berbew | 96b6f57f7303c3f24f64c698edbc77c9905cf9f0c5391b40607bfc0f2a4fdeed

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 00:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

96b6f57f7303c3f24f64c698edbc77c9905cf9f0c5391b40607bfc0f2a4fdeed.exe
Size

96KB
MD5

bae846d7d4414832dd070f4a16b6c9da
SHA1

fd86cc0eee5d2d8542458e40c3e042d78b7b6eec
SHA256

96b6f57f7303c3f24f64c698edbc77c9905cf9f0c5391b40607bfc0f2a4fdeed
SHA512

db29cc5ed7d3c9226ab43beeb74301d335d9863c31b8b2a8bad1e837f006ee9d26b86e4ce2e144d09dbfaf6f918309e2e7f2bce9a903c72272dd4273001b97af
SSDEEP

1536:TFW6C85FsVPRuMlGeaWHx12LvsBMu/HCmiDcg3MZRP3cEW3AE:TFXC85F6PRuMlG20va6miEo

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3728	Migjoaaf.exe
4552	Mlefklpj.exe
2444	Mdmnlj32.exe
2340	Menjdbgj.exe
3132	Npcoakfp.exe
2964	Ngmgne32.exe
4716	Nilcjp32.exe
4296	Ndaggimg.exe
2016	Ngpccdlj.exe
1108	Njnpppkn.exe
2044	Nphhmj32.exe
1948	Ngbpidjh.exe
2020	Nnlhfn32.exe
1420	Npjebj32.exe
3096	Ncianepl.exe
4036	Njciko32.exe
4652	Nlaegk32.exe
1916	Nckndeni.exe
1692	Nggjdc32.exe
4500	Njefqo32.exe
1592	Olcbmj32.exe
4920	Odkjng32.exe
3624	Ocpgod32.exe
4008	Ofnckp32.exe
5088	Odocigqg.exe
2304	Ojllan32.exe
3488	Odapnf32.exe
768	Onjegled.exe
3092	Ogbipa32.exe
1244	Pnlaml32.exe
4068	Pdfjifjo.exe
612	Pnonbk32.exe
1492	Pclgkb32.exe
4760	Pqpgdfnp.exe
4368	Pflplnlg.exe
5068	Pqbdjfln.exe
3460	Pgllfp32.exe
3440	Pmidog32.exe
3588	Pcbmka32.exe
1864	Pgnilpah.exe
1272	Qnhahj32.exe
1412	Qqfmde32.exe
3164	Qfcfml32.exe
3024	Qnjnnj32.exe
4316	Qddfkd32.exe
1140	Qgcbgo32.exe
2284	Anmjcieo.exe
3296	Adgbpc32.exe
5076	Ageolo32.exe
1400	Anogiicl.exe
4796	Aeiofcji.exe
1200	Afjlnk32.exe
1048	Anadoi32.exe
2256	Acnlgp32.exe
3372	Andqdh32.exe
1968	Aabmqd32.exe
4808	Aglemn32.exe
2568	Anfmjhmd.exe
4940	Aminee32.exe
4248	Agoabn32.exe
872	Bnhjohkb.exe
2916	Bmkjkd32.exe
1808	Bcebhoii.exe
4204	Bnkgeg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Njciko32.exe	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Mlefklpj.exe	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Jgefkimp.dll	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mdmnlj32.exe
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ngmgne32.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5136	4936	WerFault.exe	186

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll"	96b6f57f7303c3f24f64c698edbc77c9905cf9f0c5391b40607bfc0f2a4fdeed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njciko32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 3728	1912	96b6f57f7303c3f24f64c698edbc77c9905cf9f0c5391b40607bfc0f2a4fdeed.exe	82
PID 1912 wrote to memory of 3728	1912	96b6f57f7303c3f24f64c698edbc77c9905cf9f0c5391b40607bfc0f2a4fdeed.exe	82
PID 1912 wrote to memory of 3728	1912	96b6f57f7303c3f24f64c698edbc77c9905cf9f0c5391b40607bfc0f2a4fdeed.exe	82
PID 3728 wrote to memory of 4552	3728	Migjoaaf.exe	83
PID 3728 wrote to memory of 4552	3728	Migjoaaf.exe	83
PID 3728 wrote to memory of 4552	3728	Migjoaaf.exe	83
PID 4552 wrote to memory of 2444	4552	Mlefklpj.exe	84
PID 4552 wrote to memory of 2444	4552	Mlefklpj.exe	84
PID 4552 wrote to memory of 2444	4552	Mlefklpj.exe	84
PID 2444 wrote to memory of 2340	2444	Mdmnlj32.exe	85
PID 2444 wrote to memory of 2340	2444	Mdmnlj32.exe	85
PID 2444 wrote to memory of 2340	2444	Mdmnlj32.exe	85
PID 2340 wrote to memory of 3132	2340	Menjdbgj.exe	86
PID 2340 wrote to memory of 3132	2340	Menjdbgj.exe	86
PID 2340 wrote to memory of 3132	2340	Menjdbgj.exe	86
PID 3132 wrote to memory of 2964	3132	Npcoakfp.exe	87
PID 3132 wrote to memory of 2964	3132	Npcoakfp.exe	87
PID 3132 wrote to memory of 2964	3132	Npcoakfp.exe	87
PID 2964 wrote to memory of 4716	2964	Ngmgne32.exe	88
PID 2964 wrote to memory of 4716	2964	Ngmgne32.exe	88
PID 2964 wrote to memory of 4716	2964	Ngmgne32.exe	88
PID 4716 wrote to memory of 4296	4716	Nilcjp32.exe	89
PID 4716 wrote to memory of 4296	4716	Nilcjp32.exe	89
PID 4716 wrote to memory of 4296	4716	Nilcjp32.exe	89
PID 4296 wrote to memory of 2016	4296	Ndaggimg.exe	90
PID 4296 wrote to memory of 2016	4296	Ndaggimg.exe	90
PID 4296 wrote to memory of 2016	4296	Ndaggimg.exe	90
PID 2016 wrote to memory of 1108	2016	Ngpccdlj.exe	91
PID 2016 wrote to memory of 1108	2016	Ngpccdlj.exe	91
PID 2016 wrote to memory of 1108	2016	Ngpccdlj.exe	91
PID 1108 wrote to memory of 2044	1108	Njnpppkn.exe	92
PID 1108 wrote to memory of 2044	1108	Njnpppkn.exe	92
PID 1108 wrote to memory of 2044	1108	Njnpppkn.exe	92
PID 2044 wrote to memory of 1948	2044	Nphhmj32.exe	93
PID 2044 wrote to memory of 1948	2044	Nphhmj32.exe	93
PID 2044 wrote to memory of 1948	2044	Nphhmj32.exe	93
PID 1948 wrote to memory of 2020	1948	Ngbpidjh.exe	94
PID 1948 wrote to memory of 2020	1948	Ngbpidjh.exe	94
PID 1948 wrote to memory of 2020	1948	Ngbpidjh.exe	94
PID 2020 wrote to memory of 1420	2020	Nnlhfn32.exe	95
PID 2020 wrote to memory of 1420	2020	Nnlhfn32.exe	95
PID 2020 wrote to memory of 1420	2020	Nnlhfn32.exe	95
PID 1420 wrote to memory of 3096	1420	Npjebj32.exe	96
PID 1420 wrote to memory of 3096	1420	Npjebj32.exe	96
PID 1420 wrote to memory of 3096	1420	Npjebj32.exe	96
PID 3096 wrote to memory of 4036	3096	Ncianepl.exe	97
PID 3096 wrote to memory of 4036	3096	Ncianepl.exe	97
PID 3096 wrote to memory of 4036	3096	Ncianepl.exe	97
PID 4036 wrote to memory of 4652	4036	Njciko32.exe	98
PID 4036 wrote to memory of 4652	4036	Njciko32.exe	98
PID 4036 wrote to memory of 4652	4036	Njciko32.exe	98
PID 4652 wrote to memory of 1916	4652	Nlaegk32.exe	99
PID 4652 wrote to memory of 1916	4652	Nlaegk32.exe	99
PID 4652 wrote to memory of 1916	4652	Nlaegk32.exe	99
PID 1916 wrote to memory of 1692	1916	Nckndeni.exe	100
PID 1916 wrote to memory of 1692	1916	Nckndeni.exe	100
PID 1916 wrote to memory of 1692	1916	Nckndeni.exe	100
PID 1692 wrote to memory of 4500	1692	Nggjdc32.exe	101
PID 1692 wrote to memory of 4500	1692	Nggjdc32.exe	101
PID 1692 wrote to memory of 4500	1692	Nggjdc32.exe	101
PID 4500 wrote to memory of 1592	4500	Njefqo32.exe	102
PID 4500 wrote to memory of 1592	4500	Njefqo32.exe	102
PID 4500 wrote to memory of 1592	4500	Njefqo32.exe	102
PID 1592 wrote to memory of 4920	1592	Olcbmj32.exe	103

C:\Users\Admin\AppData\Local\Temp\96b6f57f7303c3f24f64c698edbc77c9905cf9f0c5391b40607bfc0f2a4fdeed.exe
"C:\Users\Admin\AppData\Local\Temp\96b6f57f7303c3f24f64c698edbc77c9905cf9f0c5391b40607bfc0f2a4fdeed.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SysWOW64\Migjoaaf.exe
  C:\Windows\system32\Migjoaaf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Windows\SysWOW64\Mlefklpj.exe
    C:\Windows\system32\Mlefklpj.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\SysWOW64\Mdmnlj32.exe
      C:\Windows\system32\Mdmnlj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        27⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:612
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1412
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        58⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3264
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        75⤵
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:736
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        87⤵
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        88⤵
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        93⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        95⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        99⤵
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4868
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3368
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        106⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 396
        107⤵
        Program crash
        
        PID:5136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4936 -ip 4936
1⤵
PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
96KB

MD5
698db679bcdae4e85f67e52b50e485b5

SHA1
7ae096e92d2dfa2a90a1fed2bcd288f817ff0c7e

SHA256
78fa72d75852016f7710bdfc1fbcb59af34013d69e919912ca89fd56737febaa

SHA512
1224ec3c6f16e536f44961a9ce214a81ed61bbddec7cfcc30cc9afdfc434d28f7075ea0622e5853eca862cd61ed561ce0c67f8fe2d2f13022d2e71c1c229ebb9

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
96KB

MD5
474aa9db2b0853226a227649c02be6d6

SHA1
f6a44057ad96f9cc2f9af0b4d3ad82585436dcb3

SHA256
225aa00156bea50aee8226baed06f58efff4d3894ff6651150a8f32f74d3889b

SHA512
c498969ceb5300617a144a6938311042a4fecbe759142effffc5ce9cb53d47c3a0ed27d023e5b5531cc0d74a2123e14886351805137eb22d1cecce719ea5d1df

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
96KB

MD5
ac441fbd8bf223cec83db16900b29487

SHA1
536a6a7543d4ffe2c3329a3ce8f035443c4348cf

SHA256
8305134650f38820858873c0f02a6516e4542854a6e17eb58e70c4d29fac6d4c

SHA512
e860407a5b17dbd2d7d21ed1d32022afc1efdfe65a044878ce11d706793c794aec9d12bc41471eab459655d7876449180c7f1e04c431606963266de6d2a12b94

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
96KB

MD5
f26d0e397debdc6c2e104968f426cf4a

SHA1
40a4e8d865887eb8012c1cfdef7495b0f4c7cbc5

SHA256
bde90d84aa943024729fa5443e7bc6851e77280d7ef968a611bc1e2a6add0f09

SHA512
51c9df086973db6b17e667ea04474884be7927e58d4e422e7f18c8d89040e640e485adb3ac235fb04034842e09b3bf3bbe49f7f8145b7bb611f6319022c2bfaa

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
96KB

MD5
cf0af4b2ffcbca4c401f1c0ddf6edd3a

SHA1
27770969da258cc6e7be3072699eb83bba6a5317

SHA256
514d89f224548410d7ae6fd41374de3f16ceba6a49a20f387bee753f8a04f784

SHA512
b4b95fb02f47adb7c8c2c2a247a5582913459a9df37f5697f02be78d460c09d4127e3249bb057c3c7ef410623c2c3b3c87a2f8751d85cf1ae5c9ed203b194ded

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
96KB

MD5
84fed4009d4afa05e32e0c4bfcbe4ea4

SHA1
c88cdae59c4ff5c4e412cbc4e276dc62c0cac0f3

SHA256
5679f8ca1474cbc14b2fbec45c4531ec0ec808ce05ec1ee7cf6e5066dd09402a

SHA512
056dcfbfcf9f87df40b226ca6fad61e51446f99fd8736b3970307e4b501a7112e970ab74f7cae0e29c84880988a7790bc01cfa7e2a133120bc12fbc59dcd0d41

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
96KB

MD5
9db3842a9f49455f392ff0f96152bbfc

SHA1
db856b70cdbb2dd4da048a42d74963a534df72f4

SHA256
a812b5994a899ec87d05df6574d76a1a2d7d5726fb1bda6ac789f7ecb5b7f228

SHA512
4bd5c1b50fb076586a9c83b70e755103ba9864e3f35e1607ca1f113d93f8c9bea68da8dc46dd48c92e67a6c163c1074d54fdd814e75819d071a78f462ea2d61a

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
96KB

MD5
1e2d3450daead6bcb947f33642d1ae0b

SHA1
188b946364177d07c80eca3fba831e7f799a331d

SHA256
e74f0591b7c22e438b72ac9a5ff4b33f92761c83961099fd9b636737e8ae0b37

SHA512
2c330fc7987150c10dd5a7cd279bca7424c8af95a1b057e8a0ef96ef4210ee48b6f62d7efab494801ce7c045b8ba7fcc85ca4262978588b463b8ebfa36cff871

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
96KB

MD5
87c4fed209b468bfb2f69225b409e6cb

SHA1
4110af7977307c12ebc219e2fe39998c8dca1dbf

SHA256
16fa13d62ec471cd518b6680f0238c73b838649125ea4f665e909c7b2e18b249

SHA512
c00497952e92e03bae09825985e7dd9e24ab4efbeb8bdd393f5daf777b66bbbf09e55b3eb0a6f6709cce54d955dd12f2d456cbab257251d2bd871162e1987fc1

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
96KB

MD5
47a154e271d4132f331509f05be94ad4

SHA1
0ba6648b63b6bc4815a2d6bb33e995d35302f3aa

SHA256
64d8892e3ea007908dfcb9f12a22bcb1c4b0df509689eaa0ae20077b6ee1946c

SHA512
ae293dffbc38737b774b74c978ea3ce91a7e7bcc7ebd6b395e2b38be5a619518293d8c3f742e4bfcc0223b14b5fef56b7427191bb108d638474e878f5fdaf3c7

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
96KB

MD5
c50f7910264747f9b98491e612919fe8

SHA1
0ba8ef16f1d4b59a688850203282f53fbc5f18d0

SHA256
91ac37a825f53055886ea96f7e5839fea36cc6aa865719871e701f9db01343c6

SHA512
63994e8d9541d0675b8e91f93640f7ca18e5f52e518f0c54d1af64ab94946e7a804b0c071c1dd219ba76f1bc497b07d0110dcf6ab18a074c4ca8ab712561bec3

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
96KB

MD5
7086960c274ccd871150559f1a7d97f6

SHA1
bbee0fad818e95bfd557bb6b3fba171ed904d286

SHA256
5dc6cd764869b1f2c1270a8cb39762e485da78d5e6b8d0521f715207baa44f49

SHA512
e5faf8ce936e8d6d0702ca46b9b530581fc3c46c85ddf5f58d2e528c97a1c0684541743658b905a3038a052199005356eb6e8a46dd42f091395a3461f59080f7

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
64KB

MD5
180feb23f738d6a50343981fe1f93aa9

SHA1
c3d392faa6e4452085406adc344b6f64d23ac15b

SHA256
3cca69533ff993f647971ba3dafe417c1d1401b03a670285d1d7d703fd2ed7ba

SHA512
9d14707747ca170340c70dc41dc662973fa9602d0bc076c3563d06fd3217ad6da6c57f53225c2ea9af6511ff71d17a66c98a03c1c7110cc92d1a56290c8cfe9a

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
45162b17c4946215027652150a7287a6

SHA1
40bc12179c4717f045b6b4218e22463aab733b06

SHA256
f3ff753deb459fa97a8778263daf8aa66b9b4799e6de8d5107685ee0ba3f51cd

SHA512
2c7d17709f764a2a3ed84ea5f374aa93068cb96ca073db16c174e3e3230e4d2368e8738a666194f1cc162e86d6bc9bd56d5f46f744170931f440fd6521b4f355

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
96KB

MD5
3807a3b4f2b738651609eaa4927f6bf3

SHA1
dfb1757e8f2c3b94bef929eaf97a01a456f980ac

SHA256
841940a038cf3f428b604aa48a014961468a088aa8649ff184d4eff13e308c5a

SHA512
d7211f59dc1d78aa177b82a6498f1bb87af8d42ddfddb5d447bcc1ce41272970c749b76e26beb84d8535ee1e79f40804c5a4c7d9fe4d145cab9087c1b5722cdc

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
96KB

MD5
2f6ea6a3a158cee6c8cab0103cbd628f

SHA1
900f8b4ece7f3f89443b61f51f23fc195944518f

SHA256
7f615275456e88e56d24b53df25d6888ec0259d626ed1ca078bc26129616932e

SHA512
7e7406e4ef6cfd3b5686e5415a147da25872953be6a8d7c1b73f84a297f65c9e6b4733d3ee6b8106cbb22542ba88c37dde9421dcd0674112701908c5b27e6ee3

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
96KB

MD5
fd78d15ce6926330aa9f189d33ca1a07

SHA1
e79afbb7cf2df44c5dcee08132c356cedb821321

SHA256
6839b60b4af18be3f2db1ffa4de82f35e77676f90f8f9fc92cc927e09e55c248

SHA512
9ae413fcc41821a3d39327c759198d5ae9c5a07729eb2d2205528a44bbb6155ace19734f17814ce3bc90988f92f62baa9007f6fe67d76338e70d1a895a9819ea

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
96KB

MD5
e7fa78451e685d30c3da3d81f7b92235

SHA1
9088a8e9f4552c2027938cc4bf7044f6b743c347

SHA256
320d4fd0c3b9fdf1d4c882720f7fa4ce3ebf4d6d329493872e40ef074b643a14

SHA512
cb88cb7934a855b7e9e3a44e3456ae0eace4ed2650ba9d124c16d6764c1c2620db3787d7c1905177f87e51c8a008563cbd734d70a5612108fe7e3fa5cab6a15f

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
96KB

MD5
eca1be88922a87eb456c66a971ae8799

SHA1
729a75fbaf7d1de61179ae593bbb379db3f5a577

SHA256
3c58b151992d79f642131b69a020a58581380906c72e4dd069afa5ca72288400

SHA512
8fd018912201ffcfcd42b28df96f481c500ed613df36654dcbefb7f1cc26b00d04bb89984070ad02cd1eb998befb0444a957a27989ca3ae8809a4a104607bfd0

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
96KB

MD5
598461bbcc971b6749514cba1402c558

SHA1
f58fea40448e0fb5fd9cb80a62cf61999eb70c64

SHA256
461f35e3e0083f4a130386fd95c889863a5b82d6467b11aa1a5d68a4fa0c3e84

SHA512
2ea1fff2c8535d7c18b67b211288427fa6f7a16a7e795bfb876881f845c210acb239fb1124eeb9e18658f83e36ff2740abd24c19af5119292853f8eee2c85793

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
96KB

MD5
b09d81976d3b92335acb89c622b80ee5

SHA1
d1cbb912adb855c739ac72434d24918eca80127a

SHA256
ce9f004705f68c258c10d2aee50e8f8a5d138fccaa352175002d07123094a768

SHA512
839e8ef7e8d6fa7953a1308150309707ed20c9ff026f6f0269e6a98c99a7fd88f102e7256bad455667d912be688ca167da13526a4df58ea98d52a54ed589c9e2

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
96KB

MD5
5bea6bdcc48c536c9c35e848c876bcf6

SHA1
8c7faa81cca191f3e4df9b861b1e54a9577dcf48

SHA256
c70e402122c4243c5ec63b0b2e4c05b15db14a41a27fb35dad448536aa3badee

SHA512
cc9e00c09bb73f849d75f9045e17baeccc7cf628d98fb8810f43b147a69977301a1a729036d756b6bbcaff6391e93689274a4c588b4933fb1ed234c1180df86b

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
96KB

MD5
bc42e9beef661251b2cfe2943ad27dbe

SHA1
e957b326819c196e975eb561294bb3e305f63688

SHA256
f4eea6b1a7531cd017692061c993a3b485bd3361a2bf132075951efd3fc4599a

SHA512
74ea36ba17d027241b97061a35375823adc95f5d94dad69da2f9c79b8b476ec87c84e24bcbf2b9fdd138086870634e54551681cd1a68affc4c5fddd766dd2809

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
96KB

MD5
3c2f332587e6387283a2e1af3b5fa744

SHA1
238ddc0a6ccfa7b5c4e0be74ec20c7e33ccec92c

SHA256
b8db2c0174897ba115a2009f47132a93e8721902c0dbe3b402aa62cb2610e397

SHA512
cf75b3f278ba3d666a64055ea3e80c371b60e48af4601ee60388391f8ea87667cb14b39679262b98a283873d4a6a650a154a5cfc4681b337e2115f715673635d

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
96KB

MD5
488d3ed617cbd9a4000ab2ef0b8385b9

SHA1
b16b57f0af21ec794d51ffdac01315bec7a6f691

SHA256
6af9ff09c0c2acad5c9cc905ae2394e21f660e36efb4a04d06fc762c7b78f4f9

SHA512
4239c6f23b03ae4631ec2c3ef5fd844c44a89fa4dac1df34273078ac0b6be2289a4bcb5e73fa1ed05b32bb0570df35761d1324baa2dcff1fcce1d36f72a34c8b

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
96KB

MD5
806670c8a1e506b70fcf16af3dd95212

SHA1
97cb5cb7c18856cd3d81cf7ebb0c7e1343c869f3

SHA256
a5c6d89b5d19a0170cd3a29bb304d650897cdb43ec98ff7644b3ec6f72277136

SHA512
dc4cf183e542fb11928b8d44d34cd3f9d3e3be7bbbea9e5bc4f15969ebc9c0c5a82a2485ff616ce8ecb8a0b67424eccfa7b4e2e3ff96d2dc3cc85e8b200a9533

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
96KB

MD5
5c5078f3ec9c181ab817fd2761c65f54

SHA1
31c3e69d88df5665e8c681b0494f1b102a0dd37d

SHA256
53599bf28492499695ca6dac91834b6dc9c62230828b976bc79aed3abb96d093

SHA512
61ff0e14c14f9c58f58ee21a0176ed185e9e37bed9ccbf9c07e4478e273fc78f1fea0020d811fea601c58226f89eee3ba83e7f14da2ab7554cafae97356fc687

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
96KB

MD5
57695498006895904416af10d897d296

SHA1
ab4560a338d98c45f9204f184c81a915a343a677

SHA256
f3a665450dabb5bd46c9471458a3b70bc1bd53a3f7b3647b214942be9a918e87

SHA512
ae2f69b2c4068ae40e29e60ee4c24f4f6f7a56c91b8df739ee1691dab323fcbe365e766e17474c3c1abb917516118eef88dbcc587087774d1beecf0590d1517d

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
96KB

MD5
781bef4e506fa433503489462ac89297

SHA1
27ddfd35f970eb89880c9ce4ed3513921bbc0f4a

SHA256
054d354742e374e9d768d6fee1872017830940976ab0df3689db01f06c9df534

SHA512
fdcb2305d552b718b8ae48bfd52e3c2ddacf53c6bb837e3d28fd7453c180f4cc251f0585bc49117e17ae429e904fd6c51dae5862efaff31c2423cbedab528ed0

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
96KB

MD5
442b2baf04eac9c18eb6507a4cd52e15

SHA1
d6cc332bec56f739e05cf125370577e7a9421d77

SHA256
a383c2dd1f41dcf64705886a1845eb324362d9f416ce64af2f3fab177f2cf1ef

SHA512
ad83142eca4be7523b310947a898979b6c338fecb4a3ada5f7877219eb9d649584071b55401516a883bff0305d0e53d3ce8e2a5871a1c6794abf6337dc0fa873

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
96KB

MD5
c970d459a6039c89fb389fc622fef736

SHA1
03f68722acaf58a77ad51db9fcc8c1565272f0db

SHA256
1b66887cb8359a5ff31c2cffb6c7d47b82d66d14c3113c40d806dbfaa7d195e7

SHA512
45bbcf027853e5238c88181d3f2cb6157a7b8b34255e42289dc22b0c517fc02b5fc9c73ed4aef8f2745a566363cfe718b98553fb9f55701ae40732a41866a629

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
96KB

MD5
746c57bac16e28e79751ab7eb919f296

SHA1
c84968cfa2f95f967e226dad98639598e6c5144f

SHA256
479a0587eff74de9dccca44cb3cfe983d321b0f6f4e31f79d906a0e8cfc81380

SHA512
9aac74b70a0ff225bbdaeef0aee1913d76fdfb94c6a7ace0db1ad8f4e863b8e257d66f314f1776815889c9d8d728e82fb0a09df791734e1c9f6c49a600c6e805

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
96KB

MD5
32cdcd58a9b1cdc55a9d6c2b0869a26e

SHA1
8e4ad2ea9c1ae8ae404c8cc1d4c43f1f76072246

SHA256
2f19e1a86bc67be13c009742391d0afe331edc8f840078159bc8c292d063327b

SHA512
ad8ea48ca2a876059de695ae5b36f1416c3aa41d9a85fd14efd686361c25938dbe35ff0e92fd580097dff623ee228eb7ac4447fe89dc609850c50408d77e91f1

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
96KB

MD5
b145622db59d56ded06b7ec6e46d3161

SHA1
9509561bd9ac5b97f2541d459c3ecd38b8410b45

SHA256
1f4765f1d9f9b0e52ed33ba7930438f3c6499eca5577457579f7252a03083ae7

SHA512
7f477f3a4ecb656835dc4edb34e0277b649667912d799456e96f2019f7198febc8b884105fe8ae5af473a6f15d7d052be58f226590093e361b7631b28ea93d61

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
96KB

MD5
5893fe6991135d9998ad7d1015696b24

SHA1
c4350702bdd941811bbbe6029e86e224a19f497d

SHA256
0cf782935a0f751717559962da4b7ca630bbd70f72e1e6dad5fd2ccea5a13fbc

SHA512
0e0f927bbf306aa2cbd78db6b3ad6f609dd74624de688ba0a0589a4b42f41f282a7e694a1cc6cb1d80cdc7216f8c135df05b8e305aeae0932008f9e63c5edd8c

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
96KB

MD5
f5146978c5432780bbaf64c169897291

SHA1
4c5a76002718839498be06614959c6749ce6359a

SHA256
3400f429d50d0b72b914ca086d0c630077d2146d4d7dcb83e59f60105c45c066

SHA512
8595d70b3b6f5630de1d8c6b142bbe4dde81b2fca4104e2b06472f4a7102567fc58f75e2a14a61a86a38ae2ddafd67917c40693147c3733f776f7bb6d6bdfbe0

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
96KB

MD5
7c1de46a4506ec831d4c974545f2ccb2

SHA1
543c8efabc79fd9f0bbbcb78855681c1d2d73ce7

SHA256
01a09e9c7379e915a16c507d8340d30b286a5512eb2d6ef2d38e34497a839bc8

SHA512
8e993860472775e63d976f1124bbc9165af68023e8f6b8d6a10904f0c3752084857979062575521211f6cb9f600299e0b6a4ff5e77345128bf34e40fa70e7e91

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
96KB

MD5
79f4e7839574c07566eeb76a28836751

SHA1
5f98efde0de0d74d1d8b1e9bab003fa1e51cb1df

SHA256
ff339b6fc8f2391e1327986f9f7ac60a269736b322ad0ef59175baf54bc7b7c9

SHA512
93b476b5cfcd64b257cbd8d630fd97da7170447af90891ef324afb36629b917b5988b1a6761b2e06b8bb55c7ab8ce99ac383842fdedbfd532e010691f0f2e527

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
96KB

MD5
af1132fd31eeac78d30b9f6618b509fc

SHA1
96f4d6a33b75c6600321b51d3491319965412102

SHA256
3223414783e9cfeb42379fc44a83a284b08005b27f3b6ff56e2ed8d254e22e2e

SHA512
6e7049894b50df5e04548b5bb48e015ac15d18dc95b6e3c109483cb0660cf08d26bf24b0961ff9db960546c1a9aed704c24458b4b371569910c2d0f5193328f6

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
96KB

MD5
869e6c81b02a1ea3417d3564c6c9ef04

SHA1
446293b5f0358c8270e48490eed326f88b46bc8e

SHA256
2d83f1abf597fddd2f5e08ccb3f2ac499a8d5659792a70a11133993fe552c8bc

SHA512
6bf2d954c97c0c31f192ee38364da57681096e0bd506f38a63ddb8ec0e7cf695efcfc61d59709263b89dbb65680bafe407d25eccd3c69647f7e19227e75ac692

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
96KB

MD5
2bbda33161f0a3f1a94d56155fd511fe

SHA1
d87dfbe51e29b8c59faaacf5a33b8879c306413c

SHA256
16b61d54dc8124f6bcaabdd319330bca88db31576b636e81fea762d50a45b60b

SHA512
cf2cf92a52e6600d3e212038c53b2508592593db456522cc4aff013b15a508dd4c8139c433c6d0817897e1783111d924282785ba510bfbfcee292d1916254405

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
96KB

MD5
baaa93a6caeade59b459dab0fbb634a3

SHA1
d04aa292ee105dda27d8b484f9d7138fafc79055

SHA256
8d4d9506e2685b10820b48cb51cc47ae239ea97e73767016e4ca0266b78eb3c1

SHA512
d60a76ffa509e4668dae9e33bab3aea6d7a924e592a08bf5ef398531b0665c4d16ddb4799481e1977f3e0b44df3ea27f460505f593ce618a9e2b5d90eac3f3b7

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
96KB

MD5
adfb4af4efe69113e0b3cccb46eeef26

SHA1
33023f62f2d1af2f5d7ee35f33419a37d2c2397f

SHA256
8ab27a0c5daf51c3a6f79ea5a3444970a4fe79aa0a79a0fe4151fff539fa09ed

SHA512
38c48ca75ea186273a6fc3ec8cb3207593a169fa9cb5d9af0979e03b4c9d238470da71a7687e9d3db9cbc71702533b8dd170df53ea2c786125d1df65d92f83c8

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
96KB

MD5
f374766f10d4eeae98633c313aa58645

SHA1
fa529b0b36e9ddd7189424cae90ba3df9f0eee77

SHA256
0c1f28b1c388d67ce531661ab2bbe277784c0efde66e4dcfa71394f9f6afb0f6

SHA512
c94a7e2be449581fbd6a2d65f3c2109997df9de5511bfcd0a9daa8235abce16ad421a2f3403934206c54265724496c3f768ae7b4261229c8e2c7ed17b0772382

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
96KB

MD5
8fb8f1d602d28ccc22793407e3c76855

SHA1
92daf82ac482ed6faa890b3f562acf2356692059

SHA256
dfc11f9cba94aa46c72f71cf228b2d81ee9eed38ac0e5ac21b682328b6355609

SHA512
c55bcff2964cf39d853e0bde7074aba18311d9d9f8995a0d80554a95ca2805e5fa20d40d70889d512b34c31a24e088784dbd281564fe707ccb2366606c44f4a6

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
96KB

MD5
d46b6b1da47f78158a117c45d2a3d2c5

SHA1
c7c8183083d09449b2836b47c370794f1186d317

SHA256
d0058200faac814ccea8c88bf33d009768bbb2b9cc0eb1aa795bfddf601c0c53

SHA512
e5b6bdc29562b8623fcff483e96517ff9b7f0c461c0dd701e42529a19ddf518f9ffbc9260a35f440229ad2bca5fca5f19fa1fe843668f96b12fd46e343683657

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
96KB

MD5
894948e09325a675c3a93277c24f3f0f

SHA1
877d18518038bfac207dd12f41f29e05f65f8376

SHA256
65fe06b66649fb192529e1a277cf580290a4842216c70973120f26b34f17b45e

SHA512
60f177265cefcaf599d4601fca5307d1ae116a358fd2dde9c7ccb86788ec73f121deeb22280c692fc801a592265408e36b23d40efcb1ae106a3cc79d662882b3

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
96KB

MD5
17fea03982242b2a7e1dd1c9486faab6

SHA1
23e4488c70108f37fb3d3ff74ccd18be9ec374d8

SHA256
60519376566a31201a06b977bd237e7ec981a039c196dd33a68e8abc874b9067

SHA512
e149e61dac16775b393500deb508050778dcb5037b728ee73f7ff70f22d5fbc7efdc66c4efd1440770287d8b8e7eb16e1fde03857de73af43c404bae7328da0f

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
96KB

MD5
86c491809d24c52cd417c097f008940f

SHA1
2c7e96a4987f8849949b9b90c63ff549c661ebd6

SHA256
f8d92c666c5d18f826d7470b2c9e9621e76baa23219023ed9196191b88ac7b50

SHA512
7be33c6b08597c802397b32280bbcda23557f1aeb27f686c266ab62ea30a0392d6004cc76b3a5b9f4a005683374fc4cbd9be321c9ab635bc0bbaec5efeef84ea

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
96KB

MD5
8212bf28a7537a22211c3cf2f885fd7a

SHA1
78e047af6f07aea50fcefe02d24aa1f0f700fa22

SHA256
77556e1a6d5018b7be7b183669941a9f54d06fd009cedb6abc6c95376921cae3

SHA512
228634eae0ceefc357f47285d19136750b53a1c6fbf22d572f9b545edbf7d1c786a0a002fe2aa45462701ef7adf984ddd1e21df3213314ac5377b8e150180cb9

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
96KB

MD5
bcd9a471aabdde2d372aa09b5a4f7e66

SHA1
eafaa9f13d8cc41a0f127cebffe8e3f0b66a813c

SHA256
2ff95bcd4c7f1c3a60d06e03ff0f3a7b51768ec03498e1ed3fa837853246da5d

SHA512
f5bc741c96bbd88c86d6d9188874327603abe66f3e767398180068b21f4efc6f2ae4c7fa1bb8cc271291eeefbe7bacb6c9a3338780d08fc035e8595c19253067

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
96KB

MD5
41c07932ab57f584fa321c19e57142b8

SHA1
4da47a11969d1fd376f293774c0a47dd975d520b

SHA256
dda59e7e9eccdda4e280f7fba7c70e5efc638733fa3ae0bf260d35eda36420b4

SHA512
342d1250f6396186838c3b4aa87bb4318ee7dac1a152454b4cde5b5de02a89bc1e27cc6ac83d4242145073a490ca4768dd9480ad5f3b951fe9a90ad26506c50f

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
96KB

MD5
92b681d16228af3f78b6f45f8eadde56

SHA1
152e532b8ba163c000d741b3187985ba217282fa

SHA256
773f253d95467b3922d0252c5c0daf4cada7f6178783307fa221d4b74eb22148

SHA512
87391466d47978e831275deefe7a911dbe4c06d577bfbf8e194e1bedc656aa946a0e0306c5424455147c216d6904b05c170b0859e9510edea7eaf89dc9e4a993

Download Submit
memory/612-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1916-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-735-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-757-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads