berbew | 44b09ed3d811038655568f40a60ba88c3ab5136a4483d59a188f14d510fce196

Analysis

max time kernel
98s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44b09ed3d811038655568f40a60ba88c3ab5136a4483d59a188f14d510fce196N.exe
Size

81KB
MD5

f87c6ffbe130e4ae8795c3e86ee26020
SHA1

4e9e2a52ba2336dce1045d38b1f472c1356fbf39
SHA256

44b09ed3d811038655568f40a60ba88c3ab5136a4483d59a188f14d510fce196
SHA512

81c8e0933ac4acc4ccc5117972e6d66c379145deb072c5573abf40dba4229bd7748289d0e5085783a1ec8c2c84bfcfa186cfb41b0b849bf64538d00ff17ab034
SSDEEP

1536:BcOERpH/98s5XtYpE/nZUAy/H1uugjIvayBtXJwBAmDk7m4LO++/+1m6KadhYxUT:Ls5XtnZ7y/H1uugjIBZw6Uk/LrCimBaT

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
880	Mmnldp32.exe
2408	Mckemg32.exe
4836	Miemjaci.exe
3944	Mpoefk32.exe
1924	Mgimcebb.exe
672	Mlefklpj.exe
4348	Mdmnlj32.exe
1708	Menjdbgj.exe
3520	Mlhbal32.exe
3456	Ndokbi32.exe
2100	Ngmgne32.exe
1304	Nilcjp32.exe
2136	Npfkgjdn.exe
2184	Ngpccdlj.exe
2124	Nnjlpo32.exe
3376	Nphhmj32.exe
224	Ncfdie32.exe
3224	Npjebj32.exe
1372	Nfgmjqop.exe
3716	Ndhmhh32.exe
1864	Olcbmj32.exe
4580	Ocnjidkf.exe
1532	Ojgbfocc.exe
4880	Olfobjbg.exe
4596	Odmgcgbi.exe
1400	Ogkcpbam.exe
2900	Ojjolnaq.exe
1748	Opdghh32.exe
2368	Ocbddc32.exe
4576	Ofqpqo32.exe
316	Oqfdnhfk.exe
4176	Ogpmjb32.exe
1236	Ofcmfodb.exe
1832	Ojoign32.exe
2064	Olmeci32.exe
3728	Ogbipa32.exe
716	Pmoahijl.exe
3268	Pcijeb32.exe
5040	Pfhfan32.exe
3196	Pjcbbmif.exe
1812	Pclgkb32.exe
4296	Pqpgdfnp.exe
3008	Pgioqq32.exe
4064	Pjhlml32.exe
3744	Pqbdjfln.exe
5020	Pjjhbl32.exe
3080	Pjmehkqk.exe
5060	Qqfmde32.exe
4404	Qceiaa32.exe
2024	Qjoankoi.exe
1732	Qcgffqei.exe
3252	Ajanck32.exe
4104	Aqkgpedc.exe
4400	Acjclpcf.exe
636	Afhohlbj.exe
2896	Aqncedbp.exe
1644	Aeiofcji.exe
1040	Afjlnk32.exe
4076	Amddjegd.exe
2432	Aeklkchg.exe
4964	Afmhck32.exe
1972	Ajhddjfn.exe
1580	Aeniabfd.exe
4512	Acqimo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Mpoefk32.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Mlefklpj.exe	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Ngmgne32.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Opdghh32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Miemjaci.exe	Mckemg32.exe
File created	C:\Windows\SysWOW64\Cmlihfed.dll	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Mckemg32.exe	Mmnldp32.exe
File opened for modification	C:\Windows\SysWOW64\Miemjaci.exe	Mckemg32.exe
File created	C:\Windows\SysWOW64\Mgimcebb.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Codqon32.dll	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Mckemg32.exe	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Npfkgjdn.exe	Nilcjp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5504	5420	WerFault.exe	194

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44b09ed3d811038655568f40a60ba88c3ab5136a4483d59a188f14d510fce196N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 880	4376	44b09ed3d811038655568f40a60ba88c3ab5136a4483d59a188f14d510fce196N.exe	82
PID 4376 wrote to memory of 880	4376	44b09ed3d811038655568f40a60ba88c3ab5136a4483d59a188f14d510fce196N.exe	82
PID 4376 wrote to memory of 880	4376	44b09ed3d811038655568f40a60ba88c3ab5136a4483d59a188f14d510fce196N.exe	82
PID 880 wrote to memory of 2408	880	Mmnldp32.exe	83
PID 880 wrote to memory of 2408	880	Mmnldp32.exe	83
PID 880 wrote to memory of 2408	880	Mmnldp32.exe	83
PID 2408 wrote to memory of 4836	2408	Mckemg32.exe	84
PID 2408 wrote to memory of 4836	2408	Mckemg32.exe	84
PID 2408 wrote to memory of 4836	2408	Mckemg32.exe	84
PID 4836 wrote to memory of 3944	4836	Miemjaci.exe	85
PID 4836 wrote to memory of 3944	4836	Miemjaci.exe	85
PID 4836 wrote to memory of 3944	4836	Miemjaci.exe	85
PID 3944 wrote to memory of 1924	3944	Mpoefk32.exe	86
PID 3944 wrote to memory of 1924	3944	Mpoefk32.exe	86
PID 3944 wrote to memory of 1924	3944	Mpoefk32.exe	86
PID 1924 wrote to memory of 672	1924	Mgimcebb.exe	87
PID 1924 wrote to memory of 672	1924	Mgimcebb.exe	87
PID 1924 wrote to memory of 672	1924	Mgimcebb.exe	87
PID 672 wrote to memory of 4348	672	Mlefklpj.exe	88
PID 672 wrote to memory of 4348	672	Mlefklpj.exe	88
PID 672 wrote to memory of 4348	672	Mlefklpj.exe	88
PID 4348 wrote to memory of 1708	4348	Mdmnlj32.exe	89
PID 4348 wrote to memory of 1708	4348	Mdmnlj32.exe	89
PID 4348 wrote to memory of 1708	4348	Mdmnlj32.exe	89
PID 1708 wrote to memory of 3520	1708	Menjdbgj.exe	90
PID 1708 wrote to memory of 3520	1708	Menjdbgj.exe	90
PID 1708 wrote to memory of 3520	1708	Menjdbgj.exe	90
PID 3520 wrote to memory of 3456	3520	Mlhbal32.exe	91
PID 3520 wrote to memory of 3456	3520	Mlhbal32.exe	91
PID 3520 wrote to memory of 3456	3520	Mlhbal32.exe	91
PID 3456 wrote to memory of 2100	3456	Ndokbi32.exe	92
PID 3456 wrote to memory of 2100	3456	Ndokbi32.exe	92
PID 3456 wrote to memory of 2100	3456	Ndokbi32.exe	92
PID 2100 wrote to memory of 1304	2100	Ngmgne32.exe	93
PID 2100 wrote to memory of 1304	2100	Ngmgne32.exe	93
PID 2100 wrote to memory of 1304	2100	Ngmgne32.exe	93
PID 1304 wrote to memory of 2136	1304	Nilcjp32.exe	94
PID 1304 wrote to memory of 2136	1304	Nilcjp32.exe	94
PID 1304 wrote to memory of 2136	1304	Nilcjp32.exe	94
PID 2136 wrote to memory of 2184	2136	Npfkgjdn.exe	95
PID 2136 wrote to memory of 2184	2136	Npfkgjdn.exe	95
PID 2136 wrote to memory of 2184	2136	Npfkgjdn.exe	95
PID 2184 wrote to memory of 2124	2184	Ngpccdlj.exe	96
PID 2184 wrote to memory of 2124	2184	Ngpccdlj.exe	96
PID 2184 wrote to memory of 2124	2184	Ngpccdlj.exe	96
PID 2124 wrote to memory of 3376	2124	Nnjlpo32.exe	97
PID 2124 wrote to memory of 3376	2124	Nnjlpo32.exe	97
PID 2124 wrote to memory of 3376	2124	Nnjlpo32.exe	97
PID 3376 wrote to memory of 224	3376	Nphhmj32.exe	98
PID 3376 wrote to memory of 224	3376	Nphhmj32.exe	98
PID 3376 wrote to memory of 224	3376	Nphhmj32.exe	98
PID 224 wrote to memory of 3224	224	Ncfdie32.exe	99
PID 224 wrote to memory of 3224	224	Ncfdie32.exe	99
PID 224 wrote to memory of 3224	224	Ncfdie32.exe	99
PID 3224 wrote to memory of 1372	3224	Npjebj32.exe	100
PID 3224 wrote to memory of 1372	3224	Npjebj32.exe	100
PID 3224 wrote to memory of 1372	3224	Npjebj32.exe	100
PID 1372 wrote to memory of 3716	1372	Nfgmjqop.exe	101
PID 1372 wrote to memory of 3716	1372	Nfgmjqop.exe	101
PID 1372 wrote to memory of 3716	1372	Nfgmjqop.exe	101
PID 3716 wrote to memory of 1864	3716	Ndhmhh32.exe	102
PID 3716 wrote to memory of 1864	3716	Ndhmhh32.exe	102
PID 3716 wrote to memory of 1864	3716	Ndhmhh32.exe	102
PID 1864 wrote to memory of 4580	1864	Olcbmj32.exe	103

C:\Users\Admin\AppData\Local\Temp\44b09ed3d811038655568f40a60ba88c3ab5136a4483d59a188f14d510fce196N.exe
"C:\Users\Admin\AppData\Local\Temp\44b09ed3d811038655568f40a60ba88c3ab5136a4483d59a188f14d510fce196N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\SysWOW64\Mmnldp32.exe
  C:\Windows\system32\Mmnldp32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\SysWOW64\Mckemg32.exe
    C:\Windows\system32\Mckemg32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\SysWOW64\Miemjaci.exe
      C:\Windows\system32\Miemjaci.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4836
    - - C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
      - C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4580
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        25⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        41⤵
        Executes dropped EXE
        
        PID:3196
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4104
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        64⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        67⤵
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        70⤵
        
        PID:816
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        72⤵
        Drops file in System32 directory
        
        PID:3116
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        75⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        78⤵
        Drops file in System32 directory
        
        PID:3332
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        85⤵
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        86⤵
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4660
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3644
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        102⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:932
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        112⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        113⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        114⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5420 -s 404
        115⤵
        Program crash
        
        PID:5504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5420 -ip 5420
1⤵
PID:5480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
81KB

MD5
18b5803e6cc20b0c903f4ecd266c7bcd

SHA1
8260b7080ee7fe8dc245bf995d68762c29f69d4b

SHA256
bb76e42d01444489bd8be57ba85e54f37086d2a0e05397958e6944da70b4d7bc

SHA512
caa35a52d9bbcc3429f751101993c7375fc58235bff9ab9cc84231ee88f732c3b4ce80d1697cfde586f086a1c8e27a94e302f75661de7e084b59c134a6ca2ad3

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
81KB

MD5
605c6d2b5aa894dc11d8cb996c4471a3

SHA1
5ca53fa584a7759c0d861f0b711792b69121d1ff

SHA256
3422d625953a7b76b21979ff63c517d97e427a4090c2ea479beef72812082c04

SHA512
2b3bc273eeccd856513a333bebb628e80a72ae67b8c1f804b8259edd00cf38bf7bb7c182d39930e5f623eaa4c97ec5aa3473bd5e5d78599c0607a7f750264369

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
81KB

MD5
bbf889d0507a017f794e5d6dc4294e52

SHA1
e12ede1171a9b9f207f276b590750b6d2eed61fc

SHA256
4e3ffd16fac37917b2d5678f18d35d0d6a9199de273311da23af0c2eb6ffdf6b

SHA512
32fe460b6abb6f660310ab5d3bdfdcc1dcf09064cd23d185cddea66e8ab8245285bed1ac9115faffe30af3bc9a07b76b0dc125e2e2a4363ad11dc4a7c0d5f654

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
81KB

MD5
561b578796ee235545bb509af227e5ab

SHA1
ede6bd5ac100b51fe350fc989fa1bd26a7141ffd

SHA256
3b4cad143bc268edd563edac95ee63ba4f3472932467c03801b55070e7bf73d8

SHA512
a7f60ffc115b85b53b8de2abed65e7ac1e89fbb53512f9f2de29141a23d4a9ab97be03802277015431baf036d42fc5081f7bf3a02c797164b6cbfca7d1d02a8d

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
81KB

MD5
c0d60bf30b52ffb3286f7ed2cf362f3a

SHA1
f1c3297d9607b8cb5a7dc0729a56b7e9194de509

SHA256
e2011df7b02a40afc07dd371780c0042ea481f04a549a764974545ec17018b13

SHA512
78c2c1d8eb09b38c53388510cb3c18f1ddd19320e23121f97d0e5867819cc93cfd452d9d6607a0fcc042dc1e1f8328ee9e02ff1b0a8c72ebc8b4f77043927019

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
81KB

MD5
179db7d2cdb2b4dd2f328ae975c201d8

SHA1
9e930e62bfa604dfb5a6aeb1e5c1c8db407ae661

SHA256
c1e46ff0cd990fa8dd8068602fd5f3bdb90f836238df60b455dfff8f5c626cc3

SHA512
839ab2518da5c3cdd8fec70992f49c256453cbaed18f47602c79eca290c6153016ab0e0f4a205a8e6d4eb96bd3089c43ad640a1c29da32db35cee0ff544d2386

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
81KB

MD5
60a68bcc8ca047460f140df95d3dedf3

SHA1
a9b5cf6114703478e42e261c9e4265e47e13336e

SHA256
4b32ee7ad005ae6c88d7553d004823ba8585923af24244912f7f58e3c81e3e94

SHA512
ff394bb10f522f6ff2f13d0638b4f5615e86d660d588e03943f3ab26fd83c34745d7fb0ea1443a9cdeffb0f86b31ebad8d2101d57d89f525c5e93d3da9aa78f5

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
81KB

MD5
20ec5a45304cd92b6d884f37f9daef14

SHA1
ceed3a868b3b1932753556e969d520770befe948

SHA256
e44801cd4fa4ccc25ec0b28d80cd5315e0e8c6bf4196b76d39ca7537c66b3365

SHA512
25c0fa6addaa21a425f8d45837acf3c836030907d3a6b7290f484f56eb06ea8a26b1e01635f58f3b37b4d39a6d7a026692ef412b5785098451765626da77571b

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
81KB

MD5
5aa9ffd6d84549a125380ecfd5cf6adb

SHA1
52cbb499ffb6a8f426041c2653b51fef6c6cfcfd

SHA256
c5ee19f5c648217315e42d309f05b1771011254ef036585fd35a55a5b5656a30

SHA512
ed81a32854eb66db6aae79f7320c4e3c6f03c65f5097bdc7a389cc2d1870a7124d37ce5ff58035885cf075a76ea774e1079cea5b06dce2f353582f947cd8bfc7

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
81KB

MD5
f1749a41cf83782de2e3e7f366c0c417

SHA1
dac3af6cd9ce248e5fd0477264d7006cdcae1128

SHA256
47ad8704dea6552aa71d3861ecdd949f5cd38b7a3e6b970c3852832cc258ebbe

SHA512
44b7afaf6cf71c170b962b2cca6e6a1d5316d379d7b3d2673a91506afa17cd74c883b41ff41014bea9e441382bf22395667a29f1931608cc3cccfcdbe0bef336

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
81KB

MD5
3c69d5651b6d208cdc4622c0d6e5afda

SHA1
c0f857a652d765913f061631975a4dbc1d1a4d97

SHA256
92f18f43806161491b84a69ecac4bfb67ed03e8cee67d5aafdddb2384e19d100

SHA512
8ce97220869667bf185b6f4677051045b060ceee31c1f598a471e3c79cbb1d6b86f1f75bc8720bd1320eddded611180d9f966a98d45919904b1811c20478a417

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
81KB

MD5
b2f66f1882f70b7307023f6b9c5169a3

SHA1
5e93033754e6a2adad233856724f809a3e3f8662

SHA256
e1462e781f28234b100eea8a996541b1c0033ebff34defd69e4c6858b4bfdcff

SHA512
458128c9d7a2c0f8b6c2da52b4bbd41e40e1e5156f13f4768ea859f41baa4a960583555ed064a7f1d69caff8c556955da50cb2a0d0713de2b9747462a6765d81

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
81KB

MD5
7216af4ee8fc15ab8716c0ca03625e33

SHA1
e71dda3d5e133f75a9e809423aa25b380301f5dc

SHA256
7e792e18ec9e3790b7c6abc4731e50b9687dc34ee3b533ad589ca76e0372ff7e

SHA512
0a482a5fb8c5ebca698db5743f9e3334e9e866eaf3955c273f380836b49114f0702a3247ff1b506c7aa55d55a8bfe2c6fad8af8458a8e26699c58254b548aa4a

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
81KB

MD5
1b2e717744d49c1195e9e2aef97d6232

SHA1
9cbc7f63c1c1f893c5898c3d53fc6ea2d20fffcb

SHA256
49b808c8afe80025d79e5171c00da59e83e8ecb1783b306320f9cdc12045201c

SHA512
6b4a168ca2b0a6bc363c932bcdc10e1be925855517f32d4c7982352012c96a68507e48a66e0690f11ea86e0b97891a87a3885d31de3ee2beac55fd46f262f96d

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
81KB

MD5
d3070c3c81b6437fba357d1cceda55ad

SHA1
cee7c516dc292e9686b8800c14ef89f78dd1d63b

SHA256
fee6f27319e93b1050401708d2efa07bdbc0165b0034f1624ac15d83d579d2f6

SHA512
470525b437ac0f791ddd048f0a8bad978833e9c00b280b012d066d46edf641ebfa0771ffbd938335ac359ee64d23a97974eaecb27b061144a8f347c1940b87fa

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
81KB

MD5
485836bb12a06c2d06eb463e4ec8646a

SHA1
8005fed2aed19116eed49dfff1df867b6b2fa699

SHA256
d63fb0c82ee2e3dadb7fba6bdb5d15cc983cd766a6a584685e740668e07de570

SHA512
39a3efca18311e51fbecfe0dba20c8b1add457aa834ac7bbb84da6d4f42c5c6e06ff24de406985be7f03b4c4ee0646e94dcb0c771bc799db2f71bb723e991389

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
81KB

MD5
c43094b7cad415db18fd7e0406d5be12

SHA1
d0fff0db9d9d3054465f01e81098b1365ab0a060

SHA256
0afffa8a4e9f9e743c7b6d814e13745b950bcd9f38e4e03e682f3a3899b1e77e

SHA512
ffafe522c00d9a0e16ffb428737ac33ed4f300483d5ad2abb3d11c2aa4b0aef059cbbb8f8fac6b065a6cd4414241392064b20f1e7fa249c8246d0edf0589497d

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
81KB

MD5
b796ba5dbca8c4f2883de6a9eb30d666

SHA1
78fcc91ab87d2b5b11e390f0a71c5efbe2a1d95e

SHA256
a1a6cc965d20434baa049861c16d33134ed3d7f82a73c3f6386545846ab47b0f

SHA512
c3edb810aae5581836ee2d40ece076b9ce68234699b0cddab29dd233f64ed7cc852e83ee7fde0f195a1569f69524bc65dde5b60fdff3346341773085b9676395

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
81KB

MD5
9b91c43870e17c4c516eb4c1c046eab5

SHA1
436c49a0e6a373b0d936b9a60b006b59bbf081c6

SHA256
c4a36344ee87cfc8a39bf1f55bebdec82ecce1642859f723402d5b308efe257c

SHA512
72846f90c3642c073d743c59139b71fc806bdbef11674be361a237391b9114bf2eca7008b9f41fec4bf64a5c799aa46dc22d28d0dcd7fac4f0c08136d384a294

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
81KB

MD5
9fcafa89d8fc00040c8fb48ece71e653

SHA1
b2ffd6e55c507e2d7397945ed6d261f03f24e03d

SHA256
71ef4c591ba657df05f256d9a2bd11a763398a096fcaccbf79c92e23671f3127

SHA512
02d2409e07bd21ac2f642b548759987370c60f99574fbcb49f0e29f0f496d20aa540fea028aca6a5cc61747ccbf2068ecc114380af5c5a18a0eec9c13c6b5bca

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
81KB

MD5
0245d17349423c2650fb6a3df69a35c5

SHA1
84f8f552ff93fd44f2f0311ed9368558d9df418f

SHA256
a1af208e0db1745e7a5e491ccfac019a9a0b45c38ab543bb6a09c7bc258ab8f1

SHA512
5ff8fdf9d7a490fc83023ccf9a12fbaadea7419b0717f81f26c9effd73640a7d4948dc351365e101f49b571e3c08715a159dd132dd469e2293e015c879124abd

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
81KB

MD5
17c7ef9ce68d1c2e5d8ccacda6eda37f

SHA1
e17185a4674bb81006e667f110e327b88184334b

SHA256
e6bebf32b07dc8f32ca4f7f6714b72922e107f5b9aaa635f85db7cc098a5f4c4

SHA512
b5d5bfeb1e91df83002626095eece130d59e831d55cb0e420f3ddce20bc9aceef2771f3c14d32536971d183280a0013548283919ba80eb76f53a3d971de241a2

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
81KB

MD5
2de408e553437fe1f3ea16ba890bb2f5

SHA1
4eeeaf261ed917babead56b46f8405801ce32a1b

SHA256
6c768f4e0b19cbd7eafb8c1d33483c7e5d65cb66d5218a16b71a2d3edee59cff

SHA512
736d426b27e2844595648cbf738dd6539b179b015cd74f9af9f9be2ca1282742165de65427e47b850f48a9f5a97833787b7d434c84fc781415cb5a11f5c06fe1

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
81KB

MD5
4b348dd48df7cd2d62a41ec9c7b1e04e

SHA1
80d25b1206cfad6a16ba90d0541a160aa30be6dd

SHA256
0a34596dcf60c3977ae532f1cf56ed574ab3e59a15ef16ea88dd770ad5dc6ff4

SHA512
a9a85add57a362d02c8e5a3c4ba1d24e6d492f2c95c7773f4544758086052de81640d1c77ccb9cafa46e9e2154a9a6deaf839bb9c30e8abe91d4db3c58995df1

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
81KB

MD5
e34b433ce941b47a86659a82deecfaad

SHA1
a40d984c80dd95032b9b5f4e69278571d2fa8603

SHA256
f0d05c8099199dd8c139b11f800f2814852545fa94b98c613e62baafc25d24f9

SHA512
23f5febcabe5e7e5a55382e3b2f5f6e1cbeade613b59e854dcc40a49424c8bcf4bccbae67e3f81d5bafaab650b76a42fa99ec0635c081539cb26d2431a481997

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
81KB

MD5
f1fe635c189c0e16ee6b98c33e803187

SHA1
3e5aab5352084aa38e155c0fd3f6cffdee600619

SHA256
0bec71eff633c514067b41d5b2c526cbe530a9907efcfd807b8c426388fe2a9c

SHA512
ba115b7d86f0a6dd8b069bef265425786feefb5d2f7a7153d6bbff02a6b7a3f9ff7c21c7926e3769a75cf292125c3077e0f5391bd33e366077c0bd2e9526e447

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
81KB

MD5
4ff671dc92597da090ee872f8edd4bc7

SHA1
72773952afe6f5a9b32e617ee34a662ca48dc436

SHA256
93a5c29643256b663552cabc28f1573cc48c7200f470de0d6820dbac65b98730

SHA512
31c2cda6ceef6cb843f5b1c66a8cbcad516dd8d425895508ca1d6e2024c45533289aeb5972a11d36c7b4f0532371c7eb00743b9cf6dea4d147c9fe6e9b569a53

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
81KB

MD5
db69af37826e01f96b8afd5ff913f09c

SHA1
2310f2232acaf1c749b56c0aa6143c4099241baa

SHA256
7dc70a3332763e689b2c73249dc675995d2f44d3074861cc8f5f57663cf6cde2

SHA512
c98a74f160a9572212ebc0b2c67da8a6011f6bd50bfb03b2c570d7e9cfe12e4e0149bf2d55e22764c14138f17f9762ddd20322e4bc568a91d747545740aa8800

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
81KB

MD5
7a8909ce9c10492991fe288c57a2d042

SHA1
6bf23313bbfda0f090d31f05dc7a35532421f63c

SHA256
f242f71a6a746fabc5f1ddbf5d633a51bf1cef704969cde018a816fa35687e24

SHA512
16c4cf32950b5db54d1c0c7dc959f4c18173219979267a8a27dcd83cbeb9233f65f343e41b75507993856853b4996c8610c42b54d0635490a908c925b02446c9

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
81KB

MD5
6677e9142dc084e497d523dfc8db251e

SHA1
0a155a5bc8ca76374e2abb85fac4f0b62aa6c783

SHA256
8ee424d10fe3a7e6b372f09fc194d30f269f5fa338f5633fd9a561a25bae6262

SHA512
78951d1acfbd73f91b81d4e739c478a03cc78df66d6b4cb2901efd129eb4e04bddbaa3b6556c5caedfe7565064948613d124f0ac3a5c827ce6020cf67b839f9a

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
81KB

MD5
0cb3d0b9a46600898915f3866a14dc2f

SHA1
d8b1e78c98a6ad36c44ce5ddd21347e2f646b29a

SHA256
71810208bf125a5e59607d50ad1ac1ad76e42f4256d35d302f2606c71893efe9

SHA512
dc406083797477cb0979c0527b9a9792ae586c607a3a12f6614439e454dd3e6051b6037969280d8dc64a8ee14f2198025fc543ccbaef3f288d41058a998268e7

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
81KB

MD5
868e984eee90a3480c7da622d9377059

SHA1
836f516bfde3e64aa5fff19ee94dc9386851978b

SHA256
e00060da2537003d6e7263b754dfa59195df33f37068ced96fbca12df3fddd10

SHA512
5209ba804412d6d99379c851d1fc22717b941eecc8f13ac47aa15446b82894793afbca2c39b6b1fe95df450fe22a26035a9b8c7eb2216313ed8cafc9b21c195d

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
81KB

MD5
929ba03aeb6da00e3806ddbd031e6cad

SHA1
67f055349ab9dcf8179a882e297b0462fc470ce1

SHA256
8fbe4fda7e8705bcc66408c3fc0a1ddd4f1f0e615dab49aa3b310ac490d5940c

SHA512
f6e833217e2a165b181f9a1d0fd923ffc836a2343d35378f4fab8da5b435bc45e5507cf7e65ed9404110ca0a48a27b27fe507679a60d134bd52104e3703d169b

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
81KB

MD5
4ec4fa50ef5763e2f0f593117f45906d

SHA1
0acfc36f1aec2b9b10ea924613979363472ab90f

SHA256
1b41c75bd6b4087dcbf309e952123e832fcdd0cd7fecf8016afd6f9118ac9ce5

SHA512
02379592488e309dad48af58c3c9bdf9ef3da21b20c20f5c4c685625a8872b040a3fd3a0fe055f0440d305d3d9c64f98d56795077a33980ee8bf729f8bd85b53

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
81KB

MD5
68f8bd23c2293546352bd515d0453b42

SHA1
6532ab18958c903074badb3b3652b596c2bd508d

SHA256
0b72e1d3bc617fecc230c8fec637f3b9eaa223452dd97cd778f9e4a4dd796826

SHA512
c95d609acecbc4e505d8363abbf00dc50a473aa50f0f5dc1db0cf4657c67013b84794832e791ad6b5cb4a23dcc7b45b21c975d8e93c7aa78f3e04e22f7c506d2

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
81KB

MD5
e2ff28f69652eddb06685f7e3f5a1399

SHA1
5ebe6ab4ba25a66b710a222b3c84035caf9028d4

SHA256
e450d716be74dae9fa305339e0702071e887efceeee9216da030601173a239df

SHA512
5f211c73de6cba34fb44606cfd090d86276ad29da6f8def47e44cd4711e976624ac16c178dc5e43e0de98961e7863359ccd5013505bb271fcc2a2f9bd92bc7ea

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
81KB

MD5
844ea318726a90080fedcdd0c6878da2

SHA1
6a00429d0e067de3e68cfc1f597a75c7eb682b7d

SHA256
4c2a2091a18fe0b6af91809c58577919adc0743aae6e5cb0318e728ae2fed465

SHA512
0d40b499c04c41ad26ba404ed33300342fa82473dae37f89d4bce72806a4a355914b238797aec0b2441cfd3389b6ddcc1dff457f6decc5722d4274db3d353794

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
81KB

MD5
dcaabdcf74d31cbb4a2f6fb24aca0b44

SHA1
d3ddae51b66c293f1d1fe7363642184e4fa70117

SHA256
cde0804e7ab87352fc09270d3ebab95fc2cdfd8e88e8d59f553fe7959fb002a5

SHA512
72ce4df29080b840d7765dfabd64788f33d819f1f8dd44ffaed1ae1fd3d72c0b60f3c1acfe21412d56a81d85b15c5eb73a5c005cd91df51fadd1bf0aa7c3a63c

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
81KB

MD5
7cd01cef8123f709097e47587ec133a2

SHA1
011f1604ae2f407b860159bdd7f6fd683b448a04

SHA256
69d8247bf419950f51a60267dcbbe44e89b163bf1ce4e5a5792443edf670bc41

SHA512
b89b0aa21bc9ff6b63a5072ed1399fa0274fa71873bcdafb93e17fd266ac022ace5864b4f41f65aa83fab2d2f72bd6f1b09034e0ed42616d8925d167adef8163

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
64KB

MD5
fd4daa9f5697a4ea6e2a79f402331ddf

SHA1
3a463f5f13bfc1f1716fc11702b23200f9f7e75d

SHA256
4fca76ce1e3c8273ef6457695b0a3d715a736dc530ded75b6ef3f16f04cadb3b

SHA512
271e45a3284df16988f82766f1efd708e32525582913c287ab536f6b3bbd15fbfa09b36dfc255930bf4bd79914bad02d835e3b5ff29410d33220cc51350ebd14

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
81KB

MD5
c56f49b21d1fb79d3eca613d6ed63f01

SHA1
17d11530b08d91ae62bb969a964cbb5728432bdb

SHA256
47cd9442467bd518072c2a2608e8db1621475a1c871f933cd5796a402c92b39d

SHA512
53092bb820859355f89ef78a548436cd39a7916193495afebc1a2267408202d3b9a3ed7bd5cbe2c680754065ed1935f2eeda65e90b4911224ee9aec22400565f

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
81KB

MD5
52a985631e4ffad0f946d7092bd32f65

SHA1
2c98cbdf4658908f6df9e8fd8e76b6a55954bf39

SHA256
e40835be4fa98ad69065c1b396ac8fa389316adac7858413188f15243212d58f

SHA512
ecaaf53b1343c0ca84bb7c9267f4d1432f5ee8d2f843816b456e769537f75c2314a31fb4809fd93899af6a9b3bc3ff61c8688730cc077172c5a9ccc8269988c9

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
81KB

MD5
4123ae2c59301036e8e9b18e109d7d5c

SHA1
aba1e9a43246e384645b2939fea5140db9fd074d

SHA256
0886682a518de49788a2e1d6b5e519e12936807231f56c073bc50251d5137545

SHA512
916cab29f81597cf21ecce295ef751a4b43c10f7ddb92c3396989bf40ba9784fbd52003ad46b5050086c26a66da0da1addb52ea549fee3daba7daff2ddaef0b3

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
81KB

MD5
0fe34ea6a7071f15d1f4763e528440d4

SHA1
39b6408aff93084c47a060c7a1182e8c0d90a9b6

SHA256
4946866003f70fb72a8901307bb0e755c03e5a2fb3bb4c686638a8ee31ac1f3f

SHA512
3bde29bda09579ec20ad56b40a847575a6aef52dfebeeb3995232fd07ac8e23cb77c505b972fd0c1427ceaaaea0a6b4dbeac453bf134209ff8a8f14512c20dc2

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
81KB

MD5
856319d49b8b02345f9aa623c0a4ec81

SHA1
8bef8c4d1c860682c9f38ccbddd7d5713c55e599

SHA256
23bc5824dc19fead0eb901b8d7086f506410cdc028d9f78442bb9f45d15a9c37

SHA512
6eede92f71ac0454f68b865752b06fc9a4de4ed04546ae8efa167aacfab23afca52e64084e978a40d3295633a3b48c3d2e89fef8dcaf2ba016b5ecad4a06828e

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
81KB

MD5
0109479b27c27b33830882a0cc9f4559

SHA1
4acd610521103675548448a7fb41d290989386ad

SHA256
de66428230c07d2fc8954f8c8edea2422026fd54c5fc72f1f4a3b779a52ee507

SHA512
c212140cc18919e08b1005bc6a320fb79bbedd90c2fbd552f11fb305ab032b68b2605c849935ffa86d238772a41904884a1f16114e76ad3198100d9c67e2fb34

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
81KB

MD5
88c316f0371896ac4d144f3acb9c8c73

SHA1
238fc08e33286d39ecbd472abc40e1a6001e0cef

SHA256
bd3acba87ccb167ea3f98c0c27a87713fdc71c9230d3ef57135d61885dc8dea0

SHA512
4d8d6e534d8c5d827a809dc5ce995db664b90c23e7d1504a04973a0615ee7fd1d9cb5adac6dba2c1462d4d1700dfd9da7f2db8abdcf62f29d8a2064856a02532

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
81KB

MD5
82d40193387eed5f475bfa1ded07bb7b

SHA1
b2b241c13077c048f0194dd4a762445d3149fe75

SHA256
5bc4584b0d9e9c8dff68f41efbbfdab788d3067e4e461d57fd2035fdae729819

SHA512
cbf897d2c9a244c063560ef6e44637ca286e69e8b1daef73f5e63544282d8e7ba62c5aee94ed131f7fdeb99ffb4ff34f3ed6b61fa94c3b270a1ef42a1ea4e7d6

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
81KB

MD5
c27db4d0a3eaeb119971a08e543ba9dd

SHA1
c983a4bcc30e867e0f234cbaff262be7b4087715

SHA256
80bf1938ff1b0c16f8dc76c17f0b2cca4d674651293a9ffebbb603d2a0393dce

SHA512
3ce75c5561c9b3b72c119b8ef8e5323403864e5dde82c9592a377d8be042b905f87c5c6640b11e25eb4b89c22671d67a12c975acb89f3a07e30b4ec9536f735a

Download Submit
memory/224-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/316-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/412-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/636-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/672-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/672-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/816-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/880-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/880-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/928-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1036-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-875-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1068-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-787-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1304-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1372-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1420-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1832-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1904-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1972-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3080-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3332-529-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3456-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3520-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3744-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-802-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4176-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4296-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4400-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-860-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4964-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads