berbew | a5d94e65631bb02d538315d424543b1f2e901d1e80d4f44e90961c885812fab0

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5d94e65631bb02d538315d424543b1f2e901d1e80d4f44e90961c885812fab0.exe
Size

92KB
MD5

b3954685fd0eeedc6d61a1ae6bb55bc3
SHA1

c40446428489db1432c5a84973a56df3c7e89e38
SHA256

a5d94e65631bb02d538315d424543b1f2e901d1e80d4f44e90961c885812fab0
SHA512

96128052f98a3c0c475187504241e79918d05e48b517d8b5aa8e44c6db1d59f39cfb554acdf6f745e83f40dcc83bf17bb4e8a27c80c38eb687883e53a2c5ad76
SSDEEP

1536:M5vbZhnOvIN4dGSRbV8bG5d92dG+eo1xC0GZFXUmSC2e3lK:26vk4dhxWb8924ho1mtye3lK

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3116	Nckndeni.exe
4912	Nfjjppmm.exe
588	Njefqo32.exe
4140	Odkjng32.exe
2276	Ogifjcdp.exe
2324	Olfobjbg.exe
4200	Odmgcgbi.exe
3432	Ofnckp32.exe
428	Olhlhjpd.exe
3088	Odocigqg.exe
1748	Ognpebpj.exe
2200	Onhhamgg.exe
4924	Oqfdnhfk.exe
4596	Ogpmjb32.exe
2024	Ojoign32.exe
2524	Oqhacgdh.exe
956	Ogbipa32.exe
4920	Pcijeb32.exe
4520	Pjcbbmif.exe
1064	Pmannhhj.exe
1772	Pclgkb32.exe
4284	Pfjcgn32.exe
1972	Pmdkch32.exe
1704	Pdkcde32.exe
4908	Pflplnlg.exe
5056	Pncgmkmj.exe
4496	Pmfhig32.exe
2592	Pqbdjfln.exe
392	Pfolbmje.exe
1268	Pqdqof32.exe
3752	Pdpmpdbd.exe
2936	Pgnilpah.exe
3972	Qqfmde32.exe
216	Qceiaa32.exe
1528	Qnjnnj32.exe
2832	Qddfkd32.exe
3688	Qffbbldm.exe
1140	Anmjcieo.exe
4872	Aqkgpedc.exe
2128	Acjclpcf.exe
4804	Ajckij32.exe
3876	Ambgef32.exe
2780	Aeiofcji.exe
640	Agglboim.exe
2788	Ajfhnjhq.exe
1936	Aqppkd32.exe
2280	Acnlgp32.exe
3532	Ajhddjfn.exe
628	Amgapeea.exe
5020	Aeniabfd.exe
832	Aglemn32.exe
1376	Anfmjhmd.exe
1652	Aadifclh.exe
1028	Accfbokl.exe
3044	Bfabnjjp.exe
4516	Bnhjohkb.exe
5008	Bagflcje.exe
3840	Bganhm32.exe
620	Bnkgeg32.exe
2872	Bmngqdpj.exe
4332	Bnmcjg32.exe
2288	Bmpcfdmg.exe
3896	Beglgani.exe
3800	Bcjlcn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Nckndeni.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	a5d94e65631bb02d538315d424543b1f2e901d1e80d4f44e90961c885812fab0.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5264	5176	WerFault.exe	187

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5d94e65631bb02d538315d424543b1f2e901d1e80d4f44e90961c885812fab0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	a5d94e65631bb02d538315d424543b1f2e901d1e80d4f44e90961c885812fab0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 3116	1448	a5d94e65631bb02d538315d424543b1f2e901d1e80d4f44e90961c885812fab0.exe	82
PID 1448 wrote to memory of 3116	1448	a5d94e65631bb02d538315d424543b1f2e901d1e80d4f44e90961c885812fab0.exe	82
PID 1448 wrote to memory of 3116	1448	a5d94e65631bb02d538315d424543b1f2e901d1e80d4f44e90961c885812fab0.exe	82
PID 3116 wrote to memory of 4912	3116	Nckndeni.exe	83
PID 3116 wrote to memory of 4912	3116	Nckndeni.exe	83
PID 3116 wrote to memory of 4912	3116	Nckndeni.exe	83
PID 4912 wrote to memory of 588	4912	Nfjjppmm.exe	84
PID 4912 wrote to memory of 588	4912	Nfjjppmm.exe	84
PID 4912 wrote to memory of 588	4912	Nfjjppmm.exe	84
PID 588 wrote to memory of 4140	588	Njefqo32.exe	85
PID 588 wrote to memory of 4140	588	Njefqo32.exe	85
PID 588 wrote to memory of 4140	588	Njefqo32.exe	85
PID 4140 wrote to memory of 2276	4140	Odkjng32.exe	86
PID 4140 wrote to memory of 2276	4140	Odkjng32.exe	86
PID 4140 wrote to memory of 2276	4140	Odkjng32.exe	86
PID 2276 wrote to memory of 2324	2276	Ogifjcdp.exe	87
PID 2276 wrote to memory of 2324	2276	Ogifjcdp.exe	87
PID 2276 wrote to memory of 2324	2276	Ogifjcdp.exe	87
PID 2324 wrote to memory of 4200	2324	Olfobjbg.exe	88
PID 2324 wrote to memory of 4200	2324	Olfobjbg.exe	88
PID 2324 wrote to memory of 4200	2324	Olfobjbg.exe	88
PID 4200 wrote to memory of 3432	4200	Odmgcgbi.exe	89
PID 4200 wrote to memory of 3432	4200	Odmgcgbi.exe	89
PID 4200 wrote to memory of 3432	4200	Odmgcgbi.exe	89
PID 3432 wrote to memory of 428	3432	Ofnckp32.exe	90
PID 3432 wrote to memory of 428	3432	Ofnckp32.exe	90
PID 3432 wrote to memory of 428	3432	Ofnckp32.exe	90
PID 428 wrote to memory of 3088	428	Olhlhjpd.exe	91
PID 428 wrote to memory of 3088	428	Olhlhjpd.exe	91
PID 428 wrote to memory of 3088	428	Olhlhjpd.exe	91
PID 3088 wrote to memory of 1748	3088	Odocigqg.exe	92
PID 3088 wrote to memory of 1748	3088	Odocigqg.exe	92
PID 3088 wrote to memory of 1748	3088	Odocigqg.exe	92
PID 1748 wrote to memory of 2200	1748	Ognpebpj.exe	93
PID 1748 wrote to memory of 2200	1748	Ognpebpj.exe	93
PID 1748 wrote to memory of 2200	1748	Ognpebpj.exe	93
PID 2200 wrote to memory of 4924	2200	Onhhamgg.exe	94
PID 2200 wrote to memory of 4924	2200	Onhhamgg.exe	94
PID 2200 wrote to memory of 4924	2200	Onhhamgg.exe	94
PID 4924 wrote to memory of 4596	4924	Oqfdnhfk.exe	95
PID 4924 wrote to memory of 4596	4924	Oqfdnhfk.exe	95
PID 4924 wrote to memory of 4596	4924	Oqfdnhfk.exe	95
PID 4596 wrote to memory of 2024	4596	Ogpmjb32.exe	96
PID 4596 wrote to memory of 2024	4596	Ogpmjb32.exe	96
PID 4596 wrote to memory of 2024	4596	Ogpmjb32.exe	96
PID 2024 wrote to memory of 2524	2024	Ojoign32.exe	97
PID 2024 wrote to memory of 2524	2024	Ojoign32.exe	97
PID 2024 wrote to memory of 2524	2024	Ojoign32.exe	97
PID 2524 wrote to memory of 956	2524	Oqhacgdh.exe	98
PID 2524 wrote to memory of 956	2524	Oqhacgdh.exe	98
PID 2524 wrote to memory of 956	2524	Oqhacgdh.exe	98
PID 956 wrote to memory of 4920	956	Ogbipa32.exe	99
PID 956 wrote to memory of 4920	956	Ogbipa32.exe	99
PID 956 wrote to memory of 4920	956	Ogbipa32.exe	99
PID 4920 wrote to memory of 4520	4920	Pcijeb32.exe	100
PID 4920 wrote to memory of 4520	4920	Pcijeb32.exe	100
PID 4920 wrote to memory of 4520	4920	Pcijeb32.exe	100
PID 4520 wrote to memory of 1064	4520	Pjcbbmif.exe	101
PID 4520 wrote to memory of 1064	4520	Pjcbbmif.exe	101
PID 4520 wrote to memory of 1064	4520	Pjcbbmif.exe	101
PID 1064 wrote to memory of 1772	1064	Pmannhhj.exe	102
PID 1064 wrote to memory of 1772	1064	Pmannhhj.exe	102
PID 1064 wrote to memory of 1772	1064	Pmannhhj.exe	102
PID 1772 wrote to memory of 4284	1772	Pclgkb32.exe	103

C:\Users\Admin\AppData\Local\Temp\a5d94e65631bb02d538315d424543b1f2e901d1e80d4f44e90961c885812fab0.exe
"C:\Users\Admin\AppData\Local\Temp\a5d94e65631bb02d538315d424543b1f2e901d1e80d4f44e90961c885812fab0.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\Nckndeni.exe
  C:\Windows\system32\Nckndeni.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\SysWOW64\Nfjjppmm.exe
    C:\Windows\system32\Nfjjppmm.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Windows\SysWOW64\Njefqo32.exe
      C:\Windows\system32\Njefqo32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:588
    - - C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4140
      - C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        45⤵
        Executes dropped EXE
        
        PID:640
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        52⤵
        Executes dropped EXE
        
        PID:832
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        59⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        67⤵
        Drops file in System32 directory
        
        PID:404
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3364
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2696
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3288
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        83⤵
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3720
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        93⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4728
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3880
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3332
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5176 -s 408
        108⤵
        Program crash
        
        PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5176 -ip 5176
1⤵
PID:5240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
92KB

MD5
1de52d792d4ef4b985a487f95b7c95ca

SHA1
d92950cdcadba5c6c1d2b4eb4cc751e1951b0dca

SHA256
71113bc5a1e9ffe44f09c8aa51dec9f971c24289696e2e2a17c97db6313a96a4

SHA512
2c577028a871b17ac58627c766b8c0227f1c52bdaf87ba3a55ed74777354e90d2ddb5634bc2cac2ccc9a9340ea403fcf6211a4dc913ff29097eb3091e0d8ac7b

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
92KB

MD5
96ae36fd4db44a42d8a9897a7e96ff14

SHA1
c0f471bd2f8958a14f0dcce8ac64d1d59057b1c8

SHA256
f23ce30ad972db3a22f4c7fd2f7837b59292da6c7d6a44edebf50d0864252214

SHA512
001346f677d33ce2e3913206d49b125b77590bc6e28856890391863edc4e9009003bfe2a60f7c0b88397c50ec84d9e80d46fb1e086c3f2836ce4f2492375932b

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
92KB

MD5
f0e47695c6cf6866b8ef905a3f82a493

SHA1
c1d677e13c2f91f45b271eff3fc0c155eb118d60

SHA256
c1727a7ba11a72e9c3c1d8da85f590afd834d33599e26816e2d91a00097d4569

SHA512
2bf905b926d3ac66de957a5dcee8e259483a7d46cfe62bd1ed8b76e9f5b18d00af34d68fb6d4d83d135133359bca036f4bc75b3416ade9e5437864e0e3db0fbb

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
92KB

MD5
c7a238e41bc8677017ea89d5477b2e76

SHA1
99e19462f5b27872db35355e95f9063a6fb73495

SHA256
0d1710e2e9293eab7dd67719f0f53f907507985a3c32ae033bc074a8e0af5249

SHA512
47b39e2e9924fded8aa23ddd9a07005d6f28661f85e1bfa26d703226b0341202c5f94b546aea5ce4ba08e9f08e4c8772e4d6709665478c7d8f92cb1b8850f908

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
92KB

MD5
4466c7a32a3cdf9ccca655ed2cfd8541

SHA1
484569450413f48b7232662b7909505d9838e156

SHA256
f675e0b815901552e3899a141afd2791575350a9f922cd28ac5c73f1154915d6

SHA512
78f2f85221f4996072d6d0eef2b4c032de68323d99988c70d09e57c876fa2bd6379d9c06158e3f9810a3da41d5bc255944c48ed57d9fa0e54be367733469bbb2

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
92KB

MD5
51374fcda249b590bb09649acbdaaf3c

SHA1
64bb373f3943ad49f3bfae53384ff4ca2e01c166

SHA256
5f11f0a46bffd53cf8f58613431776a5240127be5302d492045a5aec9d74db27

SHA512
d001354992403b4850cc9e0b98dd8abd56033f27668b7a75ed2a371b4373835e0734812a5438ee90d756b3bdbc3640e01f8f51fbed431612e30802fd64126a23

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
92KB

MD5
28fd389bd94b197b828b7fc81389d5f0

SHA1
26dc0480361581be293b152dc56f6670c0e8e7c2

SHA256
0ddd1df7f9c014e9e7538a06f5ab172198ab325d0bd0f660218cb203f4acff1b

SHA512
30f40ec3e48f4d1076266698b5223b4f2cfca50c8fe58854603e204d6643a0fb2718e9dbaa5c273fed57b83572e0db2792a5dee53f39c74dce1cab2a03df1282

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
92KB

MD5
4f9f8f99b7daa9ab3ff792fe8b1458d5

SHA1
47ad2062d86ac685c4d651a5fe93a4b74c94d12b

SHA256
1f039b435733de02e1353c65d3ff723773ec1bcf63c8ff2dda9860cdabeb025d

SHA512
a1507246da8519a6797ee636d12b671c58f66ef7160e6274b8d3d59439923818d8784787a1e57a7956a5bc0acd5596d5dee9f806da8f1fc0e02fad505c58be2c

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
92KB

MD5
0c6bf408c2abf7c5ec48c35c1091c8ae

SHA1
962f55a5e5bc6fae5bc68bcdb7edc46601523d16

SHA256
cfb4ac2406b7ab9dac8579e33a15cf98bd73dd84e1a76f38cd6867c62062a1f9

SHA512
01ad665c85aaf3bbd7bed64d8212c507336c516e41f21bdcbe11dbba638ce27e858b75d9d9c98ef5554be2b4c63668142c429a2294f19dda9875253d117b7055

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
92KB

MD5
ce238a00cf2204fb374a24faf12196e5

SHA1
0ff7b0139cf4ba507dab3a6e2b696ada7d490b91

SHA256
f8c344ad7540a07b57608860837d764c83b9fbf05881f9665d056ea1c452df2b

SHA512
44f5a95d1164f4d32fe1d3d74de12a616d16bdad628358da7b9f7b9c1be76147990dc64df8ef190582fde4c8c4c3838fe5497defd25417d2c83afcd6b9c0d59d

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
92KB

MD5
798e3ca65ef4c77da99c124b0828f39c

SHA1
d4cbff4fe7e8194b1410c53bcc1519cd6d3daac1

SHA256
8fbe6daabbe744c4c808b7661c08fd97f7ae31f32e55959d6625a04326c81b4b

SHA512
664a2c03dab946b6b48f7095ba7f185b9d72e062340c4b0c79fc45c4e8c7f337ffe63ca8917233468073e358f14209bdef25b8a2aee775098720eb792b65dca3

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
92KB

MD5
8929f31c31db8e0d21c7ec41628f68a8

SHA1
fdc78e64ec455c212f6449323c9a2f7a5d34faa4

SHA256
d3b31ef721d7e3a6680a21943ab5a2915f426db9e8e90cff1db37d8cf3c61097

SHA512
19934b54b8ac4376b10f6ae3f45b179c8f6b2d7844ab46b3956d42be9a648678ab401f973a8123f0f691e99a143c5703bd9b6da1e58dcde8385dee47edae7fe6

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
92KB

MD5
41dc3e82a3ef4371b789a6c17dce1230

SHA1
81c74e743341ccc3c207502aebbc4f4d5e2902d4

SHA256
3bc8027e0aac2864b7850cb8f9864c16b973d6dbe5d5ad4edd2eb61ee72c4bfd

SHA512
049c881278f3f0c53d176edaa55835572fe208f6480bfa0b90f68c65f63e802a4d14d14a362eb52a31aca48e1ee609f986301b020aafafb60df6061e456a96f1

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
92KB

MD5
b7a5fa99951a98f5865da8fdd516d82e

SHA1
85cb893a82ebec9208ce3ab8d54cfb835ab38356

SHA256
cf7bf9a41cadf9e7d91b42632c058e62bc6a2f24338540db3550bf13ced3f531

SHA512
6cef42d86b637550bb28c139658c71908b544e09ee94cbfaaebada62cbb18d2868196348768c0ecae4a18ea13d83ac05d1abdff845ce53b1f1725321ae7332b7

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
92KB

MD5
3b17fe9957e8838d9a1ed1382c90506c

SHA1
f6d50b5e374f291f407437df523b3728c59b5fdd

SHA256
c7845bf8a961d39a6cd5f5c62fecf5e7323f830030b916db17d46dca7f612af6

SHA512
7107b022f17de8f9716c59c61694f69d657508ef5db0b5fcbfc7f22bb0afa41f12c4abd7a6dee0eb0c1e6fbb19c74cf4f5c04d8c5872429cbe6eb578cc0c3015

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
92KB

MD5
a399a0ff87113caae2f636f0ef33657f

SHA1
b7c2a49ddaeeec7fbf2be774cd1c9d26632ecc2b

SHA256
655b2f8443b6b36f37badeb2d6ca25947a4054cce3f5bb003eb1949931634df4

SHA512
75a8e892434c8eb1d352cdb8cfe5af22a94c65e287d265861dd292220407d51c1442435d4258cb048fc467cb1a9320ff7dcb6e43f77df554c681b54ce723c6d9

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
92KB

MD5
5e127702ef552f5be614ecaf1d72cadb

SHA1
d80f7cb030cf31af8e296579c5920568d501ec8e

SHA256
000667a5a9ce2d4f5cba1a5fedc6aae2e5ff5901411ab973e9c773134d8c5346

SHA512
27dc4a8840199dd4b38d12748b5a1ed07518224a9b70e08f636e66fae5cf5e9ab78cfeaed1b6e8e850c17e3e3516d2353dfb49f4228cb18d01e75ac026862a5c

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
92KB

MD5
5016e82c52b03a6f5071d2b728766992

SHA1
9ead77b706b87bb979ae49a235ff128a55f3393d

SHA256
cfad662d0177f24d2bba9e52fcf13979e8f7462de3ffe18fd40a5591004aaf8f

SHA512
56e150d2fb5b79dbbd2ac2e07baf276beed4345242d4703a5f61ffa3594afc4571ba05b2e3f514d0534a2fa50b77c1231bd2347796f2a30a34f32211724ed53d

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
92KB

MD5
97b09349cd077c7ac3b98e27ca37379f

SHA1
2dd58757c9d15401f78eef4b4134cb1f51a8e38d

SHA256
5f040c415bf71c369259a542bd34314cde73d92cf1896616683968bd0dd9de44

SHA512
d1e731748a46948aace0804944fd0adbd1201669a338d0df50b7b141a8551dc3e2b84581c91b5177bb7edde4ac7ad568e49647c94a1d07e36093a2fad32b4464

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
92KB

MD5
b906005eb7ba34479377e98df484bddd

SHA1
bbf283f22785bdb5c16030d5ee152a465b6aa7e6

SHA256
c22fbe3f4dd901e2c6018fb4f73e191fe402d1ca6dc0d16ff37c17736f018e2f

SHA512
9dfd11224468efd5677b4af27d5451e1c48dcc373b12ccd254d90c29e47512151e1e703842724a16d4b55f847737df477e89e5e9cb1cd2c690d4fbbb6b306166

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
92KB

MD5
4de6916230d62f0f1c942126d96f1de7

SHA1
943b7011bfdaece79db19c6e0b398b5f1b96353a

SHA256
dc1b1279f1ba127e80891872c32ded08513be1423a525677ef0fd7b249d8fc00

SHA512
8c711ee4424644b8fbc8cb423c325120f4bdc97d998385a8edc358850e742a219d08b53daf5e2fbef1978e5a96ad4213f8b379990ea6105a878b97582e969cb1

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
92KB

MD5
a20699365fddc6ff09cfd6a12c1b53ec

SHA1
92bfb5207d3b5c50496036e107edad32caff79d2

SHA256
d101e82bf0e6432fb2c2166e7737923521e89ad9b593eaccc7b10556cb938878

SHA512
c6d833a8e39ef56d2c55c177808ba46c732da0ea7d1f8a4d1908de5f0d5b2f4476fc31c0235b95949adb54abdfa2ff415b43fd6a92fb20e72a40c9d29428733b

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
92KB

MD5
1bc4422f533bd2ad78bca3e009ecf02b

SHA1
65499eda74e4b80f4f6808225a3b0180f38a552e

SHA256
3d43b12744066304c5b4967190f419658ad00d6b3c8d572f73e79485422ed2ce

SHA512
bcda1c0abd08191cb1d2fbff9aa9e3b1cb8f8b013d0f111ed8e940fd795ebe0cbf6442eee14d3a53fa2d4618bf3620e02a0e816a6828beeaac7e1b634418c8f6

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
92KB

MD5
4303874c4e89e265576fe142ac58cf2c

SHA1
1af02892e4a43775e22477fd14321e9dc374e1bc

SHA256
e3ca0f8c83a0dedc4998b5e12a47eb8ef2abf46799a96d4e321873c1f232df1b

SHA512
295f07266780d82fc1c3bd196a1862bb942e957c6b5a7af67846dbbba32047f6d4455a1f9b4bb4202ddded4370f23728f5235bf37487020acfa0e08752df8ad9

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
92KB

MD5
221841293335f5ce569af79cec4fb16a

SHA1
dba968c6ae837d6222de97615c07d0c8ea0cf302

SHA256
6289e2cc87c8bffb9f6b7a6d58c11ff2273662eaef5a35037d60ee5082066f86

SHA512
2af2f0517864025ef36724262029169ae3e0d45e63c53417fbffbd162e5558b2b881c50c456b3fff643361aeba474d9048cfe5ec7e796134bee7ae869d1cc657

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
92KB

MD5
3f01fe488590b26478c42cbc37cc9aa6

SHA1
23c4ee30683bf3114187d1f3bae96c6719f1e14a

SHA256
cf92456352243d85c796f53ff1622835ef0a3801560ebbfc02f9a458a02419e9

SHA512
5215e1cc24ac927d7349bf51462cde1094475d8d6eb59765fadfdd25f726df093e96201645c76fb4b91c2228f1334be7a170309414625d9b9ae5ade7e276def9

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
92KB

MD5
7e3efe66724eaa43267b82660cc2bfd0

SHA1
ba13a72a086cb34b6e8ad5d6292e4c3dc2240ca9

SHA256
82977a4f2b5d2912a15243cc0e228ed2a537ae91092abaa2311121953c4cbaf6

SHA512
64ccf8916e16188a6bfd8e26c382c598ff05dbe47bbc3fa23eb22b862377db8dfcc8547ba08e71c2dcac097c06b562fb75352848a302ca50c084a2c2b83b336e

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
92KB

MD5
9fbab02e0dfc0220a925beda32c9a3f7

SHA1
edd74cabb2ad6eb4a67bda2aa596c0f6d12e134e

SHA256
241c689baf5a5bd2aa4efa23b937cdd790e9b00414dbf9a2ef7afac013cc323e

SHA512
b98649b9d7dbd90a5b6ffd2d837f76933160c0d5496381078e0d71d49fab31fd2bb25f2899cb8d5963a8362878d13ca4e07ab030341a096945af109b5f9ae0e6

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
92KB

MD5
7c5f026287e2dee1b3fd7e1226f17ff6

SHA1
282276b270deba64ebb93660f03a0345f236cdb4

SHA256
9e456f2300143b4f2135edf4c5d98a75269c0099c0eaea3690b283de99f0c03a

SHA512
17a3bf6a2684ad50bd05f3c85693e97b684925cf75325d2a24d8cedbd510126eed9c3b73ba6c0ab444ced2d6031bc3b78f5c712fb4e5083348b92029ac14a934

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
92KB

MD5
e6bf9440af503a6a973796344367503c

SHA1
57d71bf0e7bd3f72bf08906c7e76ae79a940da28

SHA256
36a4d2e1aa4778708294823f26d2974520f4bb1b0d1913fbc5279c0800b9f43e

SHA512
006fa33f62d8978a8ecfd3e96fac6061d3f289a0f397027753bf89f8a46be2c4f55164871053611ee68c1ee6c5a3a995ca48baa7adcd1966249b50abd80a5ed1

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
92KB

MD5
620154ca4f0c1fd81b417f071012b6c3

SHA1
991182c2f39f4faa1afea150a1bc4eb5c58d56d0

SHA256
417282c9ed0111c3cbdd5c234311af1d168edb5da2f0a4258e88d2714b6df72f

SHA512
f44b7b4ff3bc9c931abf732a7c39b54d14a7442141a40778c6a4dc795fd2b46c3ef7b33ffb0e6d180adc61ab994f4f61daf5bc08f4d15bef17788cf02cfd052d

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
92KB

MD5
543ccd7e3fc944dd79fb3f0b9ea8b83a

SHA1
1e2ad2f4ada9d4ed4e7000c77bb848596d29e9d9

SHA256
da9011ed0ae9509b31b9b873086638b28b169c9bd6b23a831f7f787eb0f276c2

SHA512
64e7fdd739d4b3880465181c199e358fd15fdb026a466e35e67b4496b8c045423741dac6b1ce76398ab03f2d84a264c5e956ab2e979182ca326d01fc1855a5c8

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
92KB

MD5
29141dfeae77cb165ef94bf4819723e4

SHA1
a632d030f1ee23294a567648a165f159005f9d92

SHA256
9227b75fd02af254edb527a62b1830cfdb01947e85fff9d6ef7e06b94fbcca32

SHA512
a7fd427f8cc2d4a74cfa3146b2f34928331d50c744d86ebbb156708e5e727c4b223dab9e135b34478c4de8556dcdc6832c2434622f68ddde9c10830e139bbf26

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
92KB

MD5
0bca93d219fb17ab3d50c26a76de031a

SHA1
8976e4f5b6eba193cd2efd830b91d9ccd6f03f8b

SHA256
4c3fbc86e7ae27c86aac56243dc9c60e218a3d626a1fdb21b7ea61bc2d571401

SHA512
27274759dc72c6c1c10909f0bf2e0759c84f796c426240cca70ec2053f42d86623b2dc51dd0db21c9fb811fefcb0999a5e1d38b68c32ef11e72ce96edf6a8de4

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
92KB

MD5
d521f94640fe59242d8dad3953ea4664

SHA1
ff44a3fda11f0b6c83f3b027fd229e22bb4753c3

SHA256
502bd408103f17210cdb0e6f2cfa5d32cae2e1cb2d7bc499b4a1bd6977fe51b5

SHA512
227b3ef6b822e6b5bd738b6350d6b628befc9651a272af0a00e7f996ddd41cb4a1ed520ebca4c5a5f27b7e6fb46faa826543fdb6375eeb3f640df6bf50afab48

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
92KB

MD5
e348ff640afc48ebedd9ada8083f25ec

SHA1
a1eb6954bad79133476a24d7c4017ab9e2b5459b

SHA256
7164e5e04e19166493461eb3ff52776a93ed271329df8f44727aa1cc172a8c7a

SHA512
e5e34c79998235d079c7eebcbca978130a5802b8344767cc901cdf3ed0cc3ab6f4a48f339a51f6309c4bc9ba6dc641add308418d0b611cba50db976f008be0fc

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
92KB

MD5
ca9eb04ea3cd88c03944729352e4b5f2

SHA1
590418dd8e12c98ded868ca58d5b57aaf848b25e

SHA256
91869995f2a3235ab3e217a1e19fe863098f1fc05c0ff03b8e33bc9307b83d1d

SHA512
55e85df069edc6fcf719072b6a9645bfdc6848ada449e47630bcbf7da72c8b4c6b3107e7efb51cda3a51cffdecfc18c07cae848ffa0338523529cd90b8e996be

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
92KB

MD5
1b490217c25feea520f1d039d428e222

SHA1
277294b0193f8234f1de54245c8a7ed2c37232b8

SHA256
2151d953a81ae9e4db540cc184e4f15adab7ea562629d5fc4a67939c259019c9

SHA512
acccb4f663ea3e61d2dd86673e2e76d8d08c63388b17107dbff523b29f705e332512e3b53d7e8202a1f0b6a3cdf4f1fb254b9fb0e354ffbeb2d31fbd9534c371

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
92KB

MD5
72aef3e0de2e394c04b52362c24b6cf1

SHA1
fac58874f905f506fa6ef03b73ef0aa4bf27ea99

SHA256
e290c7454bf8319af47a34ff37a3e18ce0908817089febf55380e27af6534a04

SHA512
7a1d10446c630ac391a35346217f6b3e25d7814025198266002e3f8d98e0ba2a255d25e3c5ce850d534914a9d878f0b033bf4705525bb166e93d0be6ec27a717

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
92KB

MD5
ed25138b9e0768a4cd53493730bcb7fb

SHA1
b744606d08a1d89b0a96b560f022ee22eff152f7

SHA256
864cae8e0771b3ea60e8560ccc742492100692b5d6131a456b63a44b82586667

SHA512
0d2ecfcb251283069a0c1fbc3be291f452c67f45d8058c8192517218e01f251cfa3abdea66721df81fd67f5bc43ea7babdca98401a5691fb3f01eb2ecc8f4f06

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
92KB

MD5
dfef45373b51eacba6e9a0457f69dfbf

SHA1
031993e418a1a76f5f15d8ff23df789367deb218

SHA256
8a3a0bf784436a7753a6c327e25c6743441ef99dd6f70f830b5319864e56abe0

SHA512
c29d752d766e484aff170c6f8b508e08e6941b25d41f2c997fb6abc25e73c1d4b2d074be04051d0dfbac6720ca15ddb294d375622d1684d053bbbdf1c4ed7b4b

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
92KB

MD5
44d1078766eacd96de56002783e62a06

SHA1
b2b5f5e3fe7b14ef7de043d44ae4e74f577c81f6

SHA256
a3b9e52e85537c8d85d30ea8233be438d46f2307103a236c0b62301f0243039e

SHA512
ccf650d8c611eea3014ba6e0dcccb3aad4b54cce9de40fdf259b7bc23dfe21ea17736e8d04264fbaced1882141fb4f2bb4ce3b485d4771bd82939dcd9f5c5a89

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
92KB

MD5
98959b803cb0dfc4ad27c587a8a75c5e

SHA1
add4a2c4da376e033796ba3341b0b7d4477373ef

SHA256
d8b8ac8ac85b7ee9e24edf69401aeac53f2ea7ff85df6b2d51041a7d4a79aeec

SHA512
a8ea99acb0ad37e8dc40e36f80fdeac417caf60ba6734599c69412459a03782cca82eb7f5e546593a87d811a6e1ba3b444095b366d1a43dddca398aa159cee33

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
92KB

MD5
b566342983adab8d3854fa60e464657c

SHA1
bda0de8d35caccbb5c0ab470eb077d7ec68f6354

SHA256
32ac3f7abf835a308a96e9c0daed64e7f33cfff69d725b26d422e444db0f3f3e

SHA512
d539bd1013fa140c4eabbc15100b74adb555e4c13df08635ce563e9b71d4b84614ea4a45008420f682e187a873d8f33b2dc8ab41ae92c2c2dfbf9e99ada4f7d0

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
92KB

MD5
5eb7a2d33d690474748378755fbcc989

SHA1
cf18c0b8a6b59a8f854d6c7d410dcece149dd2f4

SHA256
e0fa243fb20ec38f23b48d5f0092362d458cd91a9e14d11261743392c58f92b4

SHA512
14343c3bcf811eb204dceba8acfbba3565808b12e8f8fa117e4a3ab449e47661229552c9b90a9d159555edb6fecf86b3133dc67e9a3104cbde11cfaaa2dee4c4

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
92KB

MD5
e7ac61fcf7f564d4562f2ed819cf6dd9

SHA1
4054c927e839662cdd9058e8b0b9e29df54756b7

SHA256
a56af7ca2d820a3e75bc8a88e436d3585f30c90951d3bc8bf345078ee1dce0b6

SHA512
77e8874bb323a00b803c25a595e358dd892b6613cb4a5bda416fa2233bf662e4801ec20584391ce3bca63459c8904b90ce7441e1a9edda79763268a2dc91b982

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
92KB

MD5
411808a9cfb7489baa54670142ab608f

SHA1
61e5993774a5c3fc08377edc3c6bcf53312efcff

SHA256
9d95c29ac35971472e7b51a71788e5a67c1595b308fb489a1fa9d779229dbea9

SHA512
76588c8b78699d465505a113cd403989428a2a8d418ac2e5743eed0c642921f93189a9332551c2491ffc416d77a402ecbde1e0bc05e0d13f6e78729464ca5b65

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
92KB

MD5
92a616bc3209d71028d3db7bc750d8a6

SHA1
ccafb8aca548a6834bfe95b4a946529b63e3cc3b

SHA256
e123b6c5ea466d3cce522bfb98ef736e393db066e7cb274df36ed0c763683aab

SHA512
f62bb15333c06f373c8ea6eac3edca0ac174f38db08231ea50b686fb8fcaa11295ad56126da6d05d843f17491a3ef9f3a6c07b208ce290ba3d89216138d28f9a

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
92KB

MD5
b7dfa9bf22b3543de3b0a84ec661a2b3

SHA1
0fb19887197e30b6a2189f0b1147c28c428f9fc3

SHA256
6f98f78cbb1a726df14374b223a5c1d7dae6a45bd10780965cdf8fd9dc8d6ef8

SHA512
74bbd9db04a5e4f9f4a7cfb04e03ef391d11e82b43e7b4924ef381f09c07dbbf93860931948af4809b49841dfae03fe4f2cd5bf92bba117310acd694646a5a74

Download Submit
memory/216-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/316-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/392-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/404-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/428-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/588-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/588-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/620-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/628-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/640-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/832-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/956-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1028-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1064-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1140-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1268-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1376-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1692-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1700-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1704-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1748-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1772-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1780-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1780-772-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2128-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2200-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2276-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2276-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2280-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2288-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2388-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2488-563-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2580-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2592-229-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2780-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2788-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2852-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3088-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3116-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3288-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3364-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3432-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3468-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3472-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3532-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3688-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3720-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3800-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3840-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3844-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3876-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3896-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3972-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4116-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4140-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4140-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4200-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4200-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4248-808-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4248-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4284-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4332-815-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4332-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4512-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-822-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4596-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4804-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4808-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4908-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4912-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4912-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4920-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4924-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-823-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5056-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads