berbew | ef080aef45c003f2cee5f94bf5ab864f01aba2ed8a1afbe9a52a0b4e06e8af74

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef080aef45c003f2cee5f94bf5ab864f01aba2ed8a1afbe9a52a0b4e06e8af74N.exe
Size

96KB
MD5

67a0e9fc39f3ffd0d0d04e2d8c1bb560
SHA1

c353512465c998fa922360bf3eb8da13714f46a3
SHA256

ef080aef45c003f2cee5f94bf5ab864f01aba2ed8a1afbe9a52a0b4e06e8af74
SHA512

c172352041fa95c1a9a649380042583864f2ccd521c30929c97261b2d852d802c898320efd133bceca6728fb26c746b2a200b8648d0c824567840d100bd7e61b
SSDEEP

1536:0AjhXdYH2DRxfa4OjE6gh+F04se3zMLuUs2LmxsBMu/HCmiDcg3MZRP3cEW3Ac:/TgyVajjlgyhvz8uqmxa6miEo

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ef080aef45c003f2cee5f94bf5ab864f01aba2ed8a1afbe9a52a0b4e06e8af74N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mckemg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlampmdo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1800	Mmnldp32.exe
3124	Mlampmdo.exe
3700	Mckemg32.exe
3980	Meiaib32.exe
2012	Mlcifmbl.exe
3196	Mpoefk32.exe
1524	Mgimcebb.exe
1708	Mmbfpp32.exe
3520	Mdmnlj32.exe
600	Menjdbgj.exe
2940	Mnebeogl.exe
4940	Npcoakfp.exe
220	Ngmgne32.exe
4340	Nngokoej.exe
3020	Ndaggimg.exe
4772	Ngpccdlj.exe
232	Njnpppkn.exe
3512	Nphhmj32.exe
3584	Ngbpidjh.exe
1196	Njqmepik.exe
1864	Npjebj32.exe
988	Ngdmod32.exe
1532	Njciko32.exe
4660	Nfjjppmm.exe
5076	Olcbmj32.exe
1552	Oponmilc.exe
2900	Ocnjidkf.exe
1748	Ogifjcdp.exe
2368	Ocpgod32.exe
548	Ojjolnaq.exe
380	Opdghh32.exe
3636	Ofqpqo32.exe
1652	Onhhamgg.exe
4888	Ogpmjb32.exe
4392	Onjegled.exe
3748	Oqhacgdh.exe
408	Ocgmpccl.exe
4844	Pnlaml32.exe
4856	Pdfjifjo.exe
4624	Pnonbk32.exe
2424	Pdifoehl.exe
4860	Pfjcgn32.exe
816	Pqpgdfnp.exe
3472	Pgioqq32.exe
2136	Pqbdjfln.exe
3080	Pgllfp32.exe
2688	Pnfdcjkg.exe
2128	Pdpmpdbd.exe
3940	Pjmehkqk.exe
2024	Qceiaa32.exe
952	Qjoankoi.exe
4632	Qcgffqei.exe
4212	Ajanck32.exe
3104	Acjclpcf.exe
3688	Anogiicl.exe
1064	Aqncedbp.exe
524	Agglboim.exe
2776	Amddjegd.exe
2920	Aeklkchg.exe
2432	Afmhck32.exe
3416	Andqdh32.exe
1960	Acqimo32.exe
1124	Afoeiklb.exe
4124	Anfmjhmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Opdghh32.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Mckemg32.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Mlcifmbl.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Eonefj32.dll	ef080aef45c003f2cee5f94bf5ab864f01aba2ed8a1afbe9a52a0b4e06e8af74N.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Fmijnn32.dll	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Ngpccdlj.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Coffpf32.dll	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Mnebeogl.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mdmnlj32.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Ogifjcdp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5392	5304	WerFault.exe	191

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef080aef45c003f2cee5f94bf5ab864f01aba2ed8a1afbe9a52a0b4e06e8af74N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1800	1980	ef080aef45c003f2cee5f94bf5ab864f01aba2ed8a1afbe9a52a0b4e06e8af74N.exe	82
PID 1980 wrote to memory of 1800	1980	ef080aef45c003f2cee5f94bf5ab864f01aba2ed8a1afbe9a52a0b4e06e8af74N.exe	82
PID 1980 wrote to memory of 1800	1980	ef080aef45c003f2cee5f94bf5ab864f01aba2ed8a1afbe9a52a0b4e06e8af74N.exe	82
PID 1800 wrote to memory of 3124	1800	Mmnldp32.exe	83
PID 1800 wrote to memory of 3124	1800	Mmnldp32.exe	83
PID 1800 wrote to memory of 3124	1800	Mmnldp32.exe	83
PID 3124 wrote to memory of 3700	3124	Mlampmdo.exe	84
PID 3124 wrote to memory of 3700	3124	Mlampmdo.exe	84
PID 3124 wrote to memory of 3700	3124	Mlampmdo.exe	84
PID 3700 wrote to memory of 3980	3700	Mckemg32.exe	85
PID 3700 wrote to memory of 3980	3700	Mckemg32.exe	85
PID 3700 wrote to memory of 3980	3700	Mckemg32.exe	85
PID 3980 wrote to memory of 2012	3980	Meiaib32.exe	86
PID 3980 wrote to memory of 2012	3980	Meiaib32.exe	86
PID 3980 wrote to memory of 2012	3980	Meiaib32.exe	86
PID 2012 wrote to memory of 3196	2012	Mlcifmbl.exe	87
PID 2012 wrote to memory of 3196	2012	Mlcifmbl.exe	87
PID 2012 wrote to memory of 3196	2012	Mlcifmbl.exe	87
PID 3196 wrote to memory of 1524	3196	Mpoefk32.exe	88
PID 3196 wrote to memory of 1524	3196	Mpoefk32.exe	88
PID 3196 wrote to memory of 1524	3196	Mpoefk32.exe	88
PID 1524 wrote to memory of 1708	1524	Mgimcebb.exe	89
PID 1524 wrote to memory of 1708	1524	Mgimcebb.exe	89
PID 1524 wrote to memory of 1708	1524	Mgimcebb.exe	89
PID 1708 wrote to memory of 3520	1708	Mmbfpp32.exe	90
PID 1708 wrote to memory of 3520	1708	Mmbfpp32.exe	90
PID 1708 wrote to memory of 3520	1708	Mmbfpp32.exe	90
PID 3520 wrote to memory of 600	3520	Mdmnlj32.exe	91
PID 3520 wrote to memory of 600	3520	Mdmnlj32.exe	91
PID 3520 wrote to memory of 600	3520	Mdmnlj32.exe	91
PID 600 wrote to memory of 2940	600	Menjdbgj.exe	92
PID 600 wrote to memory of 2940	600	Menjdbgj.exe	92
PID 600 wrote to memory of 2940	600	Menjdbgj.exe	92
PID 2940 wrote to memory of 4940	2940	Mnebeogl.exe	93
PID 2940 wrote to memory of 4940	2940	Mnebeogl.exe	93
PID 2940 wrote to memory of 4940	2940	Mnebeogl.exe	93
PID 4940 wrote to memory of 220	4940	Npcoakfp.exe	94
PID 4940 wrote to memory of 220	4940	Npcoakfp.exe	94
PID 4940 wrote to memory of 220	4940	Npcoakfp.exe	94
PID 220 wrote to memory of 4340	220	Ngmgne32.exe	95
PID 220 wrote to memory of 4340	220	Ngmgne32.exe	95
PID 220 wrote to memory of 4340	220	Ngmgne32.exe	95
PID 4340 wrote to memory of 3020	4340	Nngokoej.exe	96
PID 4340 wrote to memory of 3020	4340	Nngokoej.exe	96
PID 4340 wrote to memory of 3020	4340	Nngokoej.exe	96
PID 3020 wrote to memory of 4772	3020	Ndaggimg.exe	97
PID 3020 wrote to memory of 4772	3020	Ndaggimg.exe	97
PID 3020 wrote to memory of 4772	3020	Ndaggimg.exe	97
PID 4772 wrote to memory of 232	4772	Ngpccdlj.exe	98
PID 4772 wrote to memory of 232	4772	Ngpccdlj.exe	98
PID 4772 wrote to memory of 232	4772	Ngpccdlj.exe	98
PID 232 wrote to memory of 3512	232	Njnpppkn.exe	99
PID 232 wrote to memory of 3512	232	Njnpppkn.exe	99
PID 232 wrote to memory of 3512	232	Njnpppkn.exe	99
PID 3512 wrote to memory of 3584	3512	Nphhmj32.exe	100
PID 3512 wrote to memory of 3584	3512	Nphhmj32.exe	100
PID 3512 wrote to memory of 3584	3512	Nphhmj32.exe	100
PID 3584 wrote to memory of 1196	3584	Ngbpidjh.exe	101
PID 3584 wrote to memory of 1196	3584	Ngbpidjh.exe	101
PID 3584 wrote to memory of 1196	3584	Ngbpidjh.exe	101
PID 1196 wrote to memory of 1864	1196	Njqmepik.exe	102
PID 1196 wrote to memory of 1864	1196	Njqmepik.exe	102
PID 1196 wrote to memory of 1864	1196	Njqmepik.exe	102
PID 1864 wrote to memory of 988	1864	Npjebj32.exe	103

C:\Users\Admin\AppData\Local\Temp\ef080aef45c003f2cee5f94bf5ab864f01aba2ed8a1afbe9a52a0b4e06e8af74N.exe
"C:\Users\Admin\AppData\Local\Temp\ef080aef45c003f2cee5f94bf5ab864f01aba2ed8a1afbe9a52a0b4e06e8af74N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\Mmnldp32.exe
  C:\Windows\system32\Mmnldp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\Mlampmdo.exe
    C:\Windows\system32\Mlampmdo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\SysWOW64\Mckemg32.exe
      C:\Windows\system32\Mckemg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3700
    - - C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
      - C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        27⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3472
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3104
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:524
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1984
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1816
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        76⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4128
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        78⤵
        Drops file in System32 directory
        
        PID:3480
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        89⤵
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        93⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        94⤵
        Drops file in System32 directory
        
        PID:3312
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        95⤵
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        97⤵
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        104⤵
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:316
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        107⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 212
        112⤵
        Program crash
        
        PID:5392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5304 -ip 5304
1⤵
PID:5368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
96KB

MD5
3dd1343c0489df138feae37e2b989d74

SHA1
2cf5605ba567b0e553f5287edf939b8b81ac5bc4

SHA256
120b489f9d6cb0716f7d5ff0308b57ac3953b1f8312cb58443759b60542bd68e

SHA512
f7bdd84b01abc110119907a9e1791f30cd8ee6fcd4ff14bd8f8d568e6dfec8caa4b55d0ac4cc935ca63646c35488d58d34c96185cce1da8e03c463cd1dd3b32b

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
64KB

MD5
fd5030f098cbab5e73553af186defcab

SHA1
fc522437707aab40784e414d19ebde2318783310

SHA256
3763d6f6d15c0cb8ebc6c940274895d0017eab1e1c6d776c3b8fb369b73a8a40

SHA512
f7629828876d15c5440e00e75ed48eb3213c50efc5cf0ed84a00af088d84a203700b287d3eda76837986e0a5bad603e543bdad133e6e7f9b160c7d14b1572fae

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
64KB

MD5
6d9eb63656a112fb9250196312fc843a

SHA1
7d13a51dcf6821da6e26d27a2649aa8d8c5b9ed7

SHA256
a9cc3356c9ad8572ef6c6bde7fba406450d4e988dd95655e78742ac70e60e97f

SHA512
5704eebfad187d52a926bb115d992f99360249b28b63520a18f62dfa851ef294ab01d51950ad4a91ff063d5b322fe8fdcf307692a05de39a71b8957edab47306

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
96KB

MD5
fb2c590c8125d415fe4a57a6d050d70a

SHA1
6b952cbd3f8297354b693c2ca9a8308d1c4e54e0

SHA256
3de87aaafbce4fb8da19845793d752d7e1ead38cd0b7350a00e2ff3b97cb1b6a

SHA512
a4a21dd11d523900d59ef8afa3ebf5e2d8ed849bfaa853b919ba098e70547f3ae7423be97c121236daf4499022835ac540a553064d8756cd0d47ccd0d83545d0

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
96KB

MD5
27287d79614722747f9e9c501437d0d7

SHA1
ad79f488faa2e194526c8c0f053f530d7bdf84be

SHA256
8250f36a6bd5c75f3324f630132f9d0462159f251a4dec5366ac7bc9b88e1320

SHA512
6d9448fd7d2213ae509b45233b51c495a08c0c331427dcfc2ebfb41c4b79e448e773e541415ebf88b3be99fb365f5ef6f29be53f3fb424cc85353aa503d817c1

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
96KB

MD5
b574720a362f6e67e9d94f0c6c38dfef

SHA1
69a13cc06b0c169430cd8b61e6f264914bedd707

SHA256
c167069c8505331d7b72f9d43656867f353238eb01d5b56bca5bdfdc2d305f39

SHA512
59fbe53559d9af9b3b3bfefe2995d52f9513788fc347da3c73775ecdee9a3e8de61e85fe81cdf4d9742d1bcecb5dfa8f3ca7812cfcf82d59fd2cfd7637865467

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
96KB

MD5
0dbe87070fc723904dd495f16965cb5d

SHA1
006e3b3bc50d6a45498734e2d2a39d4d43fc1cb3

SHA256
114cc8871f2e14c0874d1ad4d2b56f9c44ce0d7e693d821e26f15650ab9631fa

SHA512
4a0ec11b23a2f7b50d90b07f122bdd97b02ca30e9c77014eb50825c3bf49da499245518073b1638c947b21ab6dbd787984a20a34fac0a686cb76fd9c186587e1

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
96KB

MD5
1437c86d0a81cc6fb82fe504a15a7898

SHA1
821515dbb7c9d2737baaf3bdd145c1200e6efa95

SHA256
9d1a0e1be3dbf5423fcb5fc9d01a05cd8162be43fa28e539861bc2bd3dafa549

SHA512
badb655d0bf67f279396524fa17d1a72359b86d488064983390ac1e1fd509ba606cde8d36cdca5cfabf918337f7aa6c842a468f90b5196b4ac386f7cb25064b3

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
96KB

MD5
fbb4f03a01c973941705beee7daa2696

SHA1
761c8a6e10dc586acacf82f272433acd4128a140

SHA256
a45f04da230b44267e3f047b73050750419efc17cfc5af804e95e418c752d889

SHA512
8719421b36e5339c82ab868065173791b6baf988ab2738e3d1944447c2cbbde37ad0e1a233f225231e58ebce7113dc85f0cef84b46fbaa89344b5f8e08bcf71d

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
96KB

MD5
0d89c72312f78ff8a3e95c9ccd0943a1

SHA1
d198125261a48ec6de1a8a75945b4e82bfa97391

SHA256
4605ec0ee862ad38969e70a6704427254edb99163be84cfcf1df2fa519fd1587

SHA512
2131d9bbc56e1eefb9fe7eea1974ac5ba32f187db1db19c756b407a1454bd6f98466c1d3548c5120a1b950e103d0baf9dfffd72e4a178cec884a7b9a6f7801ed

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
96KB

MD5
1664aa3d28fc2dc0ef9ce41d1305d058

SHA1
504fb18a9d0736a873d493be926b5c91be150567

SHA256
e372a1a377d791dd99428b6a64185f8fe263a915840e3cfe57d8272568d734e9

SHA512
3d32178e3e2a33555536d9c47fc12b5c5d5a187580a5c30c35b1490e9134f785cd3e51b6c4eaac9e9e95eea8810ad88b5d3a1ef21f9515d7f6756a720d1e6c8e

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
96KB

MD5
6c09254191f961379e579305a27cbf80

SHA1
9ff04bb2af6fb69646bcc95ba04f46ae007083b5

SHA256
8fa02683a8584b1c26712f8f4460a429d862a894a8eb819bad65122bb488a917

SHA512
c1d54d1134293a773cec3ae44cf748b3d4cee8eb644fb05101e13b8cd8043be4c201a815127e344aac33d9b517b4b26cd80a3f2bc2df8cc559b60193674bc31d

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
96KB

MD5
8d133222f9e63cc36924d0efc2cd883c

SHA1
606e9ad63b0816430baa3302c789bab53d866e9d

SHA256
b3ef4905c5dd020cc1ba5149547670f8600419eba691d1db161f9fed10168cd6

SHA512
7aa3f1375db6eac71a9eb9e4bfea4f93d78940ebdb70aef3496f096ab46e76e933db5bf4b5c651a66e4f536feb43b3322db98b423c47ffcb0228f0d57b8da4ad

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
96KB

MD5
5d267882fd51e42695baf34981b14840

SHA1
38459e58bc4fb265c27499950f464bfae721792a

SHA256
20bd576c52a8cfe2f5b97ddb750223955180f878ab0e30d62737cf8c6062d655

SHA512
572f732e5294c300763bc047c30b42cdcff2c97af55412734bedd0362b1a7fab8d0441db9a9999122327fc80d4bb4f153e457bd73ca67411d0c53fa9b575d8c3

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
96KB

MD5
657401a8e967036484c90bba31fd868d

SHA1
4fd5e14cc1f82866d55ed2719e8a3a2df3cde9d7

SHA256
23a263ad30976d82e48b2cca194cc47e39bee3370987db30e6e85aa67d48060d

SHA512
5d69e8274f5bb6f69531b6355962b413fe2bdc1cd7356959b4179427215e7a04e44d1acaec192a4ac5d5e86205108e79ab5f9640ec21e0d9968fc46dddd3161b

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
96KB

MD5
d493e4401cfd220e7b20c1ea18747be6

SHA1
55229e9f08e4d5a5b851aaf24c7c0923ea842807

SHA256
9d4d2f6d3b6a4aaee701f52af3b34dc8afd0e624fe32e181174ebe2153a6dcec

SHA512
b9839c7180e160136fb8fed80220948f78036f7026c3a34fb2b0c34ff415525218263c98b1b0c998563cc4afbfc5bf85168752d87a1b5718b3cc176c0729ce1f

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
96KB

MD5
40c9a6ae30cb9c4ab96892133fb3a544

SHA1
c774086111c3c2891c359f3cc4d53ded21750d7d

SHA256
1770c3a99a2aa5e1744495902fa0335d3d7593c3d6dd6cc2fe891cbc17d06d81

SHA512
a2175a47b1b66faf5d24aa1ce6e033b113d869c174b68de3cbd70921891a22ea1563830434f38d9a9db6ec877bc40089a3900e6d4dcfd24b23dd7014784495ae

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
96KB

MD5
c723cf484f6ef98f714a5014314fec05

SHA1
de3699667a2964eae5e7957204190fb16c6dfdee

SHA256
4d96a29bed49067fa51d20030b0c4e9d83d1b2af29b134e0bfad4ab121db56cc

SHA512
fcd9d7ca0307db54b3e7b16799d4bc98af358952ae09c75d9259d5d77c8644b7d9b85cfa78a71d12f95c62a084b145035d5970707c35836e6874e27bb15fa524

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
96KB

MD5
bde2d638d86c7e7543233692551e15f1

SHA1
cd083a9a4bf4dc570d9a3b06c103d522bfb0ff1e

SHA256
89ab4f4d741582ffd6dcb197572029fbc052defefa787d298fdbc47a72669cfa

SHA512
94abf1ac125dc4322250f07c282ba656f2edaa67f152f7639860e032047de2c04ca9c0c4e7097b848b8370fbdb56e2a82de5a6a72ba6d533b61d379cdbada2d2

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
96KB

MD5
159950b04deeb84b9106be9c93d63777

SHA1
f0a9ec476d22e7dd63d8f4a943ae4bbfb838636a

SHA256
b12ac61c05a14189e8c6d5e7533783b430abc5e0acf5b34744e45c1d79e5b489

SHA512
16df464d8f80f084f22831aee8c8cfe68d624c019d9de968e8acf67eabf319386a895ad7d252118f2237f01bc97b94f2d63117144b9308c73be566fc2b5bb50b

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
96KB

MD5
27a442f4af638dc7ad6ef023772beb5f

SHA1
8cc3fe8660f3dd8484d6cdb2deaccc37d4f596da

SHA256
4e1264503eb4c2000046dbefbd7224eb56c3c9073a2d3227807021a3d26039ff

SHA512
a4d977ec0a861c661913602d9c55d8439fbb630ef9ddb273ae9128bbd2016cd18c99dc12add1531dcfde183defa34e83f60156e176f9422395c39fdb61463dd4

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
96KB

MD5
6ff19311e12e2d9709f66558b36d4671

SHA1
a0fbb4a19b8ce3c0eea31dbf052f785c36f4c686

SHA256
d8789c2a6b41451200afb34be3c618ea5d16daba86a5aadb55944426f4736c72

SHA512
407cdf141a92e156430d439a8362696c164a3e1831cfe612d88aee0bb519062d48047849aaab239e9697a2300bcf160dda50e937c65f74d5bc6db68be130aa8f

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
96KB

MD5
309e90cc9cc57f3c58641494ed7b7928

SHA1
9e393dafb617c0f53a2a6bfe54c728c6336d0a7d

SHA256
7b87b44f1b2130a806e541df397378f23d77a027aad446e14c487d465747e7c1

SHA512
16519e30306301a5a28128c96f2152709f0589122490a8a05fe1cbc957ff3b565c4af75f9f2a7d7313830baaf132ddf3a277ab442ba009486f42553b527883de

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
96KB

MD5
ae0a1c08d080b714ce4a8b4d3e050875

SHA1
ed942b1a2c628f848e5052fba23bf63f56b0e385

SHA256
38ce3ff42db9c43e3265f1e19cb9cbd5f23b2195039f466395fa24774b9ac5d6

SHA512
72a4a566eb80612f12ad34bb7633ab0b98ca4315ad1fa502c5b2d93211496e974c6f1761aabfa6113bbede7c5e280013faa340cffa6dd323f591af19b2105d44

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
96KB

MD5
4443aeceb8d12ca0ba1f8656cd4b2059

SHA1
53e117ecc1eed191569090c393041a6579b82d21

SHA256
a0039e589d9af337cb6fd0b83bf8cf7fa34166cc3086ca095a8fe418b39a9627

SHA512
8e45284cb17434a36dfbadc48a540c136f1e3e1b1ee24a6f2d52d669beb116d34541655d11b888dfec43c5aaa837b23cbd031dd084b4fa6666c6f2a508f98ea6

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
96KB

MD5
179df25b75c7093545e153917e2aaa94

SHA1
64d835232c3945875a0b6828ff5ab15da5ac7d1e

SHA256
263ab8d72cde107869ca3a12448743314aef388bae12e6255a25f5652e6b6080

SHA512
b2b9c9de11f41699dbf8902d7a8607a0f9d21ff183fdd5175694d7b097751c89f318cb60f6da216c91e70faf732a1cd82120bdf95315bfb10546e594624fb6d5

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
96KB

MD5
51452d497f7644f17f406b602d6aee4c

SHA1
15cce5d6ea097f03a949cc933b8992ce12ca3153

SHA256
3df645c6e0d44be3a78c348cc5da88c63d97e895bf66c1b7f0741fe408083072

SHA512
2dc51c196e6171ec56bfa85cfa391a3300a13d772e5f3a210171b7b8a9a6111b6119980768c72d838780baba36c1fa8b6d5d1c6d44c84e62367c349b43a1a97b

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
96KB

MD5
948b8c98061040771ef0f5558b4e941c

SHA1
c57dfa29a7214558d37164e7723b508c34164e87

SHA256
3f898fb68e95162a5e059d05d64628dfcec47446d10e2958fa95f0cf39650f51

SHA512
cb38fd9129c28a368e9b08646d8735ced4ebf4fbf268cddbaf7e0b868dd3d746644ca4d4e8860fe57d142accd5fda2ba8f3e41caee4d8de018a13ca0b18b4ed5

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
96KB

MD5
fc11ade0188bdf2bc8ac3dc6487d3929

SHA1
b43839c7a47a22259d076e63b7cce8ba388f438b

SHA256
8c1147d95b55a994452258b13923ff94cdd967975a17e1d11a826a2ad0d2d427

SHA512
3035a8ef0cfcc31d45fd1227c02378202758bf69e009c09e8f31f752b35a0d284b7ac09fadd1bf9492666a6203969d942bc3c746a97e98555a16f92849a4fc65

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
96KB

MD5
6d7f2983041fadfbf9ba56b694bc7128

SHA1
d4b0fb17bf355e0f61237f61d808e4e559febcc5

SHA256
ba2450991e1e5dd30bd659b89cea3478816cda178932baafc83bf57eb75151b2

SHA512
9427b959c32bf08ac443331f2e5512e52d81bbb1809d778fe671a120c421645810156f5dc13cc1fbf4047f6ae09dde6e2666500305e16225a80bbd0e922d87d8

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
96KB

MD5
5791e811b96710be002a03ce0847dfc9

SHA1
fcdb08e8e6a5b8dd5c37f9fc0631ec5dba263034

SHA256
607726586b8345d070718c34cbeb70e4db4dce444363cc67e2c245bd53263c14

SHA512
ad487896c2891106c568abe7c9c6f14c7f9dc2e7a645bc299d3ffd1c2f4b49fe9f62fe777e4c188539d3f90a10ac19b0807f5c8e6975cddb76fd37f24680cc74

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
96KB

MD5
1e286740d283c771d86871c941541db9

SHA1
eeae1c0a9324b5706b272105a5392fd01d70e84a

SHA256
86766d67c13cd25158db8a586c9e61bade3bf219c87e198e9a74b043df5f64f5

SHA512
13eb0fe7719bcdd0960abc5dea8ed91751a09748cda4370c939748fa5c31e06f24bbd4a458593518b0ac9ed6aeb705967465be49e933762b32dd5d2f8dba790f

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
96KB

MD5
b271ac62c10f9bd9832b644c326c672c

SHA1
3a7fb33d699988999ca463d3d73f85f5bb62b4e3

SHA256
a5be2ea557f78010098a470af97034d85547f5dca27e27fb05c5fa0f3896d28e

SHA512
8d021365149aa69d1a1c54a38260565b7205fde2a809085c46680015c5fd4e390ab1985393e2537429c728ceebf3c4cb05219491e3e8cb6bd76907b31f460f26

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
96KB

MD5
9849d2124a7e04a74b4b25b8e20b6ba1

SHA1
c348b2e7de7455a0f067b6d23a930522d59fb547

SHA256
35ac6a1cd31a9151392b9517707cc0a04f3d6c5bd12ff2f971a60a8b69e30a38

SHA512
82d2e8afd962eef76e8cfdc61d9feb754fbd47e325fb973ac8a7cc69dc3f0391a53c67407f98891366d95659f353068a30f4f654c352d17f13a6cc5ab3faba07

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
96KB

MD5
9225d4cc359ce22c98ee9fb41668926f

SHA1
d2bcd3372f121a9a9dfabae0afdb9d2703587a30

SHA256
361dc2b3c0fa9cf81c9708cf702a7838678f41cb9c7eb27d0b16c7faad06f8b8

SHA512
547b34a64a606f5bae3a8326727d0dd2b05e96679fcd223a08a58b958817fb0aeaa2adbea789243a6f72699d2cb49f89ee6cae295a8e1905dd47ca96a22bdc5f

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
96KB

MD5
6603a99309695a710853d8980868d7d1

SHA1
97dfa86b7363d27acfc30d9dbe9c6c9e9f7f1749

SHA256
e7287fa065830ac0b5198b06e67eec09e4d425c15a1287914998ea1320a72112

SHA512
4a5c2a437b0becd852763334329058c2134073bb77769a8fc3618ff106ee3bc5821301de8983343284c6890e3f09bfbc225c5126145ee497838cb7c1ae5a4120

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
96KB

MD5
35b256694b610bf072b0f5720ad54aca

SHA1
d18acbaaa038c559658051ff324e93d94e0539f0

SHA256
78dc70d00e66298bc132a1cc7e75d4b0a1d32e80e78caafcbcc0444c85f000ef

SHA512
2db57007619421fcde8a7a7fc434154c5e96d838d0d39528cd9758540826d46d6de0b76f22d309f964260164287170a1da4d2f6b7a8af580cbb315fbf8b83714

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
96KB

MD5
fe03eb24d88b5f62946c8e8ac42651e6

SHA1
c85a8212eb4d3de1e00bb2dbf8ff2de3549fa746

SHA256
a31a93ccb8dc66b7d76adc03be533ac523f50994c7e02ed92cdca730b182ec0d

SHA512
f65230ea6cb95629c42d977614e025e1e70e339adf882dcdf8dcbc0f140fa536a64929567f9b5b752b6b723740bf42ca371005d194fde2ede58305548d30653f

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
96KB

MD5
0305682edfffcfdc98a35f7e43da953a

SHA1
2d7f1e1f467b415d7a736f66df24d16c9f5afd89

SHA256
10e76a15d39c60153d744ffa0a2ce141aa4c3628250e81dde50219aa871644de

SHA512
f3025ae3dd9b1af31e62f6f6fc1353268a683ce6b04eb598e901e4b2adb9f4526fcd80c087b64c9f5c479223e355edda59a0c1b23cec894ba8a397389b8f1842

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
96KB

MD5
8d4ec6558e68d3cc5cd0d0ac8517e21e

SHA1
3e9f4a9f3b48f9bc089072324412c48d5f2a1ee6

SHA256
0438a034e58c84af2bd6e12fea9618794b76442dfea8d49b747008eac41434c3

SHA512
808280e213bc60b8e45d8bbe4879cb7dbda7e59f4f1ee8e7a3e4f33d738c4b5e47f5692c53a8f0482d68ec707558019cb9072141a63ed7cca3ea0d2abeec59a0

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
96KB

MD5
a515fe40e8df0c4900875d97f82c447f

SHA1
78fa6edc3433863e362aa7242b2461fc8b17eb7a

SHA256
0d364354d64299cfa78df1b3a169ce8baa84d03328f689a24c81c60e5460eb2b

SHA512
69c7403ab2c0a0c1112feb838c6c2ff377359244f3ee37ca335f596ff7b610a7f2b6f83fde91e1c777deb0a66d997138e6309e94cf0e8f1063ba250e02bc2a87

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
96KB

MD5
c7be47c80239d359259c59779f7f07cf

SHA1
d81f4519e07de5fc1beedcfeaf449047caa70eab

SHA256
ad241bb2c88903fcc7b25bb0a2b8ded50a4267a2d72e4513d8315e8d8c677f14

SHA512
e2024545b98499f1cc4d4ecee094b5cfd1436ec4bf0ec7d16befb59749cacd018d4271742b0b108271234bb0ddfd07d0ddc1c85c749d01d65fca0ae2ea967251

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
96KB

MD5
63d9a1e43448b9ff2a4b62d6feb9da61

SHA1
96da2d6514d5b59e8644bbc9e4228eaeb90337ae

SHA256
84d55d2ed1921ef378d9cc73cee47700b1534318132e721873a43003ad3663a0

SHA512
12ef5fe09a18a0d3a55d4590b15dbcd3a6341e53bacd611f7d8784d4f70272748ec9c7080a989316cb8dfc0790277a8fee4f47fafc1bc867f5d2656195d85214

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
96KB

MD5
a90a26bdfff5d968871eb078fd875830

SHA1
bbde32053a8a6f4efdb81ef75e91ec00af176e39

SHA256
f1bded62bfb1b19b6e9ac1b340f4431c8b39edd2638d52da3840ea44d932a710

SHA512
0c4435f2a34e7f75408a46046d4cbe3f099d56d06f352b7b9c63be0c3b8393d98f1100feea26902548c41ea340e4c348d612d6270e1e506dda9900256efc7eb3

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
96KB

MD5
d4f7f2f8b9a0860b21974d8b8d866321

SHA1
cd0e49be7543ed26a54932a1aec72a74629d7d47

SHA256
7316a647937b88df19a8a9ba76a8f761f91ea63195a9f3e173ba52c9e89e4cc6

SHA512
e54c91d5d31989c6ab249f59e63a0af2603a4684ec74a146bb0c449932680d1418e6ccdf32708a74c48431fd071bb1fdff61386295bf8dadf07e3c89adc5ea65

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
96KB

MD5
75eb0346350c8ce34bb4f386c86e866b

SHA1
2033c477ac045ad360d0e726bd3f6c08889fce43

SHA256
562af5f92dad5ffc7492901497a05621a75d418e9b893c32eedefaa2a8cc94d9

SHA512
e085c93b1a59ab657ebf0dafb7e9141cde592ddccc02ef14ebac273076b56c704c0011c0d9dc9fdb918637d6d841f4c66f55e0c428f147b9726d3048db020602

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
96KB

MD5
bdcfdc1754328409d86befec7fdc8ca3

SHA1
9c7164226696f71f2bb32d879897fbc26ca12f29

SHA256
3b02e41f048bd0370af31598db74806be0fc51c7b0f9ec0868c94b859f4cad12

SHA512
44bc6733ec7adc17c78cd2a671bc8d96c4b62c74745645708fc0de306d573b3a2f8285c2598784addc6147d6fc6bfb86413e8eac5d92caa905edac08d3f2c3f6

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
96KB

MD5
35d79971c652d6628bd02f96996b4e04

SHA1
dbe2d35aed1626b8231cf0c3bbeba0ee874defb1

SHA256
8937792608a1160b6db2c112e454604bfe3a7bf3b649a372e36a343d0c015bad

SHA512
281f16dee16bc51b6e6935ab7687665ec02070f6da69ff68ae2edec68f2b359bf6d27091a5cb3f5e1259b5a84d2759dcc460e435d959f9d77a32aa3966fac54d

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
96KB

MD5
40ca7706b1c48501ab942998bf94f52b

SHA1
7fcf9c82d2e6add42c03a538a173ceb2af0b4bca

SHA256
4eb33263bb944977ed473fa339a88ae0c4af7a0c26186344c051f567d3c26116

SHA512
97b9d2fa3b8998fd96ceb875a2de3d61890e7478244b12053a254d63106245a33cef842ec17c56c03b4e2825401e578ddfb383e30dca55b88f162bd1764937dd

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
96KB

MD5
5f14a2ba43d2afc955a4c37a181b0af4

SHA1
327c6d85c01ba71c923b09b7dfd8bcbb08dbe08c

SHA256
2451f4106318ebe1f4dc08b98c649348f48a294ed07002a04f85a0ae1a36b0fb

SHA512
925c3f64d4682620cf1b9bcbc4bd6c5598239b7e61092a413eda36a51ad6643f57892d7be41fd439123a314c53f56b249871ba5cd6660b080504c0f5fb44a8f3

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
96KB

MD5
c71fd30e9bed4a1be6b8db605cc91a04

SHA1
ca334d957870557f4566c041d157fed20e46fe96

SHA256
1d99eaf2d5947fc376b5da7c26f7e3e47f9d259c0eb447bbd1277d3963b54bc2

SHA512
9489d16a0c83c72c54cecbc74eab2a855b4ddea695105ede5365a2063eada2e0a519f7552d6f840ae232999c80893f654ecedebb3d25e1ff15e49f7bb2aa0acc

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
96KB

MD5
3f7637da02364e05c1b2f7d62077570f

SHA1
8e487532d1f1d158fc7c29c31c8b6bb86a4e469a

SHA256
9d13370ef7bad87de066c5cd3f28825ad228071c6575ca541f45d0c6022c4abe

SHA512
4a58c7863b3da2ff478b28c9cc95b787406c202258fea735b6613fe6772cca2cc7d7336a601d5436401f2201ad602c9f278dfe8bce15f3cbc333df149ad96a93

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
96KB

MD5
f68e3660d1cbddd9a0bff8c60922be4b

SHA1
f51884f59f13df26b237b26115961681a27275a6

SHA256
436ea91aba7d59fad78a21943067792354f6a37c845707e293585569c6281d35

SHA512
a9e6f79d00c005f562ae7e8f5d868626abc7d81e1ce66351ff50609aaadca2ca86155d62b6ce813d6fc56df1ed24ad1cb5b287934fe1d369cfde99d889daf1e5

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
96KB

MD5
d3bca723f3f92e7d16409e1b1258f61e

SHA1
296910ffd156fbdefc167d8199836dc6da3d5241

SHA256
0a0941a2ae56e2d9a0f30e68e249fe3bbdce428c64d82d19cd751737ad777a54

SHA512
f14ee0f23f38159afdbed6d959758550af553b83d90f55c2225af94969312dd94de03496095aea0befc70f3300e0282e6c4de8b21aa733963c0072335eaff56e

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
96KB

MD5
521106afdf69093cd0a3595c01b84b68

SHA1
f44155851235ef367942a511ef61bb1cdcf90169

SHA256
db4915c4bc447d647aa60d8f69c8cfdcb273b3e651c286609f9128e4ad0a39ae

SHA512
0a58dd7b3f7be066c4f7088304d18d29fbfcd440868bb21c4794e567f72d4db42970a781cdb6b62efa5400a7133d7c5f5b9343f6c95ab99ec2596f7b66902749

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
96KB

MD5
f7d745163cbd22c764c2589dde4824a8

SHA1
094ea9fc26dff8bc64e9adb7a3ab3f77d08a5bac

SHA256
713c6b6748de81be9b59d67b6c018c1b1c12bbc2f47aadae91a2b56c404c0afd

SHA512
bf019a7e1369899d67b9fe201932995c2ea44b4372c3bde94a84f6c43735c724cd714742ac3cf0dee0c1fd07686bf556c5b1d98aab5a6d93db66e2ededa80812

Download Submit
memory/220-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/524-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/600-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/680-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1980-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-874-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-853-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-854-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-863-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4156-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads