berbew | 2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50

Analysis

max time kernel
95s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe
Size

90KB
MD5

8aa6aab7493062075c4575f8c4bc7f82
SHA1

b13e690b6049298611071814298a2917b191bef1
SHA256

2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50
SHA512

8a2531ae69000feabcc176e235205fca4204dbfb28fbeb9c4589fae9b0b4155a0bfb7f4105111974ae75f68cfab6b9b4e1f405979781800aa41d35c130e2c151
SSDEEP

1536:7G5TVSyqWTqJHwoy6FHru2c8+KAssJXcqOxL8ZTzbcJ+7zNjSKOhYXYnLyVDMRSy:iPcJQZ2c8+KYsEXNjShi6eQKNDVM

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfiplog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnlme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgpcliao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfchlbfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onkidm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ondljl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aoioli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnjqmpgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogcnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcelpggq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngjkfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phonha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afbgkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnojho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncqlkemc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahdpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdhkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akpoaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhmbqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjknfnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dafppp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokmdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogjdmbil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfdjinjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhpimhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cacckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfeeabda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofkgcobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjbcplpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oaifpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chfegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cglbhhga.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1752	Mcelpggq.exe
4848	Mfchlbfd.exe
2956	Mnjqmpgg.exe
3520	Mokmdh32.exe
4892	Mfeeabda.exe
64	Mnmmboed.exe
624	Mqkiok32.exe
1040	Mcifkf32.exe
1592	Mfhbga32.exe
4048	Nnojho32.exe
2944	Nmbjcljl.exe
1904	Nopfpgip.exe
1492	Nggnadib.exe
5064	Nqpcjj32.exe
2276	Ngjkfd32.exe
244	Njhgbp32.exe
2772	Npepkf32.exe
3544	Ncqlkemc.exe
4532	Nnfpinmi.exe
1096	Nadleilm.exe
3960	Ncchae32.exe
1824	Nnhmnn32.exe
3772	Npiiffqe.exe
3852	Ngqagcag.exe
2584	Onkidm32.exe
4016	Oaifpi32.exe
896	Ogcnmc32.exe
3932	Onmfimga.exe
3364	Oakbehfe.exe
4260	Opnbae32.exe
4540	Ombcji32.exe
4548	Oanokhdb.exe
516	Ofkgcobj.exe
4008	Omdppiif.exe
4812	Opclldhj.exe
4820	Ogjdmbil.exe
1128	Ojhpimhp.exe
636	Ondljl32.exe
4204	Opeiadfg.exe
2424	Pfoann32.exe
4864	Pnfiplog.exe
1688	Paeelgnj.exe
4232	Phonha32.exe
2320	Pnifekmd.exe
3172	Pagbaglh.exe
2452	Pfdjinjo.exe
564	Paiogf32.exe
1280	Pdhkcb32.exe
1784	Pjbcplpe.exe
4272	Pnmopk32.exe
2724	Pdjgha32.exe
4288	Phfcipoo.exe
592	Pjdpelnc.exe
4132	Panhbfep.exe
1152	Pdmdnadc.exe
2384	Qfkqjmdg.exe
1308	Qjfmkk32.exe
4856	Qmeigg32.exe
4796	Qaqegecm.exe
800	Qdoacabq.exe
2396	Qjiipk32.exe
4492	Qpeahb32.exe
4256	Ahmjjoig.exe
4416	Afpjel32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bhkfkmmg.exe	Bpdnjple.exe
File created	C:\Windows\SysWOW64\Bkibgh32.exe	Bhkfkmmg.exe
File created	C:\Windows\SysWOW64\Gbhhlfgd.dll	Bpkdjofm.exe
File created	C:\Windows\SysWOW64\Mcelpggq.exe	2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe
File created	C:\Windows\SysWOW64\Mcifkf32.exe	Mqkiok32.exe
File opened for modification	C:\Windows\SysWOW64\Pjdpelnc.exe	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Qjiipk32.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Bpkdjofm.exe	Bahdob32.exe
File created	C:\Windows\SysWOW64\Ncqlkemc.exe	Npepkf32.exe
File created	C:\Windows\SysWOW64\Panhbfep.exe	Pjdpelnc.exe
File created	C:\Windows\SysWOW64\Qjfmkk32.exe	Qfkqjmdg.exe
File opened for modification	C:\Windows\SysWOW64\Qjiipk32.exe	Qdoacabq.exe
File opened for modification	C:\Windows\SysWOW64\Adfgdpmi.exe	Aoioli32.exe
File created	C:\Windows\SysWOW64\Bmhocd32.exe	Boenhgdd.exe
File created	C:\Windows\SysWOW64\Hnflfgji.dll	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Cglbhhga.exe	Chiblk32.exe
File opened for modification	C:\Windows\SysWOW64\Mnjqmpgg.exe	Mfchlbfd.exe
File created	C:\Windows\SysWOW64\Jchdqkfl.dll	Nnhmnn32.exe
File created	C:\Windows\SysWOW64\Klbjgbff.dll	Pnifekmd.exe
File created	C:\Windows\SysWOW64\Fmbgla32.dll	Amjbbfgo.exe
File created	C:\Windows\SysWOW64\Kjamidgd.dll	Afbgkl32.exe
File opened for modification	C:\Windows\SysWOW64\Amnlme32.exe	Akpoaj32.exe
File created	C:\Windows\SysWOW64\Bdmmeo32.exe	Aaoaic32.exe
File opened for modification	C:\Windows\SysWOW64\Bpfkpp32.exe	Bmhocd32.exe
File created	C:\Windows\SysWOW64\Nmbjcljl.exe	Nnojho32.exe
File created	C:\Windows\SysWOW64\Oglbla32.dll	Oakbehfe.exe
File created	C:\Windows\SysWOW64\Ogjdmbil.exe	Opclldhj.exe
File created	C:\Windows\SysWOW64\Fbjieo32.dll	Bpdnjple.exe
File created	C:\Windows\SysWOW64\Bknlbhhe.exe	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Bgelgi32.exe	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Chiblk32.exe	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Cpdgqmnb.exe	Cnfkdb32.exe
File created	C:\Windows\SysWOW64\Ldpnmg32.dll	Mqkiok32.exe
File created	C:\Windows\SysWOW64\Jihiic32.dll	Nopfpgip.exe
File created	C:\Windows\SysWOW64\Dempqa32.dll	Npiiffqe.exe
File opened for modification	C:\Windows\SysWOW64\Cggimh32.exe	Chdialdl.exe
File created	C:\Windows\SysWOW64\Pdmdnadc.exe	Panhbfep.exe
File created	C:\Windows\SysWOW64\Dahmfpap.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Ipjijkpg.dll	Dkndie32.exe
File created	C:\Windows\SysWOW64\Jnifpf32.dll	Mcelpggq.exe
File created	C:\Windows\SysWOW64\Oakbehfe.exe	Onmfimga.exe
File opened for modification	C:\Windows\SysWOW64\Pjbcplpe.exe	Pdhkcb32.exe
File opened for modification	C:\Windows\SysWOW64\Pnmopk32.exe	Pjbcplpe.exe
File created	C:\Windows\SysWOW64\Phfcipoo.exe	Pdjgha32.exe
File opened for modification	C:\Windows\SysWOW64\Bmeandma.exe	Bobabg32.exe
File created	C:\Windows\SysWOW64\Boihcf32.exe	Bknlbhhe.exe
File opened for modification	C:\Windows\SysWOW64\Bgelgi32.exe	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Opclldhj.exe	Omdppiif.exe
File created	C:\Windows\SysWOW64\Cjijid32.dll	Njhgbp32.exe
File created	C:\Windows\SysWOW64\Ncchae32.exe	Nadleilm.exe
File created	C:\Windows\SysWOW64\Bogkmgba.exe	Bgpcliao.exe
File created	C:\Windows\SysWOW64\Bhqndghj.dll	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Cncnob32.exe	Ckebcg32.exe
File created	C:\Windows\SysWOW64\Cacckp32.exe	Coegoe32.exe
File opened for modification	C:\Windows\SysWOW64\Oanokhdb.exe	Ombcji32.exe
File created	C:\Windows\SysWOW64\Dgegjnih.dll	Oanokhdb.exe
File opened for modification	C:\Windows\SysWOW64\Bmjkic32.exe	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Jkmmde32.dll	Bahdob32.exe
File created	C:\Windows\SysWOW64\Nbgqin32.dll	Nggnadib.exe
File created	C:\Windows\SysWOW64\Gdmpga32.dll	Omdppiif.exe
File created	C:\Windows\SysWOW64\Dgfpihkg.dll	Opclldhj.exe
File created	C:\Windows\SysWOW64\Nmocfo32.dll	Qfkqjmdg.exe
File created	C:\Windows\SysWOW64\Kajimagp.dll	Aajhndkb.exe
File opened for modification	C:\Windows\SysWOW64\Akblfj32.exe	Ahdpjn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5200	5984	WerFault.exe	222

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phfcipoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmeigg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkobkod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfiplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdjinjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqpcjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akblfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coegoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chnlgjlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfchlbfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqkiok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caojpaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocjiehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nopfpgip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njhgbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnfpinmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahdpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmmeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boihcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chfegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfeeabda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agimkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfhbga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaifpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjdpelnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdoacabq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaoaic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahmfpap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpmapodj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggnadib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncqlkemc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qaqegecm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhkfkmmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhmbqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boenhgdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akpoaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phonha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcifkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onmfimga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opeiadfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogjdmbil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgkiaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bddcenpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgelgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chiblk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncchae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oanokhdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pagbaglh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjkic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpkdjofm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcelpggq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngqagcag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paiogf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjiipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpcal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogcnmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnojho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbcplpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chdialdl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhlfgd.dll"	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnmopk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamebb32.dll"	Coegoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojhpimhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfoann32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpofk32.dll"	Dhphmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgplk32.dll"	Ahaceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkicbhla.dll"	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nopfpgip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcmdgodo.dll"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okddnh32.dll"	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignjamf.dll"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gikgni32.dll"	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkogl32.dll"	Mokmdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oakbehfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepmqdbn.dll"	Aogbfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjllm32.dll"	Onmfimga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkkam32.dll"	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncchae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Paiogf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdlfcb32.dll"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mqkiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjdpelnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcdqdie.dll"	Qjiipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkpbaea.dll"	2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdhkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhkfkmmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmjkic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfhbga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nadleilm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aogbfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmeandma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlfmfbi.dll"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogcnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgni32.dll"	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figfoijn.dll"	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnmmboed.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 1752	4448	2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe	85
PID 4448 wrote to memory of 1752	4448	2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe	85
PID 4448 wrote to memory of 1752	4448	2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe	85
PID 1752 wrote to memory of 4848	1752	Mcelpggq.exe	86
PID 1752 wrote to memory of 4848	1752	Mcelpggq.exe	86
PID 1752 wrote to memory of 4848	1752	Mcelpggq.exe	86
PID 4848 wrote to memory of 2956	4848	Mfchlbfd.exe	87
PID 4848 wrote to memory of 2956	4848	Mfchlbfd.exe	87
PID 4848 wrote to memory of 2956	4848	Mfchlbfd.exe	87
PID 2956 wrote to memory of 3520	2956	Mnjqmpgg.exe	88
PID 2956 wrote to memory of 3520	2956	Mnjqmpgg.exe	88
PID 2956 wrote to memory of 3520	2956	Mnjqmpgg.exe	88
PID 3520 wrote to memory of 4892	3520	Mokmdh32.exe	89
PID 3520 wrote to memory of 4892	3520	Mokmdh32.exe	89
PID 3520 wrote to memory of 4892	3520	Mokmdh32.exe	89
PID 4892 wrote to memory of 64	4892	Mfeeabda.exe	90
PID 4892 wrote to memory of 64	4892	Mfeeabda.exe	90
PID 4892 wrote to memory of 64	4892	Mfeeabda.exe	90
PID 64 wrote to memory of 624	64	Mnmmboed.exe	91
PID 64 wrote to memory of 624	64	Mnmmboed.exe	91
PID 64 wrote to memory of 624	64	Mnmmboed.exe	91
PID 624 wrote to memory of 1040	624	Mqkiok32.exe	92
PID 624 wrote to memory of 1040	624	Mqkiok32.exe	92
PID 624 wrote to memory of 1040	624	Mqkiok32.exe	92
PID 1040 wrote to memory of 1592	1040	Mcifkf32.exe	93
PID 1040 wrote to memory of 1592	1040	Mcifkf32.exe	93
PID 1040 wrote to memory of 1592	1040	Mcifkf32.exe	93
PID 1592 wrote to memory of 4048	1592	Mfhbga32.exe	95
PID 1592 wrote to memory of 4048	1592	Mfhbga32.exe	95
PID 1592 wrote to memory of 4048	1592	Mfhbga32.exe	95
PID 4048 wrote to memory of 2944	4048	Nnojho32.exe	96
PID 4048 wrote to memory of 2944	4048	Nnojho32.exe	96
PID 4048 wrote to memory of 2944	4048	Nnojho32.exe	96
PID 2944 wrote to memory of 1904	2944	Nmbjcljl.exe	97
PID 2944 wrote to memory of 1904	2944	Nmbjcljl.exe	97
PID 2944 wrote to memory of 1904	2944	Nmbjcljl.exe	97
PID 1904 wrote to memory of 1492	1904	Nopfpgip.exe	98
PID 1904 wrote to memory of 1492	1904	Nopfpgip.exe	98
PID 1904 wrote to memory of 1492	1904	Nopfpgip.exe	98
PID 1492 wrote to memory of 5064	1492	Nggnadib.exe	99
PID 1492 wrote to memory of 5064	1492	Nggnadib.exe	99
PID 1492 wrote to memory of 5064	1492	Nggnadib.exe	99
PID 5064 wrote to memory of 2276	5064	Nqpcjj32.exe	100
PID 5064 wrote to memory of 2276	5064	Nqpcjj32.exe	100
PID 5064 wrote to memory of 2276	5064	Nqpcjj32.exe	100
PID 2276 wrote to memory of 244	2276	Ngjkfd32.exe	101
PID 2276 wrote to memory of 244	2276	Ngjkfd32.exe	101
PID 2276 wrote to memory of 244	2276	Ngjkfd32.exe	101
PID 244 wrote to memory of 2772	244	Njhgbp32.exe	102
PID 244 wrote to memory of 2772	244	Njhgbp32.exe	102
PID 244 wrote to memory of 2772	244	Njhgbp32.exe	102
PID 2772 wrote to memory of 3544	2772	Npepkf32.exe	103
PID 2772 wrote to memory of 3544	2772	Npepkf32.exe	103
PID 2772 wrote to memory of 3544	2772	Npepkf32.exe	103
PID 3544 wrote to memory of 4532	3544	Ncqlkemc.exe	104
PID 3544 wrote to memory of 4532	3544	Ncqlkemc.exe	104
PID 3544 wrote to memory of 4532	3544	Ncqlkemc.exe	104
PID 4532 wrote to memory of 1096	4532	Nnfpinmi.exe	105
PID 4532 wrote to memory of 1096	4532	Nnfpinmi.exe	105
PID 4532 wrote to memory of 1096	4532	Nnfpinmi.exe	105
PID 1096 wrote to memory of 3960	1096	Nadleilm.exe	106
PID 1096 wrote to memory of 3960	1096	Nadleilm.exe	106
PID 1096 wrote to memory of 3960	1096	Nadleilm.exe	106
PID 3960 wrote to memory of 1824	3960	Ncchae32.exe	107

C:\Users\Admin\AppData\Local\Temp\2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe
"C:\Users\Admin\AppData\Local\Temp\2cc72542a8d61c65f97eb56baebb7689a8a60c71d9582c417ae8eb2240268f50.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\SysWOW64\Mcelpggq.exe
  C:\Windows\system32\Mcelpggq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\Mfchlbfd.exe
    C:\Windows\system32\Mfchlbfd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\SysWOW64\Mnjqmpgg.exe
      C:\Windows\system32\Mnjqmpgg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
      - C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:244
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3772
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2584
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4260
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:516
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4008
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:636
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        43⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:564
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4132
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        56⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        58⤵
        Executes dropped EXE
        
        PID:1308
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4256
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        65⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        66⤵
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        67⤵
        Drops file in System32 directory
        
        PID:3260
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        68⤵
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:320
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5000
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        72⤵
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        76⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        79⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        80⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        82⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        87⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        88⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        90⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        98⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        106⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        107⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        110⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5600
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        121⤵
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        122⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        127⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        128⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        133⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 412
        134⤵
        Program crash
        
        PID:5200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5984 -ip 5984
1⤵
PID:5892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Akpoaj32.exe

Filesize
90KB

MD5
739c0c72c55c31ea229ddc665f3aed2a

SHA1
9697dd73855f14491239aa38cf2c0193d682937f

SHA256
e80283fa8c48296f92b088cf7b7e8dcb7e996b8e1400678eefdb132f2737c347

SHA512
66048fd815f9cb30727ddd6ae31072c169187ea2816f243ab0007e4ecf30ea6e048176e7d78d43d7b3f1fa2759c4df50112327cc6013b017d063fc502e231611

Download Submit
C:\Windows\SysWOW64\Bdmmeo32.exe

Filesize
90KB

MD5
33e9b9fcb856feb52fde9b221b3adc5b

SHA1
1570ad5a32b1874bad707a9126329c1e5f72dc7a

SHA256
c5049a0206bd1a36f85f35eea72f8fe19173b632289b1ea120a5dc0c546f96ba

SHA512
72669e3c145892166cef5cf3ee91d417525ad6b3c0522f8c570d3c815fbd5e06d6368b613ded5067c26c82b563e53040bd632544f5423d63f37ee0b407b14d7d

Download Submit
C:\Windows\SysWOW64\Bgelgi32.exe

Filesize
90KB

MD5
8be6a871d0e64466b405349a18ce5445

SHA1
04c601876a7e5ae2be18eccf6350f3a60fc887af

SHA256
1569b4cd6766ccd1a61dc6cb37ca7fc9976f60bab8851f597a6cfbcf3ef21fc8

SHA512
fbf373222213ebaeefcde85a40fedcc1a4e05a3f898f0e6cd5feb514e15ed09d59ec65aa7dd54397dc765ca96fa9c155e1788f801e7ed5d42f003b40a2590ab3

Download Submit
C:\Windows\SysWOW64\Bgkiaj32.exe

Filesize
90KB

MD5
38d1f74608194f1c5c1993da865ae2b6

SHA1
3d5b678ffd57e6d60662d3b22cd7b76dc86af28f

SHA256
06d21086c483995401c1eb593456c343355dab50c133f96943c9e20a8414ffdd

SHA512
b058eb3cc9873f8f946153a3cb8597bc2e28ba9389d140d52c790019347a44db7184ee7600f45597696192a26e942d9ddd43d0c0dc51b78dfe6782f7a3da4a1a

Download Submit
C:\Windows\SysWOW64\Bhmbqm32.exe

Filesize
90KB

MD5
fe27d2af1724ca129c53ac01c9b79192

SHA1
e736b48b0bfd53164eb8814b6a1d2501addfde8d

SHA256
c2a77f9d65f2ca777379728e182d81a8f3abff9cba783faac8097a0c97ed20ec

SHA512
18550b97d678c9c68014589c496ae1fd50d03751311167a98fc5b1d25fcee550b581228d828c618b8777b4dd51a17cfef6c4a1190c361bcd63fff1d238988cdd

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
90KB

MD5
046354f13c91599088b933a20706051f

SHA1
8392696cc6fabcccc7c5952ed96fab93cea39581

SHA256
9644a3b0e22d419a33095871a6d12851baf39f687b515c8ad17b07828a1e7b25

SHA512
47bd9c2483311fb9c19cf05f3bd87b4f1c0449aec60d9968bbfa9f59f7f0c9eb6005052a50c7b4210eb47b742bb207760138bc8d652e3e4ef3ff8c2a6d68a0c9

Download Submit
C:\Windows\SysWOW64\Chnlgjlb.exe

Filesize
90KB

MD5
b78e378a07cae9f7d41afa27d9c8ffb2

SHA1
7e49092f955c4f6d5f75d7c7008ea1ca923b656b

SHA256
075f27f0018669eda01e3666e8634f0d23a900f6af364c1130ad3c069a9495f3

SHA512
a0c96fb9221cd77080fc8aa08a534380d52f3ff147affb41aedeab0e5fd1d97693084bec9ce0536e47363300b10a231629b030022bbce0291d4611727c549389

Download Submit
C:\Windows\SysWOW64\Ckjknfnh.exe

Filesize
90KB

MD5
0ac48026e2566359b6aac455b0977a54

SHA1
ff0916c8a07dc2e328465abf01daff9dd8e28970

SHA256
f5d121b8157c313ebb35700cf16bc25f8c278a79af14ba20c34378b3676553e2

SHA512
9d4b3659a39dd24af9c0ee63055ff4f4413464a72aa19b16aa2b06631ca27b9aa32b1170e26bac36321dea1af4d6b7a270fe59ed8d3f6abd44ba380b78e3811e

Download Submit
C:\Windows\SysWOW64\Cocjiehd.exe

Filesize
90KB

MD5
696a49ad8d5b8095c0675351cf66e7bd

SHA1
31fb835201ebe212d6fcf6b5d8a245d73f894685

SHA256
bb112e72ac73b76813cbfac4b13b3f0c94721dcd2a87b416b813b0af9e446142

SHA512
4d72bac23aa23cee718994cdd863ec140b21f5f50fd03ab5c218a0f16f25d64e13f6263cb06747dab1c3c01eaba832f68f9a01a064fa5b472dd59da45e7d0811

Download Submit
C:\Windows\SysWOW64\Ghkogl32.dll

Filesize
7KB

MD5
4b7154a455b64f3eea2c4c3ed9a47925

SHA1
9ba4a17826b075fd3928c2852a740498f3023f05

SHA256
8575c6a1ac783629f794ff5452d6f1c462f858d0009c36e570291ccd33206e81

SHA512
d734d8ac0854594564271bdde7fb690bcf14cdea5865a01faae5e5632f80cf51e94a71da2e2811702aea361269e989191058652719c76c9bad134adbce0ea1ea

Download Submit
C:\Windows\SysWOW64\Mcelpggq.exe

Filesize
90KB

MD5
0f203ce3b119b2c764e25578fc65cf1d

SHA1
1a037401aaf2f5773de24151df3bc1aeff9dcd56

SHA256
7da41c8dcf2cc107df100e951add465c825819f012674cf9ecb1a49bfabc369c

SHA512
ad52cb18f9dc38042270628659161d6389cb8ab0dc460ee5b3f19c51714f1aaa794cfa48b57f3bc5e24d1745132a70b81f3c6b9960b421e035e99a5bd44e890c

Download Submit
C:\Windows\SysWOW64\Mcifkf32.exe

Filesize
90KB

MD5
dffafb821c822b3e934902958b4f4bd0

SHA1
d981614c53023bfb3c8293d44874844a6ef196e5

SHA256
52a6464102b06b0882924c4f57a8ce923075aaea74237f4970a06db0478ed234

SHA512
c8a93b78eb5b0dcd1568948b5180f7695c1ee05fa3a780681cc080b27ce07ce3b21c3d925133ee521e2a5f61c7a6493c7f587376685ff67a45dc3b69bfc94123

Download Submit
C:\Windows\SysWOW64\Mfchlbfd.exe

Filesize
90KB

MD5
6cb2fd18761c9aa4eae69c0bf3c8faf0

SHA1
da959c1ce650d2bd7dade82b6220874b5279bb2c

SHA256
d96cd4a412cfa74f53348c85957376eb0fb7c99e5593dc47f8d8ff0a4d136f67

SHA512
4b48fdbc4cda4d0ecfe374f3c8badfb7d3fa6f05520e276a2cc76d92bdf3dd79e697a181c8826477bf5fe1bdeaa50431cf287eb0bccde9cddf33d16e383ba2fb

Download Submit
C:\Windows\SysWOW64\Mfeeabda.exe

Filesize
90KB

MD5
426239745164cb2ee345b3ba56f725bc

SHA1
7d17c19335693219c06f49a4e3ff4c4d41fbb9af

SHA256
27fc8e7a7f4ef190874eb4b96d5eaaefc4ac3f1fba717c3403aefe0a964c2f3a

SHA512
a42b84de7d42748500f912f4df90c4af1c3dc845a4628fc01cd5f9469e838087d37c885dbd9b97077dee8b16fc8f1ad2dfac55d559ce4ef996ac1fbf2dddacc2

Download Submit
C:\Windows\SysWOW64\Mfhbga32.exe

Filesize
90KB

MD5
3405b8abfbd5fac0011e257ce11c12a8

SHA1
2c861ce4367bf97e2b206114727507b004c7d6fc

SHA256
65afe6b57db5e01906d1a45f45b9fb5a72698be470a7fd330c62ba974c1028b7

SHA512
f3f469598e93b69c12469b6f3365afb0a6e8f5eff2b6144e73610762384afdec050fa304204ce30c067b6540c7a9f01ea7cf606b32b847d385b9471508bc8073

Download Submit
C:\Windows\SysWOW64\Mnjqmpgg.exe

Filesize
90KB

MD5
fe2968f980eed7da997ac40bc0604a8e

SHA1
73874443c79a0a57410a9c5ee13389fc934e197d

SHA256
af763540cab5dfe1516660515cfc98ef3a88dd2f045bcd32b68463e800b2c71f

SHA512
4ad9f19c017ce8f7caf70d612ab2479b96098356ff93e381efbc2cf6092c58210b92fa2237e3b01cb5b9d49c6978656e12455c9474691482c878fde5f2b22d0a

Download Submit
C:\Windows\SysWOW64\Mnmmboed.exe

Filesize
90KB

MD5
7dee5623ac8c7edc9715e0d9de03d078

SHA1
1ea4eabb8035706b94cb1d186c92395d459bae9f

SHA256
bd1eb1e4daf9a791342f80d594f250e687a5479a4569832be63f2278958605e4

SHA512
f89b800609d661861f6b77bc08f15dfb74fbebfc1e7f4a719b21391a665cf44c6c6a3a14861f735d3421e052d6962f11427732f655eb75407e08cdce2a613ee3

Download Submit
C:\Windows\SysWOW64\Mokmdh32.exe

Filesize
90KB

MD5
e31c0315e4f382cd9a74aa033ad622ff

SHA1
ff7e610e64ef1e8a4aca4d25b2698cb9d3a86f9a

SHA256
461635d7259d361a69906301a33841221e74d02fd68b433c7b23549fb6962823

SHA512
59492c4647630a2c541215246abd9d49a0865786f80f81c4c0c935efdb00f7da52856e9e52e5b1c865059ab22918ed64c8be4338873f4537e0c0d22464f41906

Download Submit
C:\Windows\SysWOW64\Mqkiok32.exe

Filesize
90KB

MD5
3c995712e053e6ba1ab00cb76c7ae518

SHA1
331758a5f7d98b33357fffa5d5d89b3410f9ec86

SHA256
f4e41fcea4e37656b4849aae897e23cdbd233245fab62eb889d0ab30b8930bf3

SHA512
85a8614913317cea200426b751ebe8ddc768ab4f185c46caa0b34ed4297f44f695ab0e82055cc7cc538f9269ada7694a9ec22e0b778df110af98cfda8bfe6e88

Download Submit
C:\Windows\SysWOW64\Nadleilm.exe

Filesize
90KB

MD5
e35221ddd457f85cb8af067530f18de2

SHA1
124467225ed020c05cce31dcdd3f2aab9ebb9f92

SHA256
746de28a8e403da77afac1bc2a383027bd60eba546a7f775c0fdca6eef72a12c

SHA512
6f8573cc231219db67eb414a0dab1eed18b0b8a3278d175357a0c4ee5f3691301e3488f4fcf2fa0f13395877420e5b9dac3fb492fad5b2e9317053ded31e0f6e

Download Submit
C:\Windows\SysWOW64\Ncchae32.exe

Filesize
90KB

MD5
355ad04f8c0b3fead301255e23d2acce

SHA1
bcf347409a8e166fd7e10b3a736786f399e9cc49

SHA256
1bef900626abd919b92aaa7855f94083f633401864a22ae5eddd77ba1569aa02

SHA512
4de074887046db9fcb9f8b59beedbdb74c291958d32837b637686c008cc729f205857b4dd85da857f652b90033642e66f457a403472fe5b7c1d4c202dcd8c87c

Download Submit
C:\Windows\SysWOW64\Ncqlkemc.exe

Filesize
90KB

MD5
904b14b1892d5fde9d91ab0907f5bd9b

SHA1
84d33e536bf4c23075564e05a3428ff9c4b3ab58

SHA256
433eefd13a5821f1e722ccf3e4b4b199d019265862f6996a48fc7e887f49efad

SHA512
8265893c52dcc4eb46a1594e35feb214cc4bb2e5f2e5aee2322d93f9cc52e1b0a3f6b0a22a40873cca1adac243a9382ef72c46ad45d1f5e957193a7cf97687fe

Download Submit
C:\Windows\SysWOW64\Nggnadib.exe

Filesize
90KB

MD5
4fcff03eeb25eb815809b93932b579c7

SHA1
abb8a54336d421837764468e3b16ca5326eccd71

SHA256
1774c1bd6ca16d2c4534c9fc88fef3091f3353826442886c4e1ce5b80a431cb0

SHA512
26734a31935b1a3c172c53f95fa6a11a20dec50030be25623f66f8abb1d24c9a25441e5272f3ec1f08dffaa6e306a8559438b49779ce1cbdbfb9f307ea6af458

Download Submit
C:\Windows\SysWOW64\Ngjkfd32.exe

Filesize
90KB

MD5
6bd1182424dfa7f98047f3d1e16e2135

SHA1
999dc907f39c5ef1040a39003faf41f830b36beb

SHA256
c83bd3b4dfc1b1e01eb8e1df68f5996aad50b60d3472958ad499a8830f8b06ec

SHA512
81f0591362d4f2045514cc927c1408e571ab9e774127c0653b3ecb93ed3509f716781d504c8daea59951b7f593632591b7179d6a44961368220d7c86e983c3cf

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe

Filesize
90KB

MD5
94f532ca96995dc314f13a3f5e9787d8

SHA1
84f649682b75ecef64d53f79fc5feec97d0bb578

SHA256
105d5b0498cffb017f0b821c70e1eb49c4a0ee1d71bae6c68836d2bd43b5ce40

SHA512
7f7fa297bc97014208e67ec368f387a88f8328a6bee534a12255e229b200434f9afe2364a051a7f6e6299d09c80ed59d93a4b823b23cf68b8f7499d433612d80

Download Submit
C:\Windows\SysWOW64\Njhgbp32.exe

Filesize
90KB

MD5
d90c80f7613f353801b804fe5e7bfedd

SHA1
5736749b7b3014b874c30dc8cbcd0cba5f48605f

SHA256
d96b4def568b41f7ccbad2dba9d50e9c5062e305a338633bc151eb556860aca9

SHA512
40f1a1ee623235a69d1c4651a670deb0fc95c3d3c8e5f33ea05420e1464c7daacbd7cb3634e5e7a89623b3378c3a4ff36d9c32550338d2195e0dcc57d1f10e7a

Download Submit
C:\Windows\SysWOW64\Nmbjcljl.exe

Filesize
90KB

MD5
0e381d9c578fcf7f3c6f62784d7f34a5

SHA1
d351fda9982706813a67dae79038b3c0705532a7

SHA256
8dc2d7b808698cc3d30ffa3df2d46d68e245c8d9d395166fb4e7db3119f27012

SHA512
6081d95d661c533b8f4be569af5732cf43280f573e9fca83d1020b3da12b3c217f0386ee61b0e12240dee5a77751784259fc31c71db14e8e037ca890c0ad6d57

Download Submit
C:\Windows\SysWOW64\Nnfpinmi.exe

Filesize
90KB

MD5
50689ab4452d6c325a7c210d0e3c7eea

SHA1
43a9e6c59663b4cfe8ff2cd6217d67b26cc2f87b

SHA256
f5740084f7b6a1f589fc1f8831bc86cd97bb2f8673f6e0fb96f98a4ee214389a

SHA512
1867ddc7a47c398d31369a6530c0f300e394ad6ff11cc40d144f1da403ca93a3224a9a951fbe53cbd4f9cad04a6c7806d535019c14c01153c71ae85051ba1d8b

Download Submit
C:\Windows\SysWOW64\Nnhmnn32.exe

Filesize
90KB

MD5
496489e62c9fe6dd5755ea47daea6314

SHA1
fd9dabc2adb0d124a05df09774a0fd86c140f753

SHA256
4c2497f6957f6a008ae0663a851f3dca77b650c408f9eed0d4c28d7e4e1a67bb

SHA512
1e24768428fe5722fbab89751aa4fbe6ff878a304d92273a7ffe4511258a6a2ed06db8cf16950ca284f7b66f8e2945e186987a15a2a04ab84ae28c996d676aea

Download Submit
C:\Windows\SysWOW64\Nnojho32.exe

Filesize
90KB

MD5
fdc0e7b39dff0a80831d839880432cc6

SHA1
e4af177f02b675e55967698ac87c30566bf69130

SHA256
190b58cb7bad7439c54ef1b34e0b75d658b44815acea64db7d0452816de1a4c7

SHA512
895da6326b744af80f0d047660468da4241624f89722a4394c7eab49198d7f93baf0ad09438a3540276084c6a2b3b6e28ab041d9c29e74be7331b29ebc3fa9bd

Download Submit
C:\Windows\SysWOW64\Nopfpgip.exe

Filesize
90KB

MD5
32fa825ab766b4b73046c3a66f1fee0c

SHA1
86c65fff14b0e2b7c884fb2b7412d6b0492557e8

SHA256
6f331bad37bdeb7169d948b56da853a0bc0f2bbe54aaef89200069db2be1fbd0

SHA512
7b5b0d2a6c2051bc7dc8746d03469e2378f9714dddfca827b4d561775ab5c046152fc029c6285dac5a08d8fefeae7be03b740d978760ee9e920be7928be38802

Download Submit
C:\Windows\SysWOW64\Npepkf32.exe

Filesize
90KB

MD5
138b29be27a82c7b2bcb9d68efffe276

SHA1
0a0b5c669cd0c19790d4f8d4fef340d2df0db8a0

SHA256
ce7523b68ac02e2db9dd0d033b7692c23d0e6f6b232ddbfb37dfb5d8b27494f4

SHA512
e750736fc41c6214b8522aed200744fc8cb6463d9da2d5b2b619757719b1544af23e021bc88074a2d7cb147d81fcbd8a9bed877caef9a8ace3a8fc5b62d90165

Download Submit
C:\Windows\SysWOW64\Npiiffqe.exe

Filesize
90KB

MD5
803d0bd99524e9922f35d5150c4cddb1

SHA1
82ea36241343c7017f7c9b5e52c9428de22baf90

SHA256
51bb665112a1450136c57c27224920be0973b08be6d753ae5f7994cb2f6dd678

SHA512
7369aa9ecf6b445e06a6460cdc7f098e28e0edef339ae668be62ae0c6f07224769b85306e04d4bc271a8f2d1407e588547dcbd1b44e78b14e6f41bf26ab28ed6

Download Submit
C:\Windows\SysWOW64\Nqpcjj32.exe

Filesize
90KB

MD5
8060c14ad2cda47335cb3db51fb0dcc7

SHA1
be2b9eaebae5cabb303e05627c8174230f82139a

SHA256
513854060c8904d3ac9f8d1e4c0b17db820c76019eb3527c26b6fc39cd3ba6d0

SHA512
e55920e2acad11d03cec389b810fe36cb64c4b7c7bdbed37468b95bf8d037370ae2d90f46be50ff95da3d1bd0ce7c4d543414ce325663904793c35a89c54048d

Download Submit
C:\Windows\SysWOW64\Oaifpi32.exe

Filesize
90KB

MD5
9889af37380e1f7c6a87afbcc8567d48

SHA1
001f05ef4ff583186247fc82dbaa6c5aa4174242

SHA256
0c12b1fedc29090cc07d6e761c5317bed9bebbda9a6e290d74a33d72b63e9e47

SHA512
2406b7d5236872a6f0fe7160dfd39bf9d57a7cb5a0e919fde892df640ad929f6116261bc3372e96f634178b9ea66237c4a1629e3a712946b417e69462fe40cff

Download Submit
C:\Windows\SysWOW64\Oakbehfe.exe

Filesize
90KB

MD5
e3db52ddcd6c36e252061f6658533ac1

SHA1
e42dfe3a3c736b402838c430679897285b360232

SHA256
e09e89afe08a42742bbae6d282990de1423c381b6e04f94827086d86b02025f3

SHA512
f8044925f683ab8822882762534c5458a031f5a8338b2182da4e8194a975c01689871b6d211b6ccd7467bb1c0da0200dcd4e0c6fd78292e3953c5cac38f3fa47

Download Submit
C:\Windows\SysWOW64\Oanokhdb.exe

Filesize
90KB

MD5
088f02d103221a60bbdef29970f15599

SHA1
20db2836c371385279de0a8c2302199dca917f14

SHA256
eb9d963c20ad55cef5bb8e778781b8830d6396ff26cda2879bf2dfa71d9e5890

SHA512
2a3901c8b26489cafb0b1a5dc8ac000916c1ba88bcefa6ccbe1957f5da53131ec6ad5aa34a86ae2e6612b394ddd91b5f3261f569567254f5e2aa4916443c8342

Download Submit
C:\Windows\SysWOW64\Ofkgcobj.exe

Filesize
90KB

MD5
e5481ed7c6f133da0d6310ad5a4d31c1

SHA1
95f5ccf5c9536fb00544f5ab0ebd05ebd4d82034

SHA256
e8bba00156e91886d2f43bc598520979836276b48dc78dc3d52e1c20ba17d316

SHA512
c6cecdfe77dd5588a9c1ac844f757242ee01c3e9fc05ff8146db1035d16f4974dc726757b13ab0d0882fd1979ce5c6d6f163ae1cde3becf3c7e1330f2fa1fbc0

Download Submit
C:\Windows\SysWOW64\Ogcnmc32.exe

Filesize
90KB

MD5
6d0d8956a0192d234ec84df0011bdd27

SHA1
1b2bd23e88b25d326a1a3e63198972373a9905ba

SHA256
d12cbd9c934347482d99f7b3b1425439b100a02248086bd43b81e8cb2a324745

SHA512
b05b04ff8905e0bb67103b1806bb11d20b8e7a62f3a8aa94050fd67457d6663e10f78211fa4b5106f6664a1833f17492add2a4a971076f4c4491bb43a1644503

Download Submit
C:\Windows\SysWOW64\Ombcji32.exe

Filesize
90KB

MD5
5bed0558b58289cf0a5eeef400b0c600

SHA1
19f03eaf4ec42d274508a31bd059e2d8bc9adcba

SHA256
0ab9a1023394a388a22c19009f552ccb6451b0e8804f1eef502b8f81172526f7

SHA512
c7b76adaa73c88f6409ac5f46dd015d50456fccf3a4275bdc5f3d8a45ca4c036a7e7aa1de61731ffabfc06386eaf4f160c4f2d5667724cac4f5d260125981de0

Download Submit
C:\Windows\SysWOW64\Onkidm32.exe

Filesize
90KB

MD5
a17b593689b1dcfaa347f37c7265bca1

SHA1
6f2ce8ed4a44948b1c52e0409105d2521be9adae

SHA256
dca77bcf5cd2c254dcd5661ebc2b1c996b8a2ccd4653b7c6a4bf4cbae9a62562

SHA512
fbdef83996765b2c502b8de77ae87ebef9b8a5fcae43334564911545a6feefbc01f96dbe32afad67311dd4c2af901e8ff2b8222cd94a46ac27ff4f063db6fd41

Download Submit
C:\Windows\SysWOW64\Onmfimga.exe

Filesize
90KB

MD5
b204c639b2011bac0b13004bf642ccdc

SHA1
33df362c6c16a1c8edbbf3b9884ed747471822b3

SHA256
7ac26d3f28b1ecc0fbbd41f2ab9c1619906dc87da12c1f1f734bbbb84c394440

SHA512
1390bef2fc7e93479d698a970da92fabc9f21f9702eb6bc42c9f1733b6a2c10b6aeb4ac6303fe479ed8c77e0e0e6d2004b633dff5c9b027069944cabb7f0a45b

Download Submit
C:\Windows\SysWOW64\Opnbae32.exe

Filesize
90KB

MD5
68aaa860bbde80b4ce291efb48c63fdd

SHA1
57bc4b7a50ab3a875496b9680a67ed429efc4c4e

SHA256
9ba31548c605a9bd7f7e060851caa08fdda3328ad0f1e764a861d90793a3acc3

SHA512
720c7721e047f1767e7a276c342efe11edf4d0a3108757d5280d9727df68fa9fbdf06a9bfadd56a0ff8b6f6e9810e1c4d554c0f356f055e0a57a7df9dd2eab97

Download Submit
C:\Windows\SysWOW64\Opnbae32.exe

Filesize
90KB

MD5
49f63575031789a0de3943b95abbc836

SHA1
82a4f073aff2b75a6327878bf596152742cc47e0

SHA256
78b0966b2cb2c700b081f7d6262ca8f546db2a21a83fec4c071a7786ea5716b1

SHA512
81f0db6a0fb3ddc53605d6911ea40cabda319e115d8496392d8ae24bb4ed71074760bf89f6d06f7635689b3d8effbbc12593d2fc70c15e8a7d96776b5a09a393

Download Submit
memory/64-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/64-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/244-222-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/244-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/516-285-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/516-354-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/564-383-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/592-424-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/624-142-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/624-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/636-389-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/636-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/896-312-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/896-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1040-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1040-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1096-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1096-258-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1128-313-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1128-382-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1280-390-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1492-195-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1492-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1592-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1592-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1688-416-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1688-348-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1752-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1752-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1784-397-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1824-276-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1824-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1904-103-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2276-213-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2276-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2320-362-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2424-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2424-403-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2452-376-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2584-214-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2584-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2724-410-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2772-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2772-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2944-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2944-178-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2956-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2956-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3172-369-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3364-251-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3364-326-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3520-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3520-31-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3544-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3544-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3772-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3772-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3852-291-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3852-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3932-319-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3932-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3960-267-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3960-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4008-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4008-361-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4016-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4016-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4048-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4048-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4204-396-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4204-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4232-355-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4232-423-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4260-333-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4260-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4272-404-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4288-417-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4448-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4448-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4532-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4532-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4540-273-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4540-344-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4548-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4548-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4812-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4812-368-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4820-375-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4820-306-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4848-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4848-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4864-345-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4892-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4892-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5064-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5064-204-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads