berbew | fe0278c0440af59115542ebaaee3a290921a70d3236f6ff27fa44a7e876e6c33

Analysis

max time kernel
94s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe0278c0440af59115542ebaaee3a290921a70d3236f6ff27fa44a7e876e6c33.exe
Size

95KB
MD5

e2f84110ebb5e94268b007e9bd2512f7
SHA1

b91b46fa26ae57c08a46279e6e1144355bf3578d
SHA256

fe0278c0440af59115542ebaaee3a290921a70d3236f6ff27fa44a7e876e6c33
SHA512

36b58dae2397f1fd915304826884e2c0a8bfe7da43420566785f488b7053833bc63c153fc35b2861cdac7b9348a6507237853c2787e34f70e10b0b9620c3b1c5
SSDEEP

1536:UgzbxbhnMXcj6kH/Vu92ozb1nK/NpNc5GEWdjfOM6bOLXi8PmCofGV:UgZbhMMj5/QzbiQoLdTDrLXfzoeV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2152	Mlefklpj.exe
4316	Mpablkhc.exe
3036	Menjdbgj.exe
5020	Miifeq32.exe
4280	Npcoakfp.exe
4796	Ncbknfed.exe
4208	Nilcjp32.exe
4492	Nljofl32.exe
3956	Ndaggimg.exe
1568	Ngpccdlj.exe
2872	Njnpppkn.exe
4960	Nphhmj32.exe
2380	Ngbpidjh.exe
2900	Nnlhfn32.exe
4196	Npjebj32.exe
2612	Ngdmod32.exe
2440	Nnneknob.exe
3272	Ndhmhh32.exe
2032	Nggjdc32.exe
4012	Njefqo32.exe
3012	Oponmilc.exe
2016	Odkjng32.exe
4048	Oflgep32.exe
4588	Oncofm32.exe
2748	Odmgcgbi.exe
1488	Ogkcpbam.exe
1128	Ojjolnaq.exe
4604	Olhlhjpd.exe
912	Opdghh32.exe
3408	Ognpebpj.exe
4592	Onhhamgg.exe
4292	Odapnf32.exe
4352	Ogpmjb32.exe
3432	Ojoign32.exe
2208	Oddmdf32.exe
1996	Ofeilobp.exe
3004	Ojaelm32.exe
2196	Pmoahijl.exe
3064	Pdfjifjo.exe
4784	Pfhfan32.exe
3268	Pmannhhj.exe
1644	Pdifoehl.exe
4972	Pggbkagp.exe
668	Pmdkch32.exe
2712	Pqpgdfnp.exe
1268	Pgioqq32.exe
1000	Pjhlml32.exe
1408	Pqbdjfln.exe
5096	Pcppfaka.exe
3260	Pfolbmje.exe
3484	Pnfdcjkg.exe
1696	Pqdqof32.exe
1956	Pcbmka32.exe
2860	Pfaigm32.exe
3648	Qqfmde32.exe
4544	Qgqeappe.exe
1748	Qnjnnj32.exe
4084	Qddfkd32.exe
4024	Ajanck32.exe
4340	Anmjcieo.exe
4536	Adgbpc32.exe
2904	Acjclpcf.exe
4156	Afhohlbj.exe
4832	Ambgef32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Mpablkhc.exe	Mlefklpj.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	Miifeq32.exe
File created	C:\Windows\SysWOW64\Chfgkj32.dll	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Nenqea32.dll	Nljofl32.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Bchdhnom.dll	Mpablkhc.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Ncbknfed.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Ncbknfed.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Oncofm32.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Nnneknob.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Olhlhjpd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5576	5456	WerFault.exe	193

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe0278c0440af59115542ebaaee3a290921a70d3236f6ff27fa44a7e876e6c33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Miifeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nljofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	fe0278c0440af59115542ebaaee3a290921a70d3236f6ff27fa44a7e876e6c33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dfpgffpm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 2152	4904	fe0278c0440af59115542ebaaee3a290921a70d3236f6ff27fa44a7e876e6c33.exe	83
PID 4904 wrote to memory of 2152	4904	fe0278c0440af59115542ebaaee3a290921a70d3236f6ff27fa44a7e876e6c33.exe	83
PID 4904 wrote to memory of 2152	4904	fe0278c0440af59115542ebaaee3a290921a70d3236f6ff27fa44a7e876e6c33.exe	83
PID 2152 wrote to memory of 4316	2152	Mlefklpj.exe	84
PID 2152 wrote to memory of 4316	2152	Mlefklpj.exe	84
PID 2152 wrote to memory of 4316	2152	Mlefklpj.exe	84
PID 4316 wrote to memory of 3036	4316	Mpablkhc.exe	85
PID 4316 wrote to memory of 3036	4316	Mpablkhc.exe	85
PID 4316 wrote to memory of 3036	4316	Mpablkhc.exe	85
PID 3036 wrote to memory of 5020	3036	Menjdbgj.exe	86
PID 3036 wrote to memory of 5020	3036	Menjdbgj.exe	86
PID 3036 wrote to memory of 5020	3036	Menjdbgj.exe	86
PID 5020 wrote to memory of 4280	5020	Miifeq32.exe	87
PID 5020 wrote to memory of 4280	5020	Miifeq32.exe	87
PID 5020 wrote to memory of 4280	5020	Miifeq32.exe	87
PID 4280 wrote to memory of 4796	4280	Npcoakfp.exe	88
PID 4280 wrote to memory of 4796	4280	Npcoakfp.exe	88
PID 4280 wrote to memory of 4796	4280	Npcoakfp.exe	88
PID 4796 wrote to memory of 4208	4796	Ncbknfed.exe	89
PID 4796 wrote to memory of 4208	4796	Ncbknfed.exe	89
PID 4796 wrote to memory of 4208	4796	Ncbknfed.exe	89
PID 4208 wrote to memory of 4492	4208	Nilcjp32.exe	90
PID 4208 wrote to memory of 4492	4208	Nilcjp32.exe	90
PID 4208 wrote to memory of 4492	4208	Nilcjp32.exe	90
PID 4492 wrote to memory of 3956	4492	Nljofl32.exe	91
PID 4492 wrote to memory of 3956	4492	Nljofl32.exe	91
PID 4492 wrote to memory of 3956	4492	Nljofl32.exe	91
PID 3956 wrote to memory of 1568	3956	Ndaggimg.exe	92
PID 3956 wrote to memory of 1568	3956	Ndaggimg.exe	92
PID 3956 wrote to memory of 1568	3956	Ndaggimg.exe	92
PID 1568 wrote to memory of 2872	1568	Ngpccdlj.exe	93
PID 1568 wrote to memory of 2872	1568	Ngpccdlj.exe	93
PID 1568 wrote to memory of 2872	1568	Ngpccdlj.exe	93
PID 2872 wrote to memory of 4960	2872	Njnpppkn.exe	94
PID 2872 wrote to memory of 4960	2872	Njnpppkn.exe	94
PID 2872 wrote to memory of 4960	2872	Njnpppkn.exe	94
PID 4960 wrote to memory of 2380	4960	Nphhmj32.exe	95
PID 4960 wrote to memory of 2380	4960	Nphhmj32.exe	95
PID 4960 wrote to memory of 2380	4960	Nphhmj32.exe	95
PID 2380 wrote to memory of 2900	2380	Ngbpidjh.exe	96
PID 2380 wrote to memory of 2900	2380	Ngbpidjh.exe	96
PID 2380 wrote to memory of 2900	2380	Ngbpidjh.exe	96
PID 2900 wrote to memory of 4196	2900	Nnlhfn32.exe	97
PID 2900 wrote to memory of 4196	2900	Nnlhfn32.exe	97
PID 2900 wrote to memory of 4196	2900	Nnlhfn32.exe	97
PID 4196 wrote to memory of 2612	4196	Npjebj32.exe	98
PID 4196 wrote to memory of 2612	4196	Npjebj32.exe	98
PID 4196 wrote to memory of 2612	4196	Npjebj32.exe	98
PID 2612 wrote to memory of 2440	2612	Ngdmod32.exe	99
PID 2612 wrote to memory of 2440	2612	Ngdmod32.exe	99
PID 2612 wrote to memory of 2440	2612	Ngdmod32.exe	99
PID 2440 wrote to memory of 3272	2440	Nnneknob.exe	100
PID 2440 wrote to memory of 3272	2440	Nnneknob.exe	100
PID 2440 wrote to memory of 3272	2440	Nnneknob.exe	100
PID 3272 wrote to memory of 2032	3272	Ndhmhh32.exe	101
PID 3272 wrote to memory of 2032	3272	Ndhmhh32.exe	101
PID 3272 wrote to memory of 2032	3272	Ndhmhh32.exe	101
PID 2032 wrote to memory of 4012	2032	Nggjdc32.exe	102
PID 2032 wrote to memory of 4012	2032	Nggjdc32.exe	102
PID 2032 wrote to memory of 4012	2032	Nggjdc32.exe	102
PID 4012 wrote to memory of 3012	4012	Njefqo32.exe	103
PID 4012 wrote to memory of 3012	4012	Njefqo32.exe	103
PID 4012 wrote to memory of 3012	4012	Njefqo32.exe	103
PID 3012 wrote to memory of 2016	3012	Oponmilc.exe	104

C:\Users\Admin\AppData\Local\Temp\fe0278c0440af59115542ebaaee3a290921a70d3236f6ff27fa44a7e876e6c33.exe
"C:\Users\Admin\AppData\Local\Temp\fe0278c0440af59115542ebaaee3a290921a70d3236f6ff27fa44a7e876e6c33.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\SysWOW64\Mlefklpj.exe
  C:\Windows\system32\Mlefklpj.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\Mpablkhc.exe
    C:\Windows\system32\Mpablkhc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\SysWOW64\Menjdbgj.exe
      C:\Windows\system32\Menjdbgj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
      - C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        24⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        38⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1000
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        49⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        54⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        73⤵
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        78⤵
        
        PID:384
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2728
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        88⤵
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2680
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:536
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        100⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:700
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5328
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        111⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 416
        112⤵
        Program crash
        
        PID:5576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5456 -ip 5456
1⤵
PID:5520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agglboim.exe

Filesize
95KB

MD5
f64fe0b0bf5b8f209440f75c68cef6ed

SHA1
fdc95e7af7f27823fff52b16ee6d7813987715e9

SHA256
09fc7ed8aaf9fd59c5dd76a68949604081feb92ad2bd83ebf097a0cb7da65a62

SHA512
871065de5c744b3131b85ca1515cbceb1bf4664682c6b86fc06328ff8bbfbf8fad6545bcad00e6f7b325646f50cd30fdbdc85090ce110b90d6668f1ec667792c

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
95KB

MD5
678513d8e944855d47177e30f8d567fd

SHA1
0bf38f465b3bf662502ef7b77699e03e3d2edfe3

SHA256
53da3d147cd4a4fa11f2dfb6d0cbe55bea07689243af1c3bc23cc39728c5771f

SHA512
55d50050f46e0e0bd3d3cd63d79b888027aea46a24080e885466ff5459b8df60254b3fcb71067b3bf0909b3cd2b048f399456c6eb13b9dca7bd1d181cb788e0b

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
95KB

MD5
671c95abee2fac5b54d646b2107c6357

SHA1
67abcb101fa82e6b4f7012d7392f8fdee9fb6f2a

SHA256
6650bba26c8d45f17412f01ea8becbd9da1984847c60208d4ec0367083c2935b

SHA512
d40130b6f11044663da0a4407a1b1b4af283b72b1ebefea7e7699fe5cfbfea700b89f4b3c9d16ed87ab0c23969703a3a80caa2bbc0843483d081524ffde88075

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
95KB

MD5
c9f596940e456b3942aad0256bbc856a

SHA1
fa006f3cd83f906dd3148fb616c2cfbb2a465647

SHA256
e3ceac3bdf08d670015ebc88bce456cca6a96a07da20d047b3d0dc1886988b1f

SHA512
cfe04b255f1071debf7a035e6e4ae044214912fa4f34fba1f747ee1afd387917cb06f6488234450d2b68e25e52779b1bb87744ff8c2ac48729fbfa329ff407cc

Download Submit
C:\Windows\SysWOW64\Bkjlibkf.dll

Filesize
7KB

MD5
ca684947a180790ea9c7469fe861f963

SHA1
ae159cd84fb74985fa1051235a89cd8935f1538c

SHA256
8e7785af21dbb362d7cde1caed4cf68fa2ff6f841f55311cc899b8915e0120c4

SHA512
f96d6d70109baca19fe5fc17429c7fbefed04b7ca87f7224141c016a7bb0cd04c56cf1c839408e71b35ae97a5db5d583fbc295fc9aacdbf641a993a7370cdcbf

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
95KB

MD5
046fe3b220e8d75d473e4e741c35e297

SHA1
30364fc139c383cf0f92d23d6416823106e67025

SHA256
b5fb1174e97fc2eba007a2eb623630368d14df84721775954f1b1877bd583092

SHA512
d81472a7d5f262219d557f553388d5ef0c74069ab9143ef3bff0abb44a392837d9fbca8186a1feeccaf1b53d579ecfd2ee4baf98225744bd26c8c119801d4c92

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
95KB

MD5
9a478c2eec68f65bd7353148438d2939

SHA1
9ddf16704e2c0c792fad69a48eb3477096a0f50a

SHA256
7aa6868a738ef5e9c0ad00b2fc9a277efe0dc6500d48ebc5161a3ea4746003da

SHA512
fc96fd7013bed5c84d7e105329e3d3cd199f403d2f37b1d468eac08160498cfef3073581702c7ddf890417514e8f2431d47686f59af2ad80db88f70d8525f6a7

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
95KB

MD5
30c03e2cab50409ee6f19ab5dd62f608

SHA1
60d5d5589d5c585c76ee9dd05c597d5905ef9635

SHA256
fa3368f023c78b16da335ae2947eb772cdb081525383a70f0d51795e2002012b

SHA512
1dc92769e5ad65bc09364034df0fbd1c19d1b030e0aa61245d98d1f7e6f4f18d83b71b5727d5d5652cc2f37cb7884bf17497ce700c5245a9b7425d70647749cf

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
95KB

MD5
7fdbb68206eac9ccf02143fc1e0250ae

SHA1
3819f7ea381ffacecfa95d65d62a01ecc984e6b2

SHA256
c846d8d25c2b39493ac70da80de8e0d0acb2483fc0f1bcf262c5d1959824e540

SHA512
f444a1b2fe5607ea0735f0855fee700d577f2d77823648930520aac6dbdd9e980ee54fd4bc719ebb808ec58ba6f2f8ba6d6fb14a247891ae22d242c4ec1f1241

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
95KB

MD5
1de03801a1a655d3dd3fedc2d539452c

SHA1
5e0e0912aecfe2bffdd200b0040c8233d0d931d7

SHA256
e8f2786403006c6934f17d475e07795b7a1fc3e9cc76f16b1e690e21cf4fb4a5

SHA512
cf58898e30228303bd8a9ed41d689ca3f7cf2891051b6e95bf3768bbe06b27346ce3e45b729f6aec4a7b00ad0260dffd0ab5488ff06aaf0e0966c57c1bc7ffd0

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
95KB

MD5
226c9fb0dc022c67eab04608dc252148

SHA1
328d6b5d7f2702bb8f9cd63ba0090f8440c8fafd

SHA256
032f7ccdb4b20567555f84a4992b93411b614f5f04f0fa49cea0d3ccc2fffaa6

SHA512
2bfbcff223cfe41a1225731608e7f7cc7747171bed6ca76070a2aa0931af7f2bdafbde95c224b0dd5d311c6acd014986f81a85e9d658ebef01ce7503bc1fec24

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
95KB

MD5
dee4a423664784714e5a4d30bfb21acb

SHA1
f2f9908ccc3a4b994a47af4ceead3e98aca7b432

SHA256
5514b21411a05975c1206d311bf26463a8a23509be1ccbfb85dae2beab02a536

SHA512
17c1f22c9045e151456b785512b7f986437f9b74876eff95df3fa27a64370c5bf5ae4952d8f8206adb870e2c3603d960641d2a7861e9e538cd8b980ceed29de5

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
95KB

MD5
dea90786f0b56b828489606eaa9b4b5b

SHA1
4f4fee6e4804bf91656782a87939b8f05e155adb

SHA256
9c8b5a7dff8ce601d55fc4d8ca28659a5f9ab2533e73534c18e9368a5d3e963b

SHA512
f485b966cad9d91d1ed7c552e659565d47d4f34acdc3e739ba61cec8e4c8a949d012588ff8339eb45b2f24af80f5a6f2a81054241c05fc4d45f618852f27ccbb

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
95KB

MD5
452c9612b163089c618ca3f68ba83223

SHA1
a523f15372d4ddad996fa949b5c85a78f8acfb31

SHA256
a432088a377ea0302f01d098f606c58952caa58b75856e2e7d9aec44f266d742

SHA512
b74dd7c92473e2ddb55c2a409b7a8a47bb2edcd0489aa464f084c92261f86c84883e242b66ad6aafebd149887f3e9703ae917b67015573c728fc303b616dc7d6

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
95KB

MD5
53d3b45584ae8bf888b6085038280d23

SHA1
478f54ef0af338bdb57c924833e8c5b7dd09246e

SHA256
1227fb88986d900f38453203786ec573376a4502cdfe3d5444cb02d05941ea7a

SHA512
d8ef0522e8776d597fa527c415aff716620566c364fe9d21ef16e04ecec6595751e408776ab6d91295e3b8ec45f4bfe2626da83a65a4eeca74a8be33133a7321

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
95KB

MD5
435396d3dbd4b59564b52c8803b9d974

SHA1
c2f079098d92650611cf8296de876e7a3f8cbb42

SHA256
ffcfc0755a65c37cda8643bea1c4a87c9a1f7a02405837eebe5cce1db1f061b7

SHA512
733cf277043bc4d7947cc00161bebdb8e50bc558bfb4a8a887b0933955724e7d49275854df2d394922ddc7aa94c83172b4da4357db1c565d8cfc918b2754d206

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
95KB

MD5
67595433e0e96d2fa71185442a1e3ada

SHA1
60a0572b528b7f36f386ae4ce0f96584366f92a8

SHA256
bec27a10fccfc31385066732864af30891d087da3249e0007b621fabcd444310

SHA512
c63e5ad03c41fd0451575048eb8f49ead2994e3dd1f8b3d97a4a975792423e40663d4bea419a23ae11a7e21c75f39d85b98ce13d02d200b0229a684072c04db7

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
95KB

MD5
fe42a43e34dc7dc758a9ffb4dbadc601

SHA1
ce2645a979faae4f6aedd74d81830e2c48f2ffbf

SHA256
8c9b3715217280cc64722ae1a21ed4572fb6fbbbe51c04fe868faf90d8752a8a

SHA512
484d563f0869200565f80f9b64c432626fabbf9950deeeed46997832b0d4edc0f5aae11e4cbe6f2d1ddd26ae1e89acbe2880cb719017c57703473fc0c3a2092a

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
95KB

MD5
6410d8bd6c0bfac5160631bdcc15c649

SHA1
9d27c5f707d874bb84a1b5271da1936e4892a7ac

SHA256
ed8424281d0e20a1e64aded38a1927101d4120a2abc1afada33fd67a07210e91

SHA512
c23dc0f362c250cad056de8f08619de910abc9f2d17b81707256829f6064658c17a6f957f1378074c16909004659204b2cd2cf62e408893f8651295ba7a0d541

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
95KB

MD5
9d4236ac1ff574efb0c26ac77c597eb9

SHA1
5e5dffcf9dbb6e782ec3d64825eddcabd91166cf

SHA256
b2404d0186e6e36b750488e3997a507fb6fcf3489c7dfbb8a128ead09ed47feb

SHA512
33d0ae746d305e2aa3a411be5b75d05a04614991aa8486568cca429bb29e767c3eb8921c2be31ada7766aa032a00e6c5f626b99ca20fd1f23a5b0cc2cec65785

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
95KB

MD5
62d5161ad0d9684556a6d6a30f0470ce

SHA1
32b9ca99c69a8918f1e72fbef54dd188e5dd3f6e

SHA256
9bd1b7037156c1d556a2ba6facc52d9a91cddf415d25d9dffb9f38fba19691b1

SHA512
bec9620b97d7192ed0e554a202099fa6b009c8bb9bd5b70d65a83b332b9d6240eedd67e21af8bcca26c8b332d2618c81388e8339c7923386a7034df53fc1985a

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
95KB

MD5
0c6c53b8fd6a3c9fb4e817b3fbafd98a

SHA1
59ac79734a627bec23bca3ebb285a3d59a257799

SHA256
558e3cb0c782779c6542911258ce8ebfe60c2dca188deb42bdfa8c0f4ec6f533

SHA512
9ca4c7a184dc20ecd10ec5c4ed7c9459518ee3a77b07aa4c4fb054e30cd0277577950c7c90fc6f767ab36e1c874af8e02e7e954375fb95a4284520107bc48243

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
95KB

MD5
b54b5742198263fed65aaf325ae65e7e

SHA1
9808fd9402b7559256edfbf4e93db0f66752a555

SHA256
683aca0d18e57d8b87d661960aa0d090a4f2d2a97f1de7541a2e4d2bced82004

SHA512
54b0ae66bacc1000f0f7fb4a39c5abc9513448f696ae08ce864c5daac8352bac6c6a9214003807a3cd09af416f3b9bca368760943c3b8fcc422a325a4352b9e6

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
95KB

MD5
cf3c708ae7d8bb827ce051a601b2cf05

SHA1
a050fb71e8be02e8d215429f6a416720bf5970a7

SHA256
bc52d1d6387e6d3a617a8cce8936e381e54d8ff7073874f8ca6991c974c3a9a4

SHA512
3f32d72c5c8806a2d729460b6d4b445411ecd2ec7a376131f5309af66a0ac3f0ca7dde71fd246d93bf73d16dd0dce253860b5c12cffec004091cc70df351cc37

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
95KB

MD5
4c371607913cd140ff53322f87940d8f

SHA1
c7bb80f86d166c6b7f512895b6a37f3c1bb70093

SHA256
b2e15046bc3b5a8da2ca0aa6bfd19a842775a54c017cb0fb9c1be7169dd48b34

SHA512
474f30c46415bf76695cdcb5f5041f05c4425da22019075574f4934f44687708351ee19ae6461bde8f1557ea2f4b9d6130e14ba0656581da4e68edce1ee2b0fc

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
95KB

MD5
e72e401661d23ee366394cd624e04213

SHA1
1c8632c9a9f6fd729f3015526093b396fd55c049

SHA256
ea19a64e1aab56e6c897163bbc66d293c2175b106b408a3a4fe8085d9da1c38d

SHA512
907072ce88c5256c33bdfe72abe5de42cb81c3165dbad6d0b86b80f9648fb16aeeacac43b18dfbb789af5912e81523f597b51f376ea94ebd92a59f428459563b

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
95KB

MD5
8e8981afd4d7df000831765135dcbd19

SHA1
c6902f4742c81e1927cdf31aab7ac79c9fb223c2

SHA256
95355618409b4b4b40eaf1e53c246e98714ff459d1c2cd846f3528c2eda38eed

SHA512
d1038f7ce721b30cd0bffe5cfb518e88e699dba4ddde9fcdb271a9eb265e11e283fa624b0bb5de7d4ffd7289e8a0a05916351ca1ae8bd56878239ae370c7bf6f

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
95KB

MD5
a4ecc6a69a4de47f19ecf00ed3dd8a4e

SHA1
ce5b81b75693aeab9ccdf17b0b9f7007ed5f160b

SHA256
91904300f1cd61c290ee83084252cfc14efc84f47bde108cba362c4e102a9594

SHA512
273ccd76585c5c34a34403f58e288a3f5ac75f2f4866fe4b7be8081884d59a5e323c562363b978990eeb7ed35c18111cc8d80f6539e52d0afbe452aa05a625a5

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
95KB

MD5
329a2a079878ebe86f97313fa0370ca3

SHA1
f5a557a1a29970df509d2b62155d274fb3b0d98f

SHA256
660bea12f7fc75b86b9b23de443c9d5b4aca32176df0b98fd1483202424a94a0

SHA512
43419d5645a3e613dcb1c8bb886535599e8bdce97bf8873e889ad6465393971d0a5e4b098275bbc5509650e9d39f6461ad3bace87dd4ce53c904fa9e90426a18

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
95KB

MD5
c18cf90f1d56f37af05038a7daef1ee6

SHA1
891fa3e2e7e9c01f7c376e8fe85c20c8f68be88e

SHA256
ead9214ead7654662af4a5f89ba88441fab6d673433c099859e14165cf95c8a7

SHA512
452cf88c9b4f81ea9563dbd0a9c535b051ec406dd4b642898da84b1e9a990229552cef133eda0f877a90f9db29d38ec4da4aec533e954cfcf87ac7dd71f7c7b7

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
95KB

MD5
c6db11e625481f456cdd72ca3a06c10f

SHA1
0a8bf6433ac9d5771cd3308f8ce7edbc8c934ad0

SHA256
b2f9ed634b4c973832e8cfba98f695b608ed5829a01ac7d3effa4d75b1be6916

SHA512
471244dd0de879d931894c8236951cdc7fab59f25b8ce791aadaf24f94feb8cec8b2a4d5abf684ee3cbef57f6328bcbf16120a8af473bbd8b2b287f0bce835f6

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
95KB

MD5
91d0726d188d1f504174eff6ece115cf

SHA1
a50829fada18a497b9af5eccb70c1a1179cbd807

SHA256
23f6494b3734bb2e0fd46059a27780035b291f3bffcae763349267d7d03e220a

SHA512
177308c732d9ec9c85b9ba90390149258e0b5adc0e4fd775915050a8dc4197a09655f73b7e3fc1802d756382ef1152acfd2574465a8e6ee03c92f5f65f66da2b

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
95KB

MD5
ba54a2bcec721c95386ac1339089cffc

SHA1
905b681863e965f29960747be98f611ab9257522

SHA256
71e0aec75038f89fa2961bea53147503a6407de406378eac94dfa8385e1b2cee

SHA512
750e61885024600dade10991447b65c5b43eedce56d79a2e2471dc29651d50260dc73ed7233cf56bb7360e2716c6d7ec25c201735d3220df02c5b88dc6a7bb4a

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
95KB

MD5
5282d809ae1e64e2e3e3a1ae22c57bb3

SHA1
4d17e6e84de8e14096fa19bbfdddafc8f3ebf749

SHA256
152553dd6c9f3dc64661935a61b4e7dd672fab6f55097f65ed0fb049e1bd1d7f

SHA512
89b31cdf45a87d1ede3bdac3961c35d72c7c21bc3cb14a5e70f1bb3d8e1799c62e39f4fb95ab6bc523734bd09143de4d5d02e1f04ce2170cc05260d95bc16515

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
95KB

MD5
0ea0f5abbad4c15acccb2afdd6f2f979

SHA1
56c75a0a9094b1d9ab21efbcd85990409145cb5e

SHA256
cba9c43ef780dae58a30ebeb9c2ace96ca804230e56217d00e7f552e156a67e0

SHA512
33fd860f212ddec2a2990d36cc1a64ec0a8b98f6499eec8a8ac92ec900d930fdd02123a33922e043087bbc31956999fb9818ee17517347195011ec602fbd0153

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
95KB

MD5
6f212b7709f8c674c196755dc3537db2

SHA1
5981b4925639704823343d005bd53280ad9a4234

SHA256
e6124e9497afeb356ef0456c09fbddbb621770a6f8b92594a1638627004f016a

SHA512
ca666ddafcfc705d349e6b97a668b329d764d5bcb37979e4c3daafd7bd9ad53b8793cb5c611207b6fd63982e41c570f312b63df1dfad351cce946b19830bc2fb

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
95KB

MD5
6435b8a3a1815e3d710684ae76d10cc2

SHA1
805553969ff9646a3f23b37817642a5546087086

SHA256
5df9d728f622e2353569db3f4d7d08c069a0b0890bcdab6272765a0426362ca2

SHA512
b1df3ce3df05570fe1998a16f047254d53c98b75a2c33a1672ba05895a49c8b09ace7891e0bcac9fed880ae70c46c14be8dbfb6f011001a1e584082c656495cd

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
95KB

MD5
f15828de90c103cfd4fa8e5e074922fc

SHA1
98cb519362d1b2c0eb26963afc45aad36a09496a

SHA256
74f8f34260299220097936a1621a367242e616130d91de9d95f26e1be8ff2bf6

SHA512
4cd899d3eb495e7792e1da2b3f5a333b0267c7b8df48a5a408f68217300637a6454b90a43d072cf1650c815347ba5e255fd7f610085046682030c8234cd6b5cf

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
95KB

MD5
2903de8c35ab08544b5ea27158e31a2a

SHA1
fd74451a4bb97ffb551830835c30df6623a7fed3

SHA256
9eee9155e75825aa9226d3f0a4a9e736d17979d27b20d4691c04fc944063fcd6

SHA512
490a125adaa72c473d14afb3d3350a6836318acaf70253c1220dd61b942ad780ec5c738599a8d12665fa47e1421863487afd18288ebc6d77abab91fea557ddbf

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
95KB

MD5
6c87b7f6d07e414404b3ce9e34b5c12d

SHA1
f5e63e1a531f6827c324ecc37fde61dbaa9de816

SHA256
d8117360659c9f18fb6e0a105a58ba282b27a20f82ad126aa14a20420e4a1aba

SHA512
d2201a29dc95ef3d35f1115856c27a755f46b5a224da5a8ea75d48f1f9f1c78aaa18949b19549ef746274fa0f667b3a66e3299e9f1bb50332d820d2fe774e8e9

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
95KB

MD5
b2257cbc6975ba04311d42579eb69302

SHA1
9c4869f1c9e9403e5dd6755eef7b19acc782c5ba

SHA256
8421e60be93bbf63fa0f66884f0ff586d2f6956aa22b553d3afd209adeda2398

SHA512
f0cb20b25f785fe5a095314a30f665a816f645be1702fd294aca2b82dc6f4c925d904b8e38114dd978c16f247a701b18d2176a4b6d636794adea0bacbf17ecff

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
95KB

MD5
763f20398c33cb0d1cb533c24ee8a601

SHA1
ecb7b63aa89bee8571163da5172d1d39c1809686

SHA256
2d46406682430353d10c766b75634291936e920f3678e639482691f8c5b03302

SHA512
d324c513271ab4fc16da50561c8ac6a8ed3fd6011a9a612c501d9b860724a90095b1495946fd713a49a2b6be2e9fed28e0a8503fc9cd34e7c94f31f9351b5460

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
95KB

MD5
b1470f4cc240062e6d4a3f2597ccb486

SHA1
b345e24734812b07d3051145b7cc22e5d3e39312

SHA256
11f74a539ae9c10df535f2fa7a815ffde7ad0f00ee845a14d889289b176e8083

SHA512
d5362244926c2b7fb3dd3fd5c74d4560a29af97152b65ccdeb1cb961898180f04d1e59af9b4a2ce12a79b2dccfdfb344d36dfe1490749dd78ad45baf8806dc7a

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
95KB

MD5
2316fe93ec4739c8713d14553ca9b1b5

SHA1
08409da4b23e5b7b6cbc2af409cba562f4750ecc

SHA256
dfba731224564ee16b8ee2a04af14a56c328d1afe7fe0d9a9c5af326d32cdb31

SHA512
2583d0609003547aac9f6375bd33dbf7fde6da9d009110e3f971936d53b262ec1c64f1cc70b2658980241fb580c332408b927fd3d36fb5578e6d70152db0bf48

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
95KB

MD5
e439a219984c396316febb2453f91155

SHA1
0abca45061b4d3a9cade5aaab9b0ed7873dd48f3

SHA256
bb05ab3be1b83ddaff21882ae7bad39a32aadbc4322a4c20a051f7be8b06e276

SHA512
cac670b788f1e418f1a8b1604e3419d0bcde0b063de37e5cf917d136bad26f128cc1e12292f18e3a6fed083f8b8ed2008d7898451aef61a85d76c0a2e555c418

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
95KB

MD5
e77638759a35e49edba47fcd41bb0a9f

SHA1
fbb9d779a2d11ecd94376d7eb79a9331915557c6

SHA256
5ead130b480dd016246576dded2a5d89954ac98e7fb1deed5d43c4072d144148

SHA512
80d17fee28fd4b845be2c73b0997340cdf07505676e3b79671680d633d5527ab33fb40efcd440c7ebc9a4cb2a4720f9f8f63572ccbd8ad81e518b8ae6b7e4190

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
95KB

MD5
a365527f1dad7048bc4c6c407cae1593

SHA1
5181f2f78495c00cd5db05cd5c2f252a31a5e965

SHA256
d8926fc34470310859540bf1a39cb99c4f8ff955ae56047c98f562fa7faf52ea

SHA512
1f44c0415d011e4a7ea7025a8627fa09ee4072e928ba0b2cb75c6266f0b5abaa093e129b58a8f34a29b06b5c9d6e70a16053c729251a2f02c976b1907c01072c

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
95KB

MD5
98fa6754bd1baf5b7476034e4d393a9b

SHA1
31a18ec27331fbaa16d5b91affe63e58cf145b5a

SHA256
af01fd224e0cef2d21da4c2a71aafbff387307af535ecd6e83c084b2fd6be722

SHA512
3ed6d6b6ef08644764a444e80a143b1fbb48d4dd36b847318b8f94fe782aa867a251091f75e405f83b712fb6d4a4c2aa2b5251d94fe7478ae6b0193fff9f3298

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
95KB

MD5
b4cac4567136ae62dde8ffff4dc41c42

SHA1
7b46064176816aa6ec3bd588357f5a3179b5b45b

SHA256
fc51f59848c238bf4159c99cb1a3eed2d5198b1ed2ea38d3fbac312fd11c5603

SHA512
a1f952a102f8889f043ae75e30151a3711ad93b0dfdb246c2878e9fbf71be13da89a962b3fbb958c00ede2e98b53fcc2300913f3086190296390a0fbc8a065af

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
95KB

MD5
c3fff8c6eb62be5efcd91a1a44805219

SHA1
5f267c059ffffc7d75878ecffad02119523eb0f6

SHA256
b36a941c703d427665e1d166a02bb14c4a6b456a097b7d18f40e6efd4730bc2a

SHA512
5255ed1f99b3261fb59dd5fd8e26e95e6ec2d7cba588dbda809e0d9ca5841a96cce249615a8c0c32bb7f3c33a22a358ff5c3a8b18ec626ce0a15386612b5d75e

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
95KB

MD5
b2d96d0a69f1559e6548a38ad313a79e

SHA1
03891a735c78cdbea7af743d6f4d79f9a10d3715

SHA256
e2a61d24c243261310feb7d1d34b0aadf5c66ce645fd1415dfea631f70f694ce

SHA512
812c6ed0959b9f56c571bead1cc360c2e2db86c413db1e96649f50703f47b86b3e82ac0838cce7e3f22eb4a30d5dd2412bb4a6db85284db63937de3cb0b9f4cc

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
95KB

MD5
60eec9221df934ee1758a7c71354702f

SHA1
e3679afd482f1542a59e88e90dda47487ab44e2f

SHA256
fcb736634e222edb3ef2fd43dc43586551ae7b016944fe94b6612200dba4b6f0

SHA512
05de1f203beefd70e1c3b0043abefa36017b501d0d8adb5339eaaa254643323ec922eed13980b76b8e39df6a5c784e91e719d22572cb80faa338c9e9624118b8

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
95KB

MD5
e65f141a657bfa7dd0e3f37abe4a45e8

SHA1
f63149ea0709df33d8ed22c12b421b738d42ab6e

SHA256
0afecbd189a8cb385dbecb2affdd8eff4d3deb88858c3af394e961237da8105e

SHA512
4430719c6fbb40db1fae025da818576b925b9f8f7daeb774bba50eb184621b9e6b0d83fc2d7c0ed69d465865f6111808de7e5542b18a2323c4f977469b17e0be

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
95KB

MD5
33245f989a323f6354dff5f49efc566c

SHA1
fe95f333e90300b8fbc3b362f184500c3fea80b3

SHA256
6c584a4baa00e654634226de8e2485f150bcff3590f6153c94360f6d3ba77873

SHA512
04ed24f9816ddc37713094e81951fd6893763ff63c6bcf0711b72d9ec2701745231f99701794b3d67df435e6e3cb9c6c14ab64f2e84d55a08fca33db43b6a1f9

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
95KB

MD5
4640d340d88da997057c9a20cc1fba70

SHA1
8c5dda8a65ebdc58df360acab8319fce2e2e981f

SHA256
7cc106318f6b78914fa8d83144faff6667c99fe48557c7c08280b32382cc2393

SHA512
8be1acc860a41dcb06519acc15f04451b009ede084ae152cf089dedd7377145f487af57022e48a5c350bd5222da0b1de45a80e2cbbe8dc81a76e32168876e7e5

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
95KB

MD5
21c905e93155d0b0ff73b4f9c832adc0

SHA1
42432afbe2031c6334f9a3e677361330ff34dc28

SHA256
ab6e3fa6d79985e7420ef837d2b7bbb1743887514b4dbdd178a0c6cc4f66694b

SHA512
5f165a633501af35803ab1cbdf11409207b4f968561e1cc515986e0f7ef8af1849b89292a235edeac3dc203090e2d21c858012ba0fa203b94a8db41727df76da

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
95KB

MD5
92bff7740a98065e8f6143cd3c75ab31

SHA1
c085a5b90ec894c71a4b551ffba01250eda2795b

SHA256
307585b4376e6ae76aac74eab16fe9ff820c267ab9be61346c33915a0e4277c0

SHA512
cb80a90c331b9a8d879178c7701349db5bcf1f6cee92fb6aef45188e513eee9e61217dc32b1439beb40d20a6cf4b8dee0d235e9878badcdcaf5cb914023b6403

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
95KB

MD5
e1887220425ade89cb2b76dcd733920e

SHA1
032a9b53360cab3cd19b853684ebda213a237930

SHA256
fa957e1340cb41b80a4270847016b46fbd6770bd26d130ee3c95b575c7fcbe06

SHA512
d499f9b504d3dadc021e2a233271548c80b6cc39c5320e6399b2a9153784fe1d4c03e8b6d775b3f09f61d815ec2d6bd023acb2c49d426ed0a62addb6e5ee1630

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
95KB

MD5
e663a5d23b2f512e638a43aec62dc4c3

SHA1
48ed18882d6a6a75287530fe4be66bef50d3b0fe

SHA256
e8fce80c8188a2e6e7a843a890dc868eab1eb8e6fcc2ae40e736e1f2815bbd1c

SHA512
634c1db883df73e87d7a4fbca880a0210d1f28e04daa2c19eaad8658d62eff7ed303622ebbada46bd6b07530b035d2f15c02be21dc34f7029df0f98e91a6ad37

Download Submit
memory/384-526-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/540-538-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/668-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/912-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1000-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1032-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1128-220-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1268-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1408-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1440-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1488-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1568-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1644-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1696-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1748-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1820-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1956-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1996-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2016-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2152-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2152-551-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2208-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2340-587-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2380-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2440-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2612-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2692-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2712-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2748-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2828-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2860-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2872-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-545-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2900-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2904-440-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3004-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3012-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3036-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3036-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3180-566-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3260-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3268-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3272-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3284-534-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3292-508-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3344-484-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3408-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3432-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3484-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3556-580-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3648-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3724-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3768-594-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3860-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3956-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3972-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4012-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4024-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4048-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4084-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4156-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4208-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4208-593-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4216-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4264-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4280-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4280-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4292-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4316-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4316-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4340-426-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4344-520-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4352-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4492-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4536-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4544-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4588-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4592-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4604-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4784-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4796-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4796-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4832-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4904-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4904-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4960-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4972-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5020-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5020-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5096-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads