berbew | a9a0cd43c4073d63746f513a9bc7fd2a509df3c3fa350951a6c3c790bfb7e96f

Analysis

max time kernel
95s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9a0cd43c4073d63746f513a9bc7fd2a509df3c3fa350951a6c3c790bfb7e96fN.exe
Size

72KB
MD5

b666bb23eef30a704fca9bcedf55f120
SHA1

363d1a6511d3c4962180fea81b4ea923e45287a7
SHA256

a9a0cd43c4073d63746f513a9bc7fd2a509df3c3fa350951a6c3c790bfb7e96f
SHA512

563c8d09ab4185964db339c44daaa3341dc76f7502f3e6a72f2bdee8be77e7f8d98d1efc1cb5348d818e7d04adc3304b97beec228e8f59c5d708fa9b746b29ff
SSDEEP

768:Cz4k1kxOlupHMBQjDJN9Zsze30u0iZyA/m33kbucuTBVUgkr2NgGHEWAv8Q5o:CzByYiHMBQJCzeku0jmITBVErHGHEG

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3336	Mplhql32.exe
2732	Mgfqmfde.exe
3436	Meiaib32.exe
2544	Mlcifmbl.exe
1208	Mcmabg32.exe
2716	Mmbfpp32.exe
4436	Mlefklpj.exe
4316	Mcpnhfhf.exe
1460	Miifeq32.exe
4200	Mlhbal32.exe
4620	Ngmgne32.exe
3748	Nngokoej.exe
3924	Npfkgjdn.exe
4604	Ngpccdlj.exe
1456	Nnjlpo32.exe
1392	Neeqea32.exe
4780	Nloiakho.exe
3560	Ngdmod32.exe
1468	Nnneknob.exe
836	Ndhmhh32.exe
2972	Njefqo32.exe
1168	Oponmilc.exe
860	Oflgep32.exe
868	Olfobjbg.exe
2180	Odmgcgbi.exe
2592	Ofnckp32.exe
3988	Oneklm32.exe
4920	Olhlhjpd.exe
2136	Ognpebpj.exe
2352	Ojllan32.exe
2720	Olkhmi32.exe
3672	Ocdqjceo.exe
2956	Ojoign32.exe
4676	Oqhacgdh.exe
4512	Ogbipa32.exe
2192	Pmoahijl.exe
3608	Pgefeajb.exe
2364	Pnonbk32.exe
2876	Pfjcgn32.exe
4900	Pqpgdfnp.exe
4884	Pgioqq32.exe
2616	Pjhlml32.exe
2228	Pmfhig32.exe
1276	Pqbdjfln.exe
4048	Pjjhbl32.exe
2628	Pmidog32.exe
3480	Pgnilpah.exe
3340	Qceiaa32.exe
2024	Qnjnnj32.exe
4652	Qcgffqei.exe
3244	Qffbbldm.exe
3328	Anmjcieo.exe
1600	Aqkgpedc.exe
432	Ageolo32.exe
532	Ambgef32.exe
688	Aeiofcji.exe
3308	Anadoi32.exe
2288	Aqppkd32.exe
2580	Acnlgp32.exe
2268	Ajhddjfn.exe
4860	Amgapeea.exe
2248	Aglemn32.exe
3276	Afoeiklb.exe
2448	Anfmjhmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Meiaib32.exe	Mgfqmfde.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Mplhql32.exe	a9a0cd43c4073d63746f513a9bc7fd2a509df3c3fa350951a6c3c790bfb7e96fN.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Kjiccacq.dll	Mmbfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Npfkgjdn.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Mmbfpp32.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Mlefklpj.exe	Mmbfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnneknob.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5508	5424	WerFault.exe	192

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9a0cd43c4073d63746f513a9bc7fd2a509df3c3fa350951a6c3c790bfb7e96fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiccacq.dll"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onliio32.dll"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Miifeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 3336	1704	a9a0cd43c4073d63746f513a9bc7fd2a509df3c3fa350951a6c3c790bfb7e96fN.exe	82
PID 1704 wrote to memory of 3336	1704	a9a0cd43c4073d63746f513a9bc7fd2a509df3c3fa350951a6c3c790bfb7e96fN.exe	82
PID 1704 wrote to memory of 3336	1704	a9a0cd43c4073d63746f513a9bc7fd2a509df3c3fa350951a6c3c790bfb7e96fN.exe	82
PID 3336 wrote to memory of 2732	3336	Mplhql32.exe	83
PID 3336 wrote to memory of 2732	3336	Mplhql32.exe	83
PID 3336 wrote to memory of 2732	3336	Mplhql32.exe	83
PID 2732 wrote to memory of 3436	2732	Mgfqmfde.exe	84
PID 2732 wrote to memory of 3436	2732	Mgfqmfde.exe	84
PID 2732 wrote to memory of 3436	2732	Mgfqmfde.exe	84
PID 3436 wrote to memory of 2544	3436	Meiaib32.exe	85
PID 3436 wrote to memory of 2544	3436	Meiaib32.exe	85
PID 3436 wrote to memory of 2544	3436	Meiaib32.exe	85
PID 2544 wrote to memory of 1208	2544	Mlcifmbl.exe	86
PID 2544 wrote to memory of 1208	2544	Mlcifmbl.exe	86
PID 2544 wrote to memory of 1208	2544	Mlcifmbl.exe	86
PID 1208 wrote to memory of 2716	1208	Mcmabg32.exe	87
PID 1208 wrote to memory of 2716	1208	Mcmabg32.exe	87
PID 1208 wrote to memory of 2716	1208	Mcmabg32.exe	87
PID 2716 wrote to memory of 4436	2716	Mmbfpp32.exe	88
PID 2716 wrote to memory of 4436	2716	Mmbfpp32.exe	88
PID 2716 wrote to memory of 4436	2716	Mmbfpp32.exe	88
PID 4436 wrote to memory of 4316	4436	Mlefklpj.exe	89
PID 4436 wrote to memory of 4316	4436	Mlefklpj.exe	89
PID 4436 wrote to memory of 4316	4436	Mlefklpj.exe	89
PID 4316 wrote to memory of 1460	4316	Mcpnhfhf.exe	90
PID 4316 wrote to memory of 1460	4316	Mcpnhfhf.exe	90
PID 4316 wrote to memory of 1460	4316	Mcpnhfhf.exe	90
PID 1460 wrote to memory of 4200	1460	Miifeq32.exe	91
PID 1460 wrote to memory of 4200	1460	Miifeq32.exe	91
PID 1460 wrote to memory of 4200	1460	Miifeq32.exe	91
PID 4200 wrote to memory of 4620	4200	Mlhbal32.exe	92
PID 4200 wrote to memory of 4620	4200	Mlhbal32.exe	92
PID 4200 wrote to memory of 4620	4200	Mlhbal32.exe	92
PID 4620 wrote to memory of 3748	4620	Ngmgne32.exe	93
PID 4620 wrote to memory of 3748	4620	Ngmgne32.exe	93
PID 4620 wrote to memory of 3748	4620	Ngmgne32.exe	93
PID 3748 wrote to memory of 3924	3748	Nngokoej.exe	94
PID 3748 wrote to memory of 3924	3748	Nngokoej.exe	94
PID 3748 wrote to memory of 3924	3748	Nngokoej.exe	94
PID 3924 wrote to memory of 4604	3924	Npfkgjdn.exe	95
PID 3924 wrote to memory of 4604	3924	Npfkgjdn.exe	95
PID 3924 wrote to memory of 4604	3924	Npfkgjdn.exe	95
PID 4604 wrote to memory of 1456	4604	Ngpccdlj.exe	96
PID 4604 wrote to memory of 1456	4604	Ngpccdlj.exe	96
PID 4604 wrote to memory of 1456	4604	Ngpccdlj.exe	96
PID 1456 wrote to memory of 1392	1456	Nnjlpo32.exe	97
PID 1456 wrote to memory of 1392	1456	Nnjlpo32.exe	97
PID 1456 wrote to memory of 1392	1456	Nnjlpo32.exe	97
PID 1392 wrote to memory of 4780	1392	Neeqea32.exe	98
PID 1392 wrote to memory of 4780	1392	Neeqea32.exe	98
PID 1392 wrote to memory of 4780	1392	Neeqea32.exe	98
PID 4780 wrote to memory of 3560	4780	Nloiakho.exe	99
PID 4780 wrote to memory of 3560	4780	Nloiakho.exe	99
PID 4780 wrote to memory of 3560	4780	Nloiakho.exe	99
PID 3560 wrote to memory of 1468	3560	Ngdmod32.exe	100
PID 3560 wrote to memory of 1468	3560	Ngdmod32.exe	100
PID 3560 wrote to memory of 1468	3560	Ngdmod32.exe	100
PID 1468 wrote to memory of 836	1468	Nnneknob.exe	101
PID 1468 wrote to memory of 836	1468	Nnneknob.exe	101
PID 1468 wrote to memory of 836	1468	Nnneknob.exe	101
PID 836 wrote to memory of 2972	836	Ndhmhh32.exe	102
PID 836 wrote to memory of 2972	836	Ndhmhh32.exe	102
PID 836 wrote to memory of 2972	836	Ndhmhh32.exe	102
PID 2972 wrote to memory of 1168	2972	Njefqo32.exe	103

C:\Users\Admin\AppData\Local\Temp\a9a0cd43c4073d63746f513a9bc7fd2a509df3c3fa350951a6c3c790bfb7e96fN.exe
"C:\Users\Admin\AppData\Local\Temp\a9a0cd43c4073d63746f513a9bc7fd2a509df3c3fa350951a6c3c790bfb7e96fN.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\Mplhql32.exe
  C:\Windows\system32\Mplhql32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Windows\SysWOW64\Mgfqmfde.exe
    C:\Windows\system32\Mgfqmfde.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\Meiaib32.exe
      C:\Windows\system32\Meiaib32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3436
    - - C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2180
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        31⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2364
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:532
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        62⤵
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4128
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        78⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        86⤵
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        87⤵
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4876
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        95⤵
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        98⤵
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        105⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        107⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5244
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 212
        113⤵
        Program crash
        
        PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5424 -ip 5424
1⤵
PID:5484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aglemn32.exe

Filesize
72KB

MD5
f857825da2bb55113401a24e6f05ac84

SHA1
2289d4722cb237c780b8b129504d98c248c43cb0

SHA256
a092e3adce930b1a957d7fafce2d2b6ac10c7ee8400694cfe9809af7c773e491

SHA512
d166d6109eff8ab4c150deb2c71788b2646376fc43d896da04c2ee9721e971d180762094a75f12376a20875dddc5982df2698a7345063b808ccc3aaa18896162

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
72KB

MD5
8520bd000b4651124c0b3bb9648a5bba

SHA1
7080dbc45d8a4ba4593bb0739154b1693343c4c5

SHA256
e156612e6d069dc6e9ea87bc5b1889c6fe95ecc90f38a00e983771c7818f585c

SHA512
8a0ac745348d383d77f8843847a45679842794796aaf57eb6b21666114f54b840f21ab6c4b5998c7212ef2fd5ba09baa3e5634fc13340cbda4cdae8a16c12989

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
72KB

MD5
024cd58b67ea54f46e9fe63c8c6b3ab2

SHA1
5b7d75adec2cd825753a129e8225d4d6bbe1dba9

SHA256
8f8f2c4fc6a67ee24de0eab604b3dae54c1ae51c476a00fa8afcfb642da8cd89

SHA512
fe7606861a00f978cd74afbf57964533160e8eea28bfec071b95b5ad665c715e9d7b7a5acfe5daa44cdf0d162202a25b7549f05bf90f07309a5836149be3b5fe

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
72KB

MD5
2c8519347132433d934a8bf3deb60e46

SHA1
a8c3ecc3c36970bed4316d95b539a998486272c4

SHA256
9e111c793ab06af2d0472053fc62b1dcf0acf8c8959d89f166a96c90a41bc518

SHA512
d60159f59141968b63d75f3d9ff4a7ab298386a0421de1f8eff3060fe651a6f202cba920bb4af3cde3b49de99c49fe6a1f33fa1f3ce88d0f9b6a68d25583f98c

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
72KB

MD5
ea61c6ec4bd0249df03a6360e42d02c5

SHA1
8e166eaa457c53f00f6ea4d4bd34a87ca5e7d7f9

SHA256
a8d4414436a39d5281e167b4fafbda112ab64b28ee73cfda0d616accb99b67dc

SHA512
a94295a17c10150ab86db082a0ce7fa0357a7b2ac7043fc592dc7a8e3199af7e495e34feef7cf749c7a510ff5f78c04d89c96bfcbabf643efe7770354e67bd1f

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
72KB

MD5
ab811968238f2611894b43f4178d8178

SHA1
7324c43d70a2bd7b37d6425cb7d1a7b5784ee0fe

SHA256
c2f0f8710960705f5b385e5e79a290ad7329c9ca53d37d71f4a2c29c84cd62aa

SHA512
265ea1bd36105ba5fdba83042a9848abf19222a9e935c7e399f2ce4681e9aee8278ef96efa334ae38e6c45469bd01f1d2f8930527d055943d3ee66aa655a6fa4

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
72KB

MD5
9baaf0405b2f9dca5c9362ea3a42848d

SHA1
8d61327103731054d8ed65718658be272890a33b

SHA256
8b26dcb0327467b0e91546db9630777f70bc32136e3c901594b59c7a03e71f9d

SHA512
22c59dc5f0ba944b689c6c2455999e104f90cdeec5db3ee0ffdde1d03e41d9d5267d340fa795501ae17017b7b6ffd52c9ef73170d72d83b4237c5abb0290af30

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
72KB

MD5
c6e270761dbf42068e9081fe4ca5d068

SHA1
32600d7b74876cd5b8fb206837b0d8420d33e8d9

SHA256
d591119719c5272e0b56fe3f8340895c8554a530b938ae0fa2764152999acfa3

SHA512
3a5de10b5e0fd59c0e1d327f8a2951651864c536ccc1487f7b60f7d38d85d1b98c213afef7410af97627b17234eab713b5b6bd7a221c08445fa64dc223b399f4

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
72KB

MD5
1d1f13a0e514faf35463409e8f11b993

SHA1
5c06ea43014ac57804859c21c83a63a2974969b8

SHA256
982b127f52c327b6a9f138f19476aa9f80a51ab7b7fe1d79286605fff919e50e

SHA512
c0d1f50ebc68b8c86ccc71510e9ab2695daf3a73c44075c4cd089bc6ea6ae568e4ba229cbc83f9944f4a0c6cdec30601e6ca31ccb437efed461d871f56aad19a

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
72KB

MD5
1f78939bfc79c02365421d8bdcb14b3e

SHA1
5dbcb2d3d8c7a722b302aa24313add136b634efc

SHA256
2199a8693b91def31c92089e0e0a5b404d107eaeeb3c12dc39df4b020422082b

SHA512
fa5b787d3c5a88da7e6a0c1c7c2fd2e3a2e19af5d55947b563fe3c9892a3497a42be6748de3cd492e198116b394eff4fbea0b0e04d1b78037e5f69e9e4cf305e

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
72KB

MD5
583fbe46d72fe6fa64222540ae8d2f6a

SHA1
faaed3faa201c51e8dd6296f540172a94c1a4de0

SHA256
db9a4a96563f046df54931abae37c63275fcbde62127eb61526a057487ae2701

SHA512
6469c6ac6fc21d0f78e5942e3ed7f508f03113814ce51fed9dff91942a3434ea2c6c6e7c2813988cbaf48297320865530f5439e63771ddd0240e7943b96f70e1

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
72KB

MD5
ef49c43c44aec06dcd9e58832067a717

SHA1
c935aa757476c724b5eb1c7db2d72970b94e0b14

SHA256
8b0a431feee8f2dce76e00891aec60096a87ec31cdf968d6068846f95c495be1

SHA512
e68b4951474336d679468798acd495f3ff6498dc2b9de2f40094288ff51f45abddccede6abb63d8198e6f1705027cfdc5d10fbea21c15266ce0812a112f5bc8a

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
72KB

MD5
ce96fe245104915b384760daad45a961

SHA1
eabf11c843489c82ff7c7446064a6dc383bf654e

SHA256
d2bed7416ba9d58a648939290e7f1573b039433a367d8f008bde55842084fd7c

SHA512
078e29f8c080674d30cfd3305386514c5f62b030ca64c3d4bbfcf830dc4658bf19032d2e1aff0c2b43640a355734d6f409f2580bd32dc40eea6a219d58055d6f

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
72KB

MD5
63127d661a4e7086984e83eaa3605717

SHA1
dab6ec6f220077e87f147732684a0c1be69d6459

SHA256
8397aab59853e737611aa7dd049c8c42d0d02b8870454e219b04ed60df727517

SHA512
a3a6117c5316ab1c10950b47d644f209bfc9d097be2b65d178ffd4fb3e42ff2c7f396d5e53701939596100276e05badfb9ab0c5f0c725b8da3205ae0a0882158

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
72KB

MD5
c9ac8c6fefe4e15729d76965c7522884

SHA1
8da42e3531886234e5010e7ac0351a6a8e0a2b75

SHA256
fe8eb1fd791eccba76c02cae3854adb1a89f2ed6774ecd23de0b35b68ee48829

SHA512
cd56a74f45d0c6c60f6b74cc06c8813efdfcb3e3c85157efb48833312127184b00ded8924db142feee117895e8a3c92be6ae33d6bf814ae348fa643d84fb6703

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
72KB

MD5
a78199bf3634f08dbf96adfb26d4a9ea

SHA1
23cd3608380a78f25ea00dc20fc6e38302a7736d

SHA256
a5093931e07deef78c8cea17c9b1996ddc95ca4ed45a0bb036247b9574238047

SHA512
29fe32eeb9bc845ebbb0e1f991266f0763b701fd130f917eaa5db86a355cf6f47640426e20bd9bb0c7883130cf8cc79e2563d1b83225397dbfc075ccd6084290

Download Submit
C:\Windows\SysWOW64\Mchqfb32.dll

Filesize
7KB

MD5
03cfc5e06d84064fc9d293a1dca4fe59

SHA1
1c7dd26567f8a5de31f0d4a792504e7489a6ceb3

SHA256
d30ac36c67c8ae6834a63acf73047828632470d7f9d51360e6ef53aece8eb0d4

SHA512
9e46219eef880c1f6c22f9e78bca65c275a89b53b2b60d7ec6fae26af96ea4377d19faf19911e2f2fd806b1347ac501a8826aa7fe69c19ea099150ff65c87149

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
72KB

MD5
92c5f590d685583b4f47c427674ed339

SHA1
1d21de71b40ba1576ab8151fc934c65b8cff9a88

SHA256
4c4904353e19e79355920ba7c440ca7ab2ea8621be12fe9430dbc853c8235cbf

SHA512
875ed5abf1c17a0d2be50f6c47141c1a12322457ae6b724a6dd15e9d0918f3b6381f4bc50e1a38aa23bfb81b0eb967b34d885389500e8ae3b0d70f78d1b3a077

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
72KB

MD5
8b7c5daae41b78dcee8c07cc50e820c0

SHA1
190cdb5c4b74078c53242dde1b8ba4c8f21de538

SHA256
006210563cd5ec73f2ac8be0832f4c0fc465f7e43f47b015160077a1ad4fb761

SHA512
17373772021d36a668239f20f922103e9a31834302e4fe6da426a4c563a301a0370df5d6f3932925d16c71645700291bca1077b65248e514c54602c771df94db

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
72KB

MD5
0990441ce9ea0238c1f6d55a6f456d9c

SHA1
528d442da4ea45209e647125deb42528bb32dde1

SHA256
be0f44d4e42e7e49bfc02d05ed99f204172ea11aa7c875eaf5af3a50b88e12bb

SHA512
336b5d4ed6310d1b1a7a8a374ae9cb987a9f25c8d811d86f5269ab2adf5b4552f21a1d31235af879ced9662c430df94eb24972585bc11ba368dffce3f02024c9

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
72KB

MD5
c7d281de4210805748348517340a40ea

SHA1
985e59b3c9e10282b1c4aff4a1d94b4974aefc7a

SHA256
8b87cd983db319077f553c21bb4599d0c82773ce48652a0e7a4a9a06cd6092cf

SHA512
75f50a0029fb649c7f5745c30e224bb5ea8532c44d8ff99732c4df2dd613b3e593560add63e939544345b746fa7074c2a1fbc5e2793cdf1cde98d84d933eaca3

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
72KB

MD5
5dc8de64c5c19787a6ef28d43db48087

SHA1
3813617c353d008bc28b79535a2ad916dbc90865

SHA256
d28b3ba97bae70ee1db8944f6011f5643a618963468b958fd69399d211080750

SHA512
7aa76e2a4febd7aeb776b513ba45538eed3053e4b6f83217b3febba13db5631a2929e8aaf985046bfd7fff7459bc54713d4604db94018f64dfd1b719002b544a

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
72KB

MD5
be990b22f8e27d1b577e74b2064482ee

SHA1
4f10ae2daed953dc3c6cf3514e8ea72667a98ab7

SHA256
a9d28036b09563932952e7a140570ed2eba219554a3fc6bcd66a35d541778ab0

SHA512
eb0fd1e199ae5022ea454bfcabba4af25e54d7d0754ccf566eb3a7c29ba89dd349bcf9d6aff12e66550c01738951d4d70609570029220848643edd035c1098ae

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
72KB

MD5
d832b311183f442b90c0dffb1e9d8617

SHA1
82482ca6d494a3df202cffcd6ffe54f847775385

SHA256
775760814d657ff10a396010597a8ce71f0e5c3015f56c61b877d967a394b509

SHA512
8e0bdfdea9db72c7564de05e3a982469dcb3b16d1273d9b33911738af167155f1ab9e63358ea0054d390f43c16a065be7c873b19d6e6ae0fe7d87f7474cf005d

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
72KB

MD5
fae309f6c7ca94d8dfe8dfd30f35ab65

SHA1
beeadd5a20ca45dfe90bfaffd4ea93d3fd17ddf2

SHA256
aec4b1178530c3a72a43cf820f7c0c6bfa907701536c09f6b968f8281c4b92f8

SHA512
2ba9180322ca1db9bfbc172af6f1a9de8ef12d31576e9c3ca93e9cd22111effbce62741671d70bbb0c8037d00ab8505ee2f50966848ca4ae593fa943d02ed054

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
72KB

MD5
757818c62acd72a6449c139d4f621d5b

SHA1
a448bec5b8299797e94e85deb1c779e4f4544b04

SHA256
10983b396d1802f578e5530e0202fe2f7c6e6bfd4af4f326e899a806fc23e025

SHA512
0077013c7286403b497ce0e197bf54a4048a3d640245f399aec014173b3bbfa47f64cf56ca969b6bafa83cc41cd12b0903ece33a2b6aa77c836dc209549d9736

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
72KB

MD5
c5762f0fc09b29dd6ce0ec8cd21fed62

SHA1
44205ed850b71aa49c23a251de3bd577853a57cf

SHA256
0aef0a301b4b8e619a1662e0d7c483720e37bd186c1206eadfe37b31f2949ae7

SHA512
7676a670c83df626eba2525a6f941f72d2ea0ef00aa9ebc3535f6155571fe3eea60de87c341ed9066f1c3bcc085cbce77d8c67e092a947814c2efe89b1a0bc12

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
72KB

MD5
44b481ddde35574e130c0f4e75d2ec95

SHA1
75125564aaff22ca70fee560f1aa72a385598574

SHA256
f41796fe397d39bf839af0c918b564c059e0b358d242148ae0d62966b5e18698

SHA512
0b29a14b05a254a34b407cbcbb0745e185861df99b56115825b52a81947b33e498b8c8664bd32a4a95d647f95245d77541f77f04e1b1ed85925f15c9c1460740

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
72KB

MD5
f192af91f3f70bb5f392f534a5a9cf6c

SHA1
12d50d86acf30f5d2bd8568a00932fc92b0e11a3

SHA256
c7b69498ffd257459d5c0455a25547de0d0c900dfcebaebdb652362a6b4917d0

SHA512
3821076911fedc8a8fb3548c238b2495e63d873e62e4ca44d8b5b33cde254946bde210f8c57d5bdc42a2b01f59bff449f1c0836ee80fa46fd30803b57485fead

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
72KB

MD5
27aeaea544430dd5c29e58be021fd07c

SHA1
d09be0a30c8764fc50eff65b8e7d380a3e0290a7

SHA256
b6ec4705aca70a283878995c11d91d7f643a8e7f759ca8196280e5e02ca1c12d

SHA512
bc4a311f59b3397991b2865b33d90edf0f72c1702d960b8f33058a64e739d3faead3ba618780977f64c2d3b22ad459f333f4b5965bba5e06a103796b3e8cb660

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
72KB

MD5
8cce3134e084eee26b1b60dfddd0f7dd

SHA1
87fe30559457c76047ab4640ca483e517e8faaae

SHA256
6795e04e5206bf192778567f967c2de28b1859a8342344df35842c2fdc501f28

SHA512
b0f8920b1b569b52d29c503a1cd873092590112936dc27cc1a31bbd166b9b58f217e114209524618cc7cc61820949af29a4059c00a2340fbe319cc642480dc60

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
72KB

MD5
58a7dd08c9103d60c40cee1f631cf61e

SHA1
3fcbb09057975a10af071bf05f007106e9083d30

SHA256
3bc40ad8dc477696b4643c6da2c6907e08ee69b191d4498ded6515cd12413b29

SHA512
f8e8f4cce2ec1ff9695122064eaf24c3ab39d94c40f6d527cee4d158be27a874bca8735f3c18068de22dd0591a72d81f253566de37bdcb16bccb70a1ddeea1ea

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
72KB

MD5
626ba3b628145ff716ccbb9efec209a6

SHA1
6439945e28349bec0d822fc7f6876d57320d909b

SHA256
c5f9d4df8ea00a024a1e8c2f7f3048c5fd90cbb23450faaa8744f8527c57017f

SHA512
44d0c112701fb234e510071e82e1ffca2abec6562625eaab27eb43c4dda5b97de3c557f24d179fafbfdaaaf89abf71fd8efa179c24077f684bab541ed8ca429a

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
72KB

MD5
759d040dd488a53af7ce1437048c0f4c

SHA1
701f1b2d831534a71f4fc087368156f6d83803b8

SHA256
86c5df58fb0790373dc19704b980f810507ea378b7c9d369b37783d4b717eccf

SHA512
29a13c826b8d138d8ef9cffd19fd262373a8ce38439d7d51f5b3c6d211190518a856d5e155f1270148104ac4f239380d595962dd969b34f670d11bf06c48cedc

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
72KB

MD5
b3c602a855a7deefef7bad9cffe7c189

SHA1
fd1e194ec39089ed8f44dc6bd6a23b70adeb106e

SHA256
f89a3aaccd62f1da2c97029f3651ff014e691e9d583b7ab7439db0a52b8d6e17

SHA512
d531df9cf8db210a02de8438c740266a6cffa3ea5dfc5dc5b9ce40f7c659c2bd90674a13ad85b06c079d835548883630778b60f23a1f0324740873be4ef7d068

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
72KB

MD5
efe2a483b35e18174ddc29b5304301c8

SHA1
b61e55d8a8b5378ce041fae75c5f34e8e77ed486

SHA256
f28ec74fd8a34d650307a4747e9fd3fc1ec5bb137b9767f44cbf86f4de36d1e6

SHA512
5624166195cf439e6693925be2d179c45ed5909e07323162929babbf2cf7f5fc03c36bd208b33d557993aad83de37e9ac3bfdc04c407b31feec44f7dc77879b4

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
72KB

MD5
96a93ec52ffc12dfea51e694a4877812

SHA1
937f4531078af80ee4c15bc425babf467581df71

SHA256
c379f45fd2d9b474166a675ac37c382e8e3d0f7cb5ac39633f2ebd87621b5b0e

SHA512
502e533060cd712dbad67205f061f6ea20d78fd64c5a458780dabb18f9f84c48529dd9786fba5f8cd6fb08df50d21d856fd3170ecbfa98db8cf6ef46be06144d

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
72KB

MD5
3d6374158e72419b2986ccab71a70081

SHA1
67fd2cd8e256042ce4f8fdad21fa7fbf2123cfc1

SHA256
61c36fce52fb7bb67b2e68afa2fafa09fc4b061620b5df1121dbfd17ed6e32f2

SHA512
02b295c6d9a0d3e00c56b3d393d99faa1c3290bf5fd56f3735deaae0348441def5558ea3cfeff3598791627fc38e289c0098c55ebd53b6f96bb65f8ea0e74eb5

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
72KB

MD5
f7fa774d072de3f888a3bb9ae4d873a7

SHA1
98c8e4246967b539211d1febdec5167044f66e23

SHA256
3c8028d2b78777b463ae782da9661c02c5bb8cd62c93c9b488c8a92605edbdd6

SHA512
1eeeaf571fdd4e92a6e2511a27b42de6c7dcebf91b21963bcb85df418c765009e9cba18da9dd3858470d3bc90673a99e8024d7c6106a50f49ac378f821fcc8c3

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
72KB

MD5
913b5a49c6e15a93d521dfe5c0b057c1

SHA1
c422be6f0bd9f49a2287a92af297858c646b90cc

SHA256
555675929a4ec1115057a680141cf8210e29a2b515370e1f9e7b659a9b7c7c71

SHA512
fd4529a9833440aee68e21a9a79e1174ea7cdbd86e1792e2e6e4a346cbb22fa7511d00a9c058c39150a1a16f5da3af0db02f6b0554d2313c569e0155a250ecbc

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
72KB

MD5
c1b6294fd5344280c685faeda451cc44

SHA1
fd0e2706c9f19f543dc71156f9d7ad4e711f2fca

SHA256
d640dde068f380c34dee8e50a4b0b02cab717fe62395afc9a74b0fdb96271e1c

SHA512
c624f493d5179872f61c1761903a7b10dd90ee35cc495cac8ce53a3375bd2bee8d6077823e0bf19e5d5645e397d54b93cce1a05aed2e94e977d46907104752f7

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
72KB

MD5
4ba7d43f5b961bf08c726beba4b05a01

SHA1
139535bd73dd86679c12f0afe265836736515efb

SHA256
4f598293ef4f3c135d76045ef9f5b82a53f17b419492fa6a5325fe790f7af305

SHA512
fbb6892dd2582f4c350059be2ed453a24a92ff55b31eaba9455b774eeab9d657aea41db6d5588ca4f169cb71a9fd6ecf6757928ad41a7c3d0a8e3fd42694b20b

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
72KB

MD5
48a9ae87dd9679b7573d4fe0d090cbc0

SHA1
5b8b0e3843c355d267c8680e8a5ea259bd046b9d

SHA256
6d8329d11cce77c70e995a4f8507681b4b335482964798ac0d82d5737c5eb419

SHA512
e8790bb3aaeb952c7a537992b42117eda63a5acfe7d9fdefe3a62ac2654ded0ecc91f6282a55ebafa7b45075193a5bc9e9dceecbe287959c28240d9118c023f9

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
72KB

MD5
58f332748887268c31e3ff19d17fb799

SHA1
065093c527963d372c9e46c34b1c63fdbe28f27a

SHA256
89abc92c52fc22d09e0edab83b6729c4149b334e0a36d398f489d5c733081e81

SHA512
4952e9af39ecbf648468eadefed786a1b3f4593abc3604d1601a8d2063c04a4a2cd7f48fa981a8bb68a2c193e6bf191c72b8db4865dedf58e517f8d1410b4b95

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
72KB

MD5
9cb35efbfcf645021f09bc0fc70eab09

SHA1
e2a663cb61d10c73ed87f1f79aeee44ddc210eb0

SHA256
8d8a45da184a4e0cf661e4af1de55c7e12ed1dfebef1b86e23155a48818238c0

SHA512
e7ae6a803961b02318b6410590a537fcd9204d218dcd076b8471c7b883a48da85a217e8c46431c4f6a7dbeb89701c0f24774cb22fb01b55ac7d0e24157a25cda

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
72KB

MD5
c89a9b82f6cd70d2814ac3eec994710a

SHA1
b25ca5e0defaf4778e7d5ad0909cafeab4c7ea5b

SHA256
9f26ca4ed87389975b78849f3f0916b6db3b58a3dde5a8331d26d369bc4ada1f

SHA512
780d66398bb23096af092d1a76d793aab124a8a8f08601bc62e3e721febde316dd11a63fb1a08084b4764eac2258977421eed9b9ea7579eda2249cf13d54b294

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
72KB

MD5
d44181a34d2e4ae2a544a2d396d23dc2

SHA1
78dba2bc0186ed13f51c4332c1a925d70e358019

SHA256
5ef52f0455e409fe0898bed6403925fe7d9046da09ae5d9b3b8e5452563d0a87

SHA512
d472e4a30d09e53599bc44bb8044e857b3aaf80bc4c942ed9f784295f277f3ad1c5cb98bd3fb4ed813f9745923b82134e07664e710091f02128552918e66bdc6

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
72KB

MD5
cf1f66da5247da96bb4a9ef79805c3a3

SHA1
cc1870ad37eecbc9ae65a0e7e70781b39b2fbb4d

SHA256
c290a61bdd9d046cb1c3e8d27a3b8e41a32295d6126dff711f249393a9add806

SHA512
6c37a04de980876312a4121088e3a97180980aa94967a62b72c734060701fdc8bc61949a9cccbf267c22bbae58e631411a6b282ee0d38555afe8ec9c10c3eccf

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
72KB

MD5
80cac6409d44743ee955db367686b0f5

SHA1
ba4377caf8cad4b9c9b552eb58c11dd847bbdc50

SHA256
42867fa1d3eda3fe90d93858d693b04f72dc4cd5015addc80f73dfa3ffb8b92b

SHA512
13910ecac9a504897559bafa2e29dc453009836268752fc7c5fe2981e0a5383b0b11543da7f1cd4743cf0020b4184dd93f1111196e7fa969ea10077de5cd2fad

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
72KB

MD5
3bce632631898be65858ca51ef5296eb

SHA1
c2e13bb05766b4cf2fd0102b46a8ce04a1ae29ec

SHA256
bbde564de3a7d4744a6a88b503d895998acdb43616102f7f20e96eb5c8ff51a0

SHA512
91e1fe7c98ab699b4f44f0f452b134e6481fe93b2e22d1ea82e9230a8a4d0f82a1e228581a678c0f86fc09d2ce48996aaff2f89329267e512957396ce21dc005

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
72KB

MD5
273f4be54f7ed7a5b717e7f059358400

SHA1
9939f5ed4f5e233378598591f99f0c5f19a21eb1

SHA256
ba30ebb91d57cce9c5b34da1adb44bba0e8c8cfad8a0fb53491e81666df01be5

SHA512
881691af82214b29f62c3b08532ec64627088e141d0795a1588ae3f5ea77f1e25363e7bc5ca9aa3d803554bb3ae34c9a68cf4fa60b4f2a2b3857e5b1e4a23cfc

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
72KB

MD5
abda6d826b46ff3bee079a0595c0689c

SHA1
48d429fb84b36ed05ec4fe1c06b66f8a036ae981

SHA256
d19958071f53049f1e7c91b6d0c4b799aab4445bcf5dc8769ab4f159404c2a19

SHA512
4de0a3d00bf36643d3196ed066afb64de1def32773350b30e8399600af99d760dceca7fdd0a1123c1f44458beb2d80741ac590abb20facfc2daed7d0447dc0cc

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
72KB

MD5
1b3be4c981f9141baa4a9eb92a482ba9

SHA1
7f4ece63df0ae8b7425ec18f966dc7862d3b9b0a

SHA256
a7c9c485cf5700a817b5b6f72f6b5f87b5638d601cc4a7453bcb1d2e8982fe93

SHA512
dbf7a4b80b9e8467adf8dd3840919767af5b4697dbb2821f7ac6b29ed2afe2e6d1fe986a9fc4d739d5f9f54384f368d7c6367fcb7f4cd1fb76d742b69c8387d3

Download Submit
memory/432-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/532-868-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/532-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/836-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1208-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1208-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1276-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2472-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-808-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-598-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-778-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3164-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3240-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3328-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3336-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3336-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3672-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3924-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4048-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-839-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4200-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4304-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4752-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5380-763-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5424-762-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads