berbew | d88afd55a93abf45e9c5a42c306bc5da30a541286a26651165d99524bd76c33c

Analysis

max time kernel
136s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d88afd55a93abf45e9c5a42c306bc5da30a541286a26651165d99524bd76c33c.exe
Size

163KB
MD5

8e65c4b11e9a0fa078359dc3a2b962be
SHA1

c7c4d0292b16c28c1684a9cf6fdc985ad21fdc33
SHA256

d88afd55a93abf45e9c5a42c306bc5da30a541286a26651165d99524bd76c33c
SHA512

3ddf1de0dd006906df11bf92dae8531fd03d89687c160c553dca22e94e637297712b2c9a3a2e12a73e0ab4d5ea33bfc102b1ebda538a6535287125a8932e172b
SSDEEP

1536:P46vLbvktdHZVYeq+3ypZ9wMwbf9lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:g+vktdHZVYyyr9wMC9ltOrWKDBr+yJb

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023ce8-805.dat	family_bruteratel

Executes dropped EXE 64 IoCs

pid	Process
1652	Nnneknob.exe
348	Npmagine.exe
2692	Ndhmhh32.exe
2508	Nfjjppmm.exe
4016	Olcbmj32.exe
2776	Odkjng32.exe
3672	Ogifjcdp.exe
3132	Ojgbfocc.exe
3404	Olfobjbg.exe
3460	Opakbi32.exe
1968	Ocpgod32.exe
1304	Ofnckp32.exe
3492	Oneklm32.exe
4664	Odocigqg.exe
1712	Ofqpqo32.exe
3016	Onhhamgg.exe
5092	Olkhmi32.exe
1072	Odapnf32.exe
2884	Ogpmjb32.exe
852	Ojoign32.exe
2996	Onjegled.exe
1976	Oqhacgdh.exe
432	Oddmdf32.exe
396	Ofeilobp.exe
3788	Pqknig32.exe
3804	Pdfjifjo.exe
4140	Pgefeajb.exe
4376	Pjcbbmif.exe
3924	Pmannhhj.exe
456	Pclgkb32.exe
988	Pggbkagp.exe
4432	Pfjcgn32.exe
648	Pmdkch32.exe
3244	Pgioqq32.exe
1700	Pjhlml32.exe
552	Pmfhig32.exe
1584	Pqbdjfln.exe
2328	Pcppfaka.exe
3456	Pgllfp32.exe
4332	Pmidog32.exe
2404	Pqdqof32.exe
4056	Pcbmka32.exe
748	Pgnilpah.exe
1472	Pjmehkqk.exe
2324	Qmkadgpo.exe
2732	Qfcfml32.exe
5004	Qnjnnj32.exe
824	Qddfkd32.exe
4580	Qcgffqei.exe
3748	Qffbbldm.exe
856	Anmjcieo.exe
1540	Aqkgpedc.exe
3176	Acjclpcf.exe
4456	Afhohlbj.exe
1916	Ambgef32.exe
1076	Aqncedbp.exe
4388	Aclpap32.exe
4752	Afjlnk32.exe
4900	Ajfhnjhq.exe
4940	Amddjegd.exe
4104	Aeklkchg.exe
4628	Agjhgngj.exe
3360	Ajhddjfn.exe
4680	Aeniabfd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Oneklm32.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5844	5556	WerFault.exe	222

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d88afd55a93abf45e9c5a42c306bc5da30a541286a26651165d99524bd76c33c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	d88afd55a93abf45e9c5a42c306bc5da30a541286a26651165d99524bd76c33c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Ndhmhh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 1652	976	d88afd55a93abf45e9c5a42c306bc5da30a541286a26651165d99524bd76c33c.exe	84
PID 976 wrote to memory of 1652	976	d88afd55a93abf45e9c5a42c306bc5da30a541286a26651165d99524bd76c33c.exe	84
PID 976 wrote to memory of 1652	976	d88afd55a93abf45e9c5a42c306bc5da30a541286a26651165d99524bd76c33c.exe	84
PID 1652 wrote to memory of 348	1652	Nnneknob.exe	85
PID 1652 wrote to memory of 348	1652	Nnneknob.exe	85
PID 1652 wrote to memory of 348	1652	Nnneknob.exe	85
PID 348 wrote to memory of 2692	348	Npmagine.exe	86
PID 348 wrote to memory of 2692	348	Npmagine.exe	86
PID 348 wrote to memory of 2692	348	Npmagine.exe	86
PID 2692 wrote to memory of 2508	2692	Ndhmhh32.exe	87
PID 2692 wrote to memory of 2508	2692	Ndhmhh32.exe	87
PID 2692 wrote to memory of 2508	2692	Ndhmhh32.exe	87
PID 2508 wrote to memory of 4016	2508	Nfjjppmm.exe	88
PID 2508 wrote to memory of 4016	2508	Nfjjppmm.exe	88
PID 2508 wrote to memory of 4016	2508	Nfjjppmm.exe	88
PID 4016 wrote to memory of 2776	4016	Olcbmj32.exe	89
PID 4016 wrote to memory of 2776	4016	Olcbmj32.exe	89
PID 4016 wrote to memory of 2776	4016	Olcbmj32.exe	89
PID 2776 wrote to memory of 3672	2776	Odkjng32.exe	90
PID 2776 wrote to memory of 3672	2776	Odkjng32.exe	90
PID 2776 wrote to memory of 3672	2776	Odkjng32.exe	90
PID 3672 wrote to memory of 3132	3672	Ogifjcdp.exe	92
PID 3672 wrote to memory of 3132	3672	Ogifjcdp.exe	92
PID 3672 wrote to memory of 3132	3672	Ogifjcdp.exe	92
PID 3132 wrote to memory of 3404	3132	Ojgbfocc.exe	93
PID 3132 wrote to memory of 3404	3132	Ojgbfocc.exe	93
PID 3132 wrote to memory of 3404	3132	Ojgbfocc.exe	93
PID 3404 wrote to memory of 3460	3404	Olfobjbg.exe	94
PID 3404 wrote to memory of 3460	3404	Olfobjbg.exe	94
PID 3404 wrote to memory of 3460	3404	Olfobjbg.exe	94
PID 3460 wrote to memory of 1968	3460	Opakbi32.exe	96
PID 3460 wrote to memory of 1968	3460	Opakbi32.exe	96
PID 3460 wrote to memory of 1968	3460	Opakbi32.exe	96
PID 1968 wrote to memory of 1304	1968	Ocpgod32.exe	97
PID 1968 wrote to memory of 1304	1968	Ocpgod32.exe	97
PID 1968 wrote to memory of 1304	1968	Ocpgod32.exe	97
PID 1304 wrote to memory of 3492	1304	Ofnckp32.exe	98
PID 1304 wrote to memory of 3492	1304	Ofnckp32.exe	98
PID 1304 wrote to memory of 3492	1304	Ofnckp32.exe	98
PID 3492 wrote to memory of 4664	3492	Oneklm32.exe	100
PID 3492 wrote to memory of 4664	3492	Oneklm32.exe	100
PID 3492 wrote to memory of 4664	3492	Oneklm32.exe	100
PID 4664 wrote to memory of 1712	4664	Odocigqg.exe	101
PID 4664 wrote to memory of 1712	4664	Odocigqg.exe	101
PID 4664 wrote to memory of 1712	4664	Odocigqg.exe	101
PID 1712 wrote to memory of 3016	1712	Ofqpqo32.exe	102
PID 1712 wrote to memory of 3016	1712	Ofqpqo32.exe	102
PID 1712 wrote to memory of 3016	1712	Ofqpqo32.exe	102
PID 3016 wrote to memory of 5092	3016	Onhhamgg.exe	103
PID 3016 wrote to memory of 5092	3016	Onhhamgg.exe	103
PID 3016 wrote to memory of 5092	3016	Onhhamgg.exe	103
PID 5092 wrote to memory of 1072	5092	Olkhmi32.exe	104
PID 5092 wrote to memory of 1072	5092	Olkhmi32.exe	104
PID 5092 wrote to memory of 1072	5092	Olkhmi32.exe	104
PID 1072 wrote to memory of 2884	1072	Odapnf32.exe	105
PID 1072 wrote to memory of 2884	1072	Odapnf32.exe	105
PID 1072 wrote to memory of 2884	1072	Odapnf32.exe	105
PID 2884 wrote to memory of 852	2884	Ogpmjb32.exe	106
PID 2884 wrote to memory of 852	2884	Ogpmjb32.exe	106
PID 2884 wrote to memory of 852	2884	Ogpmjb32.exe	106
PID 852 wrote to memory of 2996	852	Ojoign32.exe	107
PID 852 wrote to memory of 2996	852	Ojoign32.exe	107
PID 852 wrote to memory of 2996	852	Ojoign32.exe	107
PID 2996 wrote to memory of 1976	2996	Onjegled.exe	108

C:\Users\Admin\AppData\Local\Temp\d88afd55a93abf45e9c5a42c306bc5da30a541286a26651165d99524bd76c33c.exe
"C:\Users\Admin\AppData\Local\Temp\d88afd55a93abf45e9c5a42c306bc5da30a541286a26651165d99524bd76c33c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\SysWOW64\Nnneknob.exe
  C:\Windows\system32\Nnneknob.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\Npmagine.exe
    C:\Windows\system32\Npmagine.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:348
  - - C:\Windows\SysWOW64\Ndhmhh32.exe
      C:\Windows\system32\Ndhmhh32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        23⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        26⤵
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:456
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:552
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1472
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        47⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4580
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3748
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        55⤵
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        58⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4104
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        65⤵
        Executes dropped EXE
        
        PID:3360
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1152
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        72⤵
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        77⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        79⤵
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5240
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        81⤵
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5416
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        87⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6036
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        99⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        107⤵
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        109⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4440
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        118⤵
        Drops file in System32 directory
        
        PID:2256
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        119⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5792
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6072
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        125⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5140
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5860
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        131⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 404
        136⤵
        Program crash
        
        PID:5844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5556 -ip 5556
1⤵
PID:5652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
163KB

MD5
2f73a948ecce386eabae7c2e482ffce8

SHA1
0b42ba3e5d80a5774ac5ad1dc59804ebb51d7241

SHA256
30b5400eedefd571b81ab78bfdbe2a71b5765529e27c073a12c743bc909b8142

SHA512
bac0ad885c86887bbe783a5e9806fec377404de78ee1c116d60a1aaa2d5efbfe9a4ce0755912676cf44e54731e4650efa339072c18a902b3d60d0d8f362e524a

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
163KB

MD5
c67b12fc4628c931be66e71bf68e65c0

SHA1
35942bd7882c8850628deb6b3800ba22a9d35e16

SHA256
bc2734593cd16bd68556a144f4a0f5c603bca6c95eea36da01d2afde19041c28

SHA512
2c273769f2eb71867ec2fc49b280de94a5125084b1df09c95d0949015e0a8fdf8d725a9d7eb13e1df68022d5cb97904b09778ca6a1f88ee6e8f871246afaf50d

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
163KB

MD5
719f9a3559016d5a007f9cc93994e472

SHA1
1e70d872561eb6b1db2217c563c44ccb3109efda

SHA256
65cb060c8b82bf4be827f0a5e29502ffe6b506d63daf36814809e139587275d0

SHA512
d468cd9de90943f956c2d191ae3a5a150f97845320b92eb5a9aed7ded57b5797c9f6f5c7409ba86ce967847a11f3a77631902765401859219d86e22cd099eb8a

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
163KB

MD5
da3ae4961658fcbf4c77076f300bcc5a

SHA1
8362ac3eae36b7f23914a40c04c111523acd2ceb

SHA256
c679e17400345803d3262553997ac05b04a44e5d9b3ba8b0e7aa4c0ea630f483

SHA512
e8defcf7266575a2bc16c7a4dafe2025f3412dc137236782f69b92b5514fdf2a64e53a299ae188c8e54f4dec747ad3209947389d470f8213ca5ec2a4c21683e9

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
163KB

MD5
d71537a0446ba8d687eeb082f728334d

SHA1
2405d1ca2aea64fd9ebd24c2417c6345f6587d65

SHA256
5907f261452f35c8ef3987fcff2c74d1762cd12d58a1bc06024df30fb1bdfc8b

SHA512
744dd290bfd6c4b61df468eb09ea9331006d97e3ad3278a4c1eba711fa4c9adb50c1825cd74793fce0b55d4545291854a6cff166fa7116abbe6a7905a1b004f8

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
163KB

MD5
d56e02bbaaa4af093315f982ceeed690

SHA1
f929e401ae1d871cfcdd74c5bffe4b414841ba17

SHA256
7d83a682562b86b3f9a7595131d37f21e680fd35f98b4f5e57c88b1c69860d39

SHA512
38c231b5c149499d139dd5a1c2f7a1150996f24af6ebda83705ceaf205ba32b11de988873d63904a4d023ead1086f0d70ed748e48390bc846a0a6cd79d00fe78

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
163KB

MD5
9ac177ce7ff2544151df633e56b8e520

SHA1
58a157aec8b4370dc90288b1aabc5ee8df6f00a9

SHA256
5cba2c3bae7ef5f796bfde18284d0f49e03eb0e02d70573671353dcefa690f87

SHA512
d40e1f90ea58c4e33e8b16009ed1d30078195f13c06944c2f6c2050b2a491ee0a83cb8064133f6340ec65a4571558d18e98bdc7798295c999340312062472294

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
163KB

MD5
979a95cde9aad7d198b9e823f63b451b

SHA1
73297d2a5bc6a1e301e1872a6b4b5e372e0af1c6

SHA256
8e164415c9ce5cf11cdace3dfe2ab48587707e59dd35d4f47e1b110d6435dfed

SHA512
a0e0e7e25761468c998cc86c3f10fe5a584e94e79060b76c9c75b06af05555513968d6a741090df76226ad993fbb96ac5fba781cab5c3adc2c239c10b7a8b92e

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
163KB

MD5
00ac16a7901e2c209e8167414642a8aa

SHA1
a47ab9d9df7e85893ded425abbc8e49393e5625d

SHA256
5f2d950b25ab30eb61a501084dd8c797152b97cc3734b571c136fbd11b1fae19

SHA512
c74b8072455fecf4fbc40c6dca37aa78530beeada5f18e3df136f287d97ee4ba2a137818d50321f09b408bb95cbace3a7e94808b429165d125369d219353b874

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
163KB

MD5
06f9333cfe7c073e8a11bc47d376ecf3

SHA1
9a73412eb0dfc012d6f5a65c7f459e272d2a5dbb

SHA256
48ea2f8a6f4832a879d4cfd2d9d7f54b59ac90088123efc02a383ab565610a56

SHA512
8fc987afe37f03fa4c5d5564931b72a267d364e9058c832d8eaf8b88175d65501a378fba1826a79c78ef66fedff7ec7a6084f2238f15e0d5752d3d9c2b8a1e43

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
163KB

MD5
d3cb455a370982fd3a5c3be97607817e

SHA1
7267fce644f4ff7ec2d81880ced86d22f33a9ed8

SHA256
ef69ece69b2d5defecb8139ad469703e570507d5467113c8b21e2eab13873dbf

SHA512
651819482620aa73788c02868347a5292f155fac0b171836b018d28ff1c24de977436baa1f9f2ce2d552df13446892c40e65af7124a6f36a71fb391e6ad38df9

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
163KB

MD5
8555d6cc8e98078c48c9b38ad5e75b0d

SHA1
47c1f4835869578f5ca4dcefddf63869ab8c12f5

SHA256
d1b95e7403614e4c19eeafa1219c14b0a8b37933b94c872a268546f5987e6afb

SHA512
7c830510be56e116b23773546abfa705230789ce8ab31c033a0e9a1c73f5e0cd9da7407d2f0259328981eaf69e588e59962cf1b8ff0f96c3d66caf8551b07eb6

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
163KB

MD5
5eb79b8273f69df350714df8a92a29e4

SHA1
44eb89d6802ff8ee17923c381088795a761bcc71

SHA256
dcaca0149f3e5e614a705e87fbb539ae3eebf9495feb4a0cd04a7468fec22f18

SHA512
cabbf5106d1969b1104b59322cc9090dcc8774b51b56e7f7a5f0f3c3426dba05eef3c31c2a45a15e6bea29cf65af7fb354514feda981be2022e889fae9961149

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
163KB

MD5
f84fd5834c4c79c0b726be22addb5260

SHA1
b7c80e37219efaf216f85b94916e0fabc0341443

SHA256
8917e036abd34594e8c80e482c845ed42870bbebd2fea3882a047dd3acae05ce

SHA512
a898a496d4055dfe4981d24c57105331311d3b60e4c09f2488b0e0c949d0b4832c529e7cd079bfd8c18cf9d6207d69f79bcb8d99fc249ad3ba10ce07dd8b96db

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
163KB

MD5
7508d09474946e5ff99cfc000d24f845

SHA1
d9f63703af45dda9fc2bf0e9a4ee19694fb5b164

SHA256
c202be3a8c854540a8297505a4d811ba977705f1cd495fb6b98bfb5cc6dc6cfd

SHA512
dc6d9aed2711489ddafe6a192f2ca433401421efabd7a6af6149718035d1388cb4665dbc2007afec1e5ced76cca34743ba8b16a6d73f1164ced9c36b24de980a

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
163KB

MD5
4eec1cec03a3527e11a38adbcbd47dbe

SHA1
1db05186a8a264334567bf15df93c73fb1995b48

SHA256
5e6c3e53b2a1a5ddd69119b762869c322cf0a14d2d3129d428cf4856280e3885

SHA512
51f05af4c262c1d9d78a302d019bd1849fc6443fb45aa6733a7e902dac20ebaa2d5a2afea33a9a972a2b9b717c063aa9e84111ee52bce58d298407e972de46d9

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
163KB

MD5
ad20eebe41f0aae149b6cb7834b4ff11

SHA1
dfe6bf77fd038a86b241608246b6c4c93bf2298f

SHA256
2f7d77eb2f8e3b7f203aed8483c56ce77740a6a3edae19ccb500dc4064441acf

SHA512
80c6de853626be04821699e5f16e31aaafdc264881d81fbf0c69a4b5994f68075a3ba814fffd8857210626749b4e99129853842c8ddcfe363ced625b15d6f621

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
163KB

MD5
a76b7790840fc8a24d6ef192ca3a1f15

SHA1
f3c3d2bd244bf115e5ab4611f63e4e3c0463a7c2

SHA256
e2b9436a5133385dad311c485ae9ae6ecf25ca2a4ecf817f0bf4779e517e38e6

SHA512
b730941c31481f24f3454c429274e3e68d931d717e8a551994e1da107aeebcb5cd2a84ff4137f2f210f927ebe4c30b73673295a7e53e0d83f982b8523965a3f1

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
163KB

MD5
565c0ba11afb3bb280bb4df582af4aa9

SHA1
dae61c72656f1a35214975b07cc144ae8a69061d

SHA256
1a511301c5a37afcb258681168a3424fb7b8aac2612e50d7a495b483f737ef7f

SHA512
c9c7d2e758b90e1e5cb4b0a13bece6f1eb52ffffa6a5a057953eff3ad998c67892535b3e69e0f486083c426b955bf34ddbd5ddd119f55443bd8bf8e55f5f2124

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
163KB

MD5
59936c130f5bec48d9e1800d18c81c4f

SHA1
30983b441ce74ce167304bebafee27b921d88dd3

SHA256
6bf4dd2c45c3532075fedf55afcec808e0826d55c977e3db5fad33b2c8442704

SHA512
3d93e96b29d7290349db98de4a82d19625260d2e8b727f1cf05c204ae99718ca1cb5507d1be24e077665dd9bb7694fb55793dd394513ae9e68b602180be6329b

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
163KB

MD5
de5a2bec12e3d8dc41168fc326cad19f

SHA1
8edfc6df76762ef6778b8103720ade0adb96f42c

SHA256
47b372d2db60cee0b541ac022d07dce38e073a18d61b9612972a81be5ffe68e9

SHA512
221c12d291bc3030990c8c29d7bf365480dceb77ab72f27e2bc57ecde8d6200967d1928f64b4a9a132606c53f2864cf49a6a5778fde14eb3279a6c35a64ca584

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
163KB

MD5
cb72e96b34b57e62089ffe3a4d9c4e59

SHA1
645e7b60c17614340abd5b0e4ed8f53369716e0e

SHA256
2e4fe2322b33f02fa9bf9005e7877c57eed98c7be0dce0fd7183ad3b421ab766

SHA512
40a8111cdd4b3e552c1acfee545fe157a5826d4ad720e20c893f3aa55566f06ce4df9bb83f0384609cef994d1300167450918ed105ddc870b1775fcc866cb9ac

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
163KB

MD5
9dfd8393dbeb5fe410e90a3dac6632cf

SHA1
d7f3a0708bf48cd9ec91ed1f6fe0af17ab86343c

SHA256
3209af6f02c59223df8886daba23f3b84071d3d8b0d23489cacdf10157ad360a

SHA512
dd6e41bd161f78aca7e5656b2982b8adc8a785dd84d02e857a89e6608f5bc68b99e78d6ba6239c4cadbf7bf8c859c8609b546588648be02bc9eaf51f2c732ed9

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
163KB

MD5
e1b7c256077cd9190075698cba98d7f9

SHA1
7e44a9190058d1f2e7e99c9278764ecce1cf3fde

SHA256
5368d5fd80ffa59bad20ade6a234fa03b1519eaeb35a6b3ab35a03c8bde51882

SHA512
ee313060fb5c5b9655db3e0d99692b90e1fbd490cd88b79feb92fcc4618b00591a1fe3775fe7577426350efc599651503bcd4cdcbd3c9f647f2a2f6f9166a1a5

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
163KB

MD5
b82291e80b2cda47af092f914c9e0e31

SHA1
bc5984cf3b58d19d7e6b262921d7945eb81907a2

SHA256
28df38c4ab224976ad0466bc2dcd2b9ff9ed1214ceaffec4982dc39060015a79

SHA512
34dcc0ad72d42180d4f9d4c572a50fa7fa5957f425db2f8454ee4851d882a3ba10c101b6c96211479ee14800cf25c0543e5fddb27f1df59fd77629baca7db399

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
163KB

MD5
539db785517851da70d0b7e855cc963f

SHA1
65e4ae8c0ae350cab562fe3cde875bf17d868c6d

SHA256
bba4bad6ca084d459fcf1572badc412069d5423dc6aad18530e1fa2d216d16d6

SHA512
84f663813686bea5f0b23c0088e9c1e7db1fcdf170536bb72aed645789492a12bf73641eb5dc37c6d45b8e88aa4672cc701937a2e3cd79b0b5d0e645ca5642ef

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
163KB

MD5
7c3b166c79beb6716e83bba8ba1ecc78

SHA1
6574ebf5109bc41b77920191e6757c1add828a5f

SHA256
924e2bed6b5ddaa560da2af8425b0a8c847dc79930e8510fff4fcea0a964c5e2

SHA512
d72eb55081a641a9234ec7ff53a84bc55b4fd8d5421522033a5afbd7a12a9846b71aca10915ed3131a3ec06239048516d100b614679c4f7583907b1cf221a87e

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
163KB

MD5
a0938e9b112b1868e0c5ae05aa1136ba

SHA1
506238f3013d4c08212cf7ca2cdb6850b33d3be4

SHA256
f71dd354ed946b8753c3cc12b0f4995b2f787ea09e8762fe552c7ac90b5fcd3e

SHA512
6d7f1a076973644a25f6d62404ea8b896ec5aafd3c58633e3666257fbd9bc317f8b65e58f6b809dd6495f558b5873b5934e0f484c4c9dcbaee3dfddca2098fc4

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
163KB

MD5
41d7a1f66b15ce9280cd59695cd2adc2

SHA1
2a5f4eb95546872d237eca580ea964af7a96daac

SHA256
973827f97cd4a90aad7200e475e860c798a4fc7456701f28577019f3cd428ef4

SHA512
5775a0388638427fc72304b9c8603e2411af13f03c782f0826405b195ada591841428f93a2048923dd9d8d1e30cae3be73b2ec6b0b8c32fe8c436970a964a80d

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
163KB

MD5
53a9730724381e358543402bf28899b4

SHA1
3d2965da6acc63f7c23ca5f77635905c660c2e8b

SHA256
600eec4009079a1bf2bd74f89b3742a6cc2cc51d15ff2ad89aa53e0401429474

SHA512
435e59610ac621e0447ad9c63a068a1b79c71cdbb3863ea05e0e5636b6fc7754d41c4f63213318f195289af0bbbbdf5cb819be1669bf7ba1bc15638bf26f9c04

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
163KB

MD5
0569a00e95ce834fe5f6fbfdb505f3d5

SHA1
c768e0ae6fe5937b4c3a263527ca393d9d65b20d

SHA256
26ba60ee37c635bf0cb8c2ee81e400fbc73ee1e8cd19ff21993f7c854aab9466

SHA512
63ea2ba3ea682673b43ab4b98bb55b454d8792b868a22fd975a43e466ca7d7145518affc0fcc8f6003c6401012f4330be9369b763d6d7665e91d2c5b55df8238

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
163KB

MD5
2fa7dbaa5c632c46fa33cad821f74739

SHA1
02c14dde2c0b1a327751ddca8be56438e44abcfd

SHA256
73ce3bb3d08c1709213ccc952e2112e84932dd2f2b2d07f10aeb1ed50fbe11a4

SHA512
cdc01faf401e5ee2ce313f384e0e9ca7486f4b8694ed54552392ece1669cce8989d1f70efa17b737847be1f2e69b09861ff11cabe9308261c32b208abafc6e05

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
163KB

MD5
8e87c135427ab736964283c7a4cc908c

SHA1
99bdf2bad2217d6f432c2260ba47fbfd47533328

SHA256
8a2c02a9b9d9a7dca8ba68e40c633471c7be38339e2904e748298b28fcedcb18

SHA512
1517d47974f3de986627abcf1b0e016e099381d24baa4644555c764ad0bcabc819c05e6a9310efad9123b33d589365a501aa0d87fe5da504494108d9c9233c26

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
163KB

MD5
2db80f1f5e5a772d816225e8725053d7

SHA1
d682c9aa89dbc1d068dd65b20d52680353d3ee97

SHA256
eaaaabc20b8ba44236ed42fc721183c836b6238b4f19f3766c8485f3548ef995

SHA512
94cdf9b9d6524f6947ae2155a81bd22b65928c1233642133701f151c24f7fd92ceac41fa8f22495bdf9f54af2081fbdbfd27d610672eefbd059a31220fd51091

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
163KB

MD5
e6db49865dbb111d69f566534baef0aa

SHA1
3c7fe7cb1ee5ca89f01dbc84abaa4e580503d46a

SHA256
6dde0b74794bb4e18e22d07b059ef9ea722cefc67e07151c83bf711a806d5b3b

SHA512
37e35a1fba0a66dbb09a1a3658c2010ce872df8f4937b23e5021be5df7181eac036b8ef2e3e2740e31a6a0397a5f890c85f3a8f82754780fb822072d08cc40bf

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
163KB

MD5
268cec44fc720d51a5fcbb2d69fa9a54

SHA1
5ffbdda7988289fd1d988a8586efea628a1001bc

SHA256
f52c5a9291f10fe7e57a5211065afd3e6e76e80c19360c63582559664c113faf

SHA512
108e89689a5467448b5783255dd5870ad2a5f894f3b8e03bb61f805a215f4be0e331656cb0edde1eee57bc4656663530b8c2aa4e730ca43d8e5d8aeccb82ed04

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
163KB

MD5
0a679073502429d3561c6f1ec60fc1df

SHA1
b2745eb45978286a2092c075e50adc0b71e29fe8

SHA256
5e135735f20b12abc73f97c00cb9e6bbd2c38d99012ea525afb9544be37f96c7

SHA512
4980fc47d54c67417fad130baba23310f95eced09eee2d2676da8f105e017a3266412ae0695938917525881626c5cb8e10dafc64c7791e10a0c2772b64586c81

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
163KB

MD5
b0a52f624dfd3851e5328217cf9cec13

SHA1
d4485e74de7195005b0733370bdd741eea7b9c29

SHA256
30f0d2bcf9851b123b200bdbbc137c216250aee903848e666089f368f2bb9e2e

SHA512
c55f991e426bb4ab0a9fb27c38246d83e2a11a8ae76318c091e62465fb6018c37c1d7d8f80ab39e87affa008ccacf4a4ed29f9c7925844f66810cd501c5c8401

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
163KB

MD5
4b433ffcb90d5af8a2be33774db08990

SHA1
0954760ddc380e673f01c2bbd88abce159dbfadc

SHA256
35b2db17a7ee39eb4e95e1633985d30fb6d76b19ab77bd9c0ba862a4f1111ad4

SHA512
62771d26037f07275eb8baf7a2449186a7d1d990c71322740e3a474b8a28694c58e4decb25d6f0560fde676957f6b07a47c99f5c868a2c2be340facd8f6e743f

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
163KB

MD5
0c13d98e5740dd3fa7eb5ece275aba7f

SHA1
dc0317f6691674105ca663163494c37d30bc8b35

SHA256
10c3bd90181bc831f22cf07926f87cd7cc01df555fc13a29ca2201b54b1fb18f

SHA512
9a723a19e0c13eeb9a80b919a094b849da2b3e0508cfda274abe6f0f6c9ad644382b0f9326da7d115e36ab1b1b955c67757a6d71ec2844b091875c7d997e7f7e

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
163KB

MD5
84e5edba4f81b54a25f6b125af017ee3

SHA1
fd82c6f5762ecbd34ff48d2e46007b5ea55f0814

SHA256
4f96cc4a6cedb42600583ce61c624e84b0c076d4d578076b21cb3e2e34d4d092

SHA512
b6e5b415a1defe5404d3a9e5f66de9f5453437102586256dc625cd448864b8242d57b9dfbad6f33641e3900b9b8c213c53890c142f60d8acb48dc68bebb873ba

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
163KB

MD5
5e4657f3307bf656e6483dc7bafa7c5d

SHA1
fa1c816017e065d3527d70bac47769f0739585d1

SHA256
b1ebc5281d791cb30ee7c9efcc511172490a84e81e6e8153c3f482d84d447f97

SHA512
a7d9b925d156e58de25b87651251b19fc435544e1b8ea6f9f3a9bcc599bafe4e244be05bfae3ca578335e6b37657107c244bce25a5dc7b3b7c3bdddb0ca32697

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
163KB

MD5
b4f2fae8d7da50bad1091290b5805c14

SHA1
2f08f2e1465feddf86024df6f78e9f242aa6a958

SHA256
90aaab6b3e011ac59cc9291654e61277f2ecd5899f8f397555c664af2fa68793

SHA512
1b71aa253b7f44e4f1f60f2f918868afd7040055f1e4b7908591b5dd55655ffccd5834211f9457d20d0e6265d89004b2f5769935d0f43523334dc782752ae374

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
163KB

MD5
a469985c8f2ed704a9734ca6f4eb7756

SHA1
ece490413ad5284152e44fa9d27ee59e9bae90e4

SHA256
93e05b9559c4cf07b0d358ec7f522d60e73a851011c7bfd21dba71b20fa047c2

SHA512
f06f2a6b4251748db4e8d4d88db37335082177f519482ebf108c3e35b0b9514a506ed47a3179a263035386305e955504240f7ec61d3e519c37e143062a1f43ef

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
163KB

MD5
347e3b01ac65d64c2eedef622d5d701c

SHA1
ca043472b7a0735624f85511ac4a269b2ffb94cb

SHA256
024620b3e38533521236b974347d5deba665e487fee86236df759f695e199091

SHA512
95e4627247f879a77abf24d43c8bc88d3edac205d9492b3eecd5c857db2af7246a19db8f0f625ea93661c7a38b52d042676370aa9d3eff624f7f9a55cd5f9ae9

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
163KB

MD5
e442daf56e74b77e868973eea149c2e3

SHA1
81b9d6218f5617a4cc9491ffc8fbbd5f1810570e

SHA256
a16cef34002f35f4158743136f907d188a892b7533cea33a0bd8c5e1b38cc5d1

SHA512
860de3ed4dfc91727b644ad189f7e427b236fef260d9d96dd5049d5cdb36a7ef944f1689fc21ab0c81e550d2ae4c3ef0ea6e090f164c046fe03de4100104813d

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
163KB

MD5
98306f82bca24af0b6c854d2cca4fe3c

SHA1
cc955c6fdfb74feadd31222f6f6c301718b7fc7d

SHA256
58d295296e2f357713f0cd2a198288581744e6c7014c9458376f2eef781aa386

SHA512
d4396b79c1ea9de411077308024a671da67fd19c4a524b1545accf66913188dc4aa82756e8e4609e17b054cd0d1d439065845d152c4747a5a6f295a18e0c0820

Download Submit
memory/348-554-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/348-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/396-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/432-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/456-245-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/552-285-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/648-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/748-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/824-1084-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/824-354-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/852-165-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/856-372-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/916-462-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/976-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/976-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/976-534-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/988-249-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1072-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1076-402-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1152-480-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1304-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1472-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1540-378-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1584-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1644-492-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1652-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1652-547-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1700-279-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1712-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1916-396-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1968-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1976-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2168-486-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2316-516-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2324-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2328-297-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2332-504-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2404-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2508-568-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2508-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2616-336-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2692-561-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2692-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2732-342-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2776-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2776-581-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2884-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2884-1144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2996-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3016-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3052-468-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3132-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3176-388-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3244-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3360-444-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3404-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3456-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3460-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3488-478-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3492-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3672-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3672-588-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3748-366-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3788-205-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3804-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3924-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4016-574-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4016-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4056-321-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4104-432-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4140-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4332-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4376-224-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4376-1126-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4388-408-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4432-256-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4456-390-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4524-510-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4580-360-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4628-438-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4664-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4680-450-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4752-414-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4864-498-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4900-420-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4940-426-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5004-348-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5092-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5108-456-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5160-522-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5200-528-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5240-535-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5288-541-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5328-548-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5372-555-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5416-562-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5496-575-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5540-582-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5588-589-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads