berbew | 85cf01f6316fe261fb5ae61c799e34b97cddd2a2c5ab1afb73b38d97c9b88e72

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2024, 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85cf01f6316fe261fb5ae61c799e34b97cddd2a2c5ab1afb73b38d97c9b88e72.exe
Size

512KB
MD5

73f6659760ea8ce5ad67c8f2831a6c68
SHA1

4550cd469d2039360227cdbf890c441f64520005
SHA256

85cf01f6316fe261fb5ae61c799e34b97cddd2a2c5ab1afb73b38d97c9b88e72
SHA512

056f8d40ff5a1545168256e322cb9bab41b7e71269a151aa3440effa9951717a287ea066225ff17a332f130ed87cbd50b3c671ae13340f906b55965ca568a700
SSDEEP

6144:CGosfMkLKR2G853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZ:DosfjKRXQBpnchWcZ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
116	Npcoakfp.exe
3852	Ncbknfed.exe
4612	Ngmgne32.exe
4864	Nilcjp32.exe
2872	Nngokoej.exe
2380	Npfkgjdn.exe
2060	Ndaggimg.exe
1456	Ncdgcf32.exe
452	Nebdoa32.exe
4868	Njnpppkn.exe
2340	Nnjlpo32.exe
2700	Nphhmj32.exe
3660	Ndcdmikd.exe
3184	Ncfdie32.exe
3980	Ngbpidjh.exe
2992	Njqmepik.exe
5084	Nnlhfn32.exe
4792	Npjebj32.exe
4724	Ndfqbhia.exe
4360	Ncianepl.exe
5000	Nfgmjqop.exe
2768	Njciko32.exe
1720	Nnneknob.exe
3360	Nlaegk32.exe
5056	Npmagine.exe
3488	Nckndeni.exe
1448	Nggjdc32.exe
3356	Nfjjppmm.exe
2132	Njefqo32.exe
2924	Nnqbanmo.exe
3276	Oponmilc.exe
2928	Odkjng32.exe
4448	Ocnjidkf.exe
1692	Oflgep32.exe
2324	Ojgbfocc.exe
5028	Oncofm32.exe
4532	Opakbi32.exe
852	Odmgcgbi.exe
4796	Ojjolnaq.exe
5024	Olhlhjpd.exe
816	Opdghh32.exe
3400	Ocbddc32.exe
4576	Ognpebpj.exe
4560	Ofqpqo32.exe
4428	Onhhamgg.exe
1480	Olkhmi32.exe
1656	Oqfdnhfk.exe
4748	Ocdqjceo.exe
4420	Ogpmjb32.exe
224	Ojoign32.exe
4604	Onjegled.exe
1084	Oqhacgdh.exe
2224	Oddmdf32.exe
2400	Ogbipa32.exe
3152	Ojaelm32.exe
5156	Pmoahijl.exe
5196	Pqknig32.exe
5228	Pdfjifjo.exe
5276	Pgefeajb.exe
5312	Pfhfan32.exe
5356	Pnonbk32.exe
5388	Pmannhhj.exe
5436	Pqmjog32.exe
5476	Pclgkb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ncdgcf32.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ngbpidjh.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	85cf01f6316fe261fb5ae61c799e34b97cddd2a2c5ab1afb73b38d97c9b88e72.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Ncianepl.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aglemn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3160	2472	WerFault.exe	261

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85cf01f6316fe261fb5ae61c799e34b97cddd2a2c5ab1afb73b38d97c9b88e72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 116	4828	85cf01f6316fe261fb5ae61c799e34b97cddd2a2c5ab1afb73b38d97c9b88e72.exe	84
PID 4828 wrote to memory of 116	4828	85cf01f6316fe261fb5ae61c799e34b97cddd2a2c5ab1afb73b38d97c9b88e72.exe	84
PID 4828 wrote to memory of 116	4828	85cf01f6316fe261fb5ae61c799e34b97cddd2a2c5ab1afb73b38d97c9b88e72.exe	84
PID 116 wrote to memory of 3852	116	Npcoakfp.exe	85
PID 116 wrote to memory of 3852	116	Npcoakfp.exe	85
PID 116 wrote to memory of 3852	116	Npcoakfp.exe	85
PID 3852 wrote to memory of 4612	3852	Ncbknfed.exe	86
PID 3852 wrote to memory of 4612	3852	Ncbknfed.exe	86
PID 3852 wrote to memory of 4612	3852	Ncbknfed.exe	86
PID 4612 wrote to memory of 4864	4612	Ngmgne32.exe	87
PID 4612 wrote to memory of 4864	4612	Ngmgne32.exe	87
PID 4612 wrote to memory of 4864	4612	Ngmgne32.exe	87
PID 4864 wrote to memory of 2872	4864	Nilcjp32.exe	88
PID 4864 wrote to memory of 2872	4864	Nilcjp32.exe	88
PID 4864 wrote to memory of 2872	4864	Nilcjp32.exe	88
PID 2872 wrote to memory of 2380	2872	Nngokoej.exe	89
PID 2872 wrote to memory of 2380	2872	Nngokoej.exe	89
PID 2872 wrote to memory of 2380	2872	Nngokoej.exe	89
PID 2380 wrote to memory of 2060	2380	Npfkgjdn.exe	90
PID 2380 wrote to memory of 2060	2380	Npfkgjdn.exe	90
PID 2380 wrote to memory of 2060	2380	Npfkgjdn.exe	90
PID 2060 wrote to memory of 1456	2060	Ndaggimg.exe	91
PID 2060 wrote to memory of 1456	2060	Ndaggimg.exe	91
PID 2060 wrote to memory of 1456	2060	Ndaggimg.exe	91
PID 1456 wrote to memory of 452	1456	Ncdgcf32.exe	92
PID 1456 wrote to memory of 452	1456	Ncdgcf32.exe	92
PID 1456 wrote to memory of 452	1456	Ncdgcf32.exe	92
PID 452 wrote to memory of 4868	452	Nebdoa32.exe	93
PID 452 wrote to memory of 4868	452	Nebdoa32.exe	93
PID 452 wrote to memory of 4868	452	Nebdoa32.exe	93
PID 4868 wrote to memory of 2340	4868	Njnpppkn.exe	94
PID 4868 wrote to memory of 2340	4868	Njnpppkn.exe	94
PID 4868 wrote to memory of 2340	4868	Njnpppkn.exe	94
PID 2340 wrote to memory of 2700	2340	Nnjlpo32.exe	95
PID 2340 wrote to memory of 2700	2340	Nnjlpo32.exe	95
PID 2340 wrote to memory of 2700	2340	Nnjlpo32.exe	95
PID 2700 wrote to memory of 3660	2700	Nphhmj32.exe	96
PID 2700 wrote to memory of 3660	2700	Nphhmj32.exe	96
PID 2700 wrote to memory of 3660	2700	Nphhmj32.exe	96
PID 3660 wrote to memory of 3184	3660	Ndcdmikd.exe	97
PID 3660 wrote to memory of 3184	3660	Ndcdmikd.exe	97
PID 3660 wrote to memory of 3184	3660	Ndcdmikd.exe	97
PID 3184 wrote to memory of 3980	3184	Ncfdie32.exe	98
PID 3184 wrote to memory of 3980	3184	Ncfdie32.exe	98
PID 3184 wrote to memory of 3980	3184	Ncfdie32.exe	98
PID 3980 wrote to memory of 2992	3980	Ngbpidjh.exe	99
PID 3980 wrote to memory of 2992	3980	Ngbpidjh.exe	99
PID 3980 wrote to memory of 2992	3980	Ngbpidjh.exe	99
PID 2992 wrote to memory of 5084	2992	Njqmepik.exe	100
PID 2992 wrote to memory of 5084	2992	Njqmepik.exe	100
PID 2992 wrote to memory of 5084	2992	Njqmepik.exe	100
PID 5084 wrote to memory of 4792	5084	Nnlhfn32.exe	101
PID 5084 wrote to memory of 4792	5084	Nnlhfn32.exe	101
PID 5084 wrote to memory of 4792	5084	Nnlhfn32.exe	101
PID 4792 wrote to memory of 4724	4792	Npjebj32.exe	102
PID 4792 wrote to memory of 4724	4792	Npjebj32.exe	102
PID 4792 wrote to memory of 4724	4792	Npjebj32.exe	102
PID 4724 wrote to memory of 4360	4724	Ndfqbhia.exe	103
PID 4724 wrote to memory of 4360	4724	Ndfqbhia.exe	103
PID 4724 wrote to memory of 4360	4724	Ndfqbhia.exe	103
PID 4360 wrote to memory of 5000	4360	Ncianepl.exe	104
PID 4360 wrote to memory of 5000	4360	Ncianepl.exe	104
PID 4360 wrote to memory of 5000	4360	Ncianepl.exe	104
PID 5000 wrote to memory of 2768	5000	Nfgmjqop.exe	105

C:\Users\Admin\AppData\Local\Temp\85cf01f6316fe261fb5ae61c799e34b97cddd2a2c5ab1afb73b38d97c9b88e72.exe
"C:\Users\Admin\AppData\Local\Temp\85cf01f6316fe261fb5ae61c799e34b97cddd2a2c5ab1afb73b38d97c9b88e72.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\SysWOW64\Npcoakfp.exe
  C:\Windows\system32\Npcoakfp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\SysWOW64\Ncbknfed.exe
    C:\Windows\system32\Ncbknfed.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Windows\SysWOW64\Ngmgne32.exe
      C:\Windows\system32\Ngmgne32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4612
    - - C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4864
      - C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        25⤵
        Executes dropped EXE
        
        PID:3360
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        26⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2132
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        35⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        37⤵
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4532
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:852
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        41⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        42⤵
        Executes dropped EXE
        
        PID:816
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        45⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        47⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        48⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        49⤵
        Executes dropped EXE
        
        PID:4748
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4604
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        54⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        56⤵
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        58⤵
        Executes dropped EXE
        
        PID:5196
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5276
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        61⤵
        Executes dropped EXE
        
        PID:5312
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        64⤵
        Executes dropped EXE
        
        PID:5436
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5476
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        68⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        69⤵
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5668
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        71⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        73⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        74⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        75⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        76⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        77⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        81⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2236
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        84⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        85⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2376
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        90⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        92⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        101⤵
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        109⤵
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        111⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        112⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6184
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6220
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6268
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6348
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:6380
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6428
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:6460
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        122⤵
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        123⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6664
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        127⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        128⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:6780
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        130⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        131⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6948
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        134⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        135⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7104
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        138⤵
        Modifies registry class
        
        PID:7140
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        142⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        144⤵
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        145⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        146⤵
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        150⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:6192
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6244
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:6284
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6336
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        155⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6452
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        158⤵
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        159⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:6676
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        162⤵
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        163⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        164⤵
        Drops file in System32 directory
        
        PID:6876
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6968
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        166⤵
        Modifies registry class
        
        PID:7060
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        168⤵
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        169⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        170⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        171⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        172⤵
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        174⤵
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        175⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        176⤵
        Drops file in System32 directory
        
        PID:6164
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        177⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 396
        178⤵
        Program crash
        
        PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2472 -ip 2472
1⤵
PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
512KB

MD5
acab5e3708af455cf00adc88909e4453

SHA1
46d7acf3f52e1fa8556486c7c67373fd42bb6f59

SHA256
2c491e7874b29e4ea07b161f86af3a0d301c4616ddaa9d2a7d52e22345f70ed9

SHA512
5df6f54b58361586dc1ca978bb74e1373fe7c3087a063e228e01bbbe61742f286ea0b807c0c09b0d82847e6b80928fd7d2453edb1a75ea69e11e6899338b982c

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
512KB

MD5
d27931b1d191275d49181adf9c3ef323

SHA1
cb9d838201c64709ba7e6f0985d6e6e586f43ae8

SHA256
3d0ca7a01a63147a7a645da857f458aacc1f5335c0a62d3fac5501d5af45ff9b

SHA512
da1b34cb9db91d3c9e0d63ecdbef910af161a1bdc1197d0bd53dbaa7dd044b5eba0360e23050d5ed2975e4f4c211b085a85fa61ae01e53dd2f652090e1362fe5

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
512KB

MD5
c862027285713030e1d99b0d1cddfa33

SHA1
fcc44cea49a9a71c357c3f7d8bbbb93ea539045a

SHA256
5b2a799dbb38735d9fa4e88525c6353862ce1afea9e0c74812a8864cb58eb558

SHA512
7c81f7e6def87e7e962c0250e03e419d9f2ef49923bd6d64bd30489d28d87d88dcc9694d33b270511018a59d55bd8912fb15d92351a67f7196477189e4b05fa9

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
512KB

MD5
b24763ebafe4c0fb0f4bd5d9150d95d8

SHA1
ca8d76a210d504818bcfcbdfe782a166e5c00333

SHA256
3e02b836aca33650d3f6325b936b7d0e02166ec05730e44ca3e67d753f5419fe

SHA512
3ae913e5db1ef635e893b41b7cadc2557410a24918504c4a12136648c2d8e80d3d62688040994f1fc77de2225f8ee11a8aa88c14de77ccbd814ecfea72b064b8

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
512KB

MD5
ca0c7f1d6e765e5d2b522ea3df996881

SHA1
ccd60bbdbfe4be6fad1378e66a321c81e3cb4b3f

SHA256
0a7bbd27da782e9417bb9348cfa4bf4c6f10a9fb59de1817a48d9bd2eb4fe941

SHA512
c244b09773a3495758c5e9dc467b1dd0f1e5ffa2c4c1d35961db2aea6872a1f412b29b4fa023cdb3b029d99d0f5b1eb11476c5fa1ac47a83df9eb7ad8fe926ac

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
512KB

MD5
8b05648cfa68d1ff282d9ad7c86c964d

SHA1
1f1fef80be267b21e559ca2cfeba30dad3183302

SHA256
cc9eb76a2067e75bbfe0b9e8ec32205a7f3d34504b4700ae0bcb800ea1c2de2a

SHA512
63ec17d8ceb4782a378838a60c752cf1bb86a7cf46efcd0e53b21f88fb9a07549989c8f74718383fed97f3bad944f067e34521bad7c61a54cddc96335d204505

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
512KB

MD5
45a16d4b6392c6ad4a0373431951a534

SHA1
a5b7e043d99c35d90a1e13d585efb3f52c444747

SHA256
0fef49cacb1f968b256baec1642063605eae77cf3e4f530013f8b48deeffe741

SHA512
3e0b2affb7b50cec4e1f6558015a0e823a8ca627e746bf58079f4ea0dc28a3c8ac95c5e611ec3c749924bab625d8bbc5f51880c11c822e9f9283d89c8e7665d7

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
512KB

MD5
e8b1f9265c2abfeb50028bf178339a72

SHA1
98a13639b95b43649bc7f5827c07c957e861e083

SHA256
9ff3270b43ef3fb5f89a62107b3225ee5bda1966b008d7abf96a661435594854

SHA512
b4908592c6d63ef3d2e1a1a277b7622763646ba56b2f841c27484cca45ab6999f1d963a25ac6a72b9c2639d288044fbdd7923690e86ea0e44594be83a3900013

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
512KB

MD5
1386629aa0c5db944905bce2dacf64bf

SHA1
3f108a3b4e80d907d7a9c5e83e2eee2ac2d8e617

SHA256
e4590372541c6915d4a96382b01b70851bd6d18813b4f034600ca06a23499850

SHA512
f1514e9cd7117d5712413ea8d44ea53e610fe739a33059e2916f9f6c049a451e9258ab27c57deb1f750382b2fa6e0488400c2edc82398a83ec2ee921e8b34c1a

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
512KB

MD5
dc1bbf64972148090b5665db4bc50b56

SHA1
0e62b4c70c6e7af02c132ac9a28cdaa283d1d671

SHA256
318b873715e2a102c7d0f8eb8a3decccac2cbed54b81013aa4d0ed1ce84e7a61

SHA512
2b7494ad298e2499b2bf65de70e4e249a1286778779241c69fa1f4f262e4bf8ada66dcc2908b4ba81ad141858749824ee760d0dbbb9d7c9aaa6e423105f8d519

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
512KB

MD5
3e54de1173cb4bc20aec2748b9703241

SHA1
4062051b482987808ce66a27190d746b1a1f5de3

SHA256
9bf43fb893ca684c501e14c54027dd1e77b68d1579336af6d246a22c4165347c

SHA512
e91d981df9b7e8c54a011c749cc53214ed40a1dea661f5cba3f7de8f5f19eced269bbda2c33c00ee15c933612b2f899dc83b1030614f87c4f7581eb0b5863664

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
512KB

MD5
c02d3ca3db801dd360ad214269de5175

SHA1
5d76048471314d98133003d0eab2682aa21a07fa

SHA256
cc09691ca23e0527431c17698a46e62f3c9ebf5a55b3e82aa3e29c5a62dc1c32

SHA512
bfa198c1bef52b59d69d6e1760e175f49df23bb461dcbb8e336bad7c5ddb557af4b2a70ce28a85f979f59deed9b2ef6d8580e700d74abe5a6060f772ec72b5dd

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
512KB

MD5
6f59b215534be88795337dc3e3abbe74

SHA1
37447b0ad6e4b9e5d42520caad9dae90c8b1c38e

SHA256
cde3134a2442acb6fbc1375baa93d2d504f751da281f03a72d30306d71f24836

SHA512
f7e6f6f69f085edee1afdabaad0235b3239af269679ce5fdbc83aef7a0d545f773b3031a91fc540c0704b69f3b00d2c221a04d4f4c4098e496c3e7ad27ba20b2

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
512KB

MD5
a51b69aef36e1a82d6a42063949b310a

SHA1
44f12c2197f7b260179df2e6254ddfdc27302ae0

SHA256
8d1f65248d2c46fdde9847c78a948d8e7ac99fdf27ccd1bef9e9db7b086497b1

SHA512
288092cc067fc26be83b237dd332bd7b3070eb8abf6a61162dbc34b2a6e48fa117d75e02ad16dce9e952f8c008c3824795e6dec35a3226cb9aaac36e8ec0093c

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
512KB

MD5
1637c37f8833a1078b8dc02009dc441a

SHA1
b7d2d90ce7f985373263e171e5bcdfb2843e24e4

SHA256
cde30351f06b4cc98e23311eee2aa1c216f9f15d89a20bea1729921e575c865e

SHA512
17643b94f072e19d0a87da5ef41a785945fc0c0d6bb806b821a9bbf81dcbaebed912ec01393d8543255dd332b96eb821c8d5f37d4a869f0e138e75a8fed55e24

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
512KB

MD5
caa13a528982f108d5bd466f81bc814c

SHA1
83870d67689841b5377e3027646f5a808af9c593

SHA256
807fa11f506405ec508c59fdc317e4ad35d37dd9c7a34878cde1db5913f8103f

SHA512
63fb557086f1394b6d0d4e51f4c3b9a537ff754bf15d3f74d002cb003c28bad7e1658e2c941a7e7e4494df65554dbe79a2452153cfc35e865984b794b6343a0e

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
512KB

MD5
6318536f61c2eadd7852c6f34525efb3

SHA1
b765bc3ee27bc49e03f18b825bd80c335a75bcc7

SHA256
8eb6e5ab2347b3ff34516b21980bf7563f07b52f62933063792f1796a3132c6f

SHA512
1169d029b75ee0a36f03355f8741db13e32fce4d8a9960ba09c43a67fc36f2523d66677a49697ced11b3bbf4c42fbeb10c801461975a795a91308de6e5bf51db

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
512KB

MD5
cb778dfbd195bb4613702c6c268bd7e3

SHA1
3a6b5eff6b0a68e6b7e24492641fa97190771598

SHA256
bc82fb5e9067bc094df32f15719280b79ef0249d2011fb947deaa8bfb1f04fd0

SHA512
bb82900c6a62e2acc19b0267ba9d331b01948af7cb6e8d388019885b367bba665b9dc9fb30ab2baf284774e4fdb45e2085c2c7bea31e278216dc052a02a66235

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
512KB

MD5
f63f0247566406805aad26b64f247c94

SHA1
dced89b88ba4e3a506d5cd50835d74eb398d9c91

SHA256
dbdfff6878847a22cd2db758481bf6c6767ea9185c2de334ec09cc4da5933335

SHA512
b9d450fd811d00fb62d764661aac774dfedca85d4bf2b3c48524052b26d5de2088a51df4cc5d08e13373a72f08ccd917244464db0eded99e5895ab5be4b771e1

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
512KB

MD5
13a762e7f059dccd1dbc874361a9d070

SHA1
8b9fea207ecb22316414762561fa48e5d45f45ad

SHA256
e8379d8ecd140606ddb3ba1c3192c742230fbf2883f7dfa63664ef8bc186d50f

SHA512
6db32beeab7191698b9b45bb2a62f7b515dafbcdb1282ca465dae7239b1c5edbe645395f457de0650f422ac1f9fb472bdac2743ba4e6356b42da8ea8a4df5f8f

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
512KB

MD5
7a3196b532bc1bbd63adad923a3b383a

SHA1
b59731860f13414c7e43f9e00b78f14d6a55caf2

SHA256
3a41ce9c6ad39e89e62afa53f1842b7d6edeb5653c4196929df164b3d96462b1

SHA512
990b933fcdd28a6410175383f588096fa013bee9fa1f230ea5f706958111ad7ba7ff2c8034ace3ba2e61f7f2e9bdbf70259bd4a98ccad7dda0b62563b20f8659

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
512KB

MD5
eb5286b9d5e766ec41276d821a70d8d8

SHA1
1b4284b684cab10b30b89cc96b8930b7d4429e9e

SHA256
572fe25b3417dffdbd9f4378035e811639d3a7802111fcc0d5a55200d20de535

SHA512
72e21934a8cbbd108886b5c7500f9e56e6c60139d2f32bf3f8b260375a7022b20c8340ad780fad484277d488704ce37db552ecfe4f3b8348078cd4e6d39952c7

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
512KB

MD5
55220aca4b36388295926203e47147fb

SHA1
ade69a5488dd41690a9c5db8a4fecbddfe418b12

SHA256
2bb182448d12d14b7ade38ffd5fe07da8df7b961355ad7798b24dc1c575d836d

SHA512
25459a3f141b15ae6eb557996d6320d8d76ac08f72b9120fa80202078b598816a702ba55a54877e127b185291fa80fb1a05d964f3d1ed700c6f6ce35a37a03fa

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
512KB

MD5
3317b63db812bf9f67446d837aed3268

SHA1
a5b6beb1a656f3ace7547a6cd81b9689ad39c13f

SHA256
f1090497af6a87467ce652390035872b685c7025ad508ca4e3999b215e542ce3

SHA512
a2c8d119cf817d0e8084ece95ff47f7b045fe396b37df38ab4cec96866876244f5c25d8d774a128a68c3acbed8a652564d3909979ae2b81001ff7cc1702b0a1a

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
512KB

MD5
c9415ee8b7da3f62c91ce4483d803d88

SHA1
2d2a605c2e7ccd51c728b1960cef21e93c5aa648

SHA256
64a9d8c38018fe924421c0cd9d9fc7398c7969326973b485211ca50a9d3d3406

SHA512
f0fb5aaf7142c4bbf95c3ba1ee90acb54576289e04f60100575c5109bc14940d7501bb696d1f3bea1d02e80b4cf83f19c8fba38855f094de2b9adfafdb15405f

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
512KB

MD5
ba9a615815293a6b4a67b3e124baad0d

SHA1
a308c39d0e036509a76a0f9e601ba0b87f810f48

SHA256
3e63b9578ad10e9cd703cf41ba1283d75d0e89f3f62e54fd22a7fe04566bb772

SHA512
560920889de1b595c1aa4a0567d30d41dceb5efd6ff62abec320485339a8e5ecc8e02e0c28792646bac8c7ca66dd70a5df033b9d3ef4987c67828e88bec4f43c

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
512KB

MD5
03f72f786cf9f5d421d047d90e05f654

SHA1
7614aa37363f1d545952912e5dbf43b7a2355e20

SHA256
199ab41d219e0732cc107adc7d5b25a89d8ef2d4265f9145e464a4dc07d9b35a

SHA512
ce262347fda2bf24634fef84db859edc3d26f544ae030cb2e61b30cb62a875354579365443d29d30e674e97eeb744fa0056fefe57a8db257e4f4e95e8722ae3b

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
512KB

MD5
323b801d4cfc0e9213ac7ec1e3211186

SHA1
3a4b43b761f0c38e76bb268390519abb15ce7d45

SHA256
e810dbb32989fea8f705d0d0ba37576d0cdeb512fcf6b3e4ef1b2fdc2f65006b

SHA512
255a8232c9d6983e6496f25e60896a136689a089adba4875b5c48a7eefac4ccfbf31fc79fde2937902befc54ba9ae2636aa4f16a0075a56a7327ab7e88a87114

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
512KB

MD5
5c074085d4dce76cfbefb652e1d8bd90

SHA1
0a36d7f4e7461711146cdbc3a05538bf03aad896

SHA256
420402de19f658b4309fe7dd8290af4536307500a75c980e33e02331e348de75

SHA512
2d6cca46c621b12cc026a605209392f6ee2b9d25e78fa4cf00173fb1a09123a8a4671434a32b00c9c90588541cc1f7f03fe3f52a08580325653e777aea5fbf3c

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
512KB

MD5
0b1d5a69fd5f053f14b2e880a8735d3d

SHA1
1b6a5d350d81e213453c15b1b0611a53e066d829

SHA256
fd9899f16cc04739359a24e509693feab600bba31dd5d83979895a6bcaa6a890

SHA512
b0b7468d719002f729fb2bba32dc3b0faf1aa6ea0ec5a2acf857f648efc7353ac78895842f9cf21d6ce4786445866b5a1afbaad1b8edb3d5ad12693b53446caa

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
512KB

MD5
56b41defba400de249679c339859792c

SHA1
53ad5f9a12acbcdcf841bed7dcd7a16547131250

SHA256
535483483fbe47b4324e29cf0dc94b171cbedb22dbb826c7a2d708fa24b38aa6

SHA512
bfff452093b7879975ffe08b3e596aecee771796778a3929cf918238d39a4a2d263a1476c42703a412dfe734417df91b933a8eee3d851888af7cef5bd6cc37ec

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
512KB

MD5
4af81aa3c70b40220e6351c74fd2423f

SHA1
3838d360f8b1c431e154a7cf872b88b5315cbe0e

SHA256
94b58548977ba6b3941a5606c27d895363699cc451871255d42d4bcfbf979a33

SHA512
5ca8c974a83e7b6d6466ff723b49686cd27ef22b18be35a3a2bb39fd90e6bd2bba77a8981bbabc3af1732947b63529d2d9ec60f410f5f81b7830ec894cda0a0a

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
512KB

MD5
3810dd93cdb0999dea4c57efb860889e

SHA1
9cf0d89206c3677a6c313b7fe1b9bcdad51d7959

SHA256
cfbe50a4c06f955843083b8256518ff60deae2a2710b35936f4333c99aba81dc

SHA512
d46abbbc3596a472c46caa62ea07ca593bfc3c85156153609e164ecfa852b6be532c582debc9bd455af749300dd939c7c66abb12e69df303711e7c101251c5e2

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
512KB

MD5
320aefca6b2535545f58dfeff30ee461

SHA1
fa6069cd37f89a9fa528ccaa308265b5a2ed36f9

SHA256
33d7d02329b34d7b3388ccc3243224546b7a1a521922fa2a43f5952383bc6e64

SHA512
db1d5bfcb5df2ee500ce62b4e3ecc43bcc76a0092215be2d72a9469232b28962aa22fafad2b85274e0b2e3dc67d9e582ae102161cd0cd20b944ade01e04417dc

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
512KB

MD5
e7b680b944c71c3c80cccc7e75b75176

SHA1
0c786e21858582b315b74bc7208ef7b41af692a4

SHA256
f3c316233f32f1c6a6e3ee7247c684d258fc7fae904ddad2c11c52e55b967a4f

SHA512
0940a5d7cf643ef4d3c805193c9d4062ba57f246f34d44c0278a476904c4999e34dc7aa9313fcaee8f84bda2211815d8cb28072d5b6f8fa147d46f5a000796b3

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
512KB

MD5
93a2e645974827ad7bf40a8629480683

SHA1
dce24746ba762c234bac13a832817ae0806fa85b

SHA256
746f3531cc941c97461ef6dda6c2214e18a427258f65b90392f04fa27dae994f

SHA512
8b7556b57f9b366dbb1e46bb6b922007cc9bfe2606317a727ff9bf88e797cc2e3d25010163b9e699e0163c7f9a296fe610e1a7ce9c880d7e91768998909b07e7

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
512KB

MD5
a8fee80560e5bf2b884787b45d301d6e

SHA1
be57326975d66fdf7338864dc1c2b4e065a28cad

SHA256
246e9ac88f94c3187aa5d21667c05d47c03bc7182382391deb71ef22d9d0810d

SHA512
f0f04dc6e886a3bd1c14b3ac8ef8eeeffa6c024266b4aab6888ff9c8845bf1e1d78d2364a40afbe98a983a52a3c69b3af2e5351f97ab6d9c15072b9049eaaa1c

Download Submit
memory/116-93-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/116-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/224-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/452-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/632-599-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/816-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/852-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1084-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1220-557-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1456-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1480-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1656-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1692-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1784-605-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2060-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2132-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2236-563-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-575-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2340-94-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2400-395-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2924-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2928-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3152-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3184-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3276-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3280-623-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3356-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3360-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3388-569-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3400-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3476-581-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3488-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3660-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3852-102-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3852-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3980-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4268-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4448-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4532-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4560-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4576-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4604-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4612-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4724-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4796-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4828-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4828-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4864-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4868-85-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5024-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5028-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5056-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5084-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5156-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5164-611-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5196-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5228-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5252-617-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5276-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5312-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5356-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5388-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5436-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5476-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5508-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5556-467-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5596-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5636-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5668-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5716-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5756-497-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5788-503-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5828-509-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5876-515-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5916-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5960-527-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5992-533-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6040-539-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6080-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6116-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads