berbew | 77e0a8d49c34418c7601620610c1ddcb8d2d45d04dbeaa4cdd96e9c93e739331

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2025, 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77e0a8d49c34418c7601620610c1ddcb8d2d45d04dbeaa4cdd96e9c93e739331.exe
Size

96KB
MD5

5e4fa78429c5792e57b42266d0c17389
SHA1

52fd30e45109ab2503cf9545da4d97c385b2e096
SHA256

77e0a8d49c34418c7601620610c1ddcb8d2d45d04dbeaa4cdd96e9c93e739331
SHA512

8f51a015ca701902c6dd21497ccd37dc7b9ffb19f34309204d4824d07f82a7e5f12bb9c39277ff4037ffd0da245974e57e8d64b939eb321dbd49770a2344cf8b
SSDEEP

1536:G/qQjG+wWpEl0cYN4iP3F37HK2Lm7RZObZUUWaegPYAy:2qQjGHWSDYtfFr3mClUUWaev

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4044	Nljofl32.exe
3364	Ndaggimg.exe
3984	Ncdgcf32.exe
636	Nebdoa32.exe
4912	Njnpppkn.exe
2864	Nlmllkja.exe
5060	Ndcdmikd.exe
3760	Ngbpidjh.exe
2336	Njqmepik.exe
2908	Nloiakho.exe
1128	Ndfqbhia.exe
4452	Nfgmjqop.exe
4768	Njciko32.exe
3568	Nlaegk32.exe
3292	Nckndeni.exe
4520	Nfjjppmm.exe
1948	Nnqbanmo.exe
1088	Oponmilc.exe
2748	Ocnjidkf.exe
3432	Oncofm32.exe
1628	Ocpgod32.exe
1840	Ojjolnaq.exe
4128	Opdghh32.exe
1240	Ognpebpj.exe
1524	Ojllan32.exe
2060	Odapnf32.exe
740	Ogpmjb32.exe
4656	Ojoign32.exe
2280	Oqhacgdh.exe
4456	Ofeilobp.exe
5104	Pmoahijl.exe
2696	Pdfjifjo.exe
5080	Pfhfan32.exe
244	Pnonbk32.exe
4332	Pqmjog32.exe
3280	Pdifoehl.exe
3992	Pggbkagp.exe
4780	Pfjcgn32.exe
4640	Pnakhkol.exe
4468	Pdkcde32.exe
5044	Pgioqq32.exe
4464	Pflplnlg.exe
1720	Pmfhig32.exe
3076	Pqbdjfln.exe
4968	Pcppfaka.exe
2848	Pgllfp32.exe
4756	Pjjhbl32.exe
3536	Pmidog32.exe
3296	Pqdqof32.exe
4944	Pgnilpah.exe
2092	Pjmehkqk.exe
4932	Qmkadgpo.exe
3668	Qdbiedpa.exe
4292	Qgqeappe.exe
4360	Qfcfml32.exe
2804	Qnjnnj32.exe
388	Qqijje32.exe
4020	Qddfkd32.exe
1048	Qgcbgo32.exe
2516	Ajanck32.exe
4248	Ampkof32.exe
3460	Aqkgpedc.exe
1160	Adgbpc32.exe
3552	Ageolo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Nlmllkja.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ndfqbhia.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Nloiakho.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bnmcjg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2852	5872	WerFault.exe	232

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	77e0a8d49c34418c7601620610c1ddcb8d2d45d04dbeaa4cdd96e9c93e739331.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 4044	1316	77e0a8d49c34418c7601620610c1ddcb8d2d45d04dbeaa4cdd96e9c93e739331.exe	83
PID 1316 wrote to memory of 4044	1316	77e0a8d49c34418c7601620610c1ddcb8d2d45d04dbeaa4cdd96e9c93e739331.exe	83
PID 1316 wrote to memory of 4044	1316	77e0a8d49c34418c7601620610c1ddcb8d2d45d04dbeaa4cdd96e9c93e739331.exe	83
PID 4044 wrote to memory of 3364	4044	Nljofl32.exe	84
PID 4044 wrote to memory of 3364	4044	Nljofl32.exe	84
PID 4044 wrote to memory of 3364	4044	Nljofl32.exe	84
PID 3364 wrote to memory of 3984	3364	Ndaggimg.exe	85
PID 3364 wrote to memory of 3984	3364	Ndaggimg.exe	85
PID 3364 wrote to memory of 3984	3364	Ndaggimg.exe	85
PID 3984 wrote to memory of 636	3984	Ncdgcf32.exe	86
PID 3984 wrote to memory of 636	3984	Ncdgcf32.exe	86
PID 3984 wrote to memory of 636	3984	Ncdgcf32.exe	86
PID 636 wrote to memory of 4912	636	Nebdoa32.exe	87
PID 636 wrote to memory of 4912	636	Nebdoa32.exe	87
PID 636 wrote to memory of 4912	636	Nebdoa32.exe	87
PID 4912 wrote to memory of 2864	4912	Njnpppkn.exe	88
PID 4912 wrote to memory of 2864	4912	Njnpppkn.exe	88
PID 4912 wrote to memory of 2864	4912	Njnpppkn.exe	88
PID 2864 wrote to memory of 5060	2864	Nlmllkja.exe	89
PID 2864 wrote to memory of 5060	2864	Nlmllkja.exe	89
PID 2864 wrote to memory of 5060	2864	Nlmllkja.exe	89
PID 5060 wrote to memory of 3760	5060	Ndcdmikd.exe	90
PID 5060 wrote to memory of 3760	5060	Ndcdmikd.exe	90
PID 5060 wrote to memory of 3760	5060	Ndcdmikd.exe	90
PID 3760 wrote to memory of 2336	3760	Ngbpidjh.exe	91
PID 3760 wrote to memory of 2336	3760	Ngbpidjh.exe	91
PID 3760 wrote to memory of 2336	3760	Ngbpidjh.exe	91
PID 2336 wrote to memory of 2908	2336	Njqmepik.exe	92
PID 2336 wrote to memory of 2908	2336	Njqmepik.exe	92
PID 2336 wrote to memory of 2908	2336	Njqmepik.exe	92
PID 2908 wrote to memory of 1128	2908	Nloiakho.exe	93
PID 2908 wrote to memory of 1128	2908	Nloiakho.exe	93
PID 2908 wrote to memory of 1128	2908	Nloiakho.exe	93
PID 1128 wrote to memory of 4452	1128	Ndfqbhia.exe	94
PID 1128 wrote to memory of 4452	1128	Ndfqbhia.exe	94
PID 1128 wrote to memory of 4452	1128	Ndfqbhia.exe	94
PID 4452 wrote to memory of 4768	4452	Nfgmjqop.exe	95
PID 4452 wrote to memory of 4768	4452	Nfgmjqop.exe	95
PID 4452 wrote to memory of 4768	4452	Nfgmjqop.exe	95
PID 4768 wrote to memory of 3568	4768	Njciko32.exe	96
PID 4768 wrote to memory of 3568	4768	Njciko32.exe	96
PID 4768 wrote to memory of 3568	4768	Njciko32.exe	96
PID 3568 wrote to memory of 3292	3568	Nlaegk32.exe	97
PID 3568 wrote to memory of 3292	3568	Nlaegk32.exe	97
PID 3568 wrote to memory of 3292	3568	Nlaegk32.exe	97
PID 3292 wrote to memory of 4520	3292	Nckndeni.exe	98
PID 3292 wrote to memory of 4520	3292	Nckndeni.exe	98
PID 3292 wrote to memory of 4520	3292	Nckndeni.exe	98
PID 4520 wrote to memory of 1948	4520	Nfjjppmm.exe	99
PID 4520 wrote to memory of 1948	4520	Nfjjppmm.exe	99
PID 4520 wrote to memory of 1948	4520	Nfjjppmm.exe	99
PID 1948 wrote to memory of 1088	1948	Nnqbanmo.exe	100
PID 1948 wrote to memory of 1088	1948	Nnqbanmo.exe	100
PID 1948 wrote to memory of 1088	1948	Nnqbanmo.exe	100
PID 1088 wrote to memory of 2748	1088	Oponmilc.exe	101
PID 1088 wrote to memory of 2748	1088	Oponmilc.exe	101
PID 1088 wrote to memory of 2748	1088	Oponmilc.exe	101
PID 2748 wrote to memory of 3432	2748	Ocnjidkf.exe	102
PID 2748 wrote to memory of 3432	2748	Ocnjidkf.exe	102
PID 2748 wrote to memory of 3432	2748	Ocnjidkf.exe	102
PID 3432 wrote to memory of 1628	3432	Oncofm32.exe	103
PID 3432 wrote to memory of 1628	3432	Oncofm32.exe	103
PID 3432 wrote to memory of 1628	3432	Oncofm32.exe	103
PID 1628 wrote to memory of 1840	1628	Ocpgod32.exe	104

C:\Users\Admin\AppData\Local\Temp\77e0a8d49c34418c7601620610c1ddcb8d2d45d04dbeaa4cdd96e9c93e739331.exe
"C:\Users\Admin\AppData\Local\Temp\77e0a8d49c34418c7601620610c1ddcb8d2d45d04dbeaa4cdd96e9c93e739331.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SysWOW64\Nljofl32.exe
  C:\Windows\system32\Nljofl32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\SysWOW64\Ndaggimg.exe
    C:\Windows\system32\Ndaggimg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3364
  - - C:\Windows\SysWOW64\Ncdgcf32.exe
      C:\Windows\system32\Ncdgcf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:636
      - C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:740
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:244
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4640
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        48⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3536
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4248
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        68⤵
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        72⤵
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        73⤵
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4724
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        75⤵
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:116
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        79⤵
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4080
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        85⤵
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1460
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        88⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4412
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        98⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        100⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        104⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        107⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        108⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5788
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        115⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        118⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        119⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        120⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        122⤵
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        123⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        124⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        131⤵
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        134⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        138⤵
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        141⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        142⤵
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        144⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        145⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        147⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5872 -s 396
        148⤵
        Program crash
        
        PID:2852

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5872 -ip 5872
1⤵
PID:2488

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:5744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
96KB

MD5
9d7412bd8fc492d0d4cdee1afc17ea5d

SHA1
93f782ad4d6271192e8eb8bd2f63a4d0191c0a40

SHA256
1e8ad07d54af502a36bedeba3d444f1d30d2c0551872e2063cfa3d0dc60facc7

SHA512
a0d2b0da734f9403908af03ee7ce5efd3daf47a3815923caeef071bc528d26cd13a402a1c72f85b3a3c27129ef9731b38c2c94aa63a2dd021e03c260d5b7a58b

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
96KB

MD5
845b8cc5410adc8f2ed0b36d811730e5

SHA1
5b2194213af64d30e9310bb23d2186216d634880

SHA256
fb3ff44c981bff622d2a8e391fa5584171fee3f7842ab0595c8820415275fa7e

SHA512
b29913ef91554276ffae960598b96f13f227c5561a4a504500e7e3ef1c67cacf51b3c681cb773c92f740e6c14c5a3b41c09f9d040be290ab7c06c4e75fb34b22

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
96KB

MD5
fb2dc3965031cc195ac290ac5d5ee2b3

SHA1
53d9aca6389b1e70477bb121ebf042d461df1076

SHA256
548572cbb397a62ad89327f7fe6fe70a1c59f6b040cc9d7817961dafb89e97b3

SHA512
11b43177ed7d9c320eb66dec9e456d185b59a85422e2305b95dc5fad6b25f7fdb24757bcc2dfa2294b206b53ca831d33dbce3de6a2b549f607edbc2b35b7ecc1

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
96KB

MD5
f4a4231b3c2f3797afc6d2d80a9d6399

SHA1
7d4977aa506fa4f4f5b59f412e267a33ae6444bc

SHA256
98ddd5d3f64028d8f40af3c7c5b6d42653977c61f81b377c0bb4b18fd3df9218

SHA512
fd26ac8cb99a9d9dbf957ea77dd259f2833984f891b5eebe1ac44b0e2df52e1557d45194c8400cc1a2f9b3be040ab8983b5b61ea921c8102afc9267ac829b92c

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
96KB

MD5
733dc6b4cf16a06f42986498fb2d61b0

SHA1
552ecb735bf1a9ffbb006de3e747dbc227220e38

SHA256
e9491b2befad8c237e564d260c8c1a5f1fc0f49c1a4c019cd80a7ebb98aeb3a2

SHA512
7f475e410bc60f065cff9968a20878f651d56804ba9298be5656f13e9815869cb002c1db8e5a6c64f12f3273a87b8ffb2041a226f655175e7ceea28e867fa2e1

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
96KB

MD5
210f61cb7730c7e1cba5858d15818580

SHA1
aa651277f1bf631fec809396ac61564bb7563752

SHA256
104382b18eee93cc97b7b42f13427e92cf831e30b3f3c01eea5fc6b45304d45c

SHA512
97adf09cd83e43a881e385c5eca2e0b18e3e13df3b0b75e25d8ecccf87f60844599cc1ce9ec210e72401d8d8dc1c8c72b0521502b8ecb671d04f4e1af779950c

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
96KB

MD5
8a3e2672d9146356e7ecda2b3c3722cf

SHA1
10fa3a12e393f74d058b292ee75ec366010714cc

SHA256
c3411336f7a531cf74478164a0beed3707f63ceb4f2107a98dcdd3566f8fe2a0

SHA512
082b15ca3cf6e7214e8b24b333883f45b464170e6d6833d2949a303c1b5e73984a5232e218b5a3a76b780d97c280b32cc4200b7e60034f3b72e316f9b33b68da

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
96KB

MD5
d1eb0d16a6d426dcfd10386500230dd5

SHA1
1f63359f1936a3e7dc5e3ecf2dd95fe12a87d8f7

SHA256
5577adf7f8d7d3ccf3aa00a9e99a304eccf6ff9ed6571e4410d68a2f3acdb557

SHA512
e189581b5482e04ad9ab7b78b7a37ba4b2e4077bab53e8ecf18e2e63e2e5d2d782ddbf4d7f2f30d9386a256f5662ed49b898406b30f857a5c898e3c4f879731a

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
96KB

MD5
df9afa13b81e49e625c07f4ade5a7d08

SHA1
526c344c018a846af377c72e52932be9e84107a6

SHA256
bbf971ef72bde1aed3bda3ef1bb218255437bea8ac0feea26f54634816f8cfa0

SHA512
bfbba331c941bd177e421e4eaf194c5759091860656c1d405f2a3d1a9b2ea3f7a17121d866255b835fb6cdb3c8a49bcca60d9d48eb2a0d154ee6ee0a8072720f

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
96KB

MD5
df8a233c1bf8205d9f5cf4e60e4bcb54

SHA1
29e68e8eee7168549111cc4c565a9df88e7018b3

SHA256
1308097c3671ec671b12c277b79087b354a307905afcc46923c090383c99d711

SHA512
61e7637f37ef0bf7de1a1ef5d1a33b8544113b451d3cb688aa81b8e3f80620a2a1b0e8cf6198afa505545220aead6ad7898084b06abf1c68098113cfc237b903

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
96KB

MD5
fb43a94beda98601d6f2310211d5eda3

SHA1
75b53f6823a58f5d4a55b20af2a37e4e4f378afa

SHA256
5829fc6d8837ee8e11f1361de4a13495eeff2ecc957fc749a64d254cb0f805d4

SHA512
ec372094a41c4fd77d74753f2869ec54dabde2999f0b17f588536f51fca19c4e7f10a0c8bb8e3e29117206ba990c38375c6c9b02f3df52d548a7fb41f5afe78d

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
96KB

MD5
cbfc93a6d5f81ae357a1d4cdb295849b

SHA1
6c58db9db19d923d32247195ff92a062851de7fa

SHA256
2329bd470b63dc221128cfb04316ace6b00ab8f692e5f7bd0934a4489a5cc08b

SHA512
e890ba96db4560dbcc4cf651a4fe11efc271ad8dfda652f77eca134cabc556a915c6d8d4e83c6b42cc0ca7644e1a7062cafbfd7b1d4e1ba561eccedb4287f0fd

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
96KB

MD5
4d3b1ff9ac0cec63013968f729105782

SHA1
c3804ab0c1cbefe338d7c74847055e0a8fb6a4b4

SHA256
b60b0c1a0ab38fbd9889dbc30b26285aa45c30cd96d4a135255bf4fb1a946f4b

SHA512
ad0a50b6877f00493bb4f373c78f1116e5359ca93eca3f591e35d01f0b29f2bcbc8c98e4d1042f87e4bf0bb7c94c4dc473cd5946ea7f6c6624582d6fe278507a

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
96KB

MD5
3c04f045bf291891a79c5eeb6dff2d39

SHA1
6a664e41ad6fefd8ba586b7ab530c2bcc6ec35db

SHA256
8a3b0cb960d5699833aaed77ddb162624af15dadca3f8f76564df50ff6680f7b

SHA512
06943b67a01377128c779003c0e74ea133962a4fe665d8bd94064a81405614738acf8dc465ffc9cde5e9df045edfee0fbea85c2b8524b17cdcb5e94c682d2417

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
96KB

MD5
eed5847334c08914379f8bb668940c1c

SHA1
c8080539a998351ee5695356096988de94e85dea

SHA256
0f15941bfbf0e7167e2ce9105fd075da040d3bafc2688aed1a5aadc969c5aa08

SHA512
549b329aaabfd8c8ace9062d18f25400c815232de015f540c73d627dd8ff7f2861bfaa807ada1ec06e31c4724b901e03b9dc2736452b937943a3a479f7a72a0d

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
96KB

MD5
bb6e794c7ec303f743b4cc7d45c719bd

SHA1
3e1258f78159e1de5bdfe5fac401f6a8bca19f67

SHA256
fa458e3e5715d26b4c440be2421ab46c4d23336b005bd58f359f1c84ba632da8

SHA512
11efe0141c4061d181c63700e28c6c3c8501e4a043c6248247de27338773152baa6561a867ba541c885ef731dc85705dd34f900e787a12c426b2e732b2f55220

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
96KB

MD5
0666cb22d7ee20460b6ae760e7498deb

SHA1
3bc9eb2c68e9a4b724a42ab114dcf19edc0d7d59

SHA256
fa91eabc3b77af364f20d995e91ba81c0b0498f2fd0f7d8ed89009a9369b22bf

SHA512
8cb478d7caa43d88c12e6dd45d41e9de90e91f8e4ea5c5eef536552504431293081b75c859756fb6349fb837780da6584ce6858a40be4461ea11cb06f7290688

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
96KB

MD5
288a9ec557b185bc58ec7c0716cc7283

SHA1
9c3db591e319d4f101edf2fb423b8eb054132946

SHA256
4be2e1fe8c9f050ede9750ea2c3c91c533b9b14061b18b968dfd63198e946bbf

SHA512
2f1a4eac5511da1b1b848f9a28ac8af6ab2bccd93e6e5db7b06ebfe4af510f1f411bd5175529ceb3ef800b7fdd40babb99e2591abf2deea65841470ca893cbb2

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
96KB

MD5
1cc1dd7a36dd2c0415d6a1778a1df86f

SHA1
7db3bf912f16252a61121029ae5669a5809dc6ae

SHA256
3bcb057016d6011ee43156496959f12f945bf0ec20b1219d27a52cac7faa1398

SHA512
cf4ef698e1fe18dd203741961a0a8c389d6ca5db525b8d1b59737ef669d0ce31f682131b4e4e378268a15d7738e359ce01e0a193aca7ee6ab9dba9c846f08a74

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
96KB

MD5
c3d7ce23654b71bd79554a9a2e4d77f9

SHA1
86ca191b59e5a7c9ada6284a4b8d5d553b8780ff

SHA256
bf70001503267c1463b5e020eb482702b145c00cead33b5893df98e1bfe8d8ea

SHA512
887df4f38fe6242070540a9679da78c8b3cb9b5db10ce62bbc10362d14435e94bdf2d362d416af66632d18793be5672ad7d2eadd37576634defd191bdc9985ab

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
96KB

MD5
c0e8169480c1f62c772a0ff3e0ff2752

SHA1
019aa95517e8d90166d31e744b5c001460d4e676

SHA256
4a4ea11a6dba6d557d2a853d4d135074e4bee9668af3d4d6bf4e33b7da7fec70

SHA512
8b7c359c3e785ead5e4127520e5ae0b77b85a576193edbecd76b41c852cb021ab794891bc530b5b3ca02f1200f184f03c6216d2210932dd20eb5d2132c2b0dd8

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
96KB

MD5
1857c8bc9aa3d40d7ac42dbc2298abe3

SHA1
af047f3a22a7e33b33939fbc212ce54b02fa44f2

SHA256
8f56c33ac89cca077a302d5ca5cd3d7a176c20b0d806fe935d0b03aecfeef84c

SHA512
e2f2082ebb68e4003c931da27684b817bf2aabf04a9a2e99164732dc4fbd2879c285e24725d6889c8f7f699ad85f8c6408d18c07c327fc7b128ea6249a67eeb9

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
96KB

MD5
feffbcf52ae93987b61b2528c45db8d9

SHA1
9dde88cb72e0a104b4744a24a822251f9b4f1d5f

SHA256
ce2e37c8bcf54e9512b735903130bded8e73dfe67390fd04bdb6b788b05b4a3b

SHA512
f14268ff77efcf1489dabd114ebefab18ffbffa2c221a95cbf38be7e0cc409ffe26381d572f17a695383640865f342d233055cf3afc180d41ca30ba87dd51433

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
96KB

MD5
3ce6c43c239cfd8c24d5a31502e27b08

SHA1
75af09c635a2dd147041da47ddce08e43207f843

SHA256
695e064ee6d0b4c249a6bcb6c3e504d72be79b735d00156567a040677643737a

SHA512
cd968a1eb63b8f5fca4a92c4cc22ea3f9b1bed5de870dc91fcfe77ad6c009bf2cfb99f3ac33a6c21f208c3f12435877d3a66fa7182c905f1d8a59317c1a56a72

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
96KB

MD5
88de385200f19707ecbf7b18a282a2db

SHA1
5729d77c307828e20068144b979c85f18e4ef991

SHA256
1c3fb1470291988383eafe0974790889a4da4cdd6dbd3128ebaadb23a686d9b2

SHA512
cebc1f2727d044454a29b88c8d310e95867c3e1e85b51b8ded6160e06d9176f7f04437ec9f57cf5f69452cd03b9c51622966a9d1bc9d717f6b910f3a8e3701b5

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
96KB

MD5
c355c59c01abc6eacac1982de1490681

SHA1
69c12b2ce4f358f709a538ce48c7d9db6ba94a3a

SHA256
8fee9f80c7166a32bf046f53087be2d83af56bf9c2ae210d9569f01324b50d4d

SHA512
c8086c78c39ae86e37126bc7ecce907008cd2ee0e0a45eb775d85e1558027de58f8c18fafbca23e75e0b50535aeb3c386dddd8bc777e136d69ec4d022ecbde1f

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
96KB

MD5
80ccb4bcb2f91573d694eae0650ed3ea

SHA1
beadd022856f3647a6f90d0e8b4e956cb0d701dc

SHA256
fa5bbca6363d9b8e3b9e9e1f6fe229bffad75e1ed16d09bf5fbc5786164a92f7

SHA512
2ee51e374639ec3a94af9e1a41430c042be3190f57019ba3124874329c64cb43d411f9bb0e5766ae8e425f2a43cf2e525096def720b0507e045943cad0441baa

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
96KB

MD5
1fb2b39f162bcb8689a60370930c6549

SHA1
567d81f2438e075c5bd4008ee9e4ae7f519f88db

SHA256
f75849088fe2a6cf9aa80e1088fa4729012769efa96a5da0ee6830bbb79fbc27

SHA512
3cb5e3222f7dd1e5fac5a9e6287dc0291a27aabddb598d96dc7744e3f3b723c3d8a74aada82a12f0b2ce41472513c10f34a4336070ae007e59c6984cf0a1c892

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
96KB

MD5
bdfd45b9e09b13de44aa56dee7890e42

SHA1
08c25be893fd3a3cb03b9550f6fe2025ac85528a

SHA256
6fae97239fac707e68e056547a4821ed3b5092c8267ce0024fa60d40bb3a4ed2

SHA512
f4acee5ccbb6521abb9e052a47ca14356c2121a90ed24dcd4faf5fbdbb31f748b3673340c6b5f58ecee71e72e1a873eb94b4f62b1c1fd68d97ea2d09c6b48713

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
96KB

MD5
a8f659dfebe9af3bd230e1557e668ae8

SHA1
664e9cd1b1ec27c2080e68d3f58f2dc91b764149

SHA256
6d34a57c481440fe35369c9560b586ec37e8cc46982ec44f3d64832e81bce2b2

SHA512
41ab16d71f299b4d4dc9391871b31c39d02485c3f2a8544216ff2ce9e3d5fa2f3762107ab04d39ca4c2a6de006c9f14f8c53cbe0e1344faf9aab5d2b4bbf33ab

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
96KB

MD5
e4d6454a4000f16925f271fc83f337eb

SHA1
8e57eb45eabc23c4f3ebf5b06d9385cfc1b76923

SHA256
99c9083165c68e2d40196fa9beab4949b51124116fa78dfc48f159704dd8e766

SHA512
6014522517a75c20515c2b50612be0bcfda126a7e92c2f1d551d08799156df7c32dd03525e122e1c7f8f8fdaa34807abd419fd62077eecc519fc9877e102a0db

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
96KB

MD5
26495203ebc58894763b29fadd42e88e

SHA1
1c85f4d2c2af3541fd14cb8cb66e22976805cf6b

SHA256
0d52611a6d7fd96cea0b1dc4a9edcbf5f26d8f7a5fbca95397573aa338ab05ee

SHA512
777e5c7d6c01acd982f89c85f8e99c85cf5371c5933164c0c297cb7226b9138fe276cd1f4e2f0f6a93529b820bcf6c0e20fcc801ac5f53bd78809cae9f5e1e7f

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
96KB

MD5
bd6cab51a193bb1611c2724a7a6bbbd0

SHA1
c0befbc93f52a618a42a836906f1baaaecd87f97

SHA256
2be5f1eed34775de757bafa4bd492e2cf3832b11c24b47a5834ed6c78674e1f4

SHA512
dc3c323b602191ca569d5ee1d6c74ffb8afd632b7de8ef04a45905d3d4b3db4fb4d1020dba3e8a9b61dc1dc7aebcb63284f463d07796ffb7feb840be5fda2208

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
96KB

MD5
73e338ae36a0d4e0360fc49fa0d8e9e2

SHA1
4cf3a431a50766836bc9509bb5259d55ee3876da

SHA256
31333d01fe8bcf3f8367b84355f2b96a040344214aa38b3e852e10c2a0ef547f

SHA512
3e7da9476563133bb00e8f1f4e7f30057d2e48a9ee51dfe688425c59aa8c036abdf3460a696469ea60a4ae491e704d371717ba9dd3398a6f13f891ae0df1ee46

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
96KB

MD5
dea267b3e4ac25b08d76c3ca6c03284d

SHA1
c8a2ec3633226ed18e740ebf75bfbc765fcdfa9c

SHA256
572bc3721aaedc041d41e0a67bf777d2831c0863905621eb271e65a085e82cf9

SHA512
0bfbb54da10d16aded435e2c27f4587c3808a9008ec6f5a0a0f637223d2b67439ff59f22cb4e791d48ec3fbc02ac6d3f0f13301db71d37944a092ba0258fbd0b

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
96KB

MD5
c8877d0b2fe7bb19230c05f94728b442

SHA1
dbdf45d9aced4a75ac1dc60dff5b89492eebec21

SHA256
4ebbac75a2f465165a85769ad76309f995ceb206f6d633b489548cfd42351e70

SHA512
34ae763098a5e23af2adef9e7d105d58a611600d9d46932f699eac54fbaa5a8a482d4c4c9db91d39babea129933c5c4f79621bf090b79c108b6450fb84cfd8f6

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
96KB

MD5
a1954321b8dfe067668c17e3c63e4c5d

SHA1
dc318d7609d8ab7f94ba456ee131a63b7c5f3eaf

SHA256
bcb6d1769466a54374e1800e5fd54f628a762408ef53359cdc63e91afe4b4922

SHA512
45babc7c96791dc8a7f5c3dfb1ffef09a8e5719d9377400a344f6f54329159d6745d4b4939f76240292f6f33c57cb75cd7f0e5e6d0f4995cb7aad0596e971e23

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
96KB

MD5
d9cb1085bcbfd5423eda2c095c474dfc

SHA1
95e7baae434e8bcb67530a60db4f32c04212669a

SHA256
43db4cb26d493144dc3b7c2ae96084d0b95d7ec2702b996b564a0bde59d9be85

SHA512
f22cf9cfdc94f295f7ad806117f3c8ba0dbfd48d2a5de0fb9ac9a48d2418a40ca1ddf987d58606fddcd6dcc99012ab480042654e3e4b3615429d9155837f94ce

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
96KB

MD5
73e702fd4677e13344c1d9b9c10222e0

SHA1
d18916f56bd995de6075d2d6bd9f7ab8091ed891

SHA256
899180a4edec8b91affe7f158c7606b357bb1180a8f9d5c9fc990cb50bf18d3d

SHA512
b9b25e77b78531a777dde5f54d03ba6e3eb67514edd46ee174e227484e1faac0719982f12a99e583929de6bcb95a1c2b4d6b50b55b4c9b92dada93f54cf6dea6

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
96KB

MD5
ad0a54b1cd035daff21f5e54fa09efbc

SHA1
9caebe611ceddf935b1e65c20164de984422ad93

SHA256
637b5cc0bb70e1e97aed6e58bed01afba2e0ee27fca3168c678aaebdacde890a

SHA512
eb3576cd1d576cebba38ad9badb7bbb0975a0b8199360a24c76e2b687fb25ccfa186ddc918cdbbbcbbdca09c9815be0d25143b0c04c3c91251f5f34b89490cab

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
96KB

MD5
c1250208061ad07fd757589057afd819

SHA1
afe1d3933894670618e1e43ac40b80a9cff3e135

SHA256
17c11ba73cc031d9b1afc19e87efdaedc0fcc2d5322a975eb6b56bf2314e0258

SHA512
656a6845c06f46cef58e56ba0d64f701e754d57a0bbef8fd477f5b9311e54b8b2cdc837e07c09f0cfe847ace59de4bab4e2524875b46e1c2e6e7c02271b600cb

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
96KB

MD5
7d6f89a746cb7c3eb1e269b8fa234c5c

SHA1
98cd5160a0ba8b22a670464f42507897964cfa30

SHA256
540d45428e93706a9a9aeda2de5a0f84656975738092cf901ffa38d104af6187

SHA512
007cc423b4f91967a9ba48b2b7a0dff83b9cae1c8c87c40914fb31f8997d3810071e97720202422fe3007d1061b878e3aead86cdb43bbfb84e189ee56bc74d6e

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
96KB

MD5
212f6faaff485bbbc1f232b6e60fbdb9

SHA1
1273c9f279dcb4d18519ae5c042d42bda993057c

SHA256
b82c6cf4e0046fe7ae4b8f31a6766c0bfbad1f777326f50c0c59e51c955f123f

SHA512
c573ea08a15cf375fcd2942480a2cddfd75ed68df1690ac1e50bde0cb09761de6a2446904a8632906cb803c24f4b45f21058363f73254549c21468370fb51990

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
96KB

MD5
8be0c5c171af98ab6faf816a72dc54fd

SHA1
7a3478c5ea887e1f5642359e1d68dcf4aaf17d58

SHA256
2ba4c0baa3b1935e8a2a926fa99c04561fef92488688f7bde4cb66c3e5940ce5

SHA512
b8e857865fa41200f3c070c9aa0b18cbbd904b58fdafd1bd374fd6f59050e5275bafafffc13453d86a2824dc5ede7aa97868599537718451cd876f5ffe2515f6

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
96KB

MD5
f35f6f4942162e378ab351af1de17943

SHA1
cf533ce37f392655cbc73d53f538e1bf45b6b91c

SHA256
c99c571c88abda12e8e35fda5782ae45c658a4f504c1bd9f0ad7c68996c988e7

SHA512
1cbc5f6d42ded80f8578787d829698e93a6aa25c757d3a665a00d75f1b8f586300d9f63bb69bc5c6393f7806cbc5453b0c4e4ec777c835d0a91939bac88e1333

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
96KB

MD5
a374a4bfed5082866eea7419b060200f

SHA1
a7abbf80edc92877dd47073d437d8e9f46be616b

SHA256
71bc0bbb6bf62a903bcfddda73adc52dacd6780527412d0d77f61a4f4b29b838

SHA512
6cc29ccfeb62058cecf254c0f9ed827a02ed4684449db8c06bbb332c7eab6da47d1564d4bbffdf252054aca74e8a501a2a5166dbab2c9db4ee30549c5d56891f

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
96KB

MD5
94e5f2ebdab0b22ec35c871ee718d9f0

SHA1
68b28eedd418c8398dd8610af88ee9bade770474

SHA256
3fa580d65ad8b55ba33acc0a30b4cfae52311543fd2bd67a73ebfcf991f4d55a

SHA512
d2507c9058040504feebf66e4ba40f8dab72076c696a488a52c4df5a26d175ff4c068a9a15b38705738b1ad3648baba2a596fe55e8a6c1c4b639884720e173c7

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
96KB

MD5
0c4ea400a4b76cf2a2bf7a2ccf6a992f

SHA1
91ed35a96c4f92d7750f1ccd54dc0365640bc434

SHA256
e1f2620470d0f120cc3405eb33038411e491008f1de850f6b11b51181a64f958

SHA512
e5e7289390d3e8480d4ebfa054abcae642c0d87a52acd3e5225fd0cf0902e472c674772a6e0ad4583b4707c778cbcec631f3005d1c2e6900fcf35941e0203144

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
96KB

MD5
fcd7878a8ee5b11c3a08de8352ffa289

SHA1
7f2c62a54885dd4dce3821080033ccff0b074c76

SHA256
933cc72d43147d5191b5512c1737ccfa505130d7b7831e86888ed16fb9310e1b

SHA512
591751f4f1cc1bca9960d547eb36ef023671f2e6bd5d4b9fc5d3bffc188e947873e204b2951837e9d60451bd256d0a64e164d59b1a174ae0bcda795e28c15e86

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
96KB

MD5
127f50117defcb19185f98fa6bd9897f

SHA1
1c9c78e21b661783ec63556679d6d3f3d5b7fd20

SHA256
5e24ccd60acaaebaf2609c6012339eb5407b7e0e42a9c586bc092340ff1bd192

SHA512
baa0130ccd6e16b42431dbd12bd3f94dfc67e2bbd6e20e326a620ce53b0886eb6e2f5af7edf46d1793b06129cc7726ff0b696826c60703e58b3e157ead3e1992

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
96KB

MD5
744849ff6aca928e5919a48d51d5fc13

SHA1
b6edd3d22f79ad8cfd4cea3b3006d787d3b74fde

SHA256
43859677dcd097b6be5954886c45a453eb7eb365937eb3d2b762b0e92ae2237d

SHA512
ad74309ae38005c7e0786520f0be032057c3f1f3f884d49f53c1edfe6239c4aa306ce33a0913f4fef8535d6aad59c3d6dfcbdf8fc3910ebf573889084934bfc1

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
96KB

MD5
9930fc35dae873c342e86ef34cb27d89

SHA1
eace13595a3d9c55f82e4a1ba375e5984dfe68ad

SHA256
a75b778e376dddf73a98b98394b254f9cbc6b0bc98ee315138d4111381cb51bc

SHA512
d36345a011c86967929e0646957fba6691d7c08caa4d0ae672a6dd56c6f3dffce762edfe5cf548cc279fbf9de14f7d56a1b017b27a0a98ff51adfc84c48ef100

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
96KB

MD5
7d2b48577a3136bf466fed54949add5b

SHA1
2fcf108f9b021e205d0211d4fac5c25a7622414a

SHA256
55ab8f93293b5845b30cc9fb77f6c371544cef3df09c98a617f9ed5acffa2c49

SHA512
2bb240b303b3275f5cc3e3f61accdec6db85cbebbc1ee754804b3c314a794a27fc6f38c0b25c7f67d473c35d7161c87b249856d73ae7137faede77658ea548bb

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
96KB

MD5
0e0ebde5f278b6f955690f7464d4923b

SHA1
2727e6a6b47d8edc8d370088f29b216cae386b92

SHA256
d024605507008c2316d36da28e173a8c720b862c4f2bd330d2aa21b1f37a6c16

SHA512
cd052dca598336b9b10da5104ff3296d14ed21ef7599779ca0b04e55d9b9e94563e5d70d3fc8439525edad824a87b31e521d842c80290249301d8f25172096d6

Download Submit
memory/116-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/244-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1316-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-1093-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5152-1010-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5244-1038-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5376-1005-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5612-1065-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5700-1062-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6036-1047-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6124-1044-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads