berbew | eac85f5c2e9ff62aa3b27e79dce0f4db41910c9899eae1322dc3b53e2807f0dc

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eac85f5c2e9ff62aa3b27e79dce0f4db41910c9899eae1322dc3b53e2807f0dcN.exe
Size

186KB
MD5

e439f5d5f2fdf27c39d05d59337d11c0
SHA1

c13b968227ffa0c08745bc1fb5b485e0c45bebbd
SHA256

eac85f5c2e9ff62aa3b27e79dce0f4db41910c9899eae1322dc3b53e2807f0dc
SHA512

3737c46299c8b29150efe3df987ac5f20858aacf5c0347c2707715a2aee795835a1e11a91410a4bd5eaa837ebef62ee72133c281603325b375cd35877bf13793
SSDEEP

3072:M+ZwxopoxSjOhGFv+Y4H1vkF3VOMC4uMhZpMdoVBRDI+Vvlg3vG:NCoyxpGF+Jk/4AcgHuv

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2220	Mmbfpp32.exe
3636	Mdmnlj32.exe
3440	Menjdbgj.exe
3920	Mnebeogl.exe
2472	Ncbknfed.exe
3820	Nepgjaeg.exe
4124	Nljofl32.exe
3196	Ngpccdlj.exe
4516	Njnpppkn.exe
4084	Nphhmj32.exe
5056	Ngbpidjh.exe
5008	Nloiakho.exe
1956	Ncianepl.exe
2124	Njciko32.exe
5076	Nlaegk32.exe
920	Nckndeni.exe
1400	Nfjjppmm.exe
1916	Olcbmj32.exe
3568	Odkjng32.exe
4500	Ogifjcdp.exe
696	Oncofm32.exe
2032	Ojjolnaq.exe
2280	Odocigqg.exe
2564	Ognpebpj.exe
3048	Odapnf32.exe
2240	Oqhacgdh.exe
1704	Ogbipa32.exe
4924	Pdfjifjo.exe
3212	Pnonbk32.exe
1244	Pfjcgn32.exe
2532	Pgioqq32.exe
4804	Pdmpje32.exe
2036	Pfolbmje.exe
2196	Pmidog32.exe
3252	Pcbmka32.exe
2800	Qnhahj32.exe
3936	Qdbiedpa.exe
2340	Qfcfml32.exe
2452	Qmmnjfnl.exe
1324	Qcgffqei.exe
4512	Qffbbldm.exe
2388	Ampkof32.exe
1524	Adgbpc32.exe
816	Ageolo32.exe
3504	Aeiofcji.exe
2860	Agglboim.exe
4884	Amddjegd.exe
2660	Aeklkchg.exe
752	Ajhddjfn.exe
1036	Aabmqd32.exe
3976	Afoeiklb.exe
4796	Ajkaii32.exe
3908	Aadifclh.exe
2184	Agoabn32.exe
888	Bjmnoi32.exe
2440	Bagflcje.exe
2116	Bcebhoii.exe
4028	Bjokdipf.exe
4936	Baicac32.exe
1020	Bchomn32.exe
640	Bnmcjg32.exe
2928	Balpgb32.exe
1532	Bgehcmmm.exe
3208	Bnpppgdj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ngpccdlj.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Nljofl32.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Mnebeogl.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Nckndeni.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Mmbfpp32.exe	eac85f5c2e9ff62aa3b27e79dce0f4db41910c9899eae1322dc3b53e2807f0dcN.exe
File opened for modification	C:\Windows\SysWOW64\Ncbknfed.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Chfgkj32.dll	Nepgjaeg.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Ogbipa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2932	1968	WerFault.exe	177

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac85f5c2e9ff62aa3b27e79dce0f4db41910c9899eae1322dc3b53e2807f0dcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmijnn32.dll"	eac85f5c2e9ff62aa3b27e79dce0f4db41910c9899eae1322dc3b53e2807f0dcN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	eac85f5c2e9ff62aa3b27e79dce0f4db41910c9899eae1322dc3b53e2807f0dcN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 2220	3168	eac85f5c2e9ff62aa3b27e79dce0f4db41910c9899eae1322dc3b53e2807f0dcN.exe	82
PID 3168 wrote to memory of 2220	3168	eac85f5c2e9ff62aa3b27e79dce0f4db41910c9899eae1322dc3b53e2807f0dcN.exe	82
PID 3168 wrote to memory of 2220	3168	eac85f5c2e9ff62aa3b27e79dce0f4db41910c9899eae1322dc3b53e2807f0dcN.exe	82
PID 2220 wrote to memory of 3636	2220	Mmbfpp32.exe	83
PID 2220 wrote to memory of 3636	2220	Mmbfpp32.exe	83
PID 2220 wrote to memory of 3636	2220	Mmbfpp32.exe	83
PID 3636 wrote to memory of 3440	3636	Mdmnlj32.exe	84
PID 3636 wrote to memory of 3440	3636	Mdmnlj32.exe	84
PID 3636 wrote to memory of 3440	3636	Mdmnlj32.exe	84
PID 3440 wrote to memory of 3920	3440	Menjdbgj.exe	85
PID 3440 wrote to memory of 3920	3440	Menjdbgj.exe	85
PID 3440 wrote to memory of 3920	3440	Menjdbgj.exe	85
PID 3920 wrote to memory of 2472	3920	Mnebeogl.exe	86
PID 3920 wrote to memory of 2472	3920	Mnebeogl.exe	86
PID 3920 wrote to memory of 2472	3920	Mnebeogl.exe	86
PID 2472 wrote to memory of 3820	2472	Ncbknfed.exe	87
PID 2472 wrote to memory of 3820	2472	Ncbknfed.exe	87
PID 2472 wrote to memory of 3820	2472	Ncbknfed.exe	87
PID 3820 wrote to memory of 4124	3820	Nepgjaeg.exe	88
PID 3820 wrote to memory of 4124	3820	Nepgjaeg.exe	88
PID 3820 wrote to memory of 4124	3820	Nepgjaeg.exe	88
PID 4124 wrote to memory of 3196	4124	Nljofl32.exe	89
PID 4124 wrote to memory of 3196	4124	Nljofl32.exe	89
PID 4124 wrote to memory of 3196	4124	Nljofl32.exe	89
PID 3196 wrote to memory of 4516	3196	Ngpccdlj.exe	90
PID 3196 wrote to memory of 4516	3196	Ngpccdlj.exe	90
PID 3196 wrote to memory of 4516	3196	Ngpccdlj.exe	90
PID 4516 wrote to memory of 4084	4516	Njnpppkn.exe	91
PID 4516 wrote to memory of 4084	4516	Njnpppkn.exe	91
PID 4516 wrote to memory of 4084	4516	Njnpppkn.exe	91
PID 4084 wrote to memory of 5056	4084	Nphhmj32.exe	92
PID 4084 wrote to memory of 5056	4084	Nphhmj32.exe	92
PID 4084 wrote to memory of 5056	4084	Nphhmj32.exe	92
PID 5056 wrote to memory of 5008	5056	Ngbpidjh.exe	93
PID 5056 wrote to memory of 5008	5056	Ngbpidjh.exe	93
PID 5056 wrote to memory of 5008	5056	Ngbpidjh.exe	93
PID 5008 wrote to memory of 1956	5008	Nloiakho.exe	94
PID 5008 wrote to memory of 1956	5008	Nloiakho.exe	94
PID 5008 wrote to memory of 1956	5008	Nloiakho.exe	94
PID 1956 wrote to memory of 2124	1956	Ncianepl.exe	95
PID 1956 wrote to memory of 2124	1956	Ncianepl.exe	95
PID 1956 wrote to memory of 2124	1956	Ncianepl.exe	95
PID 2124 wrote to memory of 5076	2124	Njciko32.exe	96
PID 2124 wrote to memory of 5076	2124	Njciko32.exe	96
PID 2124 wrote to memory of 5076	2124	Njciko32.exe	96
PID 5076 wrote to memory of 920	5076	Nlaegk32.exe	97
PID 5076 wrote to memory of 920	5076	Nlaegk32.exe	97
PID 5076 wrote to memory of 920	5076	Nlaegk32.exe	97
PID 920 wrote to memory of 1400	920	Nckndeni.exe	98
PID 920 wrote to memory of 1400	920	Nckndeni.exe	98
PID 920 wrote to memory of 1400	920	Nckndeni.exe	98
PID 1400 wrote to memory of 1916	1400	Nfjjppmm.exe	99
PID 1400 wrote to memory of 1916	1400	Nfjjppmm.exe	99
PID 1400 wrote to memory of 1916	1400	Nfjjppmm.exe	99
PID 1916 wrote to memory of 3568	1916	Olcbmj32.exe	100
PID 1916 wrote to memory of 3568	1916	Olcbmj32.exe	100
PID 1916 wrote to memory of 3568	1916	Olcbmj32.exe	100
PID 3568 wrote to memory of 4500	3568	Odkjng32.exe	101
PID 3568 wrote to memory of 4500	3568	Odkjng32.exe	101
PID 3568 wrote to memory of 4500	3568	Odkjng32.exe	101
PID 4500 wrote to memory of 696	4500	Ogifjcdp.exe	102
PID 4500 wrote to memory of 696	4500	Ogifjcdp.exe	102
PID 4500 wrote to memory of 696	4500	Ogifjcdp.exe	102
PID 696 wrote to memory of 2032	696	Oncofm32.exe	103

C:\Users\Admin\AppData\Local\Temp\eac85f5c2e9ff62aa3b27e79dce0f4db41910c9899eae1322dc3b53e2807f0dcN.exe
"C:\Users\Admin\AppData\Local\Temp\eac85f5c2e9ff62aa3b27e79dce0f4db41910c9899eae1322dc3b53e2807f0dcN.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Windows\SysWOW64\Mmbfpp32.exe
  C:\Windows\system32\Mmbfpp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\Mdmnlj32.exe
    C:\Windows\system32\Mdmnlj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\SysWOW64\Menjdbgj.exe
      C:\Windows\system32\Menjdbgj.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3440
    - - C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3920
      - C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        71⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2672
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        78⤵
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        79⤵
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3176
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        88⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        92⤵
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        93⤵
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        95⤵
        Drops file in System32 directory
        
        PID:780
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        97⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 396
        98⤵
        Program crash
        
        PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1968 -ip 1968
1⤵
PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
186KB

MD5
f0fd6fef896180e990ffb0d41dd61ce2

SHA1
4a42415b8d8d351936c52211c11818aad147c157

SHA256
476c878a7ae593da4c4a537e564084d8f7607a202cec13195aea7204f80c6e27

SHA512
af94360e0dabe048db9bdbb5175fe4ecfb0a83b2cdacd414d461202f8266df21904033e1c4167baa0a721ee52bd5732c47a4c3e7d8e7e8fc394d99e123e6f4d6

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
186KB

MD5
ca2dfcebb26d870e6131459c906d7042

SHA1
a47d959de1772970b627ddd0e0ae9fdd69174f40

SHA256
3846eaa09c52294ca6806b0185547e118a5340a2b3bd8f8e28ed381a321e9408

SHA512
50a3b1db60d4ef4dfa39005663132c9db2401c706c50730bb5e028e2219b816409f522c9b6f7c1e26915fd33f450751742aa0b16ff2e786179e9de423236f11b

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
186KB

MD5
06cc7d88960beca267a6a081dde6e5d8

SHA1
1263ae688a69b44b91367d56283a3495335e7edd

SHA256
808ba025f1fb8f6be8676fd83c54eaff256f0fff899d7991dabcfe3f258702bc

SHA512
b2bbb9345a835750e5b91c4d2ffc1cffb6ca46c85a4eaac2917c9255fb75951c7c2190b38e464ef541b03c5e2713976a4716437d8d0b18e47c2bda74a4fe3348

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
186KB

MD5
554faeb95479ab154284ee1ca1e41ae0

SHA1
213f9fb498472410f358306e9b4b57868931c8f4

SHA256
7b2da72c641119f062c1ffa5dc2b0fe80197d369f89bc366b7e877d497aec669

SHA512
f449294bab2f7e07bc2e7998a0ead4c7866fe79f42f343c8b54fdd6c657bc81f1504405d9b1d1db197c1476a4d8770a4e2bcd3fb8a079d9a9ca05080561b3f0c

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
186KB

MD5
25ab0b487ba85677fbc6debb5791254b

SHA1
452e73c24a2469d5414c7682d65cbb0558345384

SHA256
644a4b0ad122e6b0a7304814ac4a26f81c2b0daf2e4fedab368ef9de4cfade69

SHA512
8ec8754e8f165a7ecdd0623bd12fae2674e607ed57e751069286de6e3d2f32a084f0cbcc00dfca6d5f8c10a5cb68e204d0a127134273b81f16762ec3e7b8bc11

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
186KB

MD5
c5133b37e02cfd252dec6333ccc1add0

SHA1
2a80750cb23ab7ae899432f115f42f96038f718d

SHA256
8ad4dbfd81c60d11de7a392b2da461467ca68840669ddcd68536e7006be7b335

SHA512
e8fd7737bbe40792d60aa0c7daffe1a99d9c9187b49a304d8d5997df902e4f1cffa6166dcdeb1e49c55155ed9a6c94f45b6e67d0d5f8c67b25dd05065c1a1bc2

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
186KB

MD5
0a023a2841d277c7416300d4c8ace241

SHA1
87b70e70bb198003f2d861d3baa883edfda802e8

SHA256
fcec16e8f9c58ae3ea5b37128f2084705a9a9d8310343d35350a1b515749f304

SHA512
76dc8bfbdc771568bde986767358e0b101d76f0ee05fe42256c7473069e853c515d3ddd81029c9d72fc731ca9760046de2223a2b92eae1139b09dab67d204043

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
186KB

MD5
5620e6f8824d3ba6860541fd6dc7c619

SHA1
3974aefbb5b2eb97e82f777f31b1d575d22df41b

SHA256
90cca15a9412ee005ff6afb46953c0a4a50e1b9a0bd74a1a40433b81b87a02c9

SHA512
28824b0a6095206e524c9e81b04b7dfa28e527df6dda88e6cae4cff847907790fa99b928d142c52cd2192b2052c1b512fc4027e9e227549f839834c9176bb226

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
186KB

MD5
295f691c074e9104b6e37845c98b75f4

SHA1
3e214f6aced8c48798a76349ed82cec2f5cc3bde

SHA256
afccc6997c28c590dc9b031a681b8c296b6fc42d95daa5cb2acd1508fdcabba4

SHA512
c9b6d39d79d8b942b5c7d39bb73a5630ee0f8311e67b9dd07a31175f51011256253be3248c4554815b65db1d5b827e3c4348b9f9e39f1a024cb360f07b191966

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
186KB

MD5
71c2fa0a52530d5b36b93300f8b6a94c

SHA1
489417b3f32378ffb755a21e88f98a3c1ac8227d

SHA256
9f226900244ca276a8ba397ba901e9bb78abe4fb2442ab4f1325da5d8339a0ff

SHA512
d615adcbfbde72d39fb580025694f3fc21765459f555cf9b17eb29913886d0a579c038c98cd98872ca2a7d3d4b03edfe7378dab4b2cb9d761d90d78c3a3ff3a4

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
186KB

MD5
44de30c540ed1b4529da8ea70cf92bab

SHA1
e3a9f8716892dfb2383954fde90394caa6f77365

SHA256
130e57eebab9d69aa83df4907479a3fa9834a93833af913201a0003895e3d891

SHA512
3e03e6d1f5e1adb2a591f934ac5483862d074ca9a7133273a9e99bc75e54597238b692367c22701ed7ca207285880123f7e804073c4b0481aabdb5886f373466

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
186KB

MD5
17e581e7a8d2a361e741cb4ffd680468

SHA1
51cc56e7e025dd0272a8a1a26b4fabf70e4e45e2

SHA256
10acc25002eeee1e185da54432c525621c62a6e56c0d276aa8e02bf1f42e807b

SHA512
615602c306909449612a474cc93b2d2e8c9ebe2d8121e83aecfb4510cc6f3d73671a461808a5800fbcf7e7e3840d08311b97e5065165246032cfcfc6c39b6d51

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
186KB

MD5
ec16fd70041c19ce5391013fcf3ed493

SHA1
f64fb611175073e42fbc28910c424d5f7b5cce59

SHA256
1bacdd2c196ce32d00d2297c17f78f41935d93159b86e6b8ecd887e3eca86ab0

SHA512
f963cde947339bb358acc89ddb25d562fc65c08afdfde11f4be86bfa19c330432204af990cc1a3167886a94c8d71af90c0e7e8948cecc4509744f08eb3149647

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
186KB

MD5
d79fb0da36878b57fdda8d64b86fc1f3

SHA1
a9d8bddeda759a44a0fdf552491304f027c81fba

SHA256
8e055b6bf60c78b994c856467e159527771860d1a31e1d6ff5bec6b7aeb9dcb6

SHA512
7c5c37d1ca73947749cfc45759fbd7b9decc4da4005478b02d966c5d838918a5b990b2b1db3d922e50d8cb673f3a338d153a4af387c4f8b62733eca7fe619f3b

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
186KB

MD5
46afc07dbe42fa8764518ec12d27fe9b

SHA1
0ebe238e90ccdf08b96b8a3ac84d979670f97227

SHA256
870848941bfdd50d8a85d3d16be9b5811ef5973c08e21999ef8a768a3ab89784

SHA512
47d6fe05abdb6e28bff31fbed000e68ae1dd5eeb8f2db510b1e266748fbde95a8ca1cc57e3e0a2f7e38f3448c8d93629dc3795f0c91d5f8d5dbbde614830a4d8

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
186KB

MD5
0cbbc1869bdb5415983c7b42504c565a

SHA1
2c955ef26bcab9dc8388016debad96171e8474c6

SHA256
3236d615050f7d17448a295db29d7fd64dba40b6f93b8e618627c184c8e9c4b5

SHA512
ea7920e309ae4d2f04a9a270c408a9782b0de5d6467e82690b38659a8de9126d0cbc59fc87f9134b86027c165b3a28bf7a0496cf88b7c7c9d02f743763548bab

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
186KB

MD5
6fc638683f0d301cc7ce20e2b253e17b

SHA1
abc91f485c9aa2a62519e6cfd58ff41f9190f0cf

SHA256
ce254d70f9531630d80aa960ff313268734fa25938fcef5d7eb414838b2912af

SHA512
d72739689f199da6da16aeea105dbbc0122df1335764099179a1296d69b4ff055e994755206b8fc9284d7b30432d07644606c210e66d1837cc58694b3890b9ba

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
186KB

MD5
acb1e0a5af988b966aa426c7e15663bf

SHA1
263c65bb242ffb22d9ac2ba6788139ee56222f5d

SHA256
3b0983888a2d067449606a3b6c393c6c65ddaeadc56c6c0b9fa64ee444b3546a

SHA512
117306e04ce424ef0874a8a22429a03df749223dbd91acc4305ebfb17cb773b2a8200ac4d517f32eec5bdf1f995b573449cc2974ddf5e3cb1bed4fbbcf5e7beb

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
186KB

MD5
19ea0a32d0d2db553ef5c4cee3adc316

SHA1
8a1a8bad8eeeedde3a361e6e7b16a9a7df551e67

SHA256
81edf621091f1df33066c31fc6d6b2f3c2feca4c4c4ec09d6b3f2be59abbf717

SHA512
12d10611bb75191f1b632f67bf856736ac313018ebefd8a6845582ef1e6086df0e9c8a1db9101dcdc90aba2228fad37ca84d2d6d5eb932edd5fc4bef2cf4583a

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
186KB

MD5
e7c53b0c6d3ef2b143e41481d7e3ef85

SHA1
68b4add98bbf244cc22cb8e0950baee09b6f9afb

SHA256
d8d8fee300a8bca5071dd2dd6acd1ea072e0bcd6ab5a9e7f3b426eec33de98af

SHA512
cfbb79a4fbb0e7158d8bf988520491a92cd9fb22e9e3bef2196f2b9427da0a41feb2144444686ebb8315974cf02e01b8500256d742cbfa2a416ade56510b1b7c

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
186KB

MD5
88b17aa7ec2b6d55a489131f40427c9f

SHA1
5b051026ed345ff1d641f20bd5138bc97963d64e

SHA256
40d766f33df37bbb2bae27ae8be67ff61ebde8d9f47378b6b6a516e21ca65f46

SHA512
c33d7e60611f7eee715df94e8b81fa907bb31ed4cd12329a33f93725c9458fbe140b0c2e135ee414aee0feb207ebeeee5960bf1ab16fe551885055936b9c66c6

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
186KB

MD5
50e71b92f1217d3a7ba4c216f02cbe2e

SHA1
95e42a2561a4f6ebae9132b88e7c64dd1d210314

SHA256
d09eca3b9574daa138351de6cc265ebafdac93fa17814f2b3a94d930bb462f9d

SHA512
13eae25f54241c661a68774a4b41863d0ba06d656d3e4af8dec304dd2c2f54edf393972defcdb9ed16a98c021302927da1a4b68ae3d1347628f0907b8826870b

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
186KB

MD5
4e29a1b4fe0a22386b3312ccecfe7495

SHA1
d4488784e6fe70f7b022495e10fc25dc33bec33e

SHA256
7338de8295ba03bcace1475f9f8a379ab1405be8afae1fee7cbfeebf37b873de

SHA512
54ef9a06ea7ceb95b403152c1ff5d4cd63eefb2168da6b800f681f148c36fed08f55a3fe213d157d9e964ab9386368bd3e18c8af443c76b116ad8f9903a6c9a0

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
186KB

MD5
ca192412520106ba64c64378e5cfb804

SHA1
819c6196440326fe9ac2c825f630742c1ac52737

SHA256
5a1fb7ae53584cbd571422fcd10df4ee8a165982a6a75de1e03fc7b5e5182c88

SHA512
deb207484243235afb4413c795b0618ba7b9aa1666ae64fe55bb541f2d416f20780bd5b59102c605ce7cfca84554c0e66097882b731e7557c2c194b6d4d5e236

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
186KB

MD5
ba2ce1f226a89390b7b5d09afc75a554

SHA1
dc6385b21432b1dad0d946e3ba6a12ac6338d60d

SHA256
c4285731cd81a49ad9d57b48a2d9d0a6964df9e5b8b51665832c46e1aa815a02

SHA512
9a08a0dac387037144e7cff34e5cd29063284dc7992052a067112a7337cf5dbe38e20ab073ea71419f66bf2aa802fabe49568cc1a261c3911e8be574a9beb999

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
186KB

MD5
74f8b14bfabb2c39c81c2fb0be126b67

SHA1
681d60cb3e401acc19a24a985c0fa183cdc0c38d

SHA256
e726f58067be02b2a76fb90886b3d128fca4af7a4050104042774a791c472336

SHA512
7d9c25049e5024a01c856a7c468b235c90cd4a7e86dfd5afb33069b7fe91e8bac3209ad748981db94ce1b3304af55699d7cc20378fdf7a7a71d185a7654580d5

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
186KB

MD5
c7a25e3918bb62e780d3e623da5993fb

SHA1
0bb2d42688fde9ec7e60e9c693dbb0cbdcc746d0

SHA256
30150c96b109d78d33af58713f54d0d62099af8b6dabf105d1d2651ce42ff875

SHA512
fd9d41091c227059a565707a69fabfa398a4562bc634660eea55b59b00927491f9edd202263f6b54eebee1e71e9cafdcc99b2f8365b8c0bcd7821315f89c5520

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
186KB

MD5
38158a8229fcaeb8ddcbef53f4ba910e

SHA1
a334cd58061cabc1176bac25955cb764831a252c

SHA256
6b3ddaf90f01d812c0b4b894fddb734ae52c7e7d6d5be02b78ad889a5114f347

SHA512
2f242c1d9908d90085a59d87073ac8d2e048ce1957b5e21a38b684da1f36dc76344f15d3d9f85eb7743efa0046db4112200dacef1ab9daa0ff46a3c0ab8b1029

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
186KB

MD5
8fcd715d612d3ca1c944a2d7463e3d3c

SHA1
a06aaffa3ad368646b97e42c255cd23d36aee0c8

SHA256
4ed5b7ca063f8d65d6e1c8238afe51727fb90f9f484e3521b5ccd3c2ecfed3a4

SHA512
c0ca846712f2d6f3561ab98fbf12b4903b7c6dce83130deb3eadecfd826987beeaf14989e6478673733ac278a004398b425d27b93944103c972f9eda9f735907

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
186KB

MD5
bf963be3f654bba10123889f6337c8f3

SHA1
7d1e7987e29196883c8c03bc032be257207bd8dc

SHA256
128fa83a739ee41f8f3e2361961f49739cf5374848144154c618efd7c04d8dd6

SHA512
40c76be6e6c1d10b52085cbb5c812ac9ffe4d99b34347ef3e2b673b7310a3a92a6017d0221e5e9e9c72f1cc38c21f5fc93e2e28c2ad5872eeca84371968ac7be

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
186KB

MD5
4d9b995f4eb3aeb08aef806cd3e68b9e

SHA1
7c9b5fba2b2a9bc6a08ee2d9b85818ddd46bc524

SHA256
04f65f252a3b60341a68ee89dce057fa7b092bbdeb63535a1ab36fdf82f21968

SHA512
76075b5d2d6aa5c2e8cf55a24f7a2ffdcf731dcada48de2e519e77ffb848508d7faf8a191618b3cb6795572d220b491279329ddf9be8d628be4dca242234294b

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
186KB

MD5
962ef2875bb3a2f8aff577ccd8051d7e

SHA1
b1a13eaf6d981fed010dd0b1e32eadeac126ae00

SHA256
0fdfc9137aaeb3555faf31aa09193a86c34c7436c6bf087da95076008bd2aef6

SHA512
66aa5a9c9ecd519972bf773df715db3894894f0e15dca1ac7b111e419ce23066bbe99e5f42d2b719a556b988fde3b05189fc6285168d39a20a62d907344a6ef7

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
186KB

MD5
7e8610d0e849d74ef8da13da4fe7c313

SHA1
0b7fbde4e6b29f69ff44b90d5be1fc74d388eafa

SHA256
b110a4491c71d39568022c21d12aa9b5e1e1489fbee0b2b0847b8fa0b279e51f

SHA512
79b30309a79023d1686313986b186cd0b143c66fa638caed9f95e06be5eea09c410d97b67afb3152d3b4514f4ddc563b81514e89ba3ae883e8813bee7421991c

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
186KB

MD5
26e15bacae259b478ed2c9a6c4a7f295

SHA1
3c63dca9fb62372fc88c547d845da1ca1f86a3d2

SHA256
a1ba3dbd4ae72c77fe030a636d73f8d0fb6deb7de084d9c40efb349e3b4571bf

SHA512
d766b8f5967cd78ed8e51b7f7143ab9c137ba0ecf749ad3dac68dd85cdf4b31070d063db6adc202fc14f9d89768235b2d610415f84f50d2312f73300dcc009e1

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
186KB

MD5
6cb609978e4c8d5888d064d3435ffe71

SHA1
e46d2085566357de7c6c72be424ae58e36a8106c

SHA256
57e755326adce0dedd99ed32a764af1d3aa9470e0e92cd6ad6c3c3d799bf6b4a

SHA512
a86f56fcbd6a00a056aaac8c0ce0d655a45f7bead2a672bbdbd33a4fb9cd935bdc7f59701d38fcc3d1587066e6f24be1053372db93b65d1c1b53094add45e5ea

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
186KB

MD5
827154b10b03744cc193b120d3c76289

SHA1
6b43d6ddf98885bd670f1496a6cb11500d16ac4d

SHA256
4404a67ff2816236eb86d5e5875ed2bb97067d24cededbfd8671319b42e06fb5

SHA512
09ad7afa3bcb9cd5580707fc3ad299144735c39d18928f4ab5fbbcd29c77232aaec703d2ce12b5acbd5d7d1f58bc3a7a1cd71cbe4f78f455964bb187b5b17ee8

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
186KB

MD5
175e0bbf2afaf7a2bb047f8d3906e338

SHA1
ac8a7242ae4c9df1ec5e44d065001215f7ea84a3

SHA256
b4a7a8f4fce73274cff8c4736d0360dbcdd7d906a5a2abf67406b7747b4255ec

SHA512
5365f2db08e1d64903fd03ec39c833be9ac33ba8883c2ead0f6571be85e0e71a500ecc9187af3b3bac8791658d611cf80478b8ecbe05d3049fd52f9fe0475947

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
186KB

MD5
ba1d31fb9f8963fc184fcc26dec86908

SHA1
e81ee3fec1b19b320d44223123d2d7d07edf12b3

SHA256
85c799c9e5da449d06537e9dd0356993460faa1c6c23cddd1d0ec9dcbd9c0621

SHA512
70c28e4cad028fc3400d0a0a7c3b5321ae2cf4992fbeb90d1ad4835909bda5ebd4996c4a57dd7b4115c78ef01e9e7041dc075caebb45c965028cdbfd5a31b7f2

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
186KB

MD5
d381c4668a16216dc3c08373c6515d11

SHA1
67907d5fdd3ce4667402558e4125ed0f75d1014b

SHA256
6e4163ecf36f79654d81162583726b90025409502bb0789162fd9dd4d3eb1adf

SHA512
416797a997a7dc0efac87861acefb0e75a135bf3bed803a633ed32b0d1abda69bb3e2a9adedac7d4f43a5699c68582265dfa0ab35a888f75ba2a0884d8c86a92

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
186KB

MD5
032c75d1fe11d0b18f95914b6f556de4

SHA1
a3d75cf4b90821193a6c24fe88caf60ec86cc8f6

SHA256
684bd82e2b608f7521118fd3a9f57e2e901cac434985f30c50b151bf61449a14

SHA512
b3730cb9855910d19c16c65baf9b33adb8fe634266e9a95a00cdb90f7fb6b10024976d4747a1da680cddba3614d49d5b420e6a398aadd82b68bb5a087d7bb3c8

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
186KB

MD5
30cb4705829f2b4f4a6bb14187e9db9d

SHA1
ad8e8064bc8b8f3b9250bf345453c01731ec3d82

SHA256
3cffeda00959e907c1ff214bda28129b1eeef968d0ceb1cf62986a1b49b27cae

SHA512
fcf23dc479c8f9b3c324b16e993f6995dc5bf2d5edd3e280d50dad624133b3eb76fd8ef452ef2e962857347ed2589bf541f61baa1741cab30651f20b03919f46

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
186KB

MD5
c948ba81a2488e04619fb2ca57349fca

SHA1
169647d4747dba1a794026913c49acdd4eeeda9c

SHA256
69938d01b4393291bfd0f7e40ec45f54bc2a39ba55bb779ef3ffd4318d9f90e1

SHA512
8e5111f7d1d9d1f3ab427d1ff45b0cf6e8c695fee689e8d2a53aac177b96c0bc2b4a7ec62f11198272369ae8f657d51e16b337ec3fdc0b991b9b2b2d1984d1a8

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
186KB

MD5
03ecac87b803f0f031a68868e27a3653

SHA1
a43e403feb2110d098ae5cbee10337db4100aa0a

SHA256
102ed05b4e38fbdbfc87df2514b551dee067ecebd817867abc17fd02e95b7679

SHA512
64200ccfc0ec015e6bc98cd878011d1df206ba5b621d702f50c73f39a70f780aa580dc58f361af32ad2e35815554142f8d4f2dd47658194b0cd564c2c517e03f

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
186KB

MD5
bcf924d9aadac091146863dc998aa246

SHA1
d02d381fc8110dfc0b175071f2f7a822651b6886

SHA256
0369f290dc2b908f25343e6aa245a7d8ef2333a8842030411a7e381e251b1be4

SHA512
0468393dc3c8695d72b8486f35701bf377bbeaf1eb8a37d6c36d129c926d250d9f9400cbc6dd4d555f2e03dadafa5f96f78c86adbb658c05531af9e59e3c51f4

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
186KB

MD5
01f4a578cc02b1616e3826f2030a74a1

SHA1
6de5d97bd4c407099acb3f40a13a2e02d5f5c2f6

SHA256
097362ec684607f3a7cf7a8676dbe0596627652037c41c1975d2f4a1308ea1af

SHA512
0ebc726b37d9ffbe1826eb8726034bc2b594897ca312b0441cfe454a5d5a7947d786270702f51277b7277305445d6c6da869c55033359075a74016596c4e6223

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
186KB

MD5
b1bca073c5270170087ae0acca6f4d13

SHA1
f89fc5db4b7b1a32473082b8e1dbcd49eca59352

SHA256
18166050200b4e1199253bb5e9b2e4811c2e1391e15004f1ee8e795630d04a24

SHA512
92755b82e259f0c990910b266200fceedce37174d9e3898d4f10b4159de54b64b7e2687ff43781ee86c61e6df30f22759be7a4ea32f0e20a83c8c1f2d9394d13

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
186KB

MD5
1ff826e2b2f39af42a976f5d2b9f8b20

SHA1
1f6e1f4c3e6c56df2595dd38165bf7dda9a9373c

SHA256
c10983ee1acde785026096046462977943aa1f1147d4dd7a5b422765fc9adb57

SHA512
695b2104f0988d091102de1d6f45a5d55102a9df1c8a2e7f6424b7451f2d7d5c513151bf35a7774daae45568bc8882b549cc10d88a2d7adcef586c82343b6149

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
186KB

MD5
60ddb428f55ac707c719f218ba59feea

SHA1
30987b913e61bce6893e5f64c965cce0574dd88e

SHA256
208ac850001e38ba2b93ac44a510fc37eb01685515687893e187d93048ee20b5

SHA512
f0ba007f736ec77a90ab7482ba3279fbc081667b4dd53ffb5f1155f7a3333efef909b0052789d9a45e47960886445503b9950c536df94e3f35a14a4a648c7b4a

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
186KB

MD5
895010fdf58b2b9372eefe2bc76b846f

SHA1
94791bcb4c5bf89e34dfa7911ea9fd1380751099

SHA256
1652ef9d25f6dac9d6d0ddb3282a8a2abef0c8876a3de4d3c64470d8e0b91079

SHA512
6745623517906dc19c97fb59e29e89748bceef4854b2e50f84c7900afb35c9106d58703240955d8582e2d10848372927291f6010a96264bc98227a9e880ec012

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
186KB

MD5
75a31de7bb9cc065e3da973a8f5da0d3

SHA1
847af84e6e7569e8996d88f4b7f465be1b312473

SHA256
c50a49d757dd748c343b519565578d10fed91bb3999db041ea1cf32c1ff74563

SHA512
61cac8f0e11264980104e82e0e66262156d159325f7660f7d2714a9cd953590e6e3a71b0ed6635d182cee911ca7fab2fc38d4dc1641baf59cf2a067978fbf9d4

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
186KB

MD5
bcbee0789cd580f5bab1281d5d8e536d

SHA1
68e0c671f2af5222122b8a009b82d630863c1dde

SHA256
3367537acdca314d647ea41125847dc4ae63af3c7eefc56dcded076f332c0beb

SHA512
e089ea5d215d6b88d0a33ab29a1a1ba05c40ff62eedf225adb6f1a5b911a7c91f94632939bfb8b4cb26639997c1252365f54fa9023a3e8d3efc36c1b6f2c6485

Download Submit
memory/628-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1296-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-747-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3168-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3936-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads