berbew | 9cfc9970d6551bc0bf81fd7efa762d767a2d9d5e0776cd4d1d0d5174867596d5

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cfc9970d6551bc0bf81fd7efa762d767a2d9d5e0776cd4d1d0d5174867596d5.exe
Size

55KB
MD5

663a3f0a1abbd95b795fdd31042a5bc4
SHA1

eef59fdae7634c77780b14b5616b73f087815ed9
SHA256

9cfc9970d6551bc0bf81fd7efa762d767a2d9d5e0776cd4d1d0d5174867596d5
SHA512

c81c047f5ecdd3cd112c1bf5ed0b2b0361c9c825d28f762e387fd0acdc5f1e7da0eacb2d8fc2b51f745c8acdb1bb7855934ac418acd38ec7ff9f7960b051680b
SSDEEP

1536:wAiX6gjjUXY2Q3GhCymetuLyNSoNSd0A3shxD6:w4iiK3wwLyNXNW0A8hh

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2248	Mdehlk32.exe
2392	Mibpda32.exe
3260	Mlampmdo.exe
4072	Mdhdajea.exe
1144	Miemjaci.exe
2364	Mlcifmbl.exe
1972	Mdjagjco.exe
3620	Melnob32.exe
4592	Migjoaaf.exe
4668	Mlefklpj.exe
1792	Mcpnhfhf.exe
4704	Miifeq32.exe
3068	Mlhbal32.exe
3076	Ndokbi32.exe
4824	Ngmgne32.exe
4548	Nngokoej.exe
4804	Ndaggimg.exe
740	Ngpccdlj.exe
436	Njnpppkn.exe
2428	Nphhmj32.exe
512	Ncfdie32.exe
4792	Njqmepik.exe
2908	Nloiakho.exe
1904	Ndfqbhia.exe
3020	Ncianepl.exe
4700	Nfgmjqop.exe
736	Njciko32.exe
1464	Npmagine.exe
2688	Nckndeni.exe
1876	Olcbmj32.exe
3980	Oflgep32.exe
1208	Olfobjbg.exe
4380	Ocpgod32.exe
2880	Oneklm32.exe
3532	Odocigqg.exe
4316	Ofqpqo32.exe
1520	Oqfdnhfk.exe
2308	Ogpmjb32.exe
1680	Onjegled.exe
1804	Ogbipa32.exe
5008	Pnlaml32.exe
1572	Pfhfan32.exe
4808	Pjcbbmif.exe
3724	Pclgkb32.exe
4880	Pnakhkol.exe
1532	Pcncpbmd.exe
1080	Pjhlml32.exe
900	Pdmpje32.exe
2360	Pfolbmje.exe
3832	Pnfdcjkg.exe
2720	Pdpmpdbd.exe
4920	Pcbmka32.exe
5044	Qnhahj32.exe
3632	Qceiaa32.exe
3956	Qjoankoi.exe
3796	Qnjnnj32.exe
4128	Qddfkd32.exe
3428	Qgcbgo32.exe
4428	Anmjcieo.exe
4376	Aqkgpedc.exe
3872	Acjclpcf.exe
772	Anogiicl.exe
4448	Aeiofcji.exe
1264	Afjlnk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Njqmepik.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Gijlad32.dll	Mibpda32.exe
File created	C:\Windows\SysWOW64\Aihbcp32.dll	Mlampmdo.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Mibpda32.exe	Mdehlk32.exe
File opened for modification	C:\Windows\SysWOW64\Mdjagjco.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Lplhdc32.dll	Melnob32.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Mlhbal32.exe	Miifeq32.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Mlampmdo.exe	Mibpda32.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Blleba32.dll	9cfc9970d6551bc0bf81fd7efa762d767a2d9d5e0776cd4d1d0d5174867596d5.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Oflgep32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5996	5856	WerFault.exe	202

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9cfc9970d6551bc0bf81fd7efa762d767a2d9d5e0776cd4d1d0d5174867596d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleba32.dll"	9cfc9970d6551bc0bf81fd7efa762d767a2d9d5e0776cd4d1d0d5174867596d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njqmepik.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 2248	3352	9cfc9970d6551bc0bf81fd7efa762d767a2d9d5e0776cd4d1d0d5174867596d5.exe	83
PID 3352 wrote to memory of 2248	3352	9cfc9970d6551bc0bf81fd7efa762d767a2d9d5e0776cd4d1d0d5174867596d5.exe	83
PID 3352 wrote to memory of 2248	3352	9cfc9970d6551bc0bf81fd7efa762d767a2d9d5e0776cd4d1d0d5174867596d5.exe	83
PID 2248 wrote to memory of 2392	2248	Mdehlk32.exe	84
PID 2248 wrote to memory of 2392	2248	Mdehlk32.exe	84
PID 2248 wrote to memory of 2392	2248	Mdehlk32.exe	84
PID 2392 wrote to memory of 3260	2392	Mibpda32.exe	85
PID 2392 wrote to memory of 3260	2392	Mibpda32.exe	85
PID 2392 wrote to memory of 3260	2392	Mibpda32.exe	85
PID 3260 wrote to memory of 4072	3260	Mlampmdo.exe	86
PID 3260 wrote to memory of 4072	3260	Mlampmdo.exe	86
PID 3260 wrote to memory of 4072	3260	Mlampmdo.exe	86
PID 4072 wrote to memory of 1144	4072	Mdhdajea.exe	87
PID 4072 wrote to memory of 1144	4072	Mdhdajea.exe	87
PID 4072 wrote to memory of 1144	4072	Mdhdajea.exe	87
PID 1144 wrote to memory of 2364	1144	Miemjaci.exe	88
PID 1144 wrote to memory of 2364	1144	Miemjaci.exe	88
PID 1144 wrote to memory of 2364	1144	Miemjaci.exe	88
PID 2364 wrote to memory of 1972	2364	Mlcifmbl.exe	89
PID 2364 wrote to memory of 1972	2364	Mlcifmbl.exe	89
PID 2364 wrote to memory of 1972	2364	Mlcifmbl.exe	89
PID 1972 wrote to memory of 3620	1972	Mdjagjco.exe	90
PID 1972 wrote to memory of 3620	1972	Mdjagjco.exe	90
PID 1972 wrote to memory of 3620	1972	Mdjagjco.exe	90
PID 3620 wrote to memory of 4592	3620	Melnob32.exe	91
PID 3620 wrote to memory of 4592	3620	Melnob32.exe	91
PID 3620 wrote to memory of 4592	3620	Melnob32.exe	91
PID 4592 wrote to memory of 4668	4592	Migjoaaf.exe	92
PID 4592 wrote to memory of 4668	4592	Migjoaaf.exe	92
PID 4592 wrote to memory of 4668	4592	Migjoaaf.exe	92
PID 4668 wrote to memory of 1792	4668	Mlefklpj.exe	93
PID 4668 wrote to memory of 1792	4668	Mlefklpj.exe	93
PID 4668 wrote to memory of 1792	4668	Mlefklpj.exe	93
PID 1792 wrote to memory of 4704	1792	Mcpnhfhf.exe	94
PID 1792 wrote to memory of 4704	1792	Mcpnhfhf.exe	94
PID 1792 wrote to memory of 4704	1792	Mcpnhfhf.exe	94
PID 4704 wrote to memory of 3068	4704	Miifeq32.exe	95
PID 4704 wrote to memory of 3068	4704	Miifeq32.exe	95
PID 4704 wrote to memory of 3068	4704	Miifeq32.exe	95
PID 3068 wrote to memory of 3076	3068	Mlhbal32.exe	96
PID 3068 wrote to memory of 3076	3068	Mlhbal32.exe	96
PID 3068 wrote to memory of 3076	3068	Mlhbal32.exe	96
PID 3076 wrote to memory of 4824	3076	Ndokbi32.exe	97
PID 3076 wrote to memory of 4824	3076	Ndokbi32.exe	97
PID 3076 wrote to memory of 4824	3076	Ndokbi32.exe	97
PID 4824 wrote to memory of 4548	4824	Ngmgne32.exe	98
PID 4824 wrote to memory of 4548	4824	Ngmgne32.exe	98
PID 4824 wrote to memory of 4548	4824	Ngmgne32.exe	98
PID 4548 wrote to memory of 4804	4548	Nngokoej.exe	99
PID 4548 wrote to memory of 4804	4548	Nngokoej.exe	99
PID 4548 wrote to memory of 4804	4548	Nngokoej.exe	99
PID 4804 wrote to memory of 740	4804	Ndaggimg.exe	100
PID 4804 wrote to memory of 740	4804	Ndaggimg.exe	100
PID 4804 wrote to memory of 740	4804	Ndaggimg.exe	100
PID 740 wrote to memory of 436	740	Ngpccdlj.exe	101
PID 740 wrote to memory of 436	740	Ngpccdlj.exe	101
PID 740 wrote to memory of 436	740	Ngpccdlj.exe	101
PID 436 wrote to memory of 2428	436	Njnpppkn.exe	102
PID 436 wrote to memory of 2428	436	Njnpppkn.exe	102
PID 436 wrote to memory of 2428	436	Njnpppkn.exe	102
PID 2428 wrote to memory of 512	2428	Nphhmj32.exe	103
PID 2428 wrote to memory of 512	2428	Nphhmj32.exe	103
PID 2428 wrote to memory of 512	2428	Nphhmj32.exe	103
PID 512 wrote to memory of 4792	512	Ncfdie32.exe	104

C:\Users\Admin\AppData\Local\Temp\9cfc9970d6551bc0bf81fd7efa762d767a2d9d5e0776cd4d1d0d5174867596d5.exe
"C:\Users\Admin\AppData\Local\Temp\9cfc9970d6551bc0bf81fd7efa762d767a2d9d5e0776cd4d1d0d5174867596d5.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\SysWOW64\Mdehlk32.exe
  C:\Windows\system32\Mdehlk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\Mibpda32.exe
    C:\Windows\system32\Mibpda32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\Mlampmdo.exe
      C:\Windows\system32\Mlampmdo.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3260
    - - C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4072
      - C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        25⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4316
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        41⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        48⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        67⤵
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2228
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        89⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        91⤵
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        93⤵
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4596
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        101⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        102⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        108⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        109⤵
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        111⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        114⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        117⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5724
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        119⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 396
        122⤵
        Program crash
        
        PID:5996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5856 -ip 5856
1⤵
PID:5924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
55KB

MD5
fb19adeb6ac1998d4b60c40325fbe8ea

SHA1
00fe718b90aa9f6bbbaf4935baadac9695db43f9

SHA256
a111b7ab91f58e13321b255bc6325409de60e0784d0251bdbc079d9b23341219

SHA512
1989612cab793b72be6cba65271198661ae0f324e9f9eff0a9c3a572a20f10bb981226112fc9ee576a98d22d36a0938b2a850c7ee06c871ab8b7459c6ed5ad3b

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
55KB

MD5
2505213380c24dcd20367a6773bda52a

SHA1
d45561877889a9485ce4c6e632f8bb74bb3fecdd

SHA256
ab277225501cc980b3e2dadc0b126f66067b6572a14e6a67f4fe2234dc153e73

SHA512
fb6eb865bb1e44463b8b590de59bb468d206da31b8b108633ab941089c0cd99d4da6449ebe7bd1b0381b3a9a2a96c55fee0354bc8e9a9a1b92ff35a26ba4fd92

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
55KB

MD5
d50bac608a666fe22e626c3feb365c9b

SHA1
3eb88fc35d5a8fafc9e4f8a0679c8954edb54ca1

SHA256
a67242d9dc59d28d882a1802410ffcce4326160ed3f0430d52811e5f9dd1b642

SHA512
f1a43dd0817fab5d76d110992ddf8a82e79da23cc6b0d751f749ecf326c69403ebe8c5496aabdc6675aa35c4c69e55c5a4256e7ba2e28539c73cbd5ac61cd098

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
55KB

MD5
d61d35fb78c1171b26ce0e9255cc7e2c

SHA1
cd03b9d8633b32ca07e85354de31ee165f830906

SHA256
169cb11b3532e6697c217689794042e947fac34dfc74f87e940b0bda8edbe9d1

SHA512
a1168a6c90356b04918653b46be360802ac1ec5b7f15dc68ec5ff07412e1f3867c241fa88372f40c6df1f6802df495333529d02b4f812ec9bad325090ef50daa

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
55KB

MD5
3473b4d21d0dc9a70de0ba86fe39c5e4

SHA1
761e5d1595dc744332ec1e512da43e31c5ca6e6f

SHA256
df16bcac5b92339fc8aebf541ca16722b5edf04fea37c759f83000bcacafbc04

SHA512
0c66c14ce7f47c1e22726265393e8bec4a64958d5de6057c620d8a04b6994a2e29a7ff070b3d97182d8abb405bd1799ba94e9efdc1720c4f41807f13cdf55e2d

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
55KB

MD5
a9ec5fe1b6fea1684808cc8f08ed9b71

SHA1
a658b6389cb0eb6184823f5778843658d78e50ad

SHA256
e824325007347d7d817b55630fcb9ebbb75c3b618d69db47fb05d78dc8f3840e

SHA512
feb927d22432db4f906f0cbd30a2cea0992034a3171ef7502412b121d7438f5a44f70c2897bd42a774705bf45fd91aef6aac3f7fadedda6cfc962963cfcfce9a

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
55KB

MD5
9f0dbf433ca0ad4d58bf0d0c3450aeaf

SHA1
d3a791f0208d8a8280f62f802011f0e175cefa40

SHA256
122af8928e1df38cea0bb62854a27c53d8d91d8c49265b4f522cdcbd25c4dd53

SHA512
ac0a6a5a5f4b95ba4615b8b44b1e3d3d52e8c9189409e3a5910c28c0c254debb25b689c27b8be2e157d9e11f485727df4da75e7c914d8a8856d3b78b3d81281e

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
55KB

MD5
0bc9d3acc27ca004d615899db948cfd5

SHA1
fa35a52c4a80895539601f507c97d395d36e2f27

SHA256
5a4de9974d3d3490129b71d05a4bd2a29c9590b7ad1d1d5b0218bece410167fa

SHA512
a4e5da0c6584f3477f83e719472bd379f3cf725ca151adc33b8ae0efac024393eaa70e3e028facb5ed3de1c3387ff2814cbbeccf82d84e458fbabe4f3daf7476

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
55KB

MD5
28fd1ddb4eff12abf0988e5c3f6ec09c

SHA1
91ac7fbb500c62ccb1563f80559d657633ad0b1e

SHA256
0165bcfd0c1ad2b71f6d1110587363511544dd5f5097c2f5f0acee61ccb7187c

SHA512
a1a4b50c045f1ba98f178378ce44e0cd8a844a07b9e426ca8d6066883b7da64c97e2f5002b43edd9a6bcb6cb4517b1c2548a5dee259a1abe875fdbf2ca2ed421

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
55KB

MD5
4fb8a095e42644a753463e7a1dde5e64

SHA1
b57352c8e5ab9895780d003f176818d46ce42150

SHA256
e785bad6523beaaee5fdde301828b873cd901533cd21bcc227cf4222c5aba5e8

SHA512
c722f48b37552ad0ff3e0303795742a5d61564232eb2d321f32cd95120aa892961eba5dbaa499445da1457f112865d37565ce1c3c764d04b09e00efd93f3eb2b

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
55KB

MD5
2e2ff4699e583d183c3b05c91134b475

SHA1
b6e616a5cbb8403467b4761b5c97f4bd67fedecb

SHA256
cab4e125721560b52b33f70bc020b5395b3d5f883b54d23c7de7f92faca4c894

SHA512
14f093b11391017f1c052230468935a47b7ba4f9e48ebe72191b16fbe71f82683f33356e7c447262192ac23096163ab5e0d9267467a60d5824adae85916190dc

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
55KB

MD5
d36366dff62c6253c33b20bc19cb1b03

SHA1
89c89a84f1be726ed160dce7b7119736e337996b

SHA256
ed08ba3c8b134c53db5b7b8010463dddce5a388086b7eae0746aff61d99caf48

SHA512
f7ec0457867ef03b85733a79c69b88d80e93dbba94ca29c976802d7ac81286a09ab4765b90d6887126e1c2f725164b9beb99326a3707177490b55f6b58b74c52

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
55KB

MD5
eda4a28f746e7372ad1321dd4331196a

SHA1
3278d5e3179702c5b9dfc034a579327c6f6ab8a1

SHA256
09acefb7f956c09c65b7590cba0af99b222bc22e87e6ab7dea0ef280aff2f010

SHA512
0c493f6a296dde2b0e85385bae228422c1efe570626c9165f9d2229f8adad1805eeba8eff4b8cec3a32f0f8aa514776ecd3cd92ce39968df88eb5bbeb7651967

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
55KB

MD5
e840b70cc9c7b96260c830bf58f23ce1

SHA1
f25fa52cb5842cdf0a62d8f305dc6bbefb24d83b

SHA256
a577a4ab87a70481d10bd446ec4bc6c7d15ee8df785e2a1e43a99a07f21a12bc

SHA512
3ea264060b027a0961890ee27e1bae3ee7b727b271c3dc5dc6d6e386527cad121755a4953e028313addee70350865fd574aa8e8e2b33f2fb7fe13b01fb4470e6

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
55KB

MD5
6341d5976975541eb820c3023ba9d21c

SHA1
6c7983e86017f2377e475507bbb6d77d09d6d068

SHA256
04f666f8d13f689199814b196248536190c598199182185bc18622bfbf972c7b

SHA512
cc8218bfc8502a88bdc790c82d3e0cf43fceb7967879a1b8e82a916c003016865913be4f87d84c97ceddded144a6527ec2b767b7164079cdf2e2d0507d074716

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
55KB

MD5
6666ac6518cb6100e67a6ad718f3fe33

SHA1
6dd705b04caac5e5074265b1790ee53812db8db2

SHA256
9290096b1c6b4ec25f4b33f9481896fdb2475f48560406eb526cc66b0086f366

SHA512
09b54e0965bc61867a08975b04cc1e7a3c59bf9174c94fd88ebe924c4110b2cb2937dbc70b31c5523f762d6e95932472714580df6ba83df333f5e7f3c73d3a2f

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
55KB

MD5
530672833cc43591e5b68bacfb946a1b

SHA1
14249494558cf756f2f6cfe9651fc46e943e8a88

SHA256
9bb6815564bae2931b9bb15f6cedb99f8fb93eafcbe3874ef73717a14cf8720f

SHA512
f77eeabd2be7b015b0a2792f7ae0ee4550972509886258176bc2dabb39ad1a0e808755a16a40a9853575e9a154ef6f85f3bd6dd106b3265602158087da84a81b

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
55KB

MD5
5bb9f27a4529518d7d4d5fde5bc46a06

SHA1
9ae524510c17b9603726e91df9baf07193ab78c8

SHA256
29e215396d33bf81c1a92e544fae3fed95870f1fa9c12d740d8cfe4a3f6d2500

SHA512
e384812b0ed1b45f7dbff0ed78ee0622f2a9c9f0a308982a4dd044bc42085a71c739596b4fef892c44ef1f652ea2ac79568aaf16aa332efac4481b95004179a6

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
55KB

MD5
60a6795e431b41cea8969a4793bd6eb5

SHA1
7e36787e5c0e30b94c90c367f3e3236d8d539dc3

SHA256
87d1457fed37b90c83c017a5b6d3f4cca5a888ed0d43b8ebb5bf5ac4bad101c8

SHA512
fb16d8b848e77ab6c80825d66c0f6183b0302c96ee7169e4d7772fbdcbe0a0c6be55b61a4ddfcc9eb5151731bf7c6dc0915d3363fe968deba6c0e0b6e51737da

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
55KB

MD5
1c1c6a39f5de05017b94d1f18ab7487d

SHA1
205c3fb1d124d9e14703ca39a541da36b977374b

SHA256
a76476c4251d9db625d4aad002d7a2693c08c570bd80468d4e1400177bcabf90

SHA512
aa02a012433230227319fbbb787f7fdef632d028f19ee9bd38daf4d48e70cd209e1f2156d12515a61247fb3a1749acbdbacb894522e00041afc6609a639740cb

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
55KB

MD5
4a59b6843827f1ce0d8b26fe156c72e1

SHA1
ddabdc880d5ffa94118dfd9a63b4ae1ab6726ba7

SHA256
6024df41724b0023c93006c45873f680170285b59f1bba9362028acfefbafe57

SHA512
eea15a4f9abc42717ab50495df88c2bb3b63ee824bbe26bd3dc56bfa67105702e64aa71b7d8427004bf611496e2b46c61a686c539220e7a6953fdbdb9a276896

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
55KB

MD5
fb98332559f92e96397d44fe3421bd60

SHA1
739bc4a902ceabf5e4c5e09b935c0ba85eaace11

SHA256
10fa78aa3fa772572dbb1fce57377cf1b1ebcc4968cd4272c5e30446e4e18d03

SHA512
856641bca7660d31154b5da2aa68bd7b5e0e752f764b4dc0a0928f50b1999a893964b14313f7f84c3e9b6908c7433a051198ca454237de5ac381a37a90fb3f06

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
55KB

MD5
7a7e35a09753a309d3ffa02f1260448e

SHA1
9076541283da95b52ff33d5c32f4d20175b59d5d

SHA256
9ceafb42746ae62b3958e5c002bf1c142e249f0aea4180c8d71209c077d98af5

SHA512
795fb3f84e1f6299692d4ec1dbdbd47de89f875f8558021c69198ff2c3dc181f2a34d4da3cf79e65258f33909300d2c69856551427a699b60eed3da30668c9c8

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
55KB

MD5
5c4d863acb9c7300edff3350aff0eb98

SHA1
f6d51f9f6007da6d81948c5a045a5f7b38d7ee3f

SHA256
a03eb104bfc661a1303ce036ef38f0fb235fea3258ad737fb63edfb4c4b642c4

SHA512
cd5230c312d241333278248acad0e6e4bd47f9d6e9a7062df6f49199a629bc572ed46080bdf7d273e380fb658e741d973af712e98cc29cca9de0d4b066912bbc

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
55KB

MD5
d650fb185875d5ec3bf89b07a2129d4c

SHA1
28e95722926ea52134e1158d76f587b795df54f6

SHA256
1a6a9ec26f2fb54146fb48b3b871f322386e6af9cad33dc902e83eb8f853c89f

SHA512
467d9d76642b5145b5d2e19132df91ef681896c7657f1dfa1892b9bf3ae8737223d299eab0543afc8d3c3b528cd53a362aea161abf3aef15146f1155bfb09d90

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
55KB

MD5
d9628561674ca37a9823d3d79fda4e1a

SHA1
33fa9ec444bc248e00b594eb8babd0ef1f856608

SHA256
bcb6a2ca20430d1cebe3d54bdb324ae2b2a27bdace8cc1fe97087a2fc1544ae7

SHA512
8f539c0f7792b30eb88d841e49c46afeb359b31f8ddfe26cc8f5e85289e204cac03aa3468da981fe19d3403ba2cf0b499748adbfc61da96d2045237f13297b59

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
55KB

MD5
fac56ccb1a2bb4bd403802b32eb68e34

SHA1
dcb7862265db5d53b58304a6e6789eb21ce245b7

SHA256
c19313df7d9e87a15a07240512f06e90b8d70105a68a7c03c2d859d8ff30fcc4

SHA512
ab86e26afbafb3815034af55755b285bbceacf041a960ddd5c6c0f4340b886bc3c0d29935edc77cd5dead9ee883ee7fddb4040fde017f6a7cf53fcb8137eab56

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
55KB

MD5
da0a146925e7a37564311a3464d0f591

SHA1
b6343df5bb8e2f5dd33e10348ed57fdc7e8b701b

SHA256
6b5e3942ad4b5dad021abcce74d14fc2ae8bf5ccc0eee050392dfdfaacca0cae

SHA512
60fdd2685ef537dcb880a1bd6e0ccd156863575557484d03fa335a37c4df06d4d7f6067226c79d6ec277db1ffd40a1fa2e323c6ca52232cd67313a908d47ed77

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
55KB

MD5
bd5de304f6171c0f2e22dd2782c995da

SHA1
2958a5ef27e743616f5ba7a654ad4f36a45a2c40

SHA256
9fa73854a2ad0e8131b73e9511ee1a43bb225c8f031e416937d28429a7bd0efd

SHA512
da7e1bcc8b70501009545c9805952d17a55b5152789f18b7ab132166a2ad7dbfc934b1ea67339356cd8cfe990cdc86f7ef4fec122c5eb0e320e7d673e7daa5e1

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
55KB

MD5
7d7c694010462942ef6b73eeb886711b

SHA1
0efab3c6f9e76843da17ddb668f5a75b33e07b41

SHA256
1d92222066f2c3892640c3ecc4332a08fca7330d983e9192a6784c3f79dab883

SHA512
d840f4feb32442def26d9c35abcaf2a60bdeb138080dd14a150a1c16f999377f0ed5eb899993722a00b6f99ba1c00c99ed420bf21a54031f9c35150015319478

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
55KB

MD5
6085cc1166aa93fa8a62d9694bd2ad68

SHA1
19bdecd32aa15d1e8e42aff565ed987831487fc7

SHA256
244530b29a8ae2e770eb63b30fef531cf8776c6239e4d428fc25d1333070418e

SHA512
d8734dfb8225dcbfac9314f576ae01fb7244d300f44762b44f4ed9e24fc58879b42facd9dda63f4e57e3c3d55c670adf9375d20dbf681cdce78afe8fc40e916b

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
55KB

MD5
e2f9adb35a50f651320a8452af7f8eb4

SHA1
aa7bc03707af65b765db2a9f5c87e6c5a3722ba0

SHA256
b85d8251d44193d41ce13340437c37dfffcb429145b2703db589392172a32ad2

SHA512
b6fe0dc0b03b4161fbe171a17cf55b5d4942f85f73262278a30f82a063d290d62f708711625c27350cdd21176ec10b67ec6f00ed705d4751669167c749db4f75

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
55KB

MD5
db99b153ee4c4701f5cb28fbbabc5a4e

SHA1
d511a09a82a29cfe342336dd493fd0e5c9a8f6e4

SHA256
f8e10035c540f5cd2174891566cf4d6a62d56bbb59614f0b07c912346be20af0

SHA512
8773bf95b33f8e442ef83bdf2d4106c2fe44c83ca6caccbb58da7fc004ec5a3e690deacbbba9cb24a01145a9fadacf8410ca90f58624d3e2ee02430534123563

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
55KB

MD5
dce264478753bd3924abca98b8af9689

SHA1
1de007de5829683696eb06b9e24a952dfd5b8e0d

SHA256
6d61df3882bf670890d2397cbc2ff99743481a22a030ec250048c34380a71051

SHA512
aea0398e2038ac15b7ecc30cf66c270ba21c1e5e748cede96363150214fa3bd0c44e412b9ed9855e0205c453d8f90cdc7e9bfb7959b5094cb6ff2d45de5f6e58

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
55KB

MD5
005fa5fc0246d59f125f5b82dcbec64b

SHA1
55e005bfc37ffd50954ec9ef6179be99aebf842d

SHA256
17973c6511602ca63f5a246dd06652523de5217d122b648197ba26688ddbc576

SHA512
2ae9eecbd9c87400ed363a2458ae4a7dc9e8b02014d0777e018877643ec60ee3182759900d8f5693e755a4d894bac4f26cd9b11300c3dd101f169062248c9c8d

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
55KB

MD5
9f3057295f2eae68e76aecae04ecdc63

SHA1
2a0058cd9123f0a52dad0639bd4fe1b67acb05e7

SHA256
004c9a982c1896f9bf94df5c8f64df5fdf21dad1a732d1bc87cb1ea8ff5ec4ac

SHA512
3724061a7050794f81c0b9acb3c387f67b1ba72daa19922f70d6b7941cbcfccc294ca17f10e4c9da11f4954f4ab1c85af70edd1b61cfdd92a473bf88ba63c8fd

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
55KB

MD5
0d91e22835d0c4bd9cfce6545cf27d4a

SHA1
aec390b146a3326fb5bfb35d3063ce42fac60d9d

SHA256
0d40d2a6c368b5f91dfb5ee454f6f8c2061cd7af87a2795615bb5b19ec65534a

SHA512
d1c7aba57a357a98f91f53c1e09ba53b9fafb48c450ac6302d7044f4be14013d2f931c3a882534945924e069ef76e9a10f7edbda6c28f55bf57d09fd1be9cbf5

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
55KB

MD5
8ce2cc9628e536446ad03355846c198a

SHA1
59a978f4d5bff7270f5e4d1b540c60f025ca7fff

SHA256
0c219866aa8272e95c076ff0a77286cc1a290089949160cb82e7081432806da6

SHA512
09c98d8f03f424a517ffb383e4129b78a8eab2068439448a37a1a392f235de383c3a07b0798063c1a461160cf00172e588a683bfefbd1bfa483ab45afd87d59c

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
55KB

MD5
3eb04e0a64b5cac3f8f88d55f79d4a22

SHA1
bd4fb5accce7b9e9187c77ab0332f5519367372e

SHA256
a1fe6bf0a021adf807f55da150edd9291f6e09d6113d165d069d54545d2f386f

SHA512
0414e59bd30478295eda4f93e6b7f0d69b0600726f324ca787ece36134ecd60c033e9966114296b78a79efabee04364c9254ba6a6de51b1c5316bc1ffdc4d729

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
55KB

MD5
3f1318e6c7dd56ab9deeb2d9633482da

SHA1
6247b6df8fe9e8a95b896f2a89e9bee4ce020d95

SHA256
69e20ca35e35ccea6795e82655b5627aa4b7fd5e278d527a4085e7a2a513020a

SHA512
f9833461dd4c280655291f6e4bf4286ed9dbcab6b065977bb03824d9f614085fe871bec8521090ee6e174f0a9fdc86d18f28d4f8db62af5d2b07faf312012560

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
55KB

MD5
46176e4f6cb6cd376c5783033c776255

SHA1
6197a61b205dde2c4ca370eb9e6dad276459b15e

SHA256
31ee99755bc71a856b4b1aa202085bc613b8edda429b83aa572b1a33aaf4043c

SHA512
66603330d9e348f6863d3657a6d1c71dacb7fdc4cb02f59a59246a1b28c034287003d852f022ff3dcd67c10d66553227b647721ce2f165ad88ff8b68483bbaa8

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
55KB

MD5
5686644a87c4a7acaedfd2b95729ab85

SHA1
5a9f72873b82382156126cdcb60cc1d2cadfcdbe

SHA256
4913ac1694bea50a3f7342be7167aea0069107fa56ea39d6eb25a8a0df92ace0

SHA512
12eefbffea0081ac17024c29bca96d37a48d92db7b88005aaa7aa0f8f4405980a944ada22a1330701db900c0b4d52d89cb165e10fcc62aeb5f95fdc72cca3f7d

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
55KB

MD5
4ed1c4fe4857efc47372103bf35b8379

SHA1
2a6c47388430fa6619903242ece226405a7aa421

SHA256
cd117aa737ffbef5528e2ceec2ab4fd043cc6eab2423a16db21086ca74ec809a

SHA512
717c195232bdd56cc575d7b998125179e1891d750703dd3fe342427efd32f3396a008495da18d3005ee76a6fd747771558dc10130b45d5b22d6ff117280ae4ca

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
55KB

MD5
6085ae1c552fd68f60362bb9ce371156

SHA1
6857607a165d79021ea48b113a3ed746d544878d

SHA256
42b5e4603c953d546718b247cf76d7305a5823fb69833162c21c9cfa65068e31

SHA512
f2f42a066bde33703c42ea1a71e8b219e4fcf9723758229f07d722b43167a4ea051ed3c0726160baf9ad059be3eb0671d6fae465771c82acac4350f8eb339a31

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
55KB

MD5
311ca8c6c299f00785bdda9bac3c4998

SHA1
310b5090fbacc88bedf242897873ca6ea1b60cb2

SHA256
dff24f821f654a26b2a8c66be88da76bd90928df407d729529ce18c57b6e544c

SHA512
8a186ecccd18b027ccfe4a437ff05a78ba17801c04d3a581d76f4dda5241b6f9ba9946a13e14e3be367b1209230a6ddb57b2ac2704b4b83f266be33b53aec77e

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
55KB

MD5
a456b09559dec70cfa703388ebc2c1cf

SHA1
fc398a4acf84ecdfaef603f430a32d844c503682

SHA256
8bb0b9465af02e2bc759f012470bd1519aaed3f5a5b45ad93ec45e7d595dd1b1

SHA512
1171f1a6f19ada5567d6b8e90723a7f4e176c56f53940eff5c3be12a3894d91be9b550df32cef53adf4b16ebb43831c58dd87b6f21dc88b6b94cb6eac5ef3b38

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
55KB

MD5
857dc2c9a82c8a9621d3a4ed50eed436

SHA1
0caec9ba79d2ee5d8aeba9dfea4042a0673f6985

SHA256
c40651b4c09f974a8bb66a7c90feeeb8f459f01227a4a6251d930a936cc14c79

SHA512
47a1e20806c5a4f1a75faa09d68104a9c7de69ed1fc35075aed659aeffce281b75164612b4886fa1c307c2dcece9a495a7def27ab7f8df6b934f5208c573dd41

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
55KB

MD5
e35f7db74bc27d4e0c03cc04a13a2b21

SHA1
90efd35be490839c056704af7d3fcaae087e1ee3

SHA256
35f30c333d9f66005ef4caaadb1e6320b7b548e85e3804730e8a519d3cd728c8

SHA512
2158a7d04bfc0f07415ec6c50a747bf39e44080c0f1e193f3bd6938abd5c81900dc9ffc2aad0fe5f8875e08dfeebd18d69b976ec6aa7259a47740bf38cb98db3

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
55KB

MD5
f8726740d5570b2977358f6a3a0cb3fb

SHA1
fe00dffe4d48fb13e5b9d02766ea8d7049c75e95

SHA256
e21e2228a05063dc58c0436d7ca5b56e96f4289551c4511204d5cfb3140a9b6b

SHA512
8e93fb01f30c2578c2320957120e2186132d2b01fadd9086ef03f8ca08e3b7f6ec625770f9da7a74d4308423ffbda588b061fd50736ec009e5decafc952dc909

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
55KB

MD5
c079e63268cde8bb3a198ec69e04e21d

SHA1
dd84707848226e0cece812e61f7eaf4d2db85758

SHA256
80e34f1a51911f59bad6a2cb6c210e3652e9e2c86c51d1c477832e6681325fc2

SHA512
d0cd2fa27ffd323053234a7be49ae441e0ee9e70e284d3a6e1aa6f0f7599c13d02945fc62adbf1c8288e48ba7a4a5ba47634158ff0f4bc748ff2ed9325aa02c3

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
55KB

MD5
1bdfdb3663a2b5db75c2d3ccbfdcf8b0

SHA1
f200948da8d5838421d107f52ba56aa2aaffc575

SHA256
b918a70d578c5ee6f39e8ceab44bb5409b0cc2498cf380428cc014bd9db4fbee

SHA512
8e839441c54bb7f98c85805d63941fef235b09ed98e400c6d71d03c6893ba0b1b6e977cb53b17651028b1df871cdeae7cc383569c85e6afc04fc25ef2e157098

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
55KB

MD5
df3d34b600d8fadb2cdc5b5a0bd7b280

SHA1
b36d0fb4328ff02f0070a9b2e6de179c74d4371a

SHA256
05401594eeb30fa53c4a6e78f2406d9ed69133d5e80c9e5efdb2ee99eedc8f81

SHA512
6c03a3a640ff4000eca3354457e2e1927870157e8fbd0673d276cac4384a76710dffc3a59af08726739714648cf1952f8dfbd345466487332b8e7ade718962ba

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
55KB

MD5
aac95dc76882fbeb48bd9a4fe948ad39

SHA1
24ccb29070d6c8973eda048f5bf3f03b25a4f634

SHA256
53469c7863c2ca86edd3f72d5e8036a417b49995f51cd50da1e3c15e39cefa8f

SHA512
16be836a1272b59e02ba82ae53b210bc38bc7fe93a04e32a2b46c8c40ad10c3994ea792d7f8a86b9d7554ac98a5d1ed7be5be968059eb53b2fe125ceea249007

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
55KB

MD5
a6a04a6869d1033410895426cde90cc4

SHA1
4037028a276869d334269ea374233d702a510059

SHA256
4f2ac7d64677c9a792dc543195d481378c624af88a2180ea694fd731892ab6b8

SHA512
be54669797bc24c39dbf1cf48e9e34457b4e48b804b63cfa7b4021092473791c7daa6a697e4e47b80419ab8294dfdb68ec5aa60532cda91bcc099acc6f6fa3b5

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
55KB

MD5
b3c731fdfe7b35cbd86bcb2b1b852b8e

SHA1
d8e0e68902c55204cc3545625564e1750801ce8a

SHA256
a02a75fbb9aadfce2c647c9ec4292ef91201ce1997a72342ab89d27930696307

SHA512
1a1feb3a19a61793989c0ad36dd38d010b6d584e6d53ff0f64354be43b1bf80f24077291ec69c5b18a2e10dcf15511f669492c1705f270a7a5e8b67901ce6d3b

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
55KB

MD5
d37b72a53d5f291f18e4e013c2b0645a

SHA1
bdd5e609df1286920a277d219c7eba464abaf768

SHA256
ec44788222c86696401a45a68d6056316bed5bbb668c21eb80c12ce520f0ef79

SHA512
d42623b1bed32250f4bf6ca5b709a8fbf59b53ff26c0da405274f3a6c344c2891bb59746ba7f6baf670758151fab832297b32e5e8a826bd335af50393831bfb8

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
55KB

MD5
95cdb7566240391bc97ac323b5cdd14b

SHA1
f3da3ee4486f747b7e530ab328eb52d25f3aa7b9

SHA256
73e5158538086fe0df12f3d5244e917d60bc286a2a6a812f8c2062144a9f0378

SHA512
df7049f27b60d10d285810949efa36904c7705964b020cfdd55ff89cd4fda72555e889d582a5af7da40768a0c815585e23082f1b0685eb8e6f05326aacc745a9

Download Submit
memory/232-862-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/372-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/436-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/512-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/548-884-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/548-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/736-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/740-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/772-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/900-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1040-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1060-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1080-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1144-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1144-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1208-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1264-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1464-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1520-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1572-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1632-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1792-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1836-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1876-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1904-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2000-893-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2000-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2100-855-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2124-871-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2248-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2248-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2364-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2364-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2392-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2392-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2428-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2580-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2688-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2756-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2812-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2880-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2908-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3064-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3076-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3260-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3260-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3276-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3352-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3352-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3428-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3532-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3620-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3632-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3724-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3796-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3832-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3836-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3872-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3944-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3944-883-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3956-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3960-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3980-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4072-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4072-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4128-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4244-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4316-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4376-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4380-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4448-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4508-880-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4584-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4588-866-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4592-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4668-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4700-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4704-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4716-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4804-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4808-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4824-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4892-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4920-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5052-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5504-838-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5548-837-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads