berbew | de51985cc0b106e0c8968f29cf275c6e21ab005fef4b6433bdb4cd9d21cc0ab6

Analysis

max time kernel
92s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de51985cc0b106e0c8968f29cf275c6e21ab005fef4b6433bdb4cd9d21cc0ab6.exe
Size

64KB
MD5

61d6d2c74de69b098c02d4b5b923215c
SHA1

6ae3f10cae549a52275af3c45017cecdea222c03
SHA256

de51985cc0b106e0c8968f29cf275c6e21ab005fef4b6433bdb4cd9d21cc0ab6
SHA512

fc54ab09c8148e0fa9590c883f00af5d1a6d41eaadcba8b8706702c232da986ec08d92289414a7172ff69cf18c58eb3f3185bc73fbe41d33472558514db1be3d
SSDEEP

768:3C2vTElI8bQSsHr1WtCmlrwTezBUBP6WDI/AiiHH/1H5l6XJ1IwEGp9ThfzyYsHf:3Xv0sLwCuP9uAozeXUwXfzwf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	de51985cc0b106e0c8968f29cf275c6e21ab005fef4b6433bdb4cd9d21cc0ab6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2316	Njqmepik.exe
3976	Nnlhfn32.exe
2944	Npjebj32.exe
2768	Ndfqbhia.exe
3508	Nfgmjqop.exe
2096	Nnneknob.exe
3284	Npmagine.exe
1156	Nggjdc32.exe
2932	Nnqbanmo.exe
4880	Oponmilc.exe
1052	Ogifjcdp.exe
4496	Ojgbfocc.exe
3748	Olfobjbg.exe
1768	Odmgcgbi.exe
824	Ogkcpbam.exe
4412	Ojjolnaq.exe
1968	Opdghh32.exe
916	Ognpebpj.exe
5028	Onhhamgg.exe
4672	Oqfdnhfk.exe
956	Ocdqjceo.exe
4812	Ojoign32.exe
1600	Ocgmpccl.exe
2644	Ofeilobp.exe
4092	Pnlaml32.exe
3772	Pmoahijl.exe
60	Pcijeb32.exe
4784	Pfhfan32.exe
4424	Pnonbk32.exe
2140	Pqmjog32.exe
4532	Pggbkagp.exe
4852	Pjeoglgc.exe
2248	Pmdkch32.exe
4408	Pdkcde32.exe
1548	Pgioqq32.exe
2984	Pjhlml32.exe
4380	Pmfhig32.exe
3052	Pdmpje32.exe
3136	Pcppfaka.exe
1652	Pnfdcjkg.exe
2880	Pqdqof32.exe
4916	Qnhahj32.exe
4528	Qqfmde32.exe
4704	Qfcfml32.exe
3496	Qqijje32.exe
4868	Qffbbldm.exe
4700	Aqkgpedc.exe
884	Ageolo32.exe
3460	Ajckij32.exe
2288	Aqncedbp.exe
348	Aclpap32.exe
1428	Ajfhnjhq.exe
712	Anadoi32.exe
3716	Aeklkchg.exe
3164	Agjhgngj.exe
5092	Ajhddjfn.exe
4224	Amgapeea.exe
3360	Aeniabfd.exe
2424	Afoeiklb.exe
2616	Anfmjhmd.exe
3988	Aadifclh.exe
3732	Agoabn32.exe
3920	Bebblb32.exe
2204	Bjokdipf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5208	4348	WerFault.exe	190

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de51985cc0b106e0c8968f29cf275c6e21ab005fef4b6433bdb4cd9d21cc0ab6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	de51985cc0b106e0c8968f29cf275c6e21ab005fef4b6433bdb4cd9d21cc0ab6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	de51985cc0b106e0c8968f29cf275c6e21ab005fef4b6433bdb4cd9d21cc0ab6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	de51985cc0b106e0c8968f29cf275c6e21ab005fef4b6433bdb4cd9d21cc0ab6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	Njqmepik.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 2316	5040	de51985cc0b106e0c8968f29cf275c6e21ab005fef4b6433bdb4cd9d21cc0ab6.exe	82
PID 5040 wrote to memory of 2316	5040	de51985cc0b106e0c8968f29cf275c6e21ab005fef4b6433bdb4cd9d21cc0ab6.exe	82
PID 5040 wrote to memory of 2316	5040	de51985cc0b106e0c8968f29cf275c6e21ab005fef4b6433bdb4cd9d21cc0ab6.exe	82
PID 2316 wrote to memory of 3976	2316	Njqmepik.exe	83
PID 2316 wrote to memory of 3976	2316	Njqmepik.exe	83
PID 2316 wrote to memory of 3976	2316	Njqmepik.exe	83
PID 3976 wrote to memory of 2944	3976	Nnlhfn32.exe	84
PID 3976 wrote to memory of 2944	3976	Nnlhfn32.exe	84
PID 3976 wrote to memory of 2944	3976	Nnlhfn32.exe	84
PID 2944 wrote to memory of 2768	2944	Npjebj32.exe	85
PID 2944 wrote to memory of 2768	2944	Npjebj32.exe	85
PID 2944 wrote to memory of 2768	2944	Npjebj32.exe	85
PID 2768 wrote to memory of 3508	2768	Ndfqbhia.exe	86
PID 2768 wrote to memory of 3508	2768	Ndfqbhia.exe	86
PID 2768 wrote to memory of 3508	2768	Ndfqbhia.exe	86
PID 3508 wrote to memory of 2096	3508	Nfgmjqop.exe	87
PID 3508 wrote to memory of 2096	3508	Nfgmjqop.exe	87
PID 3508 wrote to memory of 2096	3508	Nfgmjqop.exe	87
PID 2096 wrote to memory of 3284	2096	Nnneknob.exe	88
PID 2096 wrote to memory of 3284	2096	Nnneknob.exe	88
PID 2096 wrote to memory of 3284	2096	Nnneknob.exe	88
PID 3284 wrote to memory of 1156	3284	Npmagine.exe	89
PID 3284 wrote to memory of 1156	3284	Npmagine.exe	89
PID 3284 wrote to memory of 1156	3284	Npmagine.exe	89
PID 1156 wrote to memory of 2932	1156	Nggjdc32.exe	90
PID 1156 wrote to memory of 2932	1156	Nggjdc32.exe	90
PID 1156 wrote to memory of 2932	1156	Nggjdc32.exe	90
PID 2932 wrote to memory of 4880	2932	Nnqbanmo.exe	91
PID 2932 wrote to memory of 4880	2932	Nnqbanmo.exe	91
PID 2932 wrote to memory of 4880	2932	Nnqbanmo.exe	91
PID 4880 wrote to memory of 1052	4880	Oponmilc.exe	92
PID 4880 wrote to memory of 1052	4880	Oponmilc.exe	92
PID 4880 wrote to memory of 1052	4880	Oponmilc.exe	92
PID 1052 wrote to memory of 4496	1052	Ogifjcdp.exe	93
PID 1052 wrote to memory of 4496	1052	Ogifjcdp.exe	93
PID 1052 wrote to memory of 4496	1052	Ogifjcdp.exe	93
PID 4496 wrote to memory of 3748	4496	Ojgbfocc.exe	94
PID 4496 wrote to memory of 3748	4496	Ojgbfocc.exe	94
PID 4496 wrote to memory of 3748	4496	Ojgbfocc.exe	94
PID 3748 wrote to memory of 1768	3748	Olfobjbg.exe	95
PID 3748 wrote to memory of 1768	3748	Olfobjbg.exe	95
PID 3748 wrote to memory of 1768	3748	Olfobjbg.exe	95
PID 1768 wrote to memory of 824	1768	Odmgcgbi.exe	96
PID 1768 wrote to memory of 824	1768	Odmgcgbi.exe	96
PID 1768 wrote to memory of 824	1768	Odmgcgbi.exe	96
PID 824 wrote to memory of 4412	824	Ogkcpbam.exe	97
PID 824 wrote to memory of 4412	824	Ogkcpbam.exe	97
PID 824 wrote to memory of 4412	824	Ogkcpbam.exe	97
PID 4412 wrote to memory of 1968	4412	Ojjolnaq.exe	98
PID 4412 wrote to memory of 1968	4412	Ojjolnaq.exe	98
PID 4412 wrote to memory of 1968	4412	Ojjolnaq.exe	98
PID 1968 wrote to memory of 916	1968	Opdghh32.exe	99
PID 1968 wrote to memory of 916	1968	Opdghh32.exe	99
PID 1968 wrote to memory of 916	1968	Opdghh32.exe	99
PID 916 wrote to memory of 5028	916	Ognpebpj.exe	100
PID 916 wrote to memory of 5028	916	Ognpebpj.exe	100
PID 916 wrote to memory of 5028	916	Ognpebpj.exe	100
PID 5028 wrote to memory of 4672	5028	Onhhamgg.exe	101
PID 5028 wrote to memory of 4672	5028	Onhhamgg.exe	101
PID 5028 wrote to memory of 4672	5028	Onhhamgg.exe	101
PID 4672 wrote to memory of 956	4672	Oqfdnhfk.exe	102
PID 4672 wrote to memory of 956	4672	Oqfdnhfk.exe	102
PID 4672 wrote to memory of 956	4672	Oqfdnhfk.exe	102
PID 956 wrote to memory of 4812	956	Ocdqjceo.exe	103

C:\Users\Admin\AppData\Local\Temp\de51985cc0b106e0c8968f29cf275c6e21ab005fef4b6433bdb4cd9d21cc0ab6.exe
"C:\Users\Admin\AppData\Local\Temp\de51985cc0b106e0c8968f29cf275c6e21ab005fef4b6433bdb4cd9d21cc0ab6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\SysWOW64\Njqmepik.exe
  C:\Windows\system32\Njqmepik.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\Nnlhfn32.exe
    C:\Windows\system32\Nnlhfn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\SysWOW64\Npjebj32.exe
      C:\Windows\system32\Npjebj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        32⤵
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1548
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:348
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:712
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        74⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        83⤵
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3012
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        96⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        97⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        98⤵
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        99⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        102⤵
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        108⤵
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        110⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 404
        111⤵
        Program crash
        
        PID:5208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4348 -ip 4348
1⤵
PID:5184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
64KB

MD5
e29b4045b3046ae1f5eb97aeac16daaf

SHA1
3fe3d9b424f3e77fe0385f163d7c7b566d10bd88

SHA256
8e7f397c27e7dba0aa69265330914e851d1dc795405e01109534eb6338fd1af6

SHA512
f8ea087092d9f5c2e907ceee8293163abbe0b05798b63c48bb904eaf770c839a8ab4aaeb097b0534d00ba8c0ab127fe24aeea2a45c334e77763b944d047388d2

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
64KB

MD5
87298f66f937aa8b8b8df2c659156855

SHA1
5458b9cbd185e47a64e98f3218b27855d36b5145

SHA256
7d6bf1a1064f9e7dd15619a53d24f9e3310a26c9ddc662237ccc03b6393c140e

SHA512
a45f571ec8b62f3c31b09b54ec751f620ddd7db2decf4c2a0922115007af2128174fbebdeca3003dc4b7b77d530b7977ebd2fc055b68a57efdb285cdc9307378

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
64KB

MD5
fd4f44f0ea22ed5f71dacf1e45ef7c62

SHA1
18a8b7f3c182041df8aa0db4294b7c0493d455b3

SHA256
207f4644df84825472fadd9c090dabd4bb4a2c87912f928f6fc5a059aa56eb87

SHA512
e7f8dcedb1a7b7795e52ab53abd3e099b0c62a3e72aa8a7816e1cbf6a21b0324e670528db44de5ee316cc93fcc4c8b0e370e94990bc02d52a464de4b707203bb

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
64KB

MD5
821a76160d0a49072dc33b154042b1f5

SHA1
c667928d73d003ab2cd0c46228260cd7ec8f96b6

SHA256
5dd589d09f57a6bde01e5fdda17806bb9bafa5a9dd42928995fb1710ad654483

SHA512
0c54013b64cc768fa196af2545303c38982eee083203eace52d6d626b28030170d702582e941c96cadc273122e3307f3aae535306cbbb2545a3bdf98b8197a89

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
64KB

MD5
dcb0a41e885ec7f13be5af0a2785b4e8

SHA1
ec57116cedee10157bdc72fb583fc1d5948703d5

SHA256
a3b55d9fce1a6b7072168a3c5f8899b46ce01dae1add7949b29cd590c89bd86b

SHA512
6c39a2dc26a4a74efdf49085d15e32e216fee078490e484e554b33db61f4fde8f49afe96883c0d9ca74cf5f9d627679f67dc7563cd063bc62b31c336bbe5c57a

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
64KB

MD5
6531b65c7c67b93ac832596f8865676d

SHA1
ec249dff940826f6ce152ba43508d7e5406f4ae6

SHA256
f5617f8764cb808df550c7e5983dc8cc460785c0522086662b76293eb5c1b075

SHA512
36b8ea291c9a36d20abc51f68d2b133eaabe804c97b2bc995ca3f019b710145b64d50e9fd7a300546a97a16f44ee0f41dad7ec6086f8d9ca23d0b11704a96a3b

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
64KB

MD5
d183c4b173f0f6bb9e8bd8e2f827332d

SHA1
eda7d81d47266401bf7b2ab004544dd5ed09532b

SHA256
34aa4dcb930062459dd6713dd2a2a7f59ccf21d1e5ec9be144d18c8be2bb8b66

SHA512
85fb302c097be8c383f67c115f73410e14850c1c1c61290d02a671c868f1407a5de868fd4cb39e356b4e0c8604884e137fa29384c279ab3ab6e2506994bb7c7e

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
64KB

MD5
23c2c288bf82d5d893f04dfc544e547e

SHA1
8a1f3e4975004a8762d17ef4618c97b72fdb8a87

SHA256
295471f46409eb3fa8259151ee4c1835c46cf5e210b4febb036b0fa5150a5052

SHA512
51bf1d4ac2aa842098e7e187cf77d0acc5d30e579dbbaa0c21dd1a39c5b8fe6cc7ebf694197ab28d0afe16bf19be99e26d3bd2714ad7a4ae09edf0c3324164b4

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
64KB

MD5
829f0d5d631702568400b0eb71e7f995

SHA1
7e079a5e18ee7f681bb7a45a18c7ad5a01976f4b

SHA256
9a64bbb75104bd93f80c5cd453b7adc8d118219f6317887b90e121c22a0cabe9

SHA512
9f1b2521e358ab791aac8023dfab62ac34b944fd37a1ec561adf7078c32c4a4ff5e7acf9591c7547e973a148a33ec90f79b064f330849d9374641dfba498403b

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
64KB

MD5
63a123296b0ea8d038e5518754463200

SHA1
ddaee08bd8e0a9f3575c34339095fd57c5aa4229

SHA256
4ee8769626b4d7342e8a4b026de3d7eed33b09530bd42fb9f889a1666b0cdd52

SHA512
cd05d6031047e8441ef7cede5b1497a2f2a9ad4069703b9c219fc5e29662544e254d00735c018afb5d396e2ea998c53023cc6b39ade852eaf14f7da13845d7fc

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
64KB

MD5
f02a496e2532dd82c9d52e015d59a2a7

SHA1
433f8b294cb968d84af5e4097eb631beb3f8d8d9

SHA256
c0bb6d23c7c7aa50e2a35bb1465adb34731833e37479284e398c02d95958e9a2

SHA512
2f1c432ee2ff9ceb295840224a7a13510217005910dae176601b9577f1e769e39de2556f6f9392b1e6ff6f2ccf0b5c0549fa4e805b40e026a6491bd04d846d88

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
64KB

MD5
46df47973b533f525171628fb1e005fd

SHA1
85bfccdd8118edb1dbc2f42072d93331e8adf535

SHA256
8a97fe139c07596b9038ea4a7476b6b619f25f734e0e045b054c330dc326a49f

SHA512
0b53dec517b3f34baa7d5147fcd9108ded94173fe6457c855429d7a79d620785251d5b419aacac7c5021fba265a827248910bd15f07245391020bf7f2dca0621

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
64KB

MD5
e381e0d68e618236b9292fb1a8a67620

SHA1
721ea607a660e024fa5a3e08efe8ad5ae698ff0d

SHA256
ce741e9907e0b4adb660fa5fb16e82df1ce5ebf17710729bc64075d6570568c1

SHA512
ede97008456a192e5aabbad9eb4978fecca1527e394a99b8fae8d9def08a6797f68c5a4a873349eb6964b5c5358111612740c92caa21d96a79b802f9eefe7b1a

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
64KB

MD5
350e05ccdde1221bda0f3c6d65ca80b9

SHA1
f25bd2ebc0fac9434aeae05bc379aba756bf91a5

SHA256
70f99b4717eedd55ba77a58111d74f2738a2cfa6398eddfc73e5bef425a12f8d

SHA512
5e85a6602190e1a56c3379f35f9c64bce32e8e58c6e5293a30d4e7ebb20624bd8061158a60a5dd6317c41b3f33d8112431054900fff2bd263a858b5fb23cfa90

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
64KB

MD5
0fb7fae396a9cfe9b2bf68a42dffe0e4

SHA1
e00a1648bb81b8b57394675232e1c269c9ed3c10

SHA256
23588bf1a73a6ade2e15b582253dcd16833a697c19e830959bb67af4cb00bf56

SHA512
c024f3dfd5803a6e84524bedabaf93bd6023962558ac5cd285533e6a9fc5bf43af5b8f741040881156faff0059783e1f2290c70b4ba8dc3e0fcc332edb28218b

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
64KB

MD5
0f007bde5735a2f94818cac5608de121

SHA1
055660aa8c684af6a3f44f03c9e5d8d036ddfc83

SHA256
7b799ff7dd8873e181df45a1dd8a659303242f1441ef3d87c7c228a973636182

SHA512
55110a0e795a2059f8bfc400008970c72524b500c7fed5a1bc87586a98ae9d1df2d6b9a539064fc0abe9b757a8af9b4c795e683229d2b7dc83e5ca9058b97906

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
64KB

MD5
7699afd2d130176e5172d34847489fda

SHA1
279500fc768b737a2717d6fdde84a0dbeb3a1cb7

SHA256
1f2397054723111ada7a2ad6719c004fa482aabb14bc30eb2e7a0402dde0c7aa

SHA512
df3176e8a2b940b0ab8784c0828510cbb4f34cc7d7be801437a413328bad5ec6d61909ce6d73a62bedbdedc36e8b2b3c1a1892a53e1008438e0058e35c7567bb

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
64KB

MD5
15149dd21d0b270a306e55d43dd322aa

SHA1
8ba47d340267d72d5e4b88c4929de5decab2f301

SHA256
89a18841acd1ff17ebec82fce905c30a91f74bda2fcfae78fca55d5111b54522

SHA512
d7aee90f5a7af2206efd64b1b8d4becd04d6ab597c5ac47aef37b5c427a1cd3e3356a7fc94e017d29e888b1f126a3e03ef9d051f328acd8a906ce971909e10ac

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
64KB

MD5
7904f92759541f4dcc6380f4242335bc

SHA1
0b39a8aedb087b723714d67340a06788867b3254

SHA256
6080a4643f75bead9106bf30cab0f03372cc1c027f27cc8d0c6073c97d2e445f

SHA512
61d2b02bdfe632cb053a3f5c62dabe68760a5453ada803f6f26d1d692b8388f1951df9ad9938ef16f7f7860edfc8c60964d89b184ca60ca6a70f4e82c1413e90

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
64KB

MD5
c671d0411940a31b1d6b2143ad7c089b

SHA1
c3cc99cc737484eec3994f41c09d0144a275908b

SHA256
b2c893b6540c16a7ae784f95022462d88dfa135a1ffa103f8377a2640aefe01e

SHA512
88ccb5d0a70e62888cd44f881df3d8641aea4b1dd861b5eb3fb4e84f9796d11f4e28faf128aa34ff8b5514793e495d08e1034fd7430ff8fa319c57cdc1a0d5c9

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
64KB

MD5
3ff89af5503baccc22cd6df1ddcc380e

SHA1
c4b613ac35f57dcd423fec67010d675d1408deea

SHA256
b677a81a5cb1504f2ea7b573b854d52ef2b1b4b5af92a300ef22151c0385492e

SHA512
18017d5245011a98ba8528e1fb3dbbb138d29b9751d073836474ced9b4a389d4aca9f1cb4bf92224a300780e23ac1db9d380e7bbe47ddbdd2f50e388ed2f9f08

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
64KB

MD5
c6d57744514e49755665f4ce811eb745

SHA1
8256e53850bcbdabbaca708501387455bc0496d3

SHA256
f922d885665767100b991895b51327f779abd203329ad2d7cfd2ab636252fa84

SHA512
4270b3c3813647c5a3f247eb993ddda0a115169ec49bb0d0d2248a40e3733440359e441095ebd3c7f7bceba028fdb7b921dc846115cac79b3e119efa5a4c4af4

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
64KB

MD5
b7f41d316e42a14597661c9cf368971f

SHA1
5b0d4beea4974f080f68dcb1bb29be124065be73

SHA256
148be6414efb92992b259c554aa9dfd3f8f1be6a39e8cb2031de3e03430e0b4d

SHA512
8ff37f68977454ade7ae80d5b4761794bbb125001460353a972a226d3e2fd89fbb9cbbf658d4c050e498d0a4a17b7da71cd6b0f6b020487952db2ee3db6a11f5

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
64KB

MD5
fdd2b84074c7fba7e8cea82542bef5ca

SHA1
d5c27074b435c8aa3a7a9785039e48de43e695db

SHA256
ad2fb2973c111549cb9c1970cfc37c3a3ce5256820760eccb8e43582c07c2d2a

SHA512
499d68d346db31f3212f8d0c91d81b6900a5ac36b1ed37357c6ffeb6e94de04d606abd9da0131ace4635f04c3cf295c42d6633c0e3b1042c49f78a5f8b98a961

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
64KB

MD5
583e43085a771566b3aef4e03f949a11

SHA1
1211372cf03a5e6f5572c43f25fd8a67e25a10b1

SHA256
ce48cf402cd0e3a9dd9fd8f0b516c6b344d31b99c3e95ec2e42556cb199583a2

SHA512
b2735b6301e045f2167062e214b3a4951d0f7c663cadcdf8c55eb55e325c654dd25aa03aaa91fa4893ae98918f9ded91eb1512a9ccd11ceb76310008b62c3cb7

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
64KB

MD5
3729b06c16a340f41f73ac0cbbba6c21

SHA1
63d332d47b7242a4e5c7cee67698348338af21be

SHA256
6df5f49c251cfeafb494406790c8cbd5f73b34f004b6e57c8568ad168556d42b

SHA512
6dd7fc1c435e59fb2bde48776a6632b98221e7e636af062679113a5c0f625252782e04fb3386315f845661bd3c2eeb52f1d7477cba2544eb1a4e4e1f5714df01

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
64KB

MD5
24455b202ffce349cd092121ec789fff

SHA1
e6f1d7415144001ce16ae707d8726b9f10cdb544

SHA256
e3b7afbae8cc6637d0681e288be2455e0bbdb6fcf94d8ed4614d62ecb290cb0e

SHA512
56da2659ef0df1eef905b259c28eeef3037fb1636b48d4af08862128b46d5c8f5d96323edf287e19fcd1be603e29e9dfacff1a981d41b64ce8d194a0fa7e67cd

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
64KB

MD5
db4a07cf0c311cc5be66345d86edb63f

SHA1
659bdaf7052a9d50a40ab2cc9fc363286c60b781

SHA256
823fda3810cddc15fd540e28d205e0b3ed2816632c3a5122d88c1672696f0f92

SHA512
ca85ab5ae702919b7ef8e046f2038d795aa2df9857b31c9dc721ee35670e9c58d235f1da963baa58130b4072297b24437c5288e183dc6018b8b65a1324780e52

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
64KB

MD5
f50541c0c334b3c6b22b3674fe42d85f

SHA1
444bd215b6213e8758c5b3051c59930d8cdd4578

SHA256
59997f73d3d3af3e8c742d879ff8e74c1ab6d794db6e75954ba2876fb532ac8b

SHA512
1a0f7c877c2291ca194ce84c205e65e8e69b01207e6bea159a0f9ddbea6da1666211501c7da95a5a8b5db2929003d90caaff4ce38a8d4a9a94931089dbd64462

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
64KB

MD5
f1bcebacbb9406c6d280409b84042c60

SHA1
69adfb40b2cbcc657ca2029ac8340aa262acefbf

SHA256
cfef31b5d2154b3577a25cb01b1f3d927523f2598fda484e4e1264baaccfe687

SHA512
fe5c7ccd93341e420641def68f3a95e966ea39998788f295fa5b784e8cf7ad1651b7e7b6d3b7ae450d30afb706d9372863ad96cf9299ac8bfce8ea804a848ff3

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
64KB

MD5
db784de5fc8301efc28819b0a1ea3a66

SHA1
7f20df742685fc21ac09bb2e0fc474563f95b408

SHA256
e3a179bc56cde84b4297c6f7c56c562d0e7bd02f6d7b70f27d3a54796f1b2752

SHA512
afc5492354eba90b835930f77231c26160dd3bce8f6405e73b95cdb3b23d2ec54a3d3a31587b06722e5e28035b0a46588972fb24c436fdb0d185b91b9ae0cc07

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
64KB

MD5
2879d5c879df6c79264426a626360294

SHA1
7ad1e2922401971249a54d710ac4f1eef4e9c361

SHA256
a75c343fac4cfaf856ea0250684242077a9c8257f8cd597a017d2f55af7eac0c

SHA512
a52ccd7a1a516d0d20bb9164086f8c65beae3d83d0d4d39a989f446d74c1f8e14eb86f26afc12cf66097ad8d9500ac6517f06409ec835e0fcd185ec2e31a12d8

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
64KB

MD5
1bc49ed42943b9e3279e89f19f4c58a3

SHA1
852e2d247b86c99bf259edc5ca25078fe03e09d7

SHA256
dbb343faa5e5e88c0c8adccd061e42d37255de9a1a75935037fbddcf54c8a629

SHA512
e985dd53640a1f22bba9ccf94f412dade7355b6b2be82ea68f8e7daedae791e7fb9fdfc54f01e107b7c802fd72e94dde322d26d07a2cd99349723017bf8222a5

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
64KB

MD5
0fac2165bbe95a0801dccc24ecf64a89

SHA1
c0123cb22c23450ad8573c7d66478ead766cac1c

SHA256
3025c38018011d9e173c5d5ea1ef172a43535708410c30de864319a26123967d

SHA512
06020c94d766122dafd1b923b564caa0cf9bf54ff2b50de250909f0f003a20d842c109a10cf761f7b0d04fb64c0c2e91f1152ff742293a7648b55f051a77c169

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
64KB

MD5
ba0d28e84a36a8c5519f96c3aea3dc48

SHA1
bda41bf45fcb504adfa1a94a5a3b31bc2bcbd3f2

SHA256
80f955d88db964fd7e44a0ea4de7a8d05bbdc86150b9c920171e900129d05681

SHA512
d642053ce455796df13a35253981136c29ce1ce15975a8ae4db65854dd5f229747c52de75dcd7b3bbbceca5798cbe592b7dccc958353b70ff302353ae7664e0f

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
64KB

MD5
d68f425c739168daf9edc70bd6514b0b

SHA1
94dd042ed54eae012ac32d8a36b5c08f476bd414

SHA256
81af0c27c575c777390332246c14a3352cfa9f9c0c9d14a395500400819f3442

SHA512
5062a59a06b3a0d771c346e7256374c2790f1497d39718979af2dad26c6a37ea36634ffe6eddec91162d7e4f12f469a6c79101d2f6025ee9329d56f66f76cb1e

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
64KB

MD5
1d17b2dc94947ed5c7224018a00be18f

SHA1
0fc1bb8f643ba51aae5543585f5a0275ea50b51e

SHA256
b7758ccf93e99c2e25a0262311631358aa4838b43afa9b4e8ed8cbe254501a2f

SHA512
0aa10f1deb09e282f3033d7e77a47f5278fdc3704b334f1fb0f6007f7ae002ffeea040324b193419861218442c6ede719f0c1fe61061a3791c1a6888ddb9b68f

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
64KB

MD5
f5124c81eaf559cbdacd946e797766c2

SHA1
d23c86be13fcff862c30b563cf63c78368c38101

SHA256
0d2d2a955fafbb92588068784a48509ff314e417ab4591cd45945a6d4de29a6e

SHA512
59273578651e4795872c5f44df94d043bb29d082aa7d11224e0fe8c75881425e525fba351a7325355ee50c3cf2bb11f850dad5e9c37e2b811d1ad77cb4dd705f

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
64KB

MD5
fff911ef2b3c011c19246656a643e798

SHA1
23d1bc3743d633b656fcfd77f882764eaad2e6e2

SHA256
a869b73667d3e552ed8854cc13c02caedc17eb411fe8c9ca0d17116504132020

SHA512
c2bf963f118b2e98376dadcc05d6fe6464e9d13543d2591ec156a0cdae733261a5672359c430a40f4a57333d325e51523f5ba670dc3fb7b2510eeab9de689e44

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
64KB

MD5
ed61b859311976bbace20c53f8e1d8cd

SHA1
5f03b698e40d4dc30bac769dcb6e410c73368614

SHA256
80d35689bb18b07b5abea72e173298ac77beb12924f2e6b014380d2dc674f771

SHA512
b2f02070b8e678f859e5a6894a646075d2124d8f54104d9a3a7f6379a69b05491a1f715e23a83e7a3272a2a2ac17d68d50d0ab2c6b6be3506e0c58a8922c2f7d

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
64KB

MD5
5ae0f93bea6c5229878f33b3c7b52f1f

SHA1
dfeed6213016b55dd4fcf153e535782c11ca8adf

SHA256
dd166f58b71921b1171bca84f997babb25dfb10bba58a6ac26f033fcc5f4bc40

SHA512
20c34150b19197cdc18a0234c5ecf24b5726b4610c881d25f28f253b8c852b2a621a9f86cb26e8e5294a6052e8900dc5d0ccf8bf1b834dcf1388790e03b32e7b

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
64KB

MD5
f364a3aa79bc1baf4f62ec485884706f

SHA1
64d7f6718bb4d42276e963049040193c4483484e

SHA256
ebe53b3ecc40ebd3fd0d3e8f0b778ce8128897ab4d4f60723a2622a878dc89ce

SHA512
39a609b1b8592c6ce6798b9107179df03bc93f0d52fa14c0111418b137fb55363fb8af0d5dff2ab5266dc2d2bd5b1abbc3e1826ab9a19b3a04f531202ac2f7f7

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
64KB

MD5
1a012fe5fde1476a54bb0a99df0bc0f1

SHA1
48a5c8bba10fad57f64f1a66a79a1fad303a7943

SHA256
ba580a0a72316e8dfcb3495a374acad0e11912960bdddfcc00259cf1f3424b40

SHA512
c004878bf6f2545715717c295992231d6d475eae55c4aa7bfe8f6744a63d0ca7e87939da874be271a4742ec5fc54b8af824e2a4cc63ec6050d0d3f7cb2a562b0

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
64KB

MD5
f38e9d71c7755ffab62ae0939931c8ce

SHA1
2f3421ecd2a33d99c339d39d2bc4b5e8cdff6acc

SHA256
42bc0a108c66c4b3ef2ed3f991b37e9c260f76dbe1fe0c494438fb0c2fed4442

SHA512
1a8cc7f0ca7bc1c108250bb8f6090bd82343bb42afdf5bf42b1fb36e71f85f33a3ca8eec33537a1f321344263bf05b392e3067629bd5d67108b414f93e65f066

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
64KB

MD5
ddaf2ad9759f0735b296c8f873a84beb

SHA1
b39bb29b443fc1af3f2c4085c3689fb359f54534

SHA256
82b5a8237f112ac35117c26bd3a0645ad35d3050369dfb04dbd5a1f6d756048c

SHA512
181f952994a320a717ab9a122f2fe602edd44bebc40d6b215791e10f929feb337e7b2e3a3b706da5669d979148624600beb24ee480283172985535e578457a36

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
64KB

MD5
38737e885aa3ef333b17ec82bf67137a

SHA1
2f15540b408a59955f32828666a944f0cbe678d6

SHA256
42a25ddf3b55c4d0f81eaee7dab08124c2c7d020b390120bb4374fa5d9f6bbd9

SHA512
d4302ea5922d258806d5287a9e64ddf7698112cd9e48ab287e64cf14d7ab9d765624026043a3c613949cbb171a0163ac9ab2629e371b8558fe0903aa6cb39694

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
64KB

MD5
96bb00e127b57a33774c767bf4c212c5

SHA1
61ffd67a539213be0e8d298bf9d1c0e39413ee6a

SHA256
a2246d8c4cc351dbf77122ac6862c039d7451de33d5cc073b1a0e1f7cda19f15

SHA512
e5f4c14e07cfcb573d57762da012051aaa33f671b00748946cf42be83c0b78a11a2f7b1e186b8f5f099028a82d7443447d059c98ae6b643aa5497162ec7d467b

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
64KB

MD5
c368ad0a1f1a9a00565df1c288d9836c

SHA1
3e659e10f029cb345f0c86ce161154aab10a18f0

SHA256
999c9e76a6c4e869fdd8662227ac12e18b6006d78fb2c995c2964506d8d39ef6

SHA512
e93f6cf61c543105eae949c930dd389fd6ff64be3336060d30fe15f8fc8170d022785b1b91bf33a29f5a8d1e7fc44deab5a04779569aa9bcfad50fbff0f9fd00

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
64KB

MD5
8a9ade4f5841d06cde4f3744378add42

SHA1
c6fb89799ef4388df1e4cea5404d8372ce1e1476

SHA256
8c7e2ee5164bdaab5df3ce91098c66ff2ee0d71c5d165540b1310fe510c66426

SHA512
1c8f11b0029683b2a50743647ee319a07815bfe6561bf624416cb963748930a845de74e47085ccf6fc54a72cf4fac7c15ebf57d5101a557b21f384ddcabf6e74

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
64KB

MD5
4c30fc4a5b9861e26f592d64b65d6d51

SHA1
746ae94028825ac464c5bda9e8f111b8496d1566

SHA256
6d97061a995c459ed68b4f60998de21af1ac0f5dbb6c35892fd1af551dd6d6a4

SHA512
2e090d46c193f3a73b3e9ca06257b07e9ca12fbb2c89f9927754c286a6575162284d43d794e875e565b3f5c479a426ba4ac96eca4e18b307eace6035e2501515

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
64KB

MD5
8100d226a958470e7310ebfafeebdc90

SHA1
c1e8e3c25122e487623a65f5370e03c5e1b80122

SHA256
41e673821897b4692f86297c791a91b209eee03f6ef82823ef6807136b719198

SHA512
74315cd39208810efc7e746f4749acb1e5ff7164c2eed0be674deb9ecccff02c0b557a78655901198030e6a499f87c870498f156b2cda3991c8161f96496c963

Download Submit
memory/60-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/348-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/664-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/712-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/824-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/884-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/916-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/956-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/976-567-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1048-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1052-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1128-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1156-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1156-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1264-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1428-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1548-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1600-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-574-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1912-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2096-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2096-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2248-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2288-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-842-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2880-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2944-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3128-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3136-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3164-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3180-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3284-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3284-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3292-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3360-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3460-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3496-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3508-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3508-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3576-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3580-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3716-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3732-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3748-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3772-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3920-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3960-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3976-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3976-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3988-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4092-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4116-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4156-588-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4224-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4332-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4380-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4412-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4424-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4532-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4628-581-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4672-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4700-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4704-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4812-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4868-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4916-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5004-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5028-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5040-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5040-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5092-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads