berbew | 3794e34fa2c89bd9f92a58701194f3a0caa842cda22ce804fa7227e98ac777e3

Analysis

max time kernel
30s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3794e34fa2c89bd9f92a58701194f3a0caa842cda22ce804fa7227e98ac777e3N.exe
Size

176KB
MD5

60356f6869d902651a4c732144df4730
SHA1

cd6a99e6dfb2382e75f21a1651697365d1403b05
SHA256

3794e34fa2c89bd9f92a58701194f3a0caa842cda22ce804fa7227e98ac777e3
SHA512

98ddea8c8feaffe910b8d1ddc8aac0d3dc78e45a6832807111c484511bff630868e4114b92cc91d16a29cb6427ea822433eff1f8f0ab9e68ba50875b3e1c3047
SSDEEP

3072:KElec1t03j6+JB8M6m9jqLsFmsdYXmLlcJVIZen+Vcv2JBwwRBkBnReP2+x7zqgP:ZZt03j6MB8MhjwszeXmr8Sj

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2872	Mnebeogl.exe
1104	Ndokbi32.exe
3616	Nilcjp32.exe
4448	Nljofl32.exe
2436	Ncdgcf32.exe
3384	Nnjlpo32.exe
3760	Nphhmj32.exe
2456	Neeqea32.exe
4892	Nloiakho.exe
4260	Ndfqbhia.exe
1688	Njciko32.exe
3944	Npmagine.exe
208	Nckndeni.exe
4356	Njefqo32.exe
4552	Oponmilc.exe
4028	Ocnjidkf.exe
4316	Ojgbfocc.exe
2064	Olfobjbg.exe
2092	Ogkcpbam.exe
4128	Ojjolnaq.exe
3416	Olhlhjpd.exe
1288	Opdghh32.exe
4320	Ocbddc32.exe
3156	Ognpebpj.exe
4888	Ofqpqo32.exe
264	Oqfdnhfk.exe
4872	Ofcmfodb.exe
2704	Ojoign32.exe
2172	Olmeci32.exe
4804	Ocgmpccl.exe
2108	Pnlaml32.exe
4232	Pgefeajb.exe
2248	Pmannhhj.exe
4820	Pdifoehl.exe
3200	Pfjcgn32.exe
4636	Pmdkch32.exe
5060	Pcncpbmd.exe
2944	Pflplnlg.exe
2016	Pdmpje32.exe
1128	Pjjhbl32.exe
2496	Pmidog32.exe
1880	Pcbmka32.exe
5112	Qmkadgpo.exe
3772	Qceiaa32.exe
1064	Qgqeappe.exe
3648	Qnjnnj32.exe
1056	Qqijje32.exe
3868	Qcgffqei.exe
2720	Anmjcieo.exe
5040	Adgbpc32.exe
4116	Anogiicl.exe
428	Aqncedbp.exe
4784	Aclpap32.exe
4528	Afjlnk32.exe
3664	Agjhgngj.exe
464	Amgapeea.exe
5116	Acqimo32.exe
3172	Aglemn32.exe
780	Anfmjhmd.exe
3876	Aadifclh.exe
3604	Accfbokl.exe
2288	Bnhjohkb.exe
1364	Bmkjkd32.exe
3680	Bganhm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Nilcjp32.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Opdghh32.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Nphhmj32.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Neeqea32.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	3794e34fa2c89bd9f92a58701194f3a0caa842cda22ce804fa7227e98ac777e3N.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5576	5448	WerFault.exe	195

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3794e34fa2c89bd9f92a58701194f3a0caa842cda22ce804fa7227e98ac777e3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nljofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdmai32.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 2872	3596	3794e34fa2c89bd9f92a58701194f3a0caa842cda22ce804fa7227e98ac777e3N.exe	83
PID 3596 wrote to memory of 2872	3596	3794e34fa2c89bd9f92a58701194f3a0caa842cda22ce804fa7227e98ac777e3N.exe	83
PID 3596 wrote to memory of 2872	3596	3794e34fa2c89bd9f92a58701194f3a0caa842cda22ce804fa7227e98ac777e3N.exe	83
PID 2872 wrote to memory of 1104	2872	Mnebeogl.exe	84
PID 2872 wrote to memory of 1104	2872	Mnebeogl.exe	84
PID 2872 wrote to memory of 1104	2872	Mnebeogl.exe	84
PID 1104 wrote to memory of 3616	1104	Ndokbi32.exe	85
PID 1104 wrote to memory of 3616	1104	Ndokbi32.exe	85
PID 1104 wrote to memory of 3616	1104	Ndokbi32.exe	85
PID 3616 wrote to memory of 4448	3616	Nilcjp32.exe	87
PID 3616 wrote to memory of 4448	3616	Nilcjp32.exe	87
PID 3616 wrote to memory of 4448	3616	Nilcjp32.exe	87
PID 4448 wrote to memory of 2436	4448	Nljofl32.exe	88
PID 4448 wrote to memory of 2436	4448	Nljofl32.exe	88
PID 4448 wrote to memory of 2436	4448	Nljofl32.exe	88
PID 2436 wrote to memory of 3384	2436	Ncdgcf32.exe	89
PID 2436 wrote to memory of 3384	2436	Ncdgcf32.exe	89
PID 2436 wrote to memory of 3384	2436	Ncdgcf32.exe	89
PID 3384 wrote to memory of 3760	3384	Nnjlpo32.exe	90
PID 3384 wrote to memory of 3760	3384	Nnjlpo32.exe	90
PID 3384 wrote to memory of 3760	3384	Nnjlpo32.exe	90
PID 3760 wrote to memory of 2456	3760	Nphhmj32.exe	92
PID 3760 wrote to memory of 2456	3760	Nphhmj32.exe	92
PID 3760 wrote to memory of 2456	3760	Nphhmj32.exe	92
PID 2456 wrote to memory of 4892	2456	Neeqea32.exe	93
PID 2456 wrote to memory of 4892	2456	Neeqea32.exe	93
PID 2456 wrote to memory of 4892	2456	Neeqea32.exe	93
PID 4892 wrote to memory of 4260	4892	Nloiakho.exe	94
PID 4892 wrote to memory of 4260	4892	Nloiakho.exe	94
PID 4892 wrote to memory of 4260	4892	Nloiakho.exe	94
PID 4260 wrote to memory of 1688	4260	Ndfqbhia.exe	95
PID 4260 wrote to memory of 1688	4260	Ndfqbhia.exe	95
PID 4260 wrote to memory of 1688	4260	Ndfqbhia.exe	95
PID 1688 wrote to memory of 3944	1688	Njciko32.exe	96
PID 1688 wrote to memory of 3944	1688	Njciko32.exe	96
PID 1688 wrote to memory of 3944	1688	Njciko32.exe	96
PID 3944 wrote to memory of 208	3944	Npmagine.exe	97
PID 3944 wrote to memory of 208	3944	Npmagine.exe	97
PID 3944 wrote to memory of 208	3944	Npmagine.exe	97
PID 208 wrote to memory of 4356	208	Nckndeni.exe	98
PID 208 wrote to memory of 4356	208	Nckndeni.exe	98
PID 208 wrote to memory of 4356	208	Nckndeni.exe	98
PID 4356 wrote to memory of 4552	4356	Njefqo32.exe	99
PID 4356 wrote to memory of 4552	4356	Njefqo32.exe	99
PID 4356 wrote to memory of 4552	4356	Njefqo32.exe	99
PID 4552 wrote to memory of 4028	4552	Oponmilc.exe	100
PID 4552 wrote to memory of 4028	4552	Oponmilc.exe	100
PID 4552 wrote to memory of 4028	4552	Oponmilc.exe	100
PID 4028 wrote to memory of 4316	4028	Ocnjidkf.exe	101
PID 4028 wrote to memory of 4316	4028	Ocnjidkf.exe	101
PID 4028 wrote to memory of 4316	4028	Ocnjidkf.exe	101
PID 4316 wrote to memory of 2064	4316	Ojgbfocc.exe	102
PID 4316 wrote to memory of 2064	4316	Ojgbfocc.exe	102
PID 4316 wrote to memory of 2064	4316	Ojgbfocc.exe	102
PID 2064 wrote to memory of 2092	2064	Olfobjbg.exe	103
PID 2064 wrote to memory of 2092	2064	Olfobjbg.exe	103
PID 2064 wrote to memory of 2092	2064	Olfobjbg.exe	103
PID 2092 wrote to memory of 4128	2092	Ogkcpbam.exe	104
PID 2092 wrote to memory of 4128	2092	Ogkcpbam.exe	104
PID 2092 wrote to memory of 4128	2092	Ogkcpbam.exe	104
PID 4128 wrote to memory of 3416	4128	Ojjolnaq.exe	105
PID 4128 wrote to memory of 3416	4128	Ojjolnaq.exe	105
PID 4128 wrote to memory of 3416	4128	Ojjolnaq.exe	105
PID 3416 wrote to memory of 1288	3416	Olhlhjpd.exe	106

C:\Users\Admin\AppData\Local\Temp\3794e34fa2c89bd9f92a58701194f3a0caa842cda22ce804fa7227e98ac777e3N.exe
"C:\Users\Admin\AppData\Local\Temp\3794e34fa2c89bd9f92a58701194f3a0caa842cda22ce804fa7227e98ac777e3N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\SysWOW64\Mnebeogl.exe
  C:\Windows\system32\Mnebeogl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\Ndokbi32.exe
    C:\Windows\system32\Ndokbi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Windows\SysWOW64\Nilcjp32.exe
      C:\Windows\system32\Nilcjp32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3616
    - - C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
      - C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:264
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        34⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1064
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5116
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3604
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4144
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        71⤵
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        79⤵
        Drops file in System32 directory
        
        PID:1080
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1196
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        84⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        86⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:312
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        94⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4940
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        101⤵
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3332
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        103⤵
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3668
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        106⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        107⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        108⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        109⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        112⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 192
        113⤵
        Program crash
        
        PID:5576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5448 -ip 5448
1⤵
PID:5516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
176KB

MD5
c09a47770912417cc4d9f338699b4402

SHA1
e829f777b6972ab07c06e66908467b805e1bc83c

SHA256
6577f6cb8b46a12ec89afdc8e15b5aff7e500de50515275114630b2285f7b292

SHA512
8d1fa24ceff415cbb7839081f35d6e04d44d21a459f7ec3ca1a02f540e7e111049812c24036d55dcafc246d79800180f44129ecb2e703fe2b6a2d8fa033a7a55

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
176KB

MD5
d9485ff30fe457cb0e7bb79c6a37434e

SHA1
79ff351bb2fc79d7aef4e61a474c1f72ee0b5b58

SHA256
656fa2bbb6a4b5acd6b94be622c1bb61aeb4472f3660d939063bcd8c3896fc4d

SHA512
03b019953b87d340f73a7429b74cbf32bb4f60b00e6177c3785fa40c7a80b31f8aefded13c76554b76c4829c5133fd6712a4b1a9a32511bfba3da3a308e047d8

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
176KB

MD5
f60b4d4062b807706f96326d5794527b

SHA1
83a4f416332bb07721b8b408baf610df50fe3f0a

SHA256
cbd856e157d654650df7f39277fb1590edb63bf58aa24168e4db3e56c061c7e3

SHA512
20dfe53a2e79dba93f3fd9ed226844893c4b8f0da60f3c91e02f133ca63549bfeef4aaf703b2676228eb5fb4059d75a47701e671058c0068bef4a716703c9cf1

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
176KB

MD5
a0c7d8353b599ffd1fe407a7c45b46f1

SHA1
f0947534d4ec45065176dbf1d92cc2e0e60f34dc

SHA256
768e04fb6d91688b9698ea4cad4cea03617e2f9ce9107b090ac65faf500935e8

SHA512
c61a39f1eaff8e66235d29d5a6e6b8c19aeb7b8720a9651c92ec632a1fa034e4d9d4328563c8297f3dbbe99c8c0c5d67e9bb7f94b64473cb55b9646358d347c3

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
176KB

MD5
6e69d12e495e3be26e5c70b5970babec

SHA1
44d2b5a439d4069e96a96b68cb196fe14b2f5f48

SHA256
d9bc633356fd77fe28988f4786951eaf6eb088a29110a9b4016307f4bbd491b5

SHA512
f5b1146b72f770a010234f76f6337c434e2eba72a17b8fbe62dcb1de2b6c52c8b74e2ea88f4eacd8c048aa7bdeb54ac9c456583093d89de8ff06ccd0a69ca457

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
176KB

MD5
706ee53bbc6fe22500ef41de2ab24b9d

SHA1
d141d22e72bc104a97c09cecfb4fda1bef1e0097

SHA256
fbdb00c589b1778e8fce758bfc596864f9dd3dd29ee677bcd5bbfb31798a5624

SHA512
91999073f57519bf7345c749e8de56d5c04924839810525a11ff2133289f78f621cf93b0d0c7e7b88223dcc92b0ae5fb9035c90c02f3f51062b9bab720f182c9

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
176KB

MD5
65a745e7a167180a48da09bf639c75f9

SHA1
5c4cbf14cef7c4031cba0add0df409b77e5f83f4

SHA256
7c0a37bdbec76f3f6202e061f7501f8285569bf8b256e6cd3f3e7fd8a199896a

SHA512
c729ba937f23c99224c2588e57903c19b91680c0dd2aca04ceb9b699cdb7bf86550ae07588e825a9d7d0ae9723fc74fb7bf4e1fc4ab291a098160ab4fb3e0ee4

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
176KB

MD5
a2e669d9b63e494f3145d0922bb6d175

SHA1
f8be68fa48ba9680079ce348b07e28f3939baad0

SHA256
30854852aa09a6e7470d22c45e71c8bd8cc8c4a61ffc576acb31f28bf5af0704

SHA512
b7b01708f31d69486cfc3b1dee4ccbd03f0c65ec1be1859b5ec399e7e4cd34858b82070debd3b98ac5873a934261c018230ef41f5aa68701bcc3a980bb539e2c

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
176KB

MD5
a2fb6317da4a5a919ec2635ee74ca21e

SHA1
a9aef0244630dd189ce49c16b9b92f48e226542c

SHA256
5284d672969e7368c33a64afc3cdedc86b61f34930d0abd80aec81078a81c021

SHA512
8cb09451f578c03767df657de58c23df80a12574eba5cf8dc7a96707181d258cffa2464185fbd3729fef79bfef1a59c4b98bf9f2ae436422583f971dc27feb1a

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
176KB

MD5
b728e08ebe137fc61f9dbdd0b48005fb

SHA1
445e8d6abb646b842fdee2e3e6788dc5eab1c020

SHA256
a083c72e219c3a0bf59a7336e1909746e94cc9b50c3cab35b40ebc1ef02d77c8

SHA512
22d9d3da579c84a2cf3ad0d39572575af983035907d799d7eeacbdce75d1f65831f4969596ced32ba15ae26b6aeb2f352ac0b2e33b1ea431438996c869181145

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
176KB

MD5
5e42aa581a5ab004f113e7c9d499c38e

SHA1
661c68281daf69bf11e6c18be146d3d33e808ede

SHA256
16ceab64e1a02cfbfc33c9b95ef8908d8644ba644ea6858c3382477a67192de5

SHA512
cded4fa2db8ba7881b5e621031d37e40f6ae78fff9baafe61692c45d0a819f7f4ceaaf8ac9609a55824e21c218fb9730df30a44ebd7a322cb6b218012f180463

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
176KB

MD5
86378dc371b93d4c52879213cf76363d

SHA1
a6b6dabb930ecf66d92aac75eed46532ba101fe1

SHA256
fd7c10d68905eeeef0d5f1b0f36fa3c40398138e7cef4a7b493b25137ec1f2ca

SHA512
22587057d4d858f65104a8781b40e69bf7e22f624a047c77f58fddbaa02e8e034ce61104683546cb3f3cc9f924feb90f462ea5af68781873446dfcbac9fa32c3

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
176KB

MD5
dea6f29a00e96e550873dcba92003863

SHA1
898364825394d29d1b49ac12dcc806402a10b06f

SHA256
1f7d10f1b1693aceac79580454dbd11fc0dcd09b1de2608391d94594667a6131

SHA512
a0b0c8adbb140590d38e26c321869c17d3e34d91f4fee1ad1dad4103c99155dcebf69715d29ae995a4a04e670087991e7fd8ff9b5bea957a4c30e230b4af6727

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
176KB

MD5
478bd45685f9b58de620b3559c874d14

SHA1
9839a428deb624935966537eb40bff7938525d4d

SHA256
359a29f762559edfb6e3f6dd1924fcde8d317c9b8f9d3a719bb3481eb2c0acde

SHA512
4a2df58dd64e924faea00bdbb96da42700747b5a6068bbcde2b263aa94b44e0fc4c8a559ae7b3adb1865fe6a9c52f4efe547fe31e45375cd764e4fee5b94db32

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
176KB

MD5
a626b21d20efc6bb8a5b404e2d711629

SHA1
2be496d5001e8ef991923887aa78124e00612822

SHA256
dbd74a49968d2b33889ef7ffc983d6703f99ba3a3fdb7c46289053e4699aef71

SHA512
4c2e744fe045903e2d56c96f7695a484531d71eec9da834e9a055816cf3672b13123df46457f37fadc5e1fce0b93624c0c6516005b08aaee1f84d3fc5eb986c1

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
176KB

MD5
de9630412c33ef977c469f2f0b9c0358

SHA1
6253b384c9865cfd3fe3500d5210569690bc0380

SHA256
7b1cbd3bff9658826f05ecc0bf72d4e73b4822ad7fed76a74e7933fa0093e419

SHA512
b140f4109756ab3ee172c1c6897eab7177296dab9b3d35368cf753e18f1bb936ea02da0c73fbdc95a29ee371e03682d4f07c0d42260d79bce4821212d217400b

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
176KB

MD5
3873a41312a78f03c0ebaa96be1c16e6

SHA1
c5519f70fc9f79b8dd76b521d39d173c60b38b18

SHA256
8eecf070866fcf02fbfe85791e4346e891c7d92dd411cfc999dc533bcea13d6f

SHA512
5bb7a925397a1ce6fea68811a6ce66c54f31e0d23e935b1068a635b1bda2075ead6721013f3fbfc666f0fb086c7f33e7588ab6384a8d79ee463dee336788db70

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
176KB

MD5
937e6023be703cff0e8ff2ff896e55f3

SHA1
1b09241ed5ce170d3ae4be80215cee7f335c492e

SHA256
aed3ba5d2a5e204e2a14ca22872c21bf8c55130aea15d1bdd92193aa7bfde7e8

SHA512
1ecc0822adb58d610ff4ca7e5e19fc8e5109a8a08fdb7ca682646ddec3b5d021ba47f2281304c8e3d6cc3d7893d42589521ce2361dd588b5e56c37e854773f4d

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
176KB

MD5
cddac9c734d8e1a67adeeb6b8eaad6e9

SHA1
25c83cef0f6c1e028e07d646f2dc5558f59116a2

SHA256
4f43d9770bb97e137fa5e8ce4b32d35e3719a42fdc1a199c94945303889a53aa

SHA512
b2893632f6bce4806b9d3fe62d6f7f004aef452fefdc4bf9ae217da8cd614b6c5cfbcc8ba9c34c23b11e8d033ab7e993ed7a0e62d57617dab6f4f65ffda811d5

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
176KB

MD5
84ad48bb1cf14fbd8f1546bbf78d1ae9

SHA1
b70399b9bd28bcd2f83c74496c16aabc73f85ac2

SHA256
e22327434003674c23b2a026b9af109f29fa4f160b8bffc7504666412d46bbf7

SHA512
92d8513267f53b7f71a56b994eb58cae474a0585bfcf629ddd2d479d5f9d39f43a622191dc6687ed20c378184f1f5ba796b546ce9b8578ccf08ea4586f80bd8c

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
176KB

MD5
c5a1eb79a2729c20a532d88fdf711872

SHA1
b1e03292c57b8e7e819f9fa689b2b008663acfdd

SHA256
7b9791288b5a35c5f7c9d81fc25d4f660b74c61cd8adeab298599f37e3819d78

SHA512
5f3454c9b968dcf59ee4017ecad8851379824c6e19171e3ef02daa6e17649f5013b5861f462060bc5280f9814a057ef6e30dfccbe009c863222f695d358da550

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
176KB

MD5
02dd86dd3d131eed40517e7f051d8791

SHA1
bcbf3e27063d325e9fb8e82366b291f0394d9ef2

SHA256
b7590cacffa34779a7565510f44d9414ec67ae30f3159e6748d469d8482413f3

SHA512
ff596666b821ebf324ca96d5909bde37bc2ea4cf3fbfe8e4b44ea6badc1b003a7b864c82d3a2afade7feef5067f54c09e57b5acdd74000a13e7ae075f06c1a94

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
176KB

MD5
3296f71fcf876274503bd8413dbb44ca

SHA1
cc4b17b35f17a3f57508d8d6a54b986cca24b6f3

SHA256
514e1fe06dfffacb1d29fb28bb25bd41156ccca134e436bbf71842221b9de771

SHA512
729d731a4e86ab7959172ba742e61791548ac6e60095f0345102ee2d5f4c50ebf50c8513692079a64fbc83dd2766d05826197356891b1951c22ab7c05d024b8c

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
176KB

MD5
ed710202f6e94df26855d3e06439954b

SHA1
3bbd60d30dd5500e2bb5d21d94201f1f2cbdb56a

SHA256
44cfe11493e9628f1b7ee7d0e738c6f681a849e75977d643135ac06b7803fb7a

SHA512
66bc8cb9cfe587c318d19ce03ce4fcefaf14cf00bd613eac1a3e03d5079dd0b0e7bcf9387109c9b1b2129f163831a7dcd9ba3f1fd3d79eb2380c8e59e4fa725c

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
176KB

MD5
c60fea34507182b34c77a97a6221b17e

SHA1
9df43ad19dae00e21e4ed6285354d4b2b9b3c7de

SHA256
d874d64e0c9d25b5e425e803fdec0e035a2fa838113a101585189cfd4a6d4452

SHA512
83044cd86ce2eca9615a43b9d1eece4fdd5722be14eb34588536f6e590210230888aa32790a82f09344e206342ad92a8bc0d2cd74cbae31ebca6317fce73ee32

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
176KB

MD5
69b49268f1cd1a1331db0e62c3f7984d

SHA1
de8222b4d4aa587bb17d73ad2663b6b774ae4604

SHA256
4b0c9a4d6e0db8edacc2b5859a9d9569d5d99f97d01a6e86cf95e4c18d14d6f3

SHA512
35a0b79718da7c613231443012b983dda9d7f7f90b087946f72657c60d8e9c9f552defdb6a1b919abe0d5b8b2e65c2af850ff73df2b53df037d1ab721c2d0dd4

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
176KB

MD5
3e5656973467c2d13c71053b19d74642

SHA1
13b1e7fe7a3110245be9f74fdad7569e7a0a15d0

SHA256
c7248f9bfd28c377f3eaf6f26f6eb3ba7b64bc23e9e4568b89269b40d143e5c4

SHA512
951bff81d7d8c6361321bec611356cc05bf3c6963c2989001c8600b2b97c2e95b8659f7665fa7a0bcffcc4be40369c312fc8e876b39372de7bd143ae78b394a5

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
176KB

MD5
d15ceea2c6efb7f10e8a6c2265ca786c

SHA1
483292c04780e17f66bf716aa6d10fe222bd2456

SHA256
9cbcf0efe21bf8ff840f775b688de3a70a4602d91fab12405bf20006a061d546

SHA512
12c2e348f79c66c5a48636f5e8428100150cd4554500d229bbd2a8897ecf06ff2d8488ac4e6a53abe5260ce6714a32c5b30ad35672765d67d38ffa684193966f

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
176KB

MD5
d5959c5a2a31921a7d53c1fbf517613e

SHA1
2653568d26ac0f8d1413dd6110164a9bbaf8ba7c

SHA256
0eac03b4e91494ddf95c8ee27bb75cfb3b6269663eb49f6a6607ee1a07175e1a

SHA512
8049ef6b2a1d8afb4a1ebbe42fdfd22a13f5a14bd3d9800fe69d6d1579d2da6299686ff4d49947a9731f589e65a82494d047ce46c1b1094e3e4a243261acc0a1

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
176KB

MD5
56e702cb0aecc45e58b43b40fbcaabf1

SHA1
173fbee4977a5b5a521b82d4183daba388467114

SHA256
3d996a56c8755ee66d0e9bb3672517117c6d79bd0106fd170fb404050db55902

SHA512
88503885d416ec1276ce840685d6490ec6ee47d2fd1bf89a320091a8b9ed21609ce903fd96e6e47ed766862a91c298827e37523154ce3f820bbbb5a7dda24a95

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
176KB

MD5
50db16b63bb0f09f5a298cd89848a4ef

SHA1
bc94bd80f53c134d0185259a2a7af0d2853fe751

SHA256
192e57b061b395e9c1ad3a6be6b8eabe5254666cddfb21958e13898d3e3bad10

SHA512
784fb2381bc713eadcc12b256e03e33ef2e655b70ce4d386fc4eea693374a3872ff37d5b59463e059299f450492b8adcbc7db73cd42a63ea3ec77a3b90851449

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
176KB

MD5
0eb4b5a5057ca317b68d3d966b240ee5

SHA1
6990fe311a075c902df81038d50ab0518577ac24

SHA256
4e4c2458c19fb7d359c26a1a96cab4827cc531ab93b38a3bdbfd652e493fd77c

SHA512
44c749dfd693fe70f0761810e20d09d81f353812e40c5b95ff436a44d7a6a7c86d03a19413bd757522c5b269e0c144627e90f666a8c0552ef95570eac8f977ea

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
176KB

MD5
5e69482d597383420458800563eaeddc

SHA1
cd74bfe84f81de39031301fee2379ee28dd3fba6

SHA256
083e37972c71b62e2f4aaa60e3916f6253c90b1a0af652ad18acd91970059659

SHA512
870e5fd2ab9df6006eca763618ca49a74dc90b3bb1336551f514e9092c9cf532d0cab2082b1e961589d7fb57459bab01751370ea3a23d3446bc4d2949497f2f5

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
176KB

MD5
002ce5eff7c376b2f2d16f9f069bffac

SHA1
10e2a1f2a64414f43a59a033d6003bb30fe002b1

SHA256
8a55e81f8406562ba286ee94e104c73b840abab9b5cb944b69c6307efe9d7875

SHA512
8bf604f95b8cd193372a18cd62a437a18265f0063cb1d482d7500575dd3a447bd57a7d8d3b7bb8304159030b0b8215a3a5adf505c0080bc7b87b930296ef9ded

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
176KB

MD5
d6a19d48e82eb56bfa2da55babf34644

SHA1
a46271545551daa0f478fbeba9d4e9b26ac58325

SHA256
ea9096cbe1181b325c39cad5c1aea28185638857c71824357c836d1d487ffcd0

SHA512
fe8ebddf1bcada10ef34c726660206438b24fba025d8856543db228c77581fa2d49a85c455e59a6cca99334e288b7bf1b4b3a8cfb86ce838eee25e74c28cb9ab

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
176KB

MD5
d2e0f4e53a2a67741b0be51db8e641f8

SHA1
78bed32995baa8e31c8a19402a85465de4cc8cf8

SHA256
35fe7e4f6ea5bb0bf525e4953b9cd1d308abdf9a5417e3d239cf8a6b7778c0cd

SHA512
4c48790f0ddbc6aec6b9db3a616e3aaa2fb60290761993f32c0e70bd58663926d2dcaa5769c1dbac94a5426cf8315f93af4edcf845234ff7dfe7847d51bc5525

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
176KB

MD5
875bc121535056bf707a753ddc697c73

SHA1
5990029d7c6465751e5a161340e789c6d2a6cc56

SHA256
b4911c33a04d6eea20b84433251a7a5fd5da207768dc790ad4b5d92811eaf067

SHA512
3e919b845fcf6be3f1eb6b06553dadb0fe27e9b1709804fcecf50f5ae9b007525a4907efd0fe95049b4fdf2bf18de10d6280d149a23f8def2c52cf0e451ff5ae

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
176KB

MD5
7b05943ec6e0853c1c9463578f78187d

SHA1
312f5bd013c911f1ff0e3b77765cefa0934702c9

SHA256
fb2d3f0f15043a65a298f11892d53d4e5cf89120fedc1a0f7e29ef7665d1df2f

SHA512
d6c56eab580a384ae351564ef12784948f9d6a9d03bd954d8fef566bf07ce03c29b8bbc2984992ad9522f5a4b088077c67d323440b59a0c8a9c8cafa610bceb4

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
176KB

MD5
990485706cc4f1704c2dbae2ea93c973

SHA1
8be13f64ce636e85e4feb30b2a98d20a61b26e0c

SHA256
3bdeccb4b1f7d3224aad7a3c6ea3f7d64b3dd5adc3dd06c357b66f8d177a752d

SHA512
579da92ba71ec2dcaefcc6fc12c02f789c40236c8b6ee79b98f80b334b918eb83986e71a7fd1cd6687a18d8d32923299509e7669e2407a3db63e68d93af92bd2

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
176KB

MD5
27532087ce8504ef4c7b93e708091a73

SHA1
7829a08c1d8207e16594ef771ef3d36ac16bf6c3

SHA256
30642e4c448255b44a359443c3b31b07c94e58541c53735215219f38a3a5a29f

SHA512
ac0c0024906fc853240fb713deeb3d2ffa1d7c92fe0110efe063b41bdb9222b59d92918e3c6b5ef68d48b9858d8ad062e2aba2ee289d1bb493ce06c3ce556ece

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
176KB

MD5
2c1f73b58cdbdbc2e71a38e53744b9e1

SHA1
adc16e7d9a8a2a293b12b816729f357f5e23685c

SHA256
503cf4ffe7a46f05fe8e6265fe3e422ce91046e8d0f4f331ccb04b9988892fa3

SHA512
867f356579dbed8a65559fa229ab438e0250359b112a0e112c5b89cf7442682c6a6f9e4e5f93bd4c7955cbc8b95fdccc44a64f3846b96db87424d70227c5517e

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
176KB

MD5
c4d638598abb996b509eb0aa13560ef6

SHA1
79ebca283533bcbd02a80027f958a98b05ce740d

SHA256
e2521d5092783db4ffd29e5d545a2cff77d96cde2f32ce9ff193b4933688b46c

SHA512
e58c80da5077ce9a61723bbae83486fee4022e0c482da3e1f82db180e69ac1a366724acf5a39429a5ef69b9735cd297f55280c7f46e08e212954a29ae81e49e8

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
176KB

MD5
27aaf5c881610abc9f764a3bcd3f6066

SHA1
e0a12e937e36fc974a47fe88d79e51226908e190

SHA256
ff87c28eff74500a818a8c4ad253fa13efb5cf146edf201709b854b8c395475f

SHA512
0bc8ac9b0b2868eda230b69659b69ee6cd05089e747a89844bfcfdee474b38cdec0e1f9b6ec6e1d0496f561ce28809855e31b1b7fb4a3a04bb94d626e563a277

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
176KB

MD5
2a9197dd681c0e8c9a3115f30b67a316

SHA1
5425da1da9d80c7bddeed9daaac1fce737e8cfa0

SHA256
577b6c24c5f218226eefab3adddccd370a3520c5497e3e9db2e850bd8a76108d

SHA512
cb75ae2ed458a4ce26be1d0cb60a574d65f219f229750c14d3a5d18f1b8970850b48be1d6aeda349d48d35dc2634f7eeff1947efa9d5d92ce1a8185ea4f0700b

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
176KB

MD5
050eafd312c6d6b28a0ca28399047528

SHA1
240c8c8d31d1886988e199a2956301a5785f2c32

SHA256
95befcd0706b7ccd7fe0340108b0961af7d3e1054bac5627325df910abd31c0f

SHA512
cf0a898b56a8a416908abe6c61184e17bea4267f41599b8e584b0b33f42ae4096495bbb21b6efb3a1de8f70958a71d9f1ccb6b651e69f8612d4c974cb7926b3d

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
176KB

MD5
aa0115a3a013f02f5f5c56b0f3acb0bf

SHA1
1badb4423cd491899d1968ee6260bb615582c1d8

SHA256
ba291007576b38378695920206ab2bec1556484d0608ea37bbe6c22163c10509

SHA512
790b7a8ccd1bf14343c88d10100ae00ce6109843a6b6b3c7c98918fa2f64870edfff3d06d1fce77dd4ab5cc2f1e3172fcb9f4afd5bcc6930e1260837648d9b5b

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
176KB

MD5
984811d4b03198ca7603d43456f8c6ac

SHA1
dd1d4256895f94ed844a9523b4873579b1be7532

SHA256
9de1a9592651fd03b4ca66a8c92cc5bfdd5c3a0622996b76d3a50f06137d4c4d

SHA512
17a3ddfceb66afb34ea5e4c31019c42dfc6ba1d282c1a7efc4a894b77a3cefe436f4fe416c0b17516e994c7e8898dd82e8cefa1a452d1bf293391cbe18497c72

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
176KB

MD5
639aaa9b34420ea5afade279221d7036

SHA1
fc1bfb4f21306fd1047b41be7c13d1179e12183b

SHA256
42da70bc041820ec2cae4608e8f3511f0aec722d6e0db8c284895f13e20477b3

SHA512
a595feb34171793571916eebce5007f57634346f5b0892301bd5fc35955bdfd3645bad9114f78a944911aeffcc01d197867c93831d50407f9d3d988c5c5da10b

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
176KB

MD5
d7eb8c86cd88981ce95d6d2b34211602

SHA1
0ab082eef272286cb27bbc35c278ff227851de1b

SHA256
7df4c2b66e9ef1b5612ffcb0e93704a0347e7dd1ca5e47e92fa45ad0d3830d18

SHA512
e39dc04cdf8ebabf6957506e567855fef846b1d0775e405a4bdc439aa6d5afb309f212f5a12018fd2595ee513ea3b1a33b6223e53a69cc5c7f89cbe1182618a0

Download Submit
memory/208-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/264-209-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/428-377-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/464-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/780-419-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1056-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1064-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1080-528-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1104-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1104-554-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1128-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1196-535-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1288-181-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1364-443-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1404-491-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1524-569-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1540-467-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1688-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1772-515-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1840-562-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1880-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2016-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2064-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2092-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2108-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2172-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2176-509-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2248-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2288-438-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2320-548-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2436-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2436-575-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2456-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2496-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2704-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2708-583-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2720-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-547-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-9-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2944-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3156-197-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3172-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3200-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3384-582-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3384-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3412-455-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3416-169-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3428-555-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3548-479-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3596-534-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3596-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3596-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3604-431-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3616-561-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3616-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3648-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3664-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3680-449-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3760-589-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3760-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3772-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3868-353-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3876-425-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3944-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4028-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4044-516-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4116-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4128-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4144-461-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4232-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4260-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4316-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4320-185-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4356-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4448-568-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4448-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4480-541-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4528-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4552-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4636-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4708-473-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4772-485-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4784-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4804-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4820-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4872-221-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4888-201-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4892-77-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-522-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4948-497-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5004-576-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5040-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5052-503-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5060-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5112-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5116-407-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads