berbew | 74abbb272871abb10fd659166e2649dd319173d19cbbb5e4c8a5b393ff669581

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74abbb272871abb10fd659166e2649dd319173d19cbbb5e4c8a5b393ff669581N.exe
Size

45KB
MD5

9caab7b7214842a6884f45c81b4f8be0
SHA1

6ed0fb2a7596a507cc127b10929ffc33dc0d1871
SHA256

74abbb272871abb10fd659166e2649dd319173d19cbbb5e4c8a5b393ff669581
SHA512

b65cdc0f1381e550ed1bff904ee101731a2620391f9f04f6e0ea940285c2d3656635c8c54322570dc727b3604de029a13d58adc37ef93e24a58d3d87d3a43791
SSDEEP

768:j45wUiO7YM2zxx/92SMQqvzBqB7Oxg4r/TYWZPd/1H55:jQwvMm9Vqvz/y4PYWlX

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2944	Menjdbgj.exe
4468	Mnebeogl.exe
5048	Mlhbal32.exe
2148	Ncbknfed.exe
2340	Nepgjaeg.exe
3560	Nngokoej.exe
4852	Npfkgjdn.exe
2096	Ncdgcf32.exe
3576	Nebdoa32.exe
1944	Nnjlpo32.exe
4928	Nphhmj32.exe
4500	Ncfdie32.exe
3924	Njqmepik.exe
1940	Nloiakho.exe
3360	Ndfqbhia.exe
700	Nfgmjqop.exe
3432	Npmagine.exe
2344	Njefqo32.exe
4896	Ogifjcdp.exe
3408	Ofnckp32.exe
448	Olhlhjpd.exe
4676	Odocigqg.exe
4660	Ognpebpj.exe
3504	Ojllan32.exe
2292	Olkhmi32.exe
3444	Odapnf32.exe
2428	Ogpmjb32.exe
2224	Ofcmfodb.exe
1064	Onjegled.exe
4772	Oddmdf32.exe
1340	Ogbipa32.exe
3980	Ofeilobp.exe
4084	Pnlaml32.exe
1960	Pdfjifjo.exe
4336	Pfhfan32.exe
2920	Pdifoehl.exe
2216	Pfjcgn32.exe
1476	Pqpgdfnp.exe
4752	Pncgmkmj.exe
4080	Pdmpje32.exe
3108	Pfolbmje.exe
4532	Pdpmpdbd.exe
2932	Qnhahj32.exe
4464	Qceiaa32.exe
4916	Qjoankoi.exe
3604	Qqijje32.exe
4232	Qcgffqei.exe
4952	Ajanck32.exe
3728	Ampkof32.exe
1128	Adgbpc32.exe
4596	Afhohlbj.exe
216	Ambgef32.exe
1760	Aeiofcji.exe
1364	Afjlnk32.exe
1268	Amddjegd.exe
3480	Acnlgp32.exe
3424	Andqdh32.exe
3196	Amgapeea.exe
1964	Aglemn32.exe
3428	Afoeiklb.exe
4912	Aminee32.exe
2052	Accfbokl.exe
4332	Bfabnjjp.exe
4800	Bmkjkd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Npmagine.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Lemphdgj.dll	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Nepgjaeg.exe
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Mlhbal32.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Ncbknfed.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Dapgdeib.dll	Npfkgjdn.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Nepgjaeg.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Njqmepik.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Nphhmj32.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Ncbknfed.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Codqon32.dll	Nngokoej.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Nebdoa32.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5300	5208	WerFault.exe	188

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	74abbb272871abb10fd659166e2649dd319173d19cbbb5e4c8a5b393ff669581N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Nphhmj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2944	1612	74abbb272871abb10fd659166e2649dd319173d19cbbb5e4c8a5b393ff669581N.exe	82
PID 1612 wrote to memory of 2944	1612	74abbb272871abb10fd659166e2649dd319173d19cbbb5e4c8a5b393ff669581N.exe	82
PID 1612 wrote to memory of 2944	1612	74abbb272871abb10fd659166e2649dd319173d19cbbb5e4c8a5b393ff669581N.exe	82
PID 2944 wrote to memory of 4468	2944	Menjdbgj.exe	83
PID 2944 wrote to memory of 4468	2944	Menjdbgj.exe	83
PID 2944 wrote to memory of 4468	2944	Menjdbgj.exe	83
PID 4468 wrote to memory of 5048	4468	Mnebeogl.exe	84
PID 4468 wrote to memory of 5048	4468	Mnebeogl.exe	84
PID 4468 wrote to memory of 5048	4468	Mnebeogl.exe	84
PID 5048 wrote to memory of 2148	5048	Mlhbal32.exe	85
PID 5048 wrote to memory of 2148	5048	Mlhbal32.exe	85
PID 5048 wrote to memory of 2148	5048	Mlhbal32.exe	85
PID 2148 wrote to memory of 2340	2148	Ncbknfed.exe	86
PID 2148 wrote to memory of 2340	2148	Ncbknfed.exe	86
PID 2148 wrote to memory of 2340	2148	Ncbknfed.exe	86
PID 2340 wrote to memory of 3560	2340	Nepgjaeg.exe	87
PID 2340 wrote to memory of 3560	2340	Nepgjaeg.exe	87
PID 2340 wrote to memory of 3560	2340	Nepgjaeg.exe	87
PID 3560 wrote to memory of 4852	3560	Nngokoej.exe	88
PID 3560 wrote to memory of 4852	3560	Nngokoej.exe	88
PID 3560 wrote to memory of 4852	3560	Nngokoej.exe	88
PID 4852 wrote to memory of 2096	4852	Npfkgjdn.exe	89
PID 4852 wrote to memory of 2096	4852	Npfkgjdn.exe	89
PID 4852 wrote to memory of 2096	4852	Npfkgjdn.exe	89
PID 2096 wrote to memory of 3576	2096	Ncdgcf32.exe	90
PID 2096 wrote to memory of 3576	2096	Ncdgcf32.exe	90
PID 2096 wrote to memory of 3576	2096	Ncdgcf32.exe	90
PID 3576 wrote to memory of 1944	3576	Nebdoa32.exe	91
PID 3576 wrote to memory of 1944	3576	Nebdoa32.exe	91
PID 3576 wrote to memory of 1944	3576	Nebdoa32.exe	91
PID 1944 wrote to memory of 4928	1944	Nnjlpo32.exe	92
PID 1944 wrote to memory of 4928	1944	Nnjlpo32.exe	92
PID 1944 wrote to memory of 4928	1944	Nnjlpo32.exe	92
PID 4928 wrote to memory of 4500	4928	Nphhmj32.exe	93
PID 4928 wrote to memory of 4500	4928	Nphhmj32.exe	93
PID 4928 wrote to memory of 4500	4928	Nphhmj32.exe	93
PID 4500 wrote to memory of 3924	4500	Ncfdie32.exe	94
PID 4500 wrote to memory of 3924	4500	Ncfdie32.exe	94
PID 4500 wrote to memory of 3924	4500	Ncfdie32.exe	94
PID 3924 wrote to memory of 1940	3924	Njqmepik.exe	95
PID 3924 wrote to memory of 1940	3924	Njqmepik.exe	95
PID 3924 wrote to memory of 1940	3924	Njqmepik.exe	95
PID 1940 wrote to memory of 3360	1940	Nloiakho.exe	96
PID 1940 wrote to memory of 3360	1940	Nloiakho.exe	96
PID 1940 wrote to memory of 3360	1940	Nloiakho.exe	96
PID 3360 wrote to memory of 700	3360	Ndfqbhia.exe	97
PID 3360 wrote to memory of 700	3360	Ndfqbhia.exe	97
PID 3360 wrote to memory of 700	3360	Ndfqbhia.exe	97
PID 700 wrote to memory of 3432	700	Nfgmjqop.exe	98
PID 700 wrote to memory of 3432	700	Nfgmjqop.exe	98
PID 700 wrote to memory of 3432	700	Nfgmjqop.exe	98
PID 3432 wrote to memory of 2344	3432	Npmagine.exe	99
PID 3432 wrote to memory of 2344	3432	Npmagine.exe	99
PID 3432 wrote to memory of 2344	3432	Npmagine.exe	99
PID 2344 wrote to memory of 4896	2344	Njefqo32.exe	100
PID 2344 wrote to memory of 4896	2344	Njefqo32.exe	100
PID 2344 wrote to memory of 4896	2344	Njefqo32.exe	100
PID 4896 wrote to memory of 3408	4896	Ogifjcdp.exe	101
PID 4896 wrote to memory of 3408	4896	Ogifjcdp.exe	101
PID 4896 wrote to memory of 3408	4896	Ogifjcdp.exe	101
PID 3408 wrote to memory of 448	3408	Ofnckp32.exe	102
PID 3408 wrote to memory of 448	3408	Ofnckp32.exe	102
PID 3408 wrote to memory of 448	3408	Ofnckp32.exe	102
PID 448 wrote to memory of 4676	448	Olhlhjpd.exe	103

C:\Users\Admin\AppData\Local\Temp\74abbb272871abb10fd659166e2649dd319173d19cbbb5e4c8a5b393ff669581N.exe
"C:\Users\Admin\AppData\Local\Temp\74abbb272871abb10fd659166e2649dd319173d19cbbb5e4c8a5b393ff669581N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\Menjdbgj.exe
  C:\Windows\system32\Menjdbgj.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\Mnebeogl.exe
    C:\Windows\system32\Mnebeogl.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Windows\SysWOW64\Mlhbal32.exe
      C:\Windows\system32\Mlhbal32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5048
    - - C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3444
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2932
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        52⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        60⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        68⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1456
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        81⤵
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        82⤵
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3928
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        87⤵
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        88⤵
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        104⤵
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        106⤵
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        107⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5208 -s 404
        109⤵
        Program crash
        
        PID:5300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5208 -ip 5208
1⤵
PID:5276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
45KB

MD5
44445c28944e6e0bc3dfe1b5ed99d0ff

SHA1
49b80193a8e644b4f7e1228a0110493fc1bab4b6

SHA256
20f1dd5535fd1587274798ad136677019cdddd19250c16c40d3610c8bac25a59

SHA512
a0185700fecdf7dc92fbcbfe815cfb504fd44abd8ac0fd988d20b1fd9285e8bf22c95bdc0007bb8fa45fb00e9a1dedc8bd4f35fea55bb95b4dc51ebd4957056b

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
45KB

MD5
288167bb09b21e29bba54d5e63bdf068

SHA1
43dffc67bc85cdbfa47a8ba3b8ba2c7720f8af40

SHA256
f04f5f8e9957b39721c9d5f9107823232abda5548409ac54712027c991be3774

SHA512
33e7df7f00aecddd7938bf40b767a7150dc98d3b2f10072dce521f9944571f7c204c0d925f22e5f4411ac19c1067dd76e4cc279605ce935f7c9ce4fff301ee1d

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
45KB

MD5
5a5a0fc566ae4908477d5d6db2cae535

SHA1
bdade262ab94aa08e01322df141f03beb0b82c75

SHA256
54dc0f206f5a72448bd1b3a75b774278918cb7c9b1f80af92b2b1b06544c22a0

SHA512
b1e31128b493bb3adf4e26628aff2062c4ed8abecd07f3dc719b0ffa60bf3c71ab382950d53581d84baa6e38ad7612a51b6fb4741e96fa75188b870e2a569b03

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
45KB

MD5
86d195c4f80720e6031b076dbd6fa8d5

SHA1
c408fd50fd0ff969312765d279cc8d8b7f2942cc

SHA256
3870b410dfc8924062657d1544ddd4fb0aa9963bdccdb19c37fec36dcefcbe1d

SHA512
131381862d3fc756b371c5521372d594ac2154a5364ee168bbba98930b0d931c48cba2eca054e00e8302b689cf60b236acf5333d22c3aa298eeb4075dabd5469

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
45KB

MD5
64dc9e002b1040b82bbc26bd0c96597b

SHA1
7d5c3db4069ecc948cbd036589d113bd6cd82152

SHA256
462bdd171d2627be7bb5c2d12e281c78b87819a4a838eb7892c8006b00f91482

SHA512
d11195bf900f8e00fe5f89f5592445b06e11eddbee86dcb0e29f7690d53ddc81e7c488492925dee48f7ea2c4e45cf31c7d7dd20c3ff20006be51bb666888f1bb

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
45KB

MD5
5b400c2b864e0d66e01662b6d6c6146c

SHA1
c40a56948249b481092c1c2c2082b3211c9245ea

SHA256
5956f28d361ea690d1b9ae9d9bb50ff5838d9563573a30a2322feb0c3eee5af7

SHA512
b676913a3f971f942264eae6f62cbed085f1e8584b1e64a94ceeaf714b307c5f912b49c724596758ffb5631eb71a545db9937a4c13c53b5010a3b3796436dfba

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
45KB

MD5
1dc337855344a03e7bcddcc785caf3c6

SHA1
b9d95f498986a19bf7d626786f54826678620d4d

SHA256
215a75bdda591b96784fc768fbf0e0a85fb811597df3ad64f5d521a21806564f

SHA512
ea35c1d96f0d433fd3e4e120bc34d29a34ed6a289d54213b2adf98ef1be0a67479ede8c527d34d4e565aaa90f869879983056dbc9dacd12b8e9eb15731abcbc7

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
45KB

MD5
dc526509cc69a08bfdb569c6a8cc1805

SHA1
4c1c5df5d0cc9ac262992557085969fc2923bee8

SHA256
7cef35840f338d7a88cfc37dfd790c2428c592a91e7f72bc6653946f214e4958

SHA512
d3d9ff08469c246c502c32a0df67cfa88e8f46d3ce3d8cd870a06faf3e2e4bdc2570676d2137f432b2929f7213ed8e7e7a6693418cc4268fbe0726483cf755ae

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
45KB

MD5
56ae3635a7ed6ae7fea5dde272815c4a

SHA1
facea06845f1e2fb56144ececdd89fdd9f8edcad

SHA256
ece7377852b7f241585424f5a6ef3dcbe5fc3fe84dd4d74d38a91b4b74513dec

SHA512
17b97a57bd088c34df1f2fe111c2b387b8745c071f5b51cc3992ef0a7cebc5e8a0c90d150c1a0e5cba2687741d74120ab96744909956d47c296a05f30da75601

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
45KB

MD5
333644ef196e81148f45e2b1677f45f9

SHA1
60f7b14b90defb1cad6b3e8488368abdf943f4f7

SHA256
33603ac1e3a9d3f22e51cab9a360b3a33c93fd3348e9011e08924e05ced19255

SHA512
99389f76ad89a7da6e25247595f56de427d6a68f12e34122ebfe5aed2b2c31e0edd775a956332c16263b4bafa0fe9c8247b03a76d7d676cdecf596e8127cc085

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
45KB

MD5
738c6a64ec062e4bafaf2d59c5ebbcca

SHA1
6b6c84edb5db84594b8e008d0ea74cf048af621a

SHA256
ccaac2bd6d3b519062485c103cdc74378e4c377fbba9e9a3498fd18e6e8a7576

SHA512
e0f5948a8e2c1f3cd5bdbdae3672cc78966d0095cd1af65f2468369a40e7ccba5c88c33c6d0961fa58bbedbba36b62e6a2d9a1bc3db71fd5720388199cdeb1b9

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
45KB

MD5
a110bf78d3f2dc63dbb8fea52863a7a1

SHA1
ed0bad23b9fdc802521ecc41832a8c271e421df5

SHA256
195b2bb509808362dbd7a2ae519ade60328a9b7e6a15889a6f2f360c5b21f061

SHA512
5776c04236e2445ee2a7a6d5022732ae06648bde149d2c556d31c090b4ffedc61dbadedb7077ed01bac6cd3a1b60314ed541083fe2d84ac8d22ed0583d399572

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
45KB

MD5
e4fa24f02269a318b341f588c21d4bc6

SHA1
954137b6ced527b1027bb37e4c180d4240dbe5d7

SHA256
ce1fccbcfac5c1895a17ec90108345470b990db5f10071a19d23347a561afdb4

SHA512
95c29e07ed71a09fa2bd14b8f1006cc744f1ddb7b9a7d98c4fb09d408e8e143ff3086831c047e3faac377824d85d76119e1b36cf5524829a106bd9f752911be4

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
45KB

MD5
e55f6057c8377a56bde20ef81e01c5ee

SHA1
40822f20b4e1ce0801f957c9275caa9caa6da543

SHA256
560e81e4f633cc4fdbe465a54379ec21bd9fefefee414dddb3b9c9e1c37667b3

SHA512
f83c2626767f601ed9597060c5fb3f31aede1a58a515106474fcb574ceaa85dd1c4365c7a5f0008d00c20cac475e9498155c4b246d11999c4c4a26b132f3eb3c

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
45KB

MD5
45dc82376815c912c2f4242be8688d7d

SHA1
ae401a842f7e0e3fa994bedceeb1c0db622eb37a

SHA256
747dea70fff93b26e509671bf9204efe43eaeb568f911378d710f48b994e1177

SHA512
f02ffb9bdd4b93a31a03d0625200e6455502982dce3e56f06d0f8a713930940166434a74f926e0ee30804f3bcf14d00d663e5db32c8fb341985234d286d8fb32

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
45KB

MD5
57fe2af6a2923b795997a71769c06550

SHA1
8e388f07eb05ae041f41e50151ab5ad863c43143

SHA256
2777ad8d215d39c51183eabd0990008ca1898975c7deb0977afb669d8a4400c1

SHA512
319b07e8a122d71b37d69690b45820c74524b86a14052d345921b4f5e450bf3c70e4b8fd6e1ca9c319c15661c22cfc727bac28bd2ddf9abf7fab12b5ca057132

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
45KB

MD5
f5599bc5b78b81a256485693dca7a3c9

SHA1
5c2348ee0371ac1902c20644d35b11065cbb523d

SHA256
06ec5c167350dd2ffc0c0ad02c07435c5f0486cd2a68531109c93faa47adf848

SHA512
5242e932aa09cf902b124bc18d1d0374fa2174fbfbd2e8ded666c460f3a8a615610d78d3a4236ed0d22fa31e5f9835e081360b66b21188ff3054f18fccfbb53b

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
45KB

MD5
95114c0b3f7499360be19e01ef015735

SHA1
bceb7a83efea23930645c83b224b76b84371c672

SHA256
bc23c8a7a7df2bfbfb6e75030a944e83d9d773c58c27be186b2c8fc91f1136ca

SHA512
83c7391ac761180bcc3f34d7f42de28559e8524a54790024a1e66ac5651170b33e9bc1f84f829548b9777be395ee79e7290f0d05e1a070680359dddc7ee538b1

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
45KB

MD5
fa1fac0fe2d804559cfaab48edb6e7b6

SHA1
c2c50137e191d59002322ffbaba5e708da117834

SHA256
506a366329838f219315a2577da878d9c09b0552ca075a1758a641b03a6b6e93

SHA512
882bd57aba111957e302aee4d455dad880f443bd8192dc70d6a75688f91d5ea7975c747c86079a61f676720e7032a4507db6c92f1fc89a168b41cb606ccc81cd

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
45KB

MD5
423cc6e132ad18fb3d4e491330e89299

SHA1
1f63703d1d37dbbab4d81a168397cd5302018a4b

SHA256
eb94a81caf58fdfdb56bc634a22d29bbdcb010e51b3e238878be92e5c1c6c614

SHA512
02138a0ae6ad820897c07d393c1dddfa97ca8ce5aef88dc3d2080242120f954536852116717e379e4b717d7b3d02356e14fddcbc84ef4f6092b9a0f629e87942

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
45KB

MD5
78b7d89329397f3b345cc6d83fd19bdf

SHA1
cfd67027339d1186da883458bcc7195a10c13596

SHA256
4038692bffced016d392407abf158cb612765bae0b42de37595c88ee9a8a42c8

SHA512
c58940c2733b348f04db78b6a1c9d8bebb2f04e820eec0eba902f0fb8b1a1c63ec868bf656f2785ba06245245aa725bf8df4de02b2cb647e4d9d3aed7b4977f0

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
45KB

MD5
45486e9184c3b3bc45d65d1162ecf7f6

SHA1
8d386175077156a3e10bdc58e61fcf0082955307

SHA256
0248932271741febe0b707c2b1f0a80b7d8b5ba8a4c1989016a8b1db5274d7a5

SHA512
3bc437022e5c387bcbb1c999cad50319bc14c56f9bd78469ed5a6dff3c0fbf436e8ab0d41d3bfdf4350d75a84729a4b03f140cd4908b267c051a307c668ae27f

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
45KB

MD5
a0163a51a837244ba9961ff6b2db3730

SHA1
aa969af6874a2e4d951900d245b263781bda463a

SHA256
7975004610e03918b21ac6c577c6f99b331cd823050d4744e4c3729cff804077

SHA512
6bbedef2416673a9b78e6ead1878358d675d30766c2853ca1b4f3908d7853b3816da9310a3379c70c9ad9d74ce59e2fdc518326f25a9e2655f0837ad682698a6

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
45KB

MD5
3a116d6056768e992bf543b0374d0809

SHA1
df075faed398a8e0230cf74ee17dfe3b1abe8b28

SHA256
294e04f2562c8b64625e197ab75f1320ed4c2618d73c289700ce08f4f5fbf1cf

SHA512
ac4a1df0cf57cb4870eea5f83ecae1d170dfb3448330dc2eb191cd5444d15a6b2416b9c8560f57822a6cd4c4de40eeccf90d131a7a6fc6e235f681c7d75b3802

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
45KB

MD5
31e72e3bfeb1c91e56d88d74d1744810

SHA1
6acc731826ebe8c4d494566a459502666678b8f8

SHA256
4c8283c620235e467989c8792df852e58b63b291fcdc9ed177695b29f0f6f5ce

SHA512
b741984a2d708d209cfc672b66dc512fb168cf25e53bbe0b348add64208d0a587373dab74738040ddc4921e62ca6120ecc43a44731f2d83093acf1c8cd4e56a6

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
45KB

MD5
c32b388456f80e6519e38e826985fd0c

SHA1
eb77c465b5e60283d17245f42c4da982db234bf6

SHA256
a1c28e707aadce1b26857c217a486847803b689df16e4f310cd0b443d5ec6af9

SHA512
00b3da315282407f64525fab93cff9aa85737c566691d018dfb9209ec94e9882e8cd253627f708a03944cda767a56b21823e733980e19a1bb69aa9baa394b3fd

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
45KB

MD5
46677dd5764b3636aaae3f17e2b58ce3

SHA1
ed690dfa6e622f1f579cde3bf2f02187061364c0

SHA256
69236296789a97537335e1a1281dcee70868aa6fd1f7c413d001d894fd906448

SHA512
b808bc5741f2d85fa8d7b231c91e85e20597df768824cff1b150bc18c01cbed4b81f864195773d638b5eb9a130758945848628c994dfd8248339a454f3a7bdd9

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
45KB

MD5
be73f72790be7ebf0aee4427e2795a4b

SHA1
b76ca09809394fa52134d2b9c3316e4be7a3e3d1

SHA256
7cc1856fa1d2939d1268f2d00341b41af7f642e72cd8dfdec85392a649f01d8a

SHA512
439dee45d17b16b84ce8376ece7a3bc05c8daaea48125a13b532829173d71b0e94a8c280805f05caf036b0b37b83752c8c1ec937f931f998dde3807a148e212c

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
45KB

MD5
abbdbf1b630770639f0d99dc13af466e

SHA1
fe29f4df1f3f7ee5633f2a61e33a51ab19e7222a

SHA256
66b5f09bb0c0a75a2fd413df3fe8766c1dac043e81b928f5a2abc8c2bff34b94

SHA512
180cfc495c87c3eaef78c8ce8b6765fd6619d43a2d905f17ad499c9c3809c421333598a4d51383170e272bef3359e8af5e56779f949cac531540e977537f7382

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
45KB

MD5
bac0d62d5152234fd2233357e26dc08f

SHA1
38e3299800adc88d25e5bf5466e0511bf03f0c2a

SHA256
859e9f1ee5369f57e7c0d10d8a63e9a7e2b048680432dfe54be8adc780561d8f

SHA512
1fe488f46e83038338c91781002398e7d60b942a1bcbe162b69df239dbe369f531319d9acffb3cbca34f16c487bb2ab6b6a2b616880eed2fb2f1626afc669e18

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
45KB

MD5
81e0cc73269aec9de001e180272b416a

SHA1
5ec43a6a634b1dbe13f506e7dccf2d267d9887be

SHA256
16b93eb856c1b3d2c0d46f5d4076894d265349654e5636e966fde7524c7b97ab

SHA512
acea580be3ebc5020b29d810e2d6f56097ecf1097d0616ded7e3975982039c34f4bc5ee881f26d89054177786be1d3f6076d318ba490597b3bb4fe383f7c3a34

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
45KB

MD5
7c442b171bbfd14673908c9a5fc14375

SHA1
f57d83d4a64703a0611d9da4f4d7daab8db79a25

SHA256
61fcef36d730ab76b3bff7f74308de4034df68896b340d3cd8d67497e4a04576

SHA512
b234b5ba0663c40dbf4033cda58a1e7810152f1a648f8d2a763c6d8b96a6fd3a002156e34bb95d6e43298003802a61ddfebe834064663c2bde8836e2df333fbc

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
45KB

MD5
3d5b7e075012f0dd8e9694522308d0b1

SHA1
8236a3c40e775fdd5b4a3b5da11fc70bbf5960b5

SHA256
d25d91a233cefb87cb144e71861ff6ca1784c1a6d02cf7b1300be03eb0ce8a5f

SHA512
9a2b9d0883d555f2aa4148823e1a7d114272a32684f305605064787232fdab747ac4e0f2c46c67432821b014cb65223b13719e4142a32b41e9f30b14eae53d05

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
45KB

MD5
e7705a3c3018a03a885c293326d047a3

SHA1
703c72ef26ba165d6b9677688cbd4d53c592a919

SHA256
8cff91fa98c024290d53cd496d0c68ac1caefddc947413dc1651cfba21280965

SHA512
5c4482422703478dfb51c79c0ea5b40b65fdb1c966ef816adabc36b7d9a37d22100dd13e3effa8cc71703e046fa99faa1da585ea5664243e375845d04a8783da

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
45KB

MD5
6d825cb4ddfd5a685d22c29ff4e12759

SHA1
342a5c9f06b320e568db70b5be63b9e3d747de28

SHA256
ccba761db49aff26fbbd745da42b25973093c875cc3ceb698366eaad44b4a038

SHA512
ab1fe5b685c01784f153a9f3f76bf1cda79bb81156903cbdc3c27e7e5c23f1dd34b423a7c5e52602fc443f1543e048f967b63ef41a71b8e90e8666f0ce8de1a4

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
45KB

MD5
4ffb17ba5c7776420d0ba835ce04338b

SHA1
87d63d72e8a5fa0204b75d0277c48dab0592c949

SHA256
65d10746b53f5fadfa9588fef9cbdeff721959a55d7a0e8d0a5e649a885adc6b

SHA512
ee6a86c93e3129f1940c42a5315893b0b53a1c1f17304cc5f6899ddca71fc3bc8a3706fe2102bcfca9002e3c1cd574ceadd22b877e19a2586af76b611332c03f

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
45KB

MD5
7899c461ff9ed3a5e9a711bfbcec122d

SHA1
8a43244c35cab75f95582c5e8ab076d85094fb6d

SHA256
ba4c3dac5c43d439a1f975f90abbc24f06dd268e031a73bd44105cea2181fed3

SHA512
841e67114e93143e1141542f3c40352dd09ee4547e4aa6e5f3195826768596c6b380a4378affa8ba148f2bf3ff6634ee8d52ee90e6d3f4a79fe6a35b26834ce8

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
45KB

MD5
5893de59007563fffe790ebbe17b6e04

SHA1
518f65c5339c83c4a70cdc5e28b98a1f0e2be277

SHA256
2fd8ed2db85a399628a8711e5b9cc9d420540666061d0212a87f1694007511f9

SHA512
8949b733be82452afcd875432097e62d719991a9ab242b0bbc2a3f82249c429b67c77680d327fbfaed30c6a201ea1c038d2127be579d95533a2810013db267d6

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
45KB

MD5
02cb1677eda07ab39f830914eedd6f12

SHA1
12a8ef3606903eca0dba379b2112c5b0140c112b

SHA256
4d8e8af1d21e7b966333d21c91a0e5d01bc501594e69ffcc367fde918f97c62b

SHA512
fd2f98a25f225adcf670e2f250be264d5484a8ce26de180f05fdccc4254ef36d0d597ef962a93cd98e1719101bc56b941d54be53400dcae62b7af7edc8d56b2e

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
45KB

MD5
8fee71e70cd719774ac4d368005cdad0

SHA1
4a8edbe54a9e4844dc5a984e6d5f26bb3a2acfb5

SHA256
1ff39099d7b5fc9104d18eab5be234d8b046b1ecddaa4f740871a1247986fa9d

SHA512
1619c12b133931af23b35c5fad07a3a91521c728cd1222c01ff5867986f055874adced4b7e2cbc00827f35645bfd7f4b9564de8e4c24166429d50bb52c17089d

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
45KB

MD5
02efdaa6250442b670367c3fdcb8b577

SHA1
4688699b4dcb2f36071a5f38b6c41fe8a96a5ffc

SHA256
ca070a20706408407e2a16a4d185ab22182b8daa2499438b05d84ec107af3b74

SHA512
8709989afba41ff61e6c583ec244997678d70c2875942286092e820d331cb07000d59be3b65f5c38c69ee49e6e40ca3d3cfcce87dc62f708d5f83053f061422b

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
45KB

MD5
87961b8a30bb4191152df50e80b43c05

SHA1
9454588c678786f3f3219243199714ba70a5afce

SHA256
8d5037cb311e8e45988a6d311ed667bf9ce8eb174c7df306323a2311e62d704e

SHA512
70fa58906f6aac1e4e01e248dc375a889ed21b60abe7a988385432518962b19854d8f7ba7802d3a85b509874e8b7b8e3118edc10a7c8aa6770066858c65f437f

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
45KB

MD5
b67f47d0c1579b1474b8659953899c14

SHA1
52be6bc69c56a19c7a99216f12a6c419a879fb4c

SHA256
cba5ab0cdb8d08003f2798b2f714e27068cb5108216870771fc619c32d9042d3

SHA512
fff9a2a43b5747fea975e41882d01a5c8ac292ede4e9d4fc5ba8d0c3c034ff46b93f4e52717389b09e18d93e30ff039ce834ffcd6a3643ff736a95ce49f91361

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
45KB

MD5
63f3226b3fc8e23bb694b06f33fc766e

SHA1
3e6140fbb3e05162261056232ed27c9f08860b94

SHA256
73ed57200fe362c30831b69bfbcef2d2eac5036e638fa98a2312c981f2fd0872

SHA512
a485b084ec39c69ab65f7120bac8c4e90d7f68f9c000f72ed65265cb74afb525063945e61fa5401b9caa55c69f60a073013efc4efb826e728f8f021de610674b

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
45KB

MD5
ab8ed79ae463332fe1a28bea6f474bcf

SHA1
879a074dd06d198b314a01c902a3b3528110fcc6

SHA256
1887926526d01a7e75af1181bac05c5114a33a21f1f00401a89ab2b51cffb3cd

SHA512
9e526722f09552cc6b26cedefa8be33b8cac6dadd1d2cc75cb837149c218518a4fa7e8285633e39c9b8d4aef006cde2192b540636e95ee9a0e85c84b9e0d4538

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
45KB

MD5
42db818de69c47e8a931da2545c26e7f

SHA1
5a808c9f0f25f94e2c9b22f28aba61480fe2ff0b

SHA256
83bbe044f596dae5ad45efad889b9b376bd57fa063587a01324769a6777b4f42

SHA512
d4e53c4134d0fd79ebfeafa878937ae0354dfb1c493e214972765a779c7196e8a541d02a32d8a8bacd162b904a70575964d8a64e504e4e03c2ef895ccfe0154a

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
45KB

MD5
ff7eb09f92966ab2a50d2caa10cbf7de

SHA1
9c815d7b0df76d505b9b6366f7290fcd596fb95c

SHA256
27ec497f8403b1f12def375c5b473e7835fdc32b526ac16905d53133ed7b955f

SHA512
62119577fb36384506162fa1fe21cb3b9e3366c0319637d01a90f00d31f2b998843f5f850e590f5b0607b5136ddfad973631867a21dfdad0fda05cf667b71b58

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
45KB

MD5
cedf3c7a498a4e61cc971ea9c7098650

SHA1
deceb15d6f82ec4bf6e5eeed980a6aed210dad92

SHA256
788811a7eff35ff2d4cc7078f5a250ec45cf7d0d82535749fd10c6a9feb70b2c

SHA512
52836648193bf9be835a43f1ce3dc934a148947f288cc4da10a2436b2f553c0ab87636b026b9301136828100b3620171451fd0049f8d0714bd4c184febaa4435

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
45KB

MD5
dce8e5909fdfe0a3484f9c82911fe09d

SHA1
0df819f4fd2cc922cf40c87c8f1b64cd0ffc3bf1

SHA256
7af93af97303c6c62a76e21cba5f6024f888f77a0da818709b59b62f879c79d1

SHA512
9a0cec57ad099f44cd356f1983157e89ab663088c9dfc0072249b0d03f5df734ac795e930cba44c9bf79e6be95bbd37280cc9aa336daa33c5ce0211723f68e75

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
45KB

MD5
6df98151d7e87f3b725b4269f113e0a3

SHA1
a1eb228b75167994a88a3ef9d4e500024ff614c0

SHA256
e91b6a7beffeeb632a4d7c5bf7924a4348b645666676897500ed886a5770726a

SHA512
1bb0c6fc3bf0351e5e5455eccbbcfb758eb6baa89387b2044247dd2c185f2daf145cce29174966959f4412ebcdfaf09f1a60143584205756538b52a3b49be8fe

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
45KB

MD5
04c528ae9b49fc9eac70311741cbe963

SHA1
126499137af96176d8f6b4eee66ea6fd95bd1301

SHA256
31fd84c806feff135bee8ea470034100ae8145448ffb167369a0974df697d1a3

SHA512
0fa629bb2ea9c3a33b30eab55dd04e66656169c95cc0fcb86c10ae06b5c2944914a24baa049fa12cebdd1c20da1c297f512d6b0c750486088008d34554489ba7

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
45KB

MD5
9d0d372b606723ffb05b9a0c58e90ada

SHA1
3dceb1e00f90f902cf2aac891fe64ed5e9ec6ffa

SHA256
daca86efcb7436f4f9c1aa6060fade6dc318aa2efb7da8ec8108d22383162260

SHA512
44bebc98a3a36d877c745e28640600b2efbb04542b1a8f2705ff9f3e3abf3cad93d79f63853ddb6c3268cf47cfff964199f77575579f4c4ff98e1779a5aa73df

Download Submit
memory/60-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/216-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/528-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/620-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/700-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/768-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/988-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1064-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1128-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1136-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1268-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1340-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1364-837-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1364-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1456-541-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1612-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1612-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1696-597-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1960-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1964-828-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1964-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2052-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2096-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2096-599-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2148-571-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2148-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2216-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-229-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2296-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2340-578-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2340-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2428-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-530-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2944-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2944-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3108-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3196-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3252-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3312-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3360-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3408-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3424-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3428-427-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3432-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3444-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3480-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3504-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3560-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3560-585-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3576-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3604-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3728-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3924-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3928-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3980-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4080-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4084-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4220-488-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4232-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4332-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4336-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4464-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4468-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4500-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4532-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4596-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4660-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4676-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4752-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4772-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4800-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-592-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4856-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4896-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4912-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4916-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4952-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-506-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-564-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads