f53c86

SHA512
0ee232c07ab88f01a93e0393c5d12cfe568180ef7e3454cf3f840d0aec2da5e6a36b567f315bfb8aa2b474d88b9f9b91190335ef234a4cce3670c131554accd9

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
352KB

MD5
d94b71962fe54ed1c9d9a7d3cafed37d

SHA1
e009836c37c83c7d1b6db556a1d75c0af4210d22

SHA256
0583dc18ab4c3f2fefef6c78d682e2035642106f2ccdedf4aa3f76f413d16f50

SHA512
5638acc3f0249c73684940b665ddc981717e6ee1734ba471e6284ecef10291bb7aec108684a6ac16141a39980229db4178abadca2f0ecbda10e380210519de7f

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
352KB

MD5
7686705f07f5ed0ed77a99e1ad7e88fb

SHA1
46f0951ffb032203fa2d852f6db109cc5d8c865a

SHA256
8fd3464de6b88242f6109d11ec754fb2e7c236798716b735643475e0710a05f1

SHA512
612b245e65661765ced98271d8b03f30de776b169ec48d44e17ddf40f06816e56b66df15af8ae3e0939c668b9462c32a32ca932c93abc4b1e53e7e7b04898211

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
352KB

MD5
f0d5c67a4eba6a76ce5c5293290dce90

SHA1
fbd886f93906014f3732c1db6e83b9a4ea7c6e0d

SHA256
96e4aee17670544421e2a2eccdfa3f70eafa8fa6c7f1e2e5fbc3303c03722072

SHA512
1870bbc8d071ba32dd3e25a8c04d37017cf1da0b327fda4df904f4187a2065b1097e628d2f6745b7ca972aa75d64f730bc550c50c5444586f3f99049cb8d5085

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
352KB

MD5
e1ab2c0b6f7c8c22fe47333bebdf4c32

SHA1
21a12eb2e2d5f4106af6b857aedf012275439744

SHA256
7d99c6a4dfaefd265b2e8c4f025981e7d9f531b4b63408504cc0ac28d19f518a

SHA512
1432797148707ce1c6da23f608f3a3f01b1d09e34488e700beb8154df0b2648c4744b6c3fd0c61bcc9bb9d8daa3a76e3421200b6aeb8dc5f52b329dbab996f7f

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
352KB

MD5
4fb4183bc6f18209feef8615993528ca

SHA1
089ad16b700950be0f9eaa3f334e82f3c12cafc4

SHA256
54326fa09e93ca5db4f158fd5c528a07a7ce8b27c8f57f1f5279f8076bf74b3e

SHA512
67a3fcc7989a75d5a32231171b26135ba476f04071bdedd2f67d48adc1cfa066e8534d29b55115265a68145b41cc7495847d704da8d06ddddca2453b4499b120

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
352KB

MD5
027ece679db46f9a3b51f73a2ed19406

SHA1
7851d19c531265dcbf71982308e7719488c610cc

SHA256
b807a85339f11d1d5b41d4fc1cb7d4e2a84e6605e07374640d126df2b0f111b3

SHA512
1a9eba4386aa41d9f4529083aca9c2316e38af7af2ed91edc43da961b2e80a3dbbbe40e9666dfa41212dc43d619a79c7f11bb32aadf09b0c08c413d0253460d4

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
352KB

MD5
fce165243d3b69ade1c236a980d63273

SHA1
d89c0f78e500d49d1941864736266c580e15dea2

SHA256
f642ac0957bd71b6449bca6392e1488e5900f37d1ea9946a688c61325c410c3c

SHA512
ee252e614c3a68bea28c41543616ae0978a835151602bb4868853bd475ea424fd11deb4e5ba5a088e58a059dcad9a85040f108423153e1ce0272a150aabaab20

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
352KB

MD5
a2d3c23f5edac5c62f19556f301940d5

SHA1
3d7a161ff83f2d2a36f5474956122f115c2e748e

SHA256
01504c961bb2174eeae4aee9a5da5377adf92e2a12c449622f2865072ebcc189

SHA512
4edae5957a6969cebd08eaf538f5a12e3cee282018b0310a7267c1f5bc41135ca27cceb722ca71eb0198fb3153d7e47989d4622b772bb54038eb4dfc13b410b3

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
352KB

MD5
87d3d012b3bf4fb7b76a162ac338b210

SHA1
a2b94495281a56d275892d8fe9c676bd290d9279

SHA256
b33ae6247e76d6fe11bdd2a98375af1ed13eb56b2680a3661d9ce09099da4c59

SHA512
6ea25e1ec4630a67b26c29a603509ef39607d3e8d877a35dd0c71fc6c2a595e3dc78b8372ba24d6ea8113b1adf58259054fb302ec2d308e549afe8597d22eb20

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
352KB

MD5
93f8f8c3b626cb2a0dd71aede2688aec

SHA1
320ba4b3019499ab396c5ad7c5e2e70af80eeb53

SHA256
340b3b5347ab9b21377418c1590a81c414adf912c69c663a4904a9daf710aba9

SHA512
6181cd3be5da97894bbc7280b86ea99772430432317df446c2f908cfd6e287e3a68013e150ed5bcfaf653e2391150e3b6925ee7024eca5dee4c5242fdf3aba8d

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
352KB

MD5
2738c8d1aa430475ba68fb7e5648921f

SHA1
d7e23e5e201c0a635ba7f96485de32c30364074a

SHA256
baa21974b64ac2729387320fc1590696609c56bb94a1ee02b980deef337013a2

SHA512
2152d14dd875fa447995bfe9d9d43689f4ee702423c07a2a8f58117d6999c95c2e23926220f7c383cbc8c488197576ad862fe38a153f6e0e7f26806abfe7c576

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
352KB

MD5
d272e239f1cecf9a1b31a379d17ba2e9

SHA1
495a97eb8e47b2e298b0cb037d29d8dfc67abe57

SHA256
dcd20316036931998457a99d3649bded5227f27f84d92b56b85817ba5c06f1bf

SHA512
ad73dadd2b6637295a85dc6da8f16795179965be9f4074523fd7bbcbcec74772bb7b9cfb553141e590a6970b0612e95fddcbb951c5a7403d6d6cad3e634adde0

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
352KB

MD5
84ebca57585d71bc314278b8703b1e56

SHA1
3cf5127e3154989add36cf5237d5577fd6495eb7

SHA256
0998ec02fbd621ff9fab6462debd0cba284e83211a9286bf274c7d6b7b60b0c8

SHA512
c8ed811a9b78abd062a15225ea7fc08e860ebf48ca8d8507dc7f455e9e3f9e6cb174204122e6cece5002ff3b4a735083ea74172abd3ca1465ea31d8e4b08fca3

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
352KB

MD5
11d7dca0887212a22139bd08952ba78a

SHA1
d0628eca0b08020c423b8e732ea1806e6316ccab

SHA256
3d5fe85726783424b9ed36fd8b8711749ba1e2f49ceeb890dbefce5eef91de4c

SHA512
fccbee2935cae71638902f326c3e7652ed2165c062b90ce80b36bceda6af5c479169b34f6385cce2ca76adb2e011cac9e9991eb942b00e18ecca50652e1618c3

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
352KB

MD5
c095c7dcb9ba4816b13367850adfcbc7

SHA1
61669a2ebc438bb3609925d6a8a52f41613dcc6e

SHA256
bbe9bc0aff32e11ea460820e2afccb49a311715f929582f22b319508bbd5578f

SHA512
e45dd8223c3c5c02bb42e2d468235b4bed4f0074683c8ae3c985aea3e7908070d3cf05d2eb6af4ef62dc4088b79ea10cba8fc3094360d4b858d13d504c5ee58a

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
352KB

MD5
fee56cbc53d77ba1b2bc27d297b8ec41

SHA1
f29fcb994920d554728b315e271c527c36c1e95b

SHA256
05008cd924fb353c02d96c950f70027e030e3f80e9f1055f8eeda8e8b307b28c

SHA512
a2713441b6585f18d09f8ae415ac1b044ef493920e7e2cc170108a6cabe22ea8c67da3f7b1aace13f89a944b8cc2b7b94b68334af6af1d6bc596f4637eb2d559

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
352KB

MD5
8516201977d30c83960173abab7fd12d

SHA1
31f2f4372414cd1891ed768f8cba89d92486f81b

SHA256
54104d3dc721a3ac4b1d1d5cab0945617139fd3a88ca3abcfb6a4c73e10fc518

SHA512
1e8c093859b8f7a0b73674807d0797ef128de4dbeddf8da96e39557c52db4219983e74b0f57b30c3408b9cf05a66befb09ef3ec16f316887654ffe32f3ede527

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
352KB

MD5
1342b8948a4a21517eca1ee047843d84

SHA1
bf3e8184c9a48550ca99647ae18caab77cece6ba

SHA256
434410c68ec3b762f443e741990583310df02027ca21b102ea3187b49132ef8f

SHA512
5e360050a038ac4972e1bac645d058fe989080b4d07b0b7860aef1a9fa7bdd61897a388f635eda2c788bc23ddf03344cba6f213237fae23f30b982c6c3d86ae2

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
352KB

MD5
d5b460c49aea4f67793bb60fd29e960a

SHA1
66f54878d7b89ec436565c5d33f7ab809ae1ad37

SHA256
0c6a3c6a664a65c810306b6e157b3af5dd3407cac609584d1225bcaf0c71b71e

SHA512
1472d9dd5bee2b671907ae566c71c69059fbb647fd67bf8a63fc3ebe0aa4bd2a613e7131cb02d9d85d15d0548aacab171ad873333dfd4768dd97ac9dcae0ce63

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
352KB

MD5
981876b5d829a1e8d748ada73db0caf4

SHA1
c919eedf78da62a26482239a0a03d1865c1b063c

SHA256
b69e05b3a180285e2053d0ae3206a20b3810bcbde95e5ebfc5c9f793b8069756

SHA512
520ef73152b739c06993f840f94f5cf3bfb47f58b1d4aaef46ef615c561ce71186062bce1c35008caee4cdc1e971fdcb33ee6ed76b7cd21b8c76fc10b61f078d

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
352KB

MD5
5ad06240f117400b6c6c038539a353c5

SHA1
ef2694fd85d5cd153e0212e732b0817c7bbdf5d3

SHA256
832833211b702717f71c1930a0d169e4c0d18cff7393c5c27556989e51ae95c8

SHA512
f9c0c90777bcac4bfce9d0610c0b441ba276bee74caa6dc0c7014a3ce760d77244f21dbda47cbf2a0d21f9baa72703a489e01557ed9d9190f2fe670ce888d02d

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
352KB

MD5
eda5a0cd307f585ee57914c1e90b9268

SHA1
1f06779b7a5aa9c330775243fa2398fcce1d2dc4

SHA256
a4dddd180578a3ebe626c88b55846d72f762225a31bb084181cdb25027719c76

SHA512
a9621806c58ba4fe7e78b63ea64f7e5b286875092c6b804f4b7078ea6ad3736c72a1d0982be6a6fd82e3bd200409b933b6b6c9fea27d2e55e8e5e5efa1988c67

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
352KB

MD5
de89cb26f6df6214140338f68d4788d6

SHA1
7dada880d54a026ffe3d36d1e2fd44090457ab34

SHA256
1ec96ae8d969dfe5a645b30856e5f172abd94b21ec79d27851465bf1c8f6017d

SHA512
1153cf0da6db9f514857ac02f5e013a68a4150be6428e74435acd94220079ecc87d51204b5b386cc4f8e94b23f432b0c9531edf35435338e0938faf713788d08

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
352KB

MD5
932d7f3c6d90995d63dbffb0c6ab718b

SHA1
63d8737f25e7d5395db328e872f51d5b5825a031

SHA256
19c83cfe4e1bad8c1af1c0129b9fc8855727f1c5c38e9b9812d8f7520a085280

SHA512
8c3076e7a910cacc1513cc8d9710793732cd208c35cc7dde9d37b556a361fde77691a64159f158698b9836f161e2dbf2670b60d3a52df1b73fa7c513c4d08507

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
352KB

MD5
6b66da0a2a945f63466eb6debd2cadce

SHA1
1ad84cb3b43b0b40c007f43f5b455900ab48d6a7

SHA256
0ceacae514a46f23bc85bc4d765a5fcb9b11f7c2bc41a5de1d9a2f1f5aa9cd31

SHA512
639bffba0ab9d23c47744412cad13fd426d6348e619746e31ce2a57a9cf6190ee44db597ff084c5abdf559c78bca7a3472f87609013d7eb8a3697f19fced4336

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
352KB

MD5
4e8f776b889194729fcab8d7a0ae8328

SHA1
6080001f4172a16fe7988b5d7400493e0d1852cd

SHA256
a5fadded866055811ef215e2e01b26eb8f0c88d599e9b6afbf928432b9be7d4e

SHA512
d6d1ac6da8a7fcbc5e25f74632f69c071eadf924e03e1ec2d3306e45d99f3c9d1bc8941fb136b318bb4283baf61392b9918a8f3bb6087a524839243414180a55

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
352KB

MD5
4a6fd357d2f383b3c68c005dd77545ef

SHA1
8405ae38c994645cdb564e99df7061b9a237d241

SHA256
71f97b42a09d2672569d52609e1309b4a48e10097763347c72b64e1981e5f9db

SHA512
7f236c9b84908ece1a0b6f12735283f8fb3f9c19346c4a1627818726c77930cdc09e7d9a93b07f71dcbfd2c69aa087e0ab89fdf0915a05bc6b3cacacd08274da

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
192KB

MD5
b028ade691f8fc4b1a467e2eab70a875

SHA1
c1739ffefab99aa001a82211f716794dcbd580e5

SHA256
928acd0dbe2f2c92a0fbfb80f97621c6da8b1bc0f9bc4ea75d0c46a0d912575b

SHA512
4ff93087e2c34672579a3bf2e8977cfccc54e57f1ee7d2af94ce0b113dae9477ceda6b43e957c5321b6640a5d8cdf280541ff8e516657ce2e5f0066c82e1d6ed

Download Submit
memory/316-424-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/392-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/392-565-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/440-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/448-328-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/452-448-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/540-532-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/720-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/732-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/732-572-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/768-430-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/824-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/868-268-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/896-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/916-498-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/980-566-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1132-559-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1140-502-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1192-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1212-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1264-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1372-196-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1572-484-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1584-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1600-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1700-88-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1752-538-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1784-545-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1800-591-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1816-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1864-358-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1868-223-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1932-454-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2000-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2028-520-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2064-552-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2104-577-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2196-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2336-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2344-551-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2344-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2556-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2612-406-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2668-364-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2696-478-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-558-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2784-526-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2788-388-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2812-490-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2940-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2952-184-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3020-508-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3048-111-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3064-215-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3124-334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3152-514-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3204-200-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3252-376-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3328-370-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3384-442-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3424-208-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3452-418-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3476-262-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3480-579-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3480-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3620-586-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3620-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3632-119-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3768-103-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3832-292-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3952-172-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3976-460-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4024-232-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4208-394-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4272-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4304-79-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4316-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4352-466-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4360-400-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4376-472-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4408-274-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4416-280-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4544-151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4668-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4760-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4816-160-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4852-593-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4852-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4856-544-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4856-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4868-247-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5012-580-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5024-436-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5032-594-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5040-239-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads