berbew | f33fb6993df62746b4bae6f2a0a98c52e5be35a98c92d2b1830436e1b2356ff7

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f33fb6993df62746b4bae6f2a0a98c52e5be35a98c92d2b1830436e1b2356ff7N.exe
Size

89KB
MD5

c3b158a2c592bdf24ef60ffece4c2690
SHA1

932f0cb6e2e60a7e06a8c4c24c13301d5d5d5248
SHA256

f33fb6993df62746b4bae6f2a0a98c52e5be35a98c92d2b1830436e1b2356ff7
SHA512

0160c173b232ab3f44b9fa3333dea8c424e6e63c7ca65dac7e01b8713dae686d25e61c6a2607abc54fc1a8f37e65096ad5aa5ed6a403a29ca9f33797c598ea36
SSDEEP

1536:kwNqM4ScqKA1HHuAU6O5V3tn8AptMooWXQ8Ikp8ZobmsCIK282c8CPGCECa9bC7I:54JqKCHuRB18AptMfUwobmhD28Qxnd97

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f33fb6993df62746b4bae6f2a0a98c52e5be35a98c92d2b1830436e1b2356ff7N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4548	Lbdolh32.exe
116	Lmiciaaj.exe
2956	Lllcen32.exe
3180	Mdckfk32.exe
4172	Mipcob32.exe
3800	Mdehlk32.exe
5084	Mgddhf32.exe
4788	Mmnldp32.exe
5072	Mplhql32.exe
320	Mgfqmfde.exe
1616	Miemjaci.exe
5008	Mdjagjco.exe
1640	Mgimcebb.exe
4968	Mmbfpp32.exe
3752	Mcpnhfhf.exe
1208	Miifeq32.exe
4772	Npcoakfp.exe
540	Ndokbi32.exe
1220	Nepgjaeg.exe
3528	Nljofl32.exe
4624	Ndaggimg.exe
2804	Ngpccdlj.exe
1992	Nnjlpo32.exe
2228	Ncfdie32.exe
2284	Nnlhfn32.exe
920	Npjebj32.exe
1920	Ncianepl.exe
2636	Nnneknob.exe
3448	Nggjdc32.exe
1348	Oponmilc.exe
676	Ojgbfocc.exe
348	Odmgcgbi.exe
4720	Oneklm32.exe
4648	Odocigqg.exe
1620	Ojllan32.exe
3520	Ocdqjceo.exe
2684	Onjegled.exe
1216	Oqhacgdh.exe
4308	Pmoahijl.exe
2928	Pgefeajb.exe
3260	Pqmjog32.exe
1112	Pggbkagp.exe
4992	Pjeoglgc.exe
1696	Pmdkch32.exe
1792	Pqpgdfnp.exe
1708	Pjhlml32.exe
3112	Pncgmkmj.exe
4768	Pqbdjfln.exe
2908	Pfolbmje.exe
380	Pnfdcjkg.exe
2304	Pqdqof32.exe
4832	Pcbmka32.exe
3988	Qnhahj32.exe
1956	Qdbiedpa.exe
3424	Qfcfml32.exe
628	Qnjnnj32.exe
4224	Qcgffqei.exe
3648	Ajanck32.exe
1712	Ampkof32.exe
4320	Acjclpcf.exe
2872	Ajckij32.exe
2744	Aqncedbp.exe
4660	Aclpap32.exe
1068	Afjlnk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Flfelggh.dll	Mplhql32.exe
File created	C:\Windows\SysWOW64\Miemjaci.exe	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Nepgjaeg.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Miemjaci.exe	Mgfqmfde.exe
File created	C:\Windows\SysWOW64\Mgimcebb.exe	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Mdckfk32.exe	Lllcen32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Lmiciaaj.exe	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Lllcen32.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Bagcnd32.dll	Mdckfk32.exe
File created	C:\Windows\SysWOW64\Mplhql32.exe	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Mgfqmfde.exe	Mplhql32.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Ndaggimg.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Mmbfpp32.exe	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Nljofl32.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Deimfpda.dll	f33fb6993df62746b4bae6f2a0a98c52e5be35a98c92d2b1830436e1b2356ff7N.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5772	5688	WerFault.exe	200

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mplhql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f33fb6993df62746b4bae6f2a0a98c52e5be35a98c92d2b1830436e1b2356ff7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkkfn32.dll"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimfpda.dll"	f33fb6993df62746b4bae6f2a0a98c52e5be35a98c92d2b1830436e1b2356ff7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonefj32.dll"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlihfed.dll"	Mdjagjco.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 4548	3676	f33fb6993df62746b4bae6f2a0a98c52e5be35a98c92d2b1830436e1b2356ff7N.exe	82
PID 3676 wrote to memory of 4548	3676	f33fb6993df62746b4bae6f2a0a98c52e5be35a98c92d2b1830436e1b2356ff7N.exe	82
PID 3676 wrote to memory of 4548	3676	f33fb6993df62746b4bae6f2a0a98c52e5be35a98c92d2b1830436e1b2356ff7N.exe	82
PID 4548 wrote to memory of 116	4548	Lbdolh32.exe	83
PID 4548 wrote to memory of 116	4548	Lbdolh32.exe	83
PID 4548 wrote to memory of 116	4548	Lbdolh32.exe	83
PID 116 wrote to memory of 2956	116	Lmiciaaj.exe	84
PID 116 wrote to memory of 2956	116	Lmiciaaj.exe	84
PID 116 wrote to memory of 2956	116	Lmiciaaj.exe	84
PID 2956 wrote to memory of 3180	2956	Lllcen32.exe	85
PID 2956 wrote to memory of 3180	2956	Lllcen32.exe	85
PID 2956 wrote to memory of 3180	2956	Lllcen32.exe	85
PID 3180 wrote to memory of 4172	3180	Mdckfk32.exe	86
PID 3180 wrote to memory of 4172	3180	Mdckfk32.exe	86
PID 3180 wrote to memory of 4172	3180	Mdckfk32.exe	86
PID 4172 wrote to memory of 3800	4172	Mipcob32.exe	87
PID 4172 wrote to memory of 3800	4172	Mipcob32.exe	87
PID 4172 wrote to memory of 3800	4172	Mipcob32.exe	87
PID 3800 wrote to memory of 5084	3800	Mdehlk32.exe	88
PID 3800 wrote to memory of 5084	3800	Mdehlk32.exe	88
PID 3800 wrote to memory of 5084	3800	Mdehlk32.exe	88
PID 5084 wrote to memory of 4788	5084	Mgddhf32.exe	89
PID 5084 wrote to memory of 4788	5084	Mgddhf32.exe	89
PID 5084 wrote to memory of 4788	5084	Mgddhf32.exe	89
PID 4788 wrote to memory of 5072	4788	Mmnldp32.exe	90
PID 4788 wrote to memory of 5072	4788	Mmnldp32.exe	90
PID 4788 wrote to memory of 5072	4788	Mmnldp32.exe	90
PID 5072 wrote to memory of 320	5072	Mplhql32.exe	91
PID 5072 wrote to memory of 320	5072	Mplhql32.exe	91
PID 5072 wrote to memory of 320	5072	Mplhql32.exe	91
PID 320 wrote to memory of 1616	320	Mgfqmfde.exe	92
PID 320 wrote to memory of 1616	320	Mgfqmfde.exe	92
PID 320 wrote to memory of 1616	320	Mgfqmfde.exe	92
PID 1616 wrote to memory of 5008	1616	Miemjaci.exe	93
PID 1616 wrote to memory of 5008	1616	Miemjaci.exe	93
PID 1616 wrote to memory of 5008	1616	Miemjaci.exe	93
PID 5008 wrote to memory of 1640	5008	Mdjagjco.exe	94
PID 5008 wrote to memory of 1640	5008	Mdjagjco.exe	94
PID 5008 wrote to memory of 1640	5008	Mdjagjco.exe	94
PID 1640 wrote to memory of 4968	1640	Mgimcebb.exe	95
PID 1640 wrote to memory of 4968	1640	Mgimcebb.exe	95
PID 1640 wrote to memory of 4968	1640	Mgimcebb.exe	95
PID 4968 wrote to memory of 3752	4968	Mmbfpp32.exe	96
PID 4968 wrote to memory of 3752	4968	Mmbfpp32.exe	96
PID 4968 wrote to memory of 3752	4968	Mmbfpp32.exe	96
PID 3752 wrote to memory of 1208	3752	Mcpnhfhf.exe	97
PID 3752 wrote to memory of 1208	3752	Mcpnhfhf.exe	97
PID 3752 wrote to memory of 1208	3752	Mcpnhfhf.exe	97
PID 1208 wrote to memory of 4772	1208	Miifeq32.exe	98
PID 1208 wrote to memory of 4772	1208	Miifeq32.exe	98
PID 1208 wrote to memory of 4772	1208	Miifeq32.exe	98
PID 4772 wrote to memory of 540	4772	Npcoakfp.exe	99
PID 4772 wrote to memory of 540	4772	Npcoakfp.exe	99
PID 4772 wrote to memory of 540	4772	Npcoakfp.exe	99
PID 540 wrote to memory of 1220	540	Ndokbi32.exe	100
PID 540 wrote to memory of 1220	540	Ndokbi32.exe	100
PID 540 wrote to memory of 1220	540	Ndokbi32.exe	100
PID 1220 wrote to memory of 3528	1220	Nepgjaeg.exe	101
PID 1220 wrote to memory of 3528	1220	Nepgjaeg.exe	101
PID 1220 wrote to memory of 3528	1220	Nepgjaeg.exe	101
PID 3528 wrote to memory of 4624	3528	Nljofl32.exe	102
PID 3528 wrote to memory of 4624	3528	Nljofl32.exe	102
PID 3528 wrote to memory of 4624	3528	Nljofl32.exe	102
PID 4624 wrote to memory of 2804	4624	Ndaggimg.exe	103

C:\Users\Admin\AppData\Local\Temp\f33fb6993df62746b4bae6f2a0a98c52e5be35a98c92d2b1830436e1b2356ff7N.exe
"C:\Users\Admin\AppData\Local\Temp\f33fb6993df62746b4bae6f2a0a98c52e5be35a98c92d2b1830436e1b2356ff7N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\SysWOW64\Lbdolh32.exe
  C:\Windows\system32\Lbdolh32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\SysWOW64\Lmiciaaj.exe
    C:\Windows\system32\Lmiciaaj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\SysWOW64\Lllcen32.exe
      C:\Windows\system32\Lllcen32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
      - C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        24⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3112
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        56⤵
        Executes dropped EXE
        
        PID:3424
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2872
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1016
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:656
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4628
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        79⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        81⤵
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        87⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        92⤵
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        93⤵
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        96⤵
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        101⤵
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        114⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5600
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        120⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 396
        121⤵
        Program crash
        
        PID:5772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5688 -ip 5688
1⤵
PID:5748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
89KB

MD5
eda60827abf5786241e3263e3c06011a

SHA1
1c75a107ed77ad367944120655588ae46978cb62

SHA256
4d868053ee10cb087e4aff6636a856164742839349339cc0d8843ad40c855878

SHA512
6c62ce110a9c749e4cc1be8bc650eed43570b09acaf3fda51cd239c2cd8de9a5670de11636c8bb12c00a642eaf01e12948ef5fe2d278acc89aa2274e0a4388d7

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
89KB

MD5
0d5ef43c9efce392245d37261d237fd4

SHA1
25ad94287c749553c0064e99cdfecd766f69ba62

SHA256
17ed9c00f719e3764c77fafde8d6796cf709ed05b265d6db463f4328fed71c70

SHA512
3a53c0265d6670c2a6f2ef739be9e180b41346e0e3a2e608e178db0222c6b1bf85f1eac6d6ea7d14cea5c912bbaecb21017fe1cd2437beaeed13d7bd4f7b9853

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
89KB

MD5
de876aac05873593debcb57d5f9b594a

SHA1
56fa6f220c0518da0e6d8ecebfa3a1743c66af7a

SHA256
6e67d9196fc0a8d12b182602037a022854dd112d9c0bb9440f41f4b77a0669dd

SHA512
e232ace751dac8e0194cbf2430cf1ae07599cf426dce4d9240d03b59fa72dd1c5c99239837a0b7a2b634782fe901654cefef02b10748fb3efff34282794dd8ff

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
89KB

MD5
b4b94b25de1d2623ca3331dfd495003f

SHA1
1b18ab7855248a877ff5a737ed1d2d8cda99eefe

SHA256
ad2eb5cbcc8e052fc8eb41a156560ae53568f1e9e27712dc3a5bfbaba275f01a

SHA512
3f494ee9023e796cdfc910b36451ee05c80dce3fdd1bca2665c5bd574f740e951ca4f52b4bbfbab56bef614373dd711b00bac0dd64378adf5d3880f379e963a1

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
89KB

MD5
c49c10fd5c20d538fc0f77cdeca792e1

SHA1
b1f893767b34d78215795c400b7d4504cafe8d6c

SHA256
3bd685ddae3590231ee5ed0cd8f02998b583852b3c6cda672cafb88a78177b3a

SHA512
c13174b860f35e0e5b5e353b45181cf498587c3d028a99131ecb4bc07bfc198f1c21cb444d3ac91351a51d72ff4935111b399551e9ec07459c91b905a53a09d0

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
89KB

MD5
afe6f130647629e533a81d1af027709b

SHA1
3f7d8cf3250f1f93e82cbdd135124d5624f1fcdb

SHA256
037019db29be38e52a6a79265dfacdfdc2af7a70bd034f2ccb0312f42db42125

SHA512
c7b236b041a48584ae2ed431b1a93a8089c0c0721d656c1ab9dea628d62abb0fd72ba618f643fd1765ee6f2e7b8b96bb1f6e81608da0c0a4bebcc591377df25d

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
89KB

MD5
42e4bcb78832f095bf7cbeafc7f041ea

SHA1
56f7e91c7302e937aa4ad46ce25d0dfa7a90d72c

SHA256
b601582c989e35748a997710b629ea1fc793572bd65528447f4ed3dfa7658c92

SHA512
3e29a9c053b83a6b808da03d2a1e44824acd9060f9cc153fefe9829e8785b2a42204c7f1215672135f074fb28c022f6e513d6995b80f267089272359eb768080

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
89KB

MD5
df19e0b8132f5fe648dfa66f2bed281c

SHA1
69e8d458f7e9b1306eaebb378e003e459eebb63e

SHA256
d6effd5a40c097597bcaf264b82446a7d79eb6f42e853dbdeae071368e1fa918

SHA512
7fd1d489838a499d22a1976316c35858f98e13352abd7f0cc5724bbb2b6c510f6c05d3b9cc8d4092a6f907b198852e3a8180f48d9874ddc818f0172767e49547

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
89KB

MD5
d876755da29cc7ecddfc94d9de1298f9

SHA1
1b6a53f724ad81f1d503282af31d53f38cdef0d5

SHA256
681e841a42faa5a326c97747097bf1807084c6ca2ee6568fc756978c22397724

SHA512
7983de56bd330a7a59e9201876606b479a17107e8ca244397c18a95c326c84f016b5cfefddea346e949cd8fb4a8f924b760b6882d6729d36d66601466e00b182

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
89KB

MD5
925a971745a88307ea37d9d43fa5a229

SHA1
03c6f181399eddd107ce8a568f03bd7b46a4e29d

SHA256
53e6a443d28007cf7126262cd3357ba125f4ab284ae34f58961d038371b92e38

SHA512
6ed245fbdf848f1ec3337f27f774245b5d3e7229d3f56badc92914f3b4e742b976a06390f6e7affd45a35b32c480b6de2e07e7063a8995ab83e2864cf2242118

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
89KB

MD5
f77bae37540b65050a0dac4575131aaa

SHA1
601b383a97dff2ba6cebbf46ef2b970f71056eb4

SHA256
ccda80cdf890ebcd7dfe903d92b994d820ed45f3ec88ac2b268972be567cffa3

SHA512
e11766e6b2941d93bd5fb210ff25419df5fae42bedfb0954c9cfd3b3a10fa6e53746f04ae64fdb24534978a7a664729cd6ed9b04ffee72f5413c7f31dfa9298a

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
89KB

MD5
b2962df073036975e069dc01c20b2aef

SHA1
7f775cbdd887c5bf05ddc518d60b94e0c627da30

SHA256
b436693f1871d9321474dcdb880b2f043ba64bc75541a09e75ff42b8d6e1696f

SHA512
f11dec834458e69720e1c79802035a7b4bf9ca26206e3265c38c8cd8195dd9c998f2f627b41ffa841acf0140d2b6fd66d36ab5c32a51b230cd4c1df00ed13395

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
89KB

MD5
852673d2ab5d073bd84d1e2bf1a4c0ce

SHA1
b5e0bd457fab57488bc93322a5d317663524873d

SHA256
f8aed115117dcfaf17255ab44b3ea1a79bf1fa3774a168d21fbd36387e47b072

SHA512
3ac8d920358d5dc958560c1d901c64f41b28005061037cf4c72c7ed7a89a905112a8c51fd4a0bbe3f5ac35f2cc1a1f7e5082457e09adb26761a272ee48bdef07

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
89KB

MD5
2778e4e6395298f07a835e81a6b944a0

SHA1
6520c158e51f9c4fa8800c937bb15b1358a171d3

SHA256
4cde72fb2155db05e65620d07e2e71a62be800a875556a974bc5fc821aba6bbe

SHA512
291ccb62a0b0a597f5233839f0b7a91c12b537d6721b0e88461e154a5b13c0bfe842f7964b6c5c67f68981e70a7b2c08f4d2a65d00f18a4718e47ccbb4c40c9b

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
89KB

MD5
e3b09e60d73f32bb08b9218a0359932b

SHA1
00312b2a9082e6fd3e64a4ac11f1b959def8f8ea

SHA256
fcd4386518bb26da56d0604c508313c618116dc0f1341cb7f2d906fdad3fe868

SHA512
40ff9ade9805eb04a39fa0f5e7cd0300bf6cbc85b1ce03d9dec63b728c790be96d9b4b8695366c5e6a5f08a4f85dc9971fc6a911c6621b03f0858a541c15ad83

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
89KB

MD5
0924a4d0fa5e7e8a6a3d982775df44e5

SHA1
17d276e95104d36c38424829a2efb9740da13a7e

SHA256
5f47759661461da8da1ead51d2f538376a8d9c048fe26166c11a0b1c71aea6ca

SHA512
4a5bca5ffa5a1fe4ecf0cec664b79d305e463833117d8e5c38997c6b796cfe286e4a21eeb3c9a08bf923c27f67e22c01dcd1a928b53cc1d12c7d937dd7668a48

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
89KB

MD5
7280487f7ef33c2ea8c031dea30c9cb6

SHA1
78d183d00c6ed034fa1f50ead8414d7fc954867e

SHA256
b805246cc1e4b73353c9a6012af820748b9ce6c6116b431514f1809b9c4b022a

SHA512
d264d68f5247812aab91af6076c82f19475edc47c26d286ab4cbd778a8a6c196990d0bfac9d5f54eacb57dece67cdc0db0f2faa3e5b2dfcf3c927a54cf719280

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
89KB

MD5
a338d870f9f655dbb4b949bdf4e7af7d

SHA1
2111e3a0ea8926aa09c90ef9ee88aed36ca31166

SHA256
6a6360e16955ba0a7e9d3e8102b04173984a56c562a490256ce41f7c54fac278

SHA512
f30c6dbcaaee3ee1b3f26787c2aba915da8de90423374d1491c8b1ce6634c133371e603b327483488c1a8af20cc66fd3dd66c20bf91f12d369aeb39918e4f90a

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
89KB

MD5
08ec80d5a6e991fe26b5e9e3b4e382aa

SHA1
2e60777c2688c9f3e36466564bd38925de7e16f3

SHA256
b061e658ba0ac1adf08c8d5baa9d28d3d142c525194303a25ad328eb6825597a

SHA512
9c5801d922dc99b3cad6c623a11fd1ee5967742ee5f004c5a40bf5d526a5eb74002175fbd4441e955b85a1619659a7c1505eadb365079726e92a6da3e3ba67d1

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
89KB

MD5
8224a7da333eb506d31cc97892075f56

SHA1
c89a961de1f5ad98be7f11f8533c0100ed6db4fa

SHA256
96f7294b449ce37691abb6f24da8f0211c24077016b715f252badcd62ce30088

SHA512
89b01d08dff4e11661955342eec1cf5cb687607e7c87bca28c70188a6062119948bb83de49adb13cd0012192ea507790e2519a8642c475384dd3e0cb2e59f950

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
89KB

MD5
acb210eada5ad9676c119aabf3df2950

SHA1
684878ba31071ee96bfd8b6557a7dcf6ee97320a

SHA256
a10d2b8f32e2eb66fb67d4df3158e0adf9d931c805e591adb1ae1a0ae8f28982

SHA512
8441845d52d0a9840abda568c59f7cb43b872435df15e1357cfd8a1253e1b269030ffff50eb3588dd9d54162b9005ef844b7f8aa04c82b2c6a41b9af2cc0b728

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
89KB

MD5
098da8ff98abf9e2f39b03620522f6e9

SHA1
326e43cabba8c24b081efb727d575c9f323925db

SHA256
53ca477ea97abb263356fe521f3980e9cc52afe624d46bccf3b3ac6848c4751c

SHA512
48f67b86d96bb7b204864df68ad32ec282a4e01dc834254a554af1d6e70d4229cca91203be1784597f587de71124d023190e8fa9292f472b34ccbe279acd1ba7

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
89KB

MD5
8c72abdaa4f97b9792f459dcf99aa8cf

SHA1
7ba18da05c6bb6ad062c86fb34b8a85689c1100a

SHA256
c413fe94d41217f7b38f71365f458652fe24f2617510ee3ca729b53f0e1e92d2

SHA512
86936141fea772d784c37b75f06b565c877985344b96a10b3611dc38409ff62d67ed8e19e618c4a8e82e2952621da2f125d052552ed7d21e339e3aa95643d9f3

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
89KB

MD5
18d3c9d3de6894048f15b74d4f395ee4

SHA1
8cd89d6d73ea73ec64bd50d8bb9b3d2c70f3f9ce

SHA256
52121682baa2b04b03718d4a79279a6e217f505bb05ccfe88d9b63d7eb1fb288

SHA512
a1682ff556f48e57a5de06ef2e6507a5cc06dfd48d8a0e03fc23f638c96977ca37ba0b2bac78e5624cec80a2c62670974b69bd93fa3186d473fab7d48dde8999

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
89KB

MD5
f6803b684093274174e36cd035c5f6d5

SHA1
b1a51f09df0075467897e656a1034b7f12a0a01e

SHA256
3afac99902b1958541117ba77ea5afc7cccc860d2a7f370113b9006dc8fac32b

SHA512
243f268bddc5fe8149fa9a45c121b27c378237b03d6816a72c30bc8b7c227927994a044a83b44882f853d68bd0b5ef2115e7d46f5368b1ad4d6e927b31b993c5

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
89KB

MD5
db69ae7d4d5652041732fba30931c8e0

SHA1
4d1be9a0ea0c77ab297a026955bfc22baed5e934

SHA256
0ad1018b423dbed7ef39ee401ff5d73d9cb970175f6cf5ee928ac58dd745e833

SHA512
0d692f5c213962657ea3cc7366fc074bb85778de854cb7222e80877b845edf691c90d6c3b02370809bf232dec80ff612a17c3942a91762401cd0bc1941c9663d

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
89KB

MD5
e38ed6018a24e6ea6e17150549933858

SHA1
7a0b6e7ae7b0965432aad9970157186ab684fd4a

SHA256
3dd9dba2e06dff5986c97c5f5d575b92440579b5d171a36c0d7271c8ba1837bc

SHA512
14dc49f6f7852032d7c634d1d3800aa6c1d16fbccd0cc1eb681b8b18a4084a19b4c52ad6bce4d65415dc36b5a2766fb02710042086b7f26a9e9118186e99d5c7

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
89KB

MD5
869676560caa622f8495d3cd1a3b054a

SHA1
e45627c9ede61acdd004917cae5c38ac91a7e6c9

SHA256
e8ec750842019eb1f721bc55bba1f13a99de1e7ff2ace3b3432018239e95340d

SHA512
53c8fddab9d1594b0a0a1918133b5e020800ac3744ecdb6d4c35b7e968520c0b9aab25336ba8eb99e2fabfc8f7c34d3e55b06e72769e73626f0953fcb7c1e3cc

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
89KB

MD5
357717bca3149272a00d12126a8f24e8

SHA1
8e2fefe2c3eb416855e4a75d6e25038eb0c61093

SHA256
b41c77ef04a20f67ae7e6ed732477102794bb2b8b6b25fd9ba0ad5d825e5ff3c

SHA512
89d1679f61fa02d0f4400ee4a7c3f5893c2b9fbc7fcd6e2320a03de5633d6ead63c7000f4d1bbd365b21457cb5b847bc27da0f06079b1bec74393844ae7d4b0a

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
89KB

MD5
41b3b9b7940aff970ea444b4f27b162b

SHA1
a2f1bf3ce93cf582de094ec34c931198ef5be5eb

SHA256
1edc5a0d2bad69ee9e18f85c54ca307526be052041cf68e57c9c47a334a6c258

SHA512
aceaa21a9fa182e2a8cad861f7cbc7b416772322513148e23962a2af277191dcc8e9542b08a6b097dcd9f1743a59c8901538cd1918b7d70a49a768b205123e5b

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
89KB

MD5
d18e39572d65883c1fadbf645d4d7ff5

SHA1
0dd8a14e261745ed4739f4ace2a3e3d84466c0c9

SHA256
fe4ce24b373e4e7848f90207ba5bd0cac03ed9518a73b7a63b24581deae04eee

SHA512
f3a1bc370d85feb9421595876162250a9b9579a73d8d1864d0f8853de3a2b8153e1b79127845befac13036945df9960b46958bda9ac6c6fcd7f8ce213c8cc329

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
89KB

MD5
c1b30f5a98e215ecc750fde93f24abb5

SHA1
09b7dd73cb1e7a5e5e8f87254ce5e032921ea59b

SHA256
aa1bf2bc78065118018ebf924a026b41124a63ffd4b37784480e6b7eb8a658c2

SHA512
bc4b44a385eca6caa5fd3b0423d0b0d623e079335dd6646480b186d47e84e4805cea702c7875aae156e12764d3f097dd6a0c0efd70d4c03530c36f417b4bc859

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
89KB

MD5
ecbd76410561289e26109de69f2410e6

SHA1
a7a4855d2637099b1a4a0ee3f38fbfa85cc5409d

SHA256
d30d7c0d76b7a18081d781c2dbac600a3f8c4fbaa568cccb20da39e1cb914a61

SHA512
5a996b3faa0c486cec31c9ae63fe57b496d916078dbf1fe07fc67843dcec87b372b5a3903cdf121770341e248875602e54fd70df8404ce59d2eaaf1963023d70

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
89KB

MD5
0c4ef23953d6c475ac01123cf38927c9

SHA1
c601d50e4a53cf51ed1e006a1007e392864bfdc3

SHA256
6535f3eae0c801ff2a42642f63348b395467b7074757c961c3314ea4f07cd80a

SHA512
8728810e28f4b00b8ac4297cf775b68bc653b8a2ed5acf35d242d9944f1d6b6e5f81c21128874c2df1fdef1f9e812a2b509272525368b52b5721c5215efb5beb

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
89KB

MD5
319af03dd613f600cbe30574446f702a

SHA1
75474abb3e9b085bb0826b990c4e492df77d1ca7

SHA256
54d5a755b861412723b6c7315cc9dbf203d3c2672ccda69b76545af91d67cece

SHA512
02f5bb8dd49680cef81c562d45ef527b0189d6b2749687095c478126fba71db1d9efd092a4e41308f847a063faebd08137aeb8f27cc77a792b1e0d2221941371

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
89KB

MD5
069933ba2a636d8cb16a380eb3307510

SHA1
ac3bdfee37cea0cba90aa4bc34a59ea66330561a

SHA256
e128a7ad70a1820b2cbf99f432408f385a251ec5695b5510311907373e1f0813

SHA512
87957ffe668facb71739b40a3ada85f23c50b23b53800cc20c2308170ba28c0667f1a9d77a2c1a08704db68065785fb501a66ae8832ab81e941814d91cd1669a

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
89KB

MD5
1823af0c9d9b2efac8d42208fa26c6dc

SHA1
0c970f15af73bdb5eda156fb7f1249a208d1f5ee

SHA256
c6c207b5f5d8cd5c4c3fc9d2341a1700bcd0a8aa9d74d1bce5e155a717ceb87b

SHA512
76c3e902223a1fcb07de7397c69be1bfebf626059b6906518fa46e3427da06ef7e88d34491c382ef3648c03353fc6f2da756a81283dfb05c500863d696520d47

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
89KB

MD5
ae4c9383ae8dbe4f9bce027776ef1d3d

SHA1
1668fb60e9c5d1159f23a90ef5be1ffa91722785

SHA256
1b77d8cf9dc508882322ff61cf9bb3974b43fb21ebb9d7bd022d9b07dbca55e5

SHA512
a465a41049e1691be0a905371e3ffd875a48f604d12309d81ce8197b5376d87fc5ecfa7c53f72bd34ec0f8bc79fa965c00d3f79d0c0a0e6fba5198ed0e3194c9

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
89KB

MD5
b4c4ca23664f4664e0f41078f0307f1f

SHA1
2968f644a3b104aae4f96855302edebbae2339fa

SHA256
06fb1d9e95e749e0c9ba504f825ce51202be52c4d61bfc47cbcb6385a46d774b

SHA512
208f6f85376acbb132ff597e87464aae549817d5a66612046b07bac12364a2131d0bd13911b39c5cfc70a68247fbc2108b46846cfa59d5313da0620009125ba6

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
89KB

MD5
cf03bfe8149e7be99cca9ebd3361dc4a

SHA1
b1fe741bf0eb25b6f54e51a0c8b95f1812294bba

SHA256
19027b535ce84cac5bbeb1fd5270d2fe99d4102e1c256db827af3199b5949030

SHA512
0ba7459b39debdfcfab02c87e2edb78a9a24ef86af2e38ef4af0454d99dacab9a3d71348d75bf20c9a1a8b025096dc1544f6ca41ba14fde0febfa051e7aa75cd

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
89KB

MD5
d0f4e908d234ab56b18cfee7b33e0bbd

SHA1
f85f678daf19fd153b20608121df9cfbdf88c512

SHA256
3a0d6b52674ad6a474647dc2bf4338bcde9e8e5f70cdea5d08114fe8c183dea8

SHA512
71c6162bd16f9fcc141c8267fc3b42a7274c51ba969c18700f93f5ab64afafcd17300db71da41c87d8070f21eef81c313f969d5d151d15d09ba69c036c90d833

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
89KB

MD5
ff7091f3659a282be40fc46467c5003c

SHA1
911c88d7685c1a3c507644bb5cf9ef36df45483f

SHA256
1ecb6fd9808cd9cd94166a60b1fbd11c1e2c3f9ace83ea4d0c340cac3204fa1c

SHA512
4c90c11a5f10da87c00a1ed9139c66eede6ac11ad5f72bc8cacbd26ba1e6d5aafcd735d314de00c8ac17402bcf6df8e18e72c4f08ea1ef2f055567e7bf051dc0

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
89KB

MD5
aa43873cad542701d0e7594098f005e0

SHA1
e244e275ee500116b512a3b80870fef02645520e

SHA256
0601bf97671bc48a30ffdf7b704171aec587088ce389a7ad21a548d9468bb547

SHA512
90bf9eb9fc137d246eb3c9c5f642d364a029a539a3dc3fd5b506e8339cfa538aebf388c83ae7ba5744b8bf791b0a36c5ebfff9be372c8f43b9abc2c659149492

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
89KB

MD5
d63542625431d36ff64a67f82519465e

SHA1
5ff52c6b5858c788fe949ce478d0b3f80a816ec4

SHA256
94dbb0dd0aa702ddde4e9d4a377623d0c1092266881ef014cf8964a99d19150b

SHA512
6e54427803d39ed1bf5913dcd80fa70ac4fca1c95013dad3eeb440ed326d453fc3966f22090704089fa6b407593fdec97f761103cc4b99cde68f39bfa3cfcca1

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
89KB

MD5
4b81c92c10ff6fd3a0bcdf82254ad9eb

SHA1
a97206e7e8b87c2492ded7dfa208e285e1fe338f

SHA256
52885dbb2ff2ee66e47d9e945ec02a49323cddafbdbba26c25b12d1c823db2a6

SHA512
2fbe55fcc3c2629038ae503090d147e03312feab063d7644a123b207c38e4fa5f340c7ac7b1ff9395b8e44cf27f82884c13f52e2157b9d98314bb5eac6db90f1

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
89KB

MD5
9fadc9ac4c641a4a521809997bc7473c

SHA1
b7e61588a1ccb42f4197bce7ae0e170cb92eeebb

SHA256
a88fa351c193d5befafe3146812192f293225db5fcf95a5ff534326e2d0f586f

SHA512
fef3d1839d71058121e7a07e8a653dbac7cd6a97ae4be63db812f0c3933c8e99394e9d07c9cb8be02818d1e0086df208e71952e560cf2bc7c737c53034bfbd5e

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
89KB

MD5
b05c71314fd5c63d261a03bd6a032b16

SHA1
7b23f133a4238d6923a33aa43cc89dd3ab115de1

SHA256
5eef72094a0e78359e085ad08a310ff1e4d1693d644b4d7ae88218a2495907b0

SHA512
71c315d22dbc736371a3184fe48346d827cd0ea587c35a2b2fb1be84c4f78e202fff85b940af310c8ebd335696c4993b874e1c8dc269a056b656284306840803

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
89KB

MD5
0227aa957d52a95cf24788ba98cb316c

SHA1
b4d66548f9fb9dd984aabcb43e5110e93282d682

SHA256
ed01677722c521708d67fe2b2d695503b7c205c4fd0b8b8c13f7ad0e2c026385

SHA512
7b7f2af9248180787d521b9b2436622d699df271c7ac647aa5ab13009890f69a100fed76b6fad9f6cf3911fb8ffe3fcc5109b6cb70727fa6d0b338947ce4da29

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
89KB

MD5
9f5588ed147114afd6087b875db168cd

SHA1
3da09ab28d83c839f3942231a142df99c34721e1

SHA256
6cdd3452b13d27ac28cdcf7a1528fd3649970c341e017743c8e5594f9d119fb2

SHA512
7cb5cda257a70fb9b64471f1b179feda87f766900b8c69e340406d79c2091b9db696cf898cf0cbff9c5f1928c8b69ed49eb32230644bf848a2fa24efb63c59a2

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
89KB

MD5
d366fa171149f32175ce5e5330a31a5d

SHA1
b7cacb4b45098f5891decb832e9b1fb70281801e

SHA256
ad7bfbb3dc39c6792fd70c34a2c1fd6f151c0c34d12ad1aeb82bd13ced337d40

SHA512
559e3d4e531a023ce5240b9f9ca38ff0f0b18caa0fdfc132b103a9626a6bd6a32819e6131cf4e6672137a605b9e56414d8e8d4c8e471123e2ea0b5d1e75e8e38

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
89KB

MD5
e4e12a00fe1c7ec3339906e7b6d890ab

SHA1
0f3d202b631871de23a6e29689ef62a33f4fa402

SHA256
79a973b5c0afdf76a9310a616506005eccd20162dc0ba226e5910d07c60011e4

SHA512
3b071587d2cad4c3991404b56fa0d9a288fe05f1cb58da1465f2aa4b50f6dc623ef5779ba7f852be5a2f5d292b02e589c187a01cd09e3d8d43895ad8145d4a80

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
89KB

MD5
668b8a37a34185d26ea1d49ccac45c29

SHA1
e829836ecb66802354a6e9c215f5069dba23394e

SHA256
0e51aa9b0bc6b638b092cec9f9e87e75d8d0987ada72d4d60dc216439cd4a8fa

SHA512
47512eaae2b54cd2b7a803deeb9369cd839561a1f9b7dec0ed25017bc0c9d62b39e34db53239a7e39bbc7a94f0f24eb7ef474d6dc1b9bd57979c1e132cfc4f99

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
89KB

MD5
46b57d0803f6a961ad57c357015c4913

SHA1
4c614d1707f09dc2744fc503c2cbcc97f2877ff7

SHA256
e6f54a0964c8009f2f2161e51c94c8d84e1f9c62a2db29ae3868978a7d8e0d93

SHA512
2c3d83e990845f4bdfdec5928b50bb4c703b71fcbaa0ea0e90bec56607a156a7136b55cf4155d2f963e5868e53d80d444a07212036e40ae2806f57b26ff02cf8

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
89KB

MD5
e4fd08babff8ad67eb0a1438afdf395a

SHA1
27dbf75eb84ec4d3d2de29c169ab3af709fb796f

SHA256
f2b04633264e62ef1038e8d7882b06fb4848cace65ed7efb2129c5959082e10e

SHA512
1e02f6a125bba782869cd4b732ffb380b0faebf376f8a937531cfa14fa188f649f9fd8d06e521cba40af1bf48a5587258400eaf6407c3321acef20a41e7d520f

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
89KB

MD5
dc516f015300413dcbf4d940e2fbcf38

SHA1
bec88d38741f16919b372a7483f90ff51800d7fa

SHA256
00c7a998e69cbde7b5a7f491130005c30720e8cdb3a46aad5ba593437892a45f

SHA512
4272ab7d625f43366388ee09f800f36328559283fb58a2663baa73ebb34e1f31b586c500cbf6e3f5ecd77bb69bed0d48c07a41652c292df2a4f70cf9afa36703

Download Submit
memory/116-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/116-21-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/208-521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/320-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/348-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/380-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/540-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/548-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/628-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/656-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/676-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/848-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/920-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1016-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1068-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1076-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1112-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1208-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1216-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1220-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1300-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1348-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1616-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1620-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1640-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1708-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1712-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1784-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1792-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1904-483-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1920-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1956-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1992-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2228-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2284-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2304-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2636-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2684-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2744-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2804-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2812-485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2892-544-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2928-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2956-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2956-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2960-574-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3112-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3180-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3180-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3260-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3424-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3448-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3520-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3528-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3648-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3676-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3676-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3676-539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3752-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3800-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3800-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3944-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3988-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4056-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4172-580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4172-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4224-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4308-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4320-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4416-567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4548-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4548-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4624-173-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4628-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4648-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4660-447-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4720-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4768-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4772-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4788-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4796-588-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-581-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4968-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4992-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5008-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5036-537-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5040-553-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5048-546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5072-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5076-560-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5084-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5084-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads