berbew | d9efd5a6e257b2eaf4032aa04b349888a1b32e48a91f327129780eea1ba58363

Analysis

max time kernel
95s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9efd5a6e257b2eaf4032aa04b349888a1b32e48a91f327129780eea1ba58363.exe
Size

59KB
MD5

3551f0f63d8bd5c4ec943c57dde7f228
SHA1

4330330e10df1b957a5ca2869987ac8fce2d6ee7
SHA256

d9efd5a6e257b2eaf4032aa04b349888a1b32e48a91f327129780eea1ba58363
SHA512

f42e90404b18f19e64ce6e46978fafb98131635e91818ffba8c8a61885f3803e69896f7d3dd0cd946f9b4e4cdd3350ef9497189a9f45af2aeb3f8611afdefb31
SSDEEP

1536:3g5cwiS0IZw2SMNGXGjtSnWw9XyS2jw79NCyVs:3APYIZxNJjtSRF2kSes

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcgiefen.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npepkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dafppp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhpimhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahdpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpmnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfhbga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngndaccj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apodoq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajqda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opclldhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phajna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amlogfel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agimkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnafno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgphpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmpmnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Monjjgkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nopfpgip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phajna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onkidm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogcnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnjqmpgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjiipk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkibgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omgmeigd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npbceggm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nadleilm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpdnjple.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4504	Mgphpe32.exe
1364	Mnjqmpgg.exe
5012	Mmmqhl32.exe
1064	Mcgiefen.exe
680	Mjaabq32.exe
5040	Mmpmnl32.exe
2620	Monjjgkb.exe
1072	Mfhbga32.exe
3272	Mjcngpjh.exe
3576	Nmbjcljl.exe
1956	Nopfpgip.exe
1960	Nfjola32.exe
4820	Nnafno32.exe
2316	Npbceggm.exe
2628	Ngjkfd32.exe
4328	Njhgbp32.exe
2980	Nmfcok32.exe
4556	Npepkf32.exe
2424	Nfohgqlg.exe
3064	Nadleilm.exe
4660	Ngndaccj.exe
4756	Nnhmnn32.exe
2400	Npiiffqe.exe
3284	Ngqagcag.exe
3852	Onkidm32.exe
3152	Oplfkeob.exe
3512	Ogcnmc32.exe
4160	Ojajin32.exe
2012	Oakbehfe.exe
412	Opnbae32.exe
4380	Ofhknodl.exe
2572	Onocomdo.exe
4288	Oanokhdb.exe
2388	Opqofe32.exe
920	Oghghb32.exe
3080	Ojfcdnjc.exe
1468	Omdppiif.exe
1388	Opclldhj.exe
1904	Ogjdmbil.exe
1396	Ojhpimhp.exe
1764	Omgmeigd.exe
4136	Ocaebc32.exe
228	Ohlqcagj.exe
4856	Pnfiplog.exe
1096	Paeelgnj.exe
2416	Phonha32.exe
3464	Pfandnla.exe
3548	Pmlfqh32.exe
3832	Pagbaglh.exe
3088	Phajna32.exe
3864	Pjpfjl32.exe
896	Pjpfjl32.exe
4268	Paiogf32.exe
540	Pplobcpp.exe
1212	Pffgom32.exe
4964	Pnmopk32.exe
4844	Palklf32.exe
3256	Phfcipoo.exe
4412	Pfiddm32.exe
4608	Pmblagmf.exe
636	Panhbfep.exe
5008	Pdmdnadc.exe
4352	Qhhpop32.exe
4216	Qjfmkk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gadiippo.dll	Omgmeigd.exe
File opened for modification	C:\Windows\SysWOW64\Agdcpkll.exe	Adfgdpmi.exe
File created	C:\Windows\SysWOW64\Jkmmde32.dll	Bahdob32.exe
File created	C:\Windows\SysWOW64\Cocjiehd.exe	Cglbhhga.exe
File created	C:\Windows\SysWOW64\Jchdqkfl.dll	Nnhmnn32.exe
File created	C:\Windows\SysWOW64\Ggpenegb.dll	Phajna32.exe
File opened for modification	C:\Windows\SysWOW64\Qjfmkk32.exe	Qhhpop32.exe
File created	C:\Windows\SysWOW64\Phlepppi.dll	Aopemh32.exe
File opened for modification	C:\Windows\SysWOW64\Bgelgi32.exe	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Fomnhddq.dll	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Mgphpe32.exe	d9efd5a6e257b2eaf4032aa04b349888a1b32e48a91f327129780eea1ba58363.exe
File opened for modification	C:\Windows\SysWOW64\Onocomdo.exe	Ofhknodl.exe
File created	C:\Windows\SysWOW64\Apgnjp32.dll	Pjpfjl32.exe
File opened for modification	C:\Windows\SysWOW64\Pffgom32.exe	Pplobcpp.exe
File opened for modification	C:\Windows\SysWOW64\Aogbfi32.exe	Ahmjjoig.exe
File opened for modification	C:\Windows\SysWOW64\Aonhghjl.exe	Ahdpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Bhmbqm32.exe	Bpfkpp32.exe
File created	C:\Windows\SysWOW64\Okhbek32.dll	Conanfli.exe
File opened for modification	C:\Windows\SysWOW64\Oakbehfe.exe	Ojajin32.exe
File opened for modification	C:\Windows\SysWOW64\Pmlfqh32.exe	Pfandnla.exe
File created	C:\Windows\SysWOW64\Apjkcadp.exe	Amlogfel.exe
File opened for modification	C:\Windows\SysWOW64\Agimkk32.exe	Apodoq32.exe
File created	C:\Windows\SysWOW64\Cglbhhga.exe	Cdmfllhn.exe
File opened for modification	C:\Windows\SysWOW64\Cocjiehd.exe	Cglbhhga.exe
File created	C:\Windows\SysWOW64\Dkndie32.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Mnjqmpgg.exe	Mgphpe32.exe
File opened for modification	C:\Windows\SysWOW64\Nmbjcljl.exe	Mjcngpjh.exe
File opened for modification	C:\Windows\SysWOW64\Omgmeigd.exe	Ojhpimhp.exe
File created	C:\Windows\SysWOW64\Cedckdaj.dll	Pnfiplog.exe
File created	C:\Windows\SysWOW64\Mqnbqh32.dll	Bhpofl32.exe
File created	C:\Windows\SysWOW64\Idaiki32.dll	Phfcipoo.exe
File opened for modification	C:\Windows\SysWOW64\Adfgdpmi.exe	Apjkcadp.exe
File opened for modification	C:\Windows\SysWOW64\Aokkahlo.exe	Agdcpkll.exe
File created	C:\Windows\SysWOW64\Nchkcb32.dll	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Hilpobpd.dll	Monjjgkb.exe
File created	C:\Windows\SysWOW64\Nnafno32.exe	Nfjola32.exe
File opened for modification	C:\Windows\SysWOW64\Qdoacabq.exe	Qaqegecm.exe
File opened for modification	C:\Windows\SysWOW64\Bdmmeo32.exe	Aaoaic32.exe
File created	C:\Windows\SysWOW64\Bhblllfo.exe	Bpkdjofm.exe
File created	C:\Windows\SysWOW64\Biafno32.dll	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Jcleff32.dll	Ngjkfd32.exe
File created	C:\Windows\SysWOW64\Adfnba32.dll	Nadleilm.exe
File created	C:\Windows\SysWOW64\Omdppiif.exe	Ojfcdnjc.exe
File opened for modification	C:\Windows\SysWOW64\Phonha32.exe	Paeelgnj.exe
File created	C:\Windows\SysWOW64\Ogakfe32.dll	Pffgom32.exe
File created	C:\Windows\SysWOW64\Qjiipk32.exe	Qfmmplad.exe
File created	C:\Windows\SysWOW64\Geqnma32.dll	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Chnpamkc.dll	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Npepkf32.exe	Nmfcok32.exe
File created	C:\Windows\SysWOW64\Pjllddpj.dll	Bpfkpp32.exe
File created	C:\Windows\SysWOW64\Bhqndghj.dll	Bajqda32.exe
File created	C:\Windows\SysWOW64\Aijjhbli.dll	Cgifbhid.exe
File created	C:\Windows\SysWOW64\Dgeenfog.exe	Ddgibkpc.exe
File opened for modification	C:\Windows\SysWOW64\Mcgiefen.exe	Mmmqhl32.exe
File created	C:\Windows\SysWOW64\Leilnmkp.dll	Mjaabq32.exe
File opened for modification	C:\Windows\SysWOW64\Ngndaccj.exe	Nadleilm.exe
File created	C:\Windows\SysWOW64\Oakbehfe.exe	Ojajin32.exe
File created	C:\Windows\SysWOW64\Ojenek32.dll	Opqofe32.exe
File opened for modification	C:\Windows\SysWOW64\Ogjdmbil.exe	Opclldhj.exe
File created	C:\Windows\SysWOW64\Dbdjofbi.dll	Pagbaglh.exe
File created	C:\Windows\SysWOW64\Eignjamf.dll	Adcjop32.exe
File created	C:\Windows\SysWOW64\Nphihiif.dll	Oghghb32.exe
File opened for modification	C:\Windows\SysWOW64\Mfhbga32.exe	Monjjgkb.exe
File created	C:\Windows\SysWOW64\Mjcngpjh.exe	Mfhbga32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6060	5764	WerFault.exe	218

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngqagcag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oakbehfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paiogf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdcpkll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpmnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opnbae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opqofe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpfjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaenbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbgkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chdialdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oplfkeob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onocomdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhocd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfkpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjaabq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojajin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhhpop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngndaccj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdoacabq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpdnjple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcgiefen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaoaic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlfqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplobcpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panhbfep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aokkahlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cglbhhga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opclldhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfiddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjcngpjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npbceggm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocaebc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paeelgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmmeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhkfkmmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknlbhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgphpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjiipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adcjop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgelgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjknfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngjkfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onkidm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhmbqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnjqmpgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npiiffqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogcnmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkgeainn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklhcfle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adhdjpjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aonhghjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhblllfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nopfpgip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boldhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmmqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkdjo32.dll"	Nfjola32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npepkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngndaccj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphihiif.dll"	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gikgni32.dll"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiapmnp.dll"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdoacabq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aogbfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjknfnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqnma32.dll"	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaohg32.dll"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dgeenfog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d9efd5a6e257b2eaf4032aa04b349888a1b32e48a91f327129780eea1ba58363.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nadleilm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adfgdpmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opnbae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhmbqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajqda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfmmplad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amlogfel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampillfk.dll"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkkam32.dll"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbddbhk.dll"	Adhdjpjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqceofn.dll"	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll"	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgeenfog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcngpjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmfcok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boldhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d9efd5a6e257b2eaf4032aa04b349888a1b32e48a91f327129780eea1ba58363.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nopfpgip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjola32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifomef32.dll"	Opnbae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckbcpc32.dll"	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjiipk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Difebl32.dll"	d9efd5a6e257b2eaf4032aa04b349888a1b32e48a91f327129780eea1ba58363.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npepkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oakbehfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikemehi.dll"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmpmnl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfhbga32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 4504	2916	d9efd5a6e257b2eaf4032aa04b349888a1b32e48a91f327129780eea1ba58363.exe	85
PID 2916 wrote to memory of 4504	2916	d9efd5a6e257b2eaf4032aa04b349888a1b32e48a91f327129780eea1ba58363.exe	85
PID 2916 wrote to memory of 4504	2916	d9efd5a6e257b2eaf4032aa04b349888a1b32e48a91f327129780eea1ba58363.exe	85
PID 4504 wrote to memory of 1364	4504	Mgphpe32.exe	86
PID 4504 wrote to memory of 1364	4504	Mgphpe32.exe	86
PID 4504 wrote to memory of 1364	4504	Mgphpe32.exe	86
PID 1364 wrote to memory of 5012	1364	Mnjqmpgg.exe	87
PID 1364 wrote to memory of 5012	1364	Mnjqmpgg.exe	87
PID 1364 wrote to memory of 5012	1364	Mnjqmpgg.exe	87
PID 5012 wrote to memory of 1064	5012	Mmmqhl32.exe	88
PID 5012 wrote to memory of 1064	5012	Mmmqhl32.exe	88
PID 5012 wrote to memory of 1064	5012	Mmmqhl32.exe	88
PID 1064 wrote to memory of 680	1064	Mcgiefen.exe	89
PID 1064 wrote to memory of 680	1064	Mcgiefen.exe	89
PID 1064 wrote to memory of 680	1064	Mcgiefen.exe	89
PID 680 wrote to memory of 5040	680	Mjaabq32.exe	90
PID 680 wrote to memory of 5040	680	Mjaabq32.exe	90
PID 680 wrote to memory of 5040	680	Mjaabq32.exe	90
PID 5040 wrote to memory of 2620	5040	Mmpmnl32.exe	91
PID 5040 wrote to memory of 2620	5040	Mmpmnl32.exe	91
PID 5040 wrote to memory of 2620	5040	Mmpmnl32.exe	91
PID 2620 wrote to memory of 1072	2620	Monjjgkb.exe	92
PID 2620 wrote to memory of 1072	2620	Monjjgkb.exe	92
PID 2620 wrote to memory of 1072	2620	Monjjgkb.exe	92
PID 1072 wrote to memory of 3272	1072	Mfhbga32.exe	93
PID 1072 wrote to memory of 3272	1072	Mfhbga32.exe	93
PID 1072 wrote to memory of 3272	1072	Mfhbga32.exe	93
PID 3272 wrote to memory of 3576	3272	Mjcngpjh.exe	94
PID 3272 wrote to memory of 3576	3272	Mjcngpjh.exe	94
PID 3272 wrote to memory of 3576	3272	Mjcngpjh.exe	94
PID 3576 wrote to memory of 1956	3576	Nmbjcljl.exe	95
PID 3576 wrote to memory of 1956	3576	Nmbjcljl.exe	95
PID 3576 wrote to memory of 1956	3576	Nmbjcljl.exe	95
PID 1956 wrote to memory of 1960	1956	Nopfpgip.exe	96
PID 1956 wrote to memory of 1960	1956	Nopfpgip.exe	96
PID 1956 wrote to memory of 1960	1956	Nopfpgip.exe	96
PID 1960 wrote to memory of 4820	1960	Nfjola32.exe	97
PID 1960 wrote to memory of 4820	1960	Nfjola32.exe	97
PID 1960 wrote to memory of 4820	1960	Nfjola32.exe	97
PID 4820 wrote to memory of 2316	4820	Nnafno32.exe	98
PID 4820 wrote to memory of 2316	4820	Nnafno32.exe	98
PID 4820 wrote to memory of 2316	4820	Nnafno32.exe	98
PID 2316 wrote to memory of 2628	2316	Npbceggm.exe	99
PID 2316 wrote to memory of 2628	2316	Npbceggm.exe	99
PID 2316 wrote to memory of 2628	2316	Npbceggm.exe	99
PID 2628 wrote to memory of 4328	2628	Ngjkfd32.exe	100
PID 2628 wrote to memory of 4328	2628	Ngjkfd32.exe	100
PID 2628 wrote to memory of 4328	2628	Ngjkfd32.exe	100
PID 4328 wrote to memory of 2980	4328	Njhgbp32.exe	101
PID 4328 wrote to memory of 2980	4328	Njhgbp32.exe	101
PID 4328 wrote to memory of 2980	4328	Njhgbp32.exe	101
PID 2980 wrote to memory of 4556	2980	Nmfcok32.exe	103
PID 2980 wrote to memory of 4556	2980	Nmfcok32.exe	103
PID 2980 wrote to memory of 4556	2980	Nmfcok32.exe	103
PID 4556 wrote to memory of 2424	4556	Npepkf32.exe	104
PID 4556 wrote to memory of 2424	4556	Npepkf32.exe	104
PID 4556 wrote to memory of 2424	4556	Npepkf32.exe	104
PID 2424 wrote to memory of 3064	2424	Nfohgqlg.exe	105
PID 2424 wrote to memory of 3064	2424	Nfohgqlg.exe	105
PID 2424 wrote to memory of 3064	2424	Nfohgqlg.exe	105
PID 3064 wrote to memory of 4660	3064	Nadleilm.exe	106
PID 3064 wrote to memory of 4660	3064	Nadleilm.exe	106
PID 3064 wrote to memory of 4660	3064	Nadleilm.exe	106
PID 4660 wrote to memory of 4756	4660	Ngndaccj.exe	107

C:\Users\Admin\AppData\Local\Temp\d9efd5a6e257b2eaf4032aa04b349888a1b32e48a91f327129780eea1ba58363.exe
"C:\Users\Admin\AppData\Local\Temp\d9efd5a6e257b2eaf4032aa04b349888a1b32e48a91f327129780eea1ba58363.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\SysWOW64\Mgphpe32.exe
  C:\Windows\system32\Mgphpe32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\SysWOW64\Mnjqmpgg.exe
    C:\Windows\system32\Mnjqmpgg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\SysWOW64\Mmmqhl32.exe
      C:\Windows\system32\Mmmqhl32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5012
    - - C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1064
      - C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        38⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1396
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1764
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        44⤵
        Executes dropped EXE
        
        PID:228
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        47⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        57⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3256
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        61⤵
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        66⤵
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        70⤵
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        71⤵
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:468
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:408
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        85⤵
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        96⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        98⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        107⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        108⤵
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        111⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        112⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        117⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        120⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        122⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        123⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        130⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 400
        132⤵
        Program crash
        
        PID:6060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5764 -ip 5764
1⤵
PID:5972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
59KB

MD5
0fb625e97743fab69526ae2fa6a72ee1

SHA1
3c7eb3f3df3614cb677cad9c96e137a1eea536fd

SHA256
fd37159316adf30bac8387998c13720810acf3813d47f616c46733790247ce4e

SHA512
6daf0353ae8d15b225c84e30494e6a03873883eacbbc6de71dcdbf11e3e37e4fc97898a5c6e7ad75a3fd9fcff723ffd17e6c733914a501dab3026281065e8923

Download Submit
C:\Windows\SysWOW64\Bhblllfo.exe

Filesize
59KB

MD5
b3e9280cda94bb1f454a017a8b4b3f93

SHA1
b20dfca2a39eb75a009e35314228264230001b29

SHA256
8e5e73b0a89f2e9fa1fb6c3e2d716ebb08ad3488d177dc0cd805e04bb3558eff

SHA512
2b299f554627cd2747ccf3944ae323ea2638b152bc9589c357eca33ce8efecba1d1921f8feff1ffc1b87a51b679e272b2501b2b8cd8a54570ba4891755c00c0f

Download Submit
C:\Windows\SysWOW64\Bpfkpp32.exe

Filesize
59KB

MD5
e231039910d516737f20404ed4c47d9b

SHA1
5feebf6ed4c506483106484158d20f50f31cda77

SHA256
a4db7d7beca7e46ba68d1d1b501ecde210d493aa58668bae52424580200e8fd9

SHA512
a227ec9cc24baae1e31c2ead4807799b3a6480501e33493dcb0042600c00c7ce7478b6f42718f4808d39c0bd3ef7280756918b4b7944d51c82029ed03aed91aa

Download Submit
C:\Windows\SysWOW64\Cdmfllhn.exe

Filesize
59KB

MD5
91e3d49688ae8340902b0bb2e307223f

SHA1
510c8b3ab689a5eb84ce47bc33994d10f90596a6

SHA256
091e9116350149f48cd564c9e110b5a185d0006f4d4048cf05d0e685978752cf

SHA512
8cfd3f245bb4bac596f805c058404aaf389169e9b98279d19b569a388e9048d351422b23422471a79916e1a1853a57fc5e72c9c8cbd2facb42d7c03a8b969a1f

Download Submit
C:\Windows\SysWOW64\Cgifbhid.exe

Filesize
59KB

MD5
9c502732f9c5f44eebc971c824a30c05

SHA1
91ba6f218fbae51a31d6272e313d61c22ecb46a2

SHA256
bbd5a67f9efe89d184c7d1a474d6c432c44c30e714aaa67a7ad7390da362fba9

SHA512
55a9f3bccd628aab3f53f16725422206efc65bb7e37559c2dc07a3cff345bae9ea772c02f70ab61d12423119bfb5e52be34a172755ed01e7543d908aab67ddca

Download Submit
C:\Windows\SysWOW64\Ckjknfnh.exe

Filesize
59KB

MD5
b0372a5e0ee2e75204ed644c395a544e

SHA1
b2c56285409e971893332029cea13d35f55332b1

SHA256
fe825191dd422f1d6e84487c724b912fac59752659b00ad6797c036737bfc12a

SHA512
3e89712e5af8dc4160ac31810e857782bf029283ce15b7a227267f01a3a2fe9675a3b79cac82d8bf60fcccfe387ce26158fd589f5934522223cde4d3c0cf3c1c

Download Submit
C:\Windows\SysWOW64\Cocjiehd.exe

Filesize
59KB

MD5
3047b81cd598f18fa1f646ac535c658a

SHA1
b87f29cca8c683e29ff80361590602134f5f4753

SHA256
a6d0ce4bde501631419c9aea66499d58b557b2d13b5f8437e141d49b50b95355

SHA512
0aa63310f2bcd2dd36c735e93e9198ba6cb814c4cd5369c7204a504cf71c5efcc9c7e1a7a368a44dc9c01c312f1d6c46031833768d0b20aa277fb33ebf2841aa

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe

Filesize
59KB

MD5
145a4f7adab89acb5d4815d8b209c7da

SHA1
5a89eddf36835735fcfdba1ab7a48dac1cf6eb7c

SHA256
6a0bcd87fc8f381a5d5ac9d015690c45663da256924398863f7f0eefe884833a

SHA512
c05b17129f4b512e1e7181300227af3655b1b73e60bb2e87a5baa4d9eac0e1187348b930d171d210f38591b499ee4b133b34930bb8f1eb0f0c8d3b766c55dbca

Download Submit
C:\Windows\SysWOW64\Mcgiefen.exe

Filesize
59KB

MD5
ea6d075b44d3edaa2d1409815f216014

SHA1
abae9a89f5e5c137861bbcaddce5c2e8a3244b5b

SHA256
14495452be42071cfb3bd439f966b345c5e2b763695c21b0baa12f64c24d6251

SHA512
88fb1b22a9ef8b8a2ad8a3dcd4a8b97fc108ef9ef993022c07c7325709a867adc36ea8bcf2d93bb5139b294ddd786e3c91159bca2b4eb7c69970a3d88e2d9622

Download Submit
C:\Windows\SysWOW64\Mfhbga32.exe

Filesize
59KB

MD5
b6b429249ede656099aba190547dddb6

SHA1
54e7b5bfe2d2e1639fc4f7579103cd0c50fd7f63

SHA256
946dc9662e7746412e8dc991dd1a0d42e889a2dc84747848937dada06457a4de

SHA512
9997f806999050636c05813d506926f03474e8ba7a91a2609ff3955991165cf895948fc7820606724cdc236152b56a42354275d438219f2e5022e25ea039aaca

Download Submit
C:\Windows\SysWOW64\Mgphpe32.exe

Filesize
59KB

MD5
437ba8f4b6b8cea3ac3e6b1918a28054

SHA1
76b76788c87ac64549b0bd3339f305d6eac42812

SHA256
9231718387024cde30c0f2839b528f0358f0c53c6ccf40e235c35b76162deba3

SHA512
ecddb669131a9e41cfce4d5335caafac681bfba607c3d600a3618eb48026c6487656a27a98a9263ae5fc4f231d44495b81017995835fd26245d0310e0194ed9f

Download Submit
C:\Windows\SysWOW64\Mjaabq32.exe

Filesize
59KB

MD5
473240742f5bcf553131cb1a4cc60b20

SHA1
29a880e1dd7ad2fad35b7a26a8ae048b2a5a9201

SHA256
5d9820a216b83a7fa5c2a766d77a2d60f217b2f4b9024dd68960b36e4b26df4e

SHA512
bb23279a85756a7c1e8ee957ad9dd4f3e9aaddee054971b052e4a858077e287e3d468a8d48973e89ac37f414ef8ec0892676bc303e97e35318d5ffbe395c2777

Download Submit
C:\Windows\SysWOW64\Mjcngpjh.exe

Filesize
59KB

MD5
528d1b8f03c27325c4229eb67c86ad0b

SHA1
79d05c4f9d4fa51824dde2de2c9bb53f998aa607

SHA256
d7b3a6b5a8830ea7259be661a7f9111552d7523f1d292ca233c14da909a5f887

SHA512
cfc2db156262309ed2e86f55272ad4ef9c070c2497dd81cfc66b080641569e950a2e365bd7009758ab143669bef4c57d11c58a9adb47a19767b9cf3767f30fe6

Download Submit
C:\Windows\SysWOW64\Mmmqhl32.exe

Filesize
59KB

MD5
c4ff0d91a60bc668c372f279c1914749

SHA1
8608305a5347816e81b2b8d9f0cebd3dab9b9e36

SHA256
02d89f844f84c2f6c10e6d380ce6419e1029170241535434a1a7eeb1cc034224

SHA512
11ed7c243b8b3f3149f7f90fba98f1789497626261e0f94938b799d600fea433dc4a4a2c9c268842a0817efbd9c671a545f53ed307836ae284b9473a5aeb22e3

Download Submit
C:\Windows\SysWOW64\Mmpmnl32.exe

Filesize
59KB

MD5
2ecc5de123be425adb39c614d337fc15

SHA1
3e62821c15d1fbb664faeb2ab9563a8c47f394e6

SHA256
105d144d170b5a50f2d21e6ff25f2e641da7a77a137a256c406638d73922b9fc

SHA512
c2acb4a8bba1f6b4707459bc71285521e00e9ac6204d9ff36bae34cead2ed68f554b296e9325da60432ee2065731ffa54cb41cd9e01ab765e0a365c73b40dde4

Download Submit
C:\Windows\SysWOW64\Mnjqmpgg.exe

Filesize
59KB

MD5
c38968345c3f18b92f60dd3045ef8478

SHA1
72c69ee6dc9381bb39f2f2998c5fc16a51bf4f1c

SHA256
b5c8e62f10ade5f8c21c30347072743f0202aad4d999738bfd0da5406a4546a7

SHA512
722c6f2ea37721e081acdc4ac51eb903d8a807c36a9784d32a2f6fb11b076b8255a9ba5fbfae3f63096437398df83ca97fe7eee1f304d5d5df3de072dbf8d023

Download Submit
C:\Windows\SysWOW64\Monjjgkb.exe

Filesize
59KB

MD5
a9b03536044c7a2563f31c9f73dda6bf

SHA1
f8b408751a24f07793c9246310cd388ca6c725bb

SHA256
2e839f41ad469bc56709c9d5d934950bd1ae38c545d6524bafa378d20c32fc80

SHA512
d72bb6eaa99186c23c52ab92bb19f516294f2de5e6fdc8846595308f0529cb350cc0f5af3e0c5a9b5565ff1f3555eeefcea13787f34b878f5c856a4e2aaea95d

Download Submit
C:\Windows\SysWOW64\Nadleilm.exe

Filesize
59KB

MD5
bdf5380f4f67a29f4b898b2120ba832b

SHA1
de7aaa8999cde053beb7c171f14332719e769cb4

SHA256
e19d3de12f89036f8059469283f1eb219d8143c2a5b7e36e4e36315f6b33babb

SHA512
ea61daf96c7785a7d039f72f6ef34314a7688c27164a12f0ec609a721de2538b972636294a489c011a314f6caa9a83e1fb9838b46c2e4bc9da3cf48cea9e650f

Download Submit
C:\Windows\SysWOW64\Nfjola32.exe

Filesize
59KB

MD5
35c6fbc14e8ef47efbd9457609ebfa92

SHA1
fd374bb819e0601c8651be18e85e5b35c46e72f7

SHA256
af1332d085a7b8a5d16f89970bd8685798f3fd829c4ede97e60e067247658634

SHA512
2ee3c415f9e240852240f3814a21c331ec8330f8952e5dab933637b68315d0a10cb04fa8ba58df936725ab5ca8680f033416085a5a65d1ab31518390a62c576e

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
59KB

MD5
939be91e8c844c1e58fab9eface083e8

SHA1
1a29502e7eeaf6750fd050b5588fce31a1dd3fba

SHA256
b0552994392076c61d274bab2cd25ea8a5b56a40522a13680feb988b1bc71dc8

SHA512
9a1f70f7a256d3265ce35aa5966e44692ee7d583977f44d4134d1bf89d07b571fbff5658955c73b5ff1b21fa2764b692a84a8d75f74670f9da9ad43837a0183b

Download Submit
C:\Windows\SysWOW64\Ngjkfd32.exe

Filesize
59KB

MD5
0254a82ccc300e1274b50d566f2ffdcf

SHA1
800394c7359550bc1af27b4507f37ac5975fbf1b

SHA256
56dc8b5cd48957b6f65116ff7e2e03d6be8776c9844a49776bd68a84d66eae16

SHA512
6203765f443bb9c6fa3b4046a83f7ae10afa407cebca328af48ec500b2472efb619985fc876bb1fa71eb690d7a62e14f10aee6da9cd332a48a9441c856faea54

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe

Filesize
59KB

MD5
38f1c3bf4db9e7c2b0574d8e4e0444f9

SHA1
9372504a3ac690b1b5cdd3a54581b289ac0f2f1a

SHA256
a1c26c6b03d5399cfc9bb927f145992782d6e6ce4a4b27363c4c08a6cd67b0f7

SHA512
eee6434ac06003c0b36f92a74f7c3c7e2d11aed60fbfa06bee755e54e023a5f477ef0cbfbf06207b5110f4a7180b1e3c74fd04dcd3beeabcb7e9e413aef0dc1a

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe

Filesize
59KB

MD5
6175d054df5aff75186dd23e0c7e3169

SHA1
8db2739ec3db117200b36d09b39236a9df28fa9b

SHA256
1a7aa1a5194305879d908d7775647c653af5b83216e359becd436696c8d59985

SHA512
7c3b35c0131fcc4374aab4d8ec7db38a0206cdb3f7499fbd690b8b5339c72a9ce1975c13c7e553acddb1b7517ab51498d8ee305b261a12994b3a6932fba7dc98

Download Submit
C:\Windows\SysWOW64\Njhgbp32.exe

Filesize
59KB

MD5
1b94abdc1a8172b22d0a07afe2985057

SHA1
a023bf08bf9eff90aded30d6399c15db3762a5a3

SHA256
06e9f067b23a58260d7e677203f65f8209db557dc5668371119d7714326066bc

SHA512
ecae2f6a29a7ba79a1986e6fa35d5cc0d458fc186e4cc76823f590049bd6bc09be26ffb6caaf527a6c5e786f352cbaa0a46c8253269d8d57f76f0cf5cb13f8ba

Download Submit
C:\Windows\SysWOW64\Nmbjcljl.exe

Filesize
59KB

MD5
c46ac271d9d1eb2d94981a41f774b60c

SHA1
5c4cebf60a580ac8bad26ffd93d8634179944780

SHA256
01f17471e09c6cbc6f9cfca6bfb5f3b9417d856affec5790a89ab0ce8a363628

SHA512
92344d37113504a24992aa3b1f1226305fae92c40238126c3c31f39f3fcc66aacfe5b34da21717b64834b34232041e296e7cc3256fd1cf2dcabdb84bd9c9f2c5

Download Submit
C:\Windows\SysWOW64\Nmfcok32.exe

Filesize
59KB

MD5
e03e779d382c58ddf9d78d038c35afb9

SHA1
76f8d5e5020ff7f68e5f1d2aeb5c3b66d15a2061

SHA256
19ed92e53a1d7bb9467b6523a8a47da8a766dfe672a8ad102c60e52c0ca22611

SHA512
a667fc86c46440ed08f46d7c4712bcf9aca3be81cffa136d1a5753cbac45c30103508715d949ac1a6988bad0cc3abffdd4284a521fe0941e413e202233a17b98

Download Submit
C:\Windows\SysWOW64\Nnafno32.exe

Filesize
59KB

MD5
15b740a39d273faf5a2e46e8a0ce5e40

SHA1
6a59650e1f3cc3961c0ac0491080c28a0e1c5629

SHA256
ca979cc75c709a2b919f1f9db888941f1614407885ab2c1fc4de377f36b67b3f

SHA512
4bce3e2353547460c261dbe35dd506bd6ab77202ef98af6b641ee3a1c5f09a8b658f83ad4da18077d3d1151fefe80e7df70ce7f159a7587673fab646cedd98a6

Download Submit
C:\Windows\SysWOW64\Nnhmnn32.exe

Filesize
59KB

MD5
fe0a06bb2fb3dc6152cb5b0ecdef7388

SHA1
5fea40603eb8e470d0399a6185de14664ad7ae2d

SHA256
6b56b9a70958819944a83eaa292791691fc0a4821aeeb60ec872edc9bf6d2296

SHA512
ac29416806861134cd0bcfde15c8deb8afc716e1dbec80cc7cbceb40613147be40c508dcb002d909d7d881c2e61c98d16e65cae9baceaef81640fa75eaf506f1

Download Submit
C:\Windows\SysWOW64\Nopfpgip.exe

Filesize
59KB

MD5
ffd9181c4dca51d85c55156687e55d86

SHA1
7f514f671ef869ddec6f6ca28ed2ec655f1ccd8d

SHA256
0ae98c1678c9cd1527a2351c2169f73f566dfa3231058097fa638713ec88a97d

SHA512
357fcad8e80c9450edbdf636fa426c6d530a9f58b8b7ff482ebb7f199fcf7e3999b3bab36de3049cc9425bf44e5d8f377e4212569b4255c7569191644649eb88

Download Submit
C:\Windows\SysWOW64\Npbceggm.exe

Filesize
59KB

MD5
a849b78dcb26ad2df04807d79b49f283

SHA1
5eafb6f8b1480957fbad951956d6f5294ec1c812

SHA256
feea6639d3e246d1af2f5ae0458c0f1c92a5964fcb517028358097cfdb892c65

SHA512
9ef60cf056494d5b00f159bd736716a2f9ec3716ad3284512acc5831584f3f9e0e7d00ec5e587dfdc2685ac3cc7b1a620c9027ef33eb0d3e8ef168211b95501b

Download Submit
C:\Windows\SysWOW64\Npepkf32.exe

Filesize
59KB

MD5
4d98ec525f6507b6c4bb1c154a924a63

SHA1
dd3ef8253ffd1f4fdcf39c93e9c7fdc7e256eef3

SHA256
9c9710f359998ddf1d6e2fd7704fbf443283511c240dd83e359e21f02c81b8ae

SHA512
907d4bc52b230ba96df9a16027f99c0faf808c23e7ad48ab8e945589fee78c81d06a084f2a2eda3d123306fc00f0fb4b69e22d83fc114a2f4e212080f50a06e1

Download Submit
C:\Windows\SysWOW64\Npiiffqe.exe

Filesize
59KB

MD5
8b310ffacde85a45a4a4ca6b69444c66

SHA1
3fd51972d6b854b95b3fdf008804082e45834edb

SHA256
87582235d9fba33e64db52263270bdab08deb5f93c355502264da681360923cc

SHA512
875681303f1bece0f3fa2e386f3c815763b97ad3af7498b11272eb6a6b6fc7042b12da5d62b5bd37451d5894103417c252d1e8419afb4d52f9aa8fa813f213f7

Download Submit
C:\Windows\SysWOW64\Oakbehfe.exe

Filesize
59KB

MD5
792e0eaa0c3aac9254b10c7c59ba8b25

SHA1
c72b153e8fc57c8313252d1afdc7264bc894ba7e

SHA256
6e0fac83061bfd8c7b29bfa67855dba2e93f6f868c800002dcbfeb463ea6d340

SHA512
a20112a7e0eda1398669d5ac1c5ca854d747becd3795ac8b5f8c4da10eacdcf6eaca2de2a1edc75acd49c7bfa4df86fc26b2ae54aef2ad6942b7e187dedf72ea

Download Submit
C:\Windows\SysWOW64\Ofhknodl.exe

Filesize
59KB

MD5
4fda614cccd0b9bbdff62a72f9d4d3a2

SHA1
a1cce95173c80fa040c934148e861222adb8784d

SHA256
1f6a1c9b4a6964ce9bfc6f1b0ca293d20c62fe8649924ab0bc6f7d2ecb31728e

SHA512
e18b3686fa13465e35c6f3d8ba1a590a2f36899c1f1dcdb0ae416c059beed678d381a84a27fef68d4176f8a6649ab4439bfc960da1d3d87354b639040d3c6e62

Download Submit
C:\Windows\SysWOW64\Ogcnmc32.exe

Filesize
59KB

MD5
df1de5f286aa1ff52a8bd98f53532245

SHA1
652880b53980b4897c7ab9d48424f7049248f972

SHA256
14e4d16338455eb143a42ea612b15370d0bdbbdcc5e5705d4661785521986080

SHA512
a1a2f078b154418ab78e284991f69b6d691a769a557fd839398fb212b724bba9c1fe3f94df254203e9338fb6c7c264aaea13291a3ceb59cd940069bc5a27b993

Download Submit
C:\Windows\SysWOW64\Ojajin32.exe

Filesize
59KB

MD5
38a23feabd4415d2362b717db0934119

SHA1
165e50da4bece9edee71d667087cdc8f2f11cb96

SHA256
7124a43518a001d5a0b8fe1de272e61747115a9ece71ff524aaccf1cabadb0f4

SHA512
790d1cc00c3aedcc7646883d637589fc492a9c52cc9004d7367fcc05b4e467af92f25474d3626192d8734de63d239016bb33640be758b6babfce42d4753f10dc

Download Submit
C:\Windows\SysWOW64\Onkidm32.exe

Filesize
59KB

MD5
806ec8a7d9cc593ef6bcd38d98ee5b5f

SHA1
1f5854d761347238ce64191c117448d7734389fc

SHA256
69249142092accb8adcc6cc96e6eaa4ebcb93d1e19e647ff5ae859821c6ea90a

SHA512
f78bd55aad2ff0761cbb8a812169102ab8e0bbb4f68adfa692a265667e514e5dd590436a7d3c81bde4188ace01de057f86d7803846b697eb3224ddb0a3e98c97

Download Submit
C:\Windows\SysWOW64\Onocomdo.exe

Filesize
59KB

MD5
2eb8a479cb8a1af2c5a31e049d1b6bd4

SHA1
80358f29808a0f684e03ad941b0106677c97d60d

SHA256
6249e6e6768c1a35d76597cf7b545d10af69e2d7e7d94a3893cc5c4e9afe9f45

SHA512
cc08bcb281b2e7d901d331ee9bc8fefd49ff55708137b25df669ae6f8698074d3c08c36ddef22b1996933c3fff59de9235d5585089ab673ea3a1fca8d66c9a5b

Download Submit
C:\Windows\SysWOW64\Oplfkeob.exe

Filesize
59KB

MD5
a625dd7aae5a39705059ecc2a760735d

SHA1
91f14e1cf3cc2060da363d7eca23578d72fb094e

SHA256
373ca4cc6722dd2f5d78c28564753596bc939834fd50402556dfa5b9ec82b212

SHA512
f06a156c0e885c7080ab0ef235b5c0634f0e85da5a658c2582db2adcc06cae797fb5d06a85053449a6681691c31bd5991ef6857684a4a86a8bfa0837efe2ecd0

Download Submit
C:\Windows\SysWOW64\Opnbae32.exe

Filesize
59KB

MD5
f46b68ef2f6db97901e4f28dd6d373ed

SHA1
a9b5399cfe666f04b7bccec700b6983ec2dec073

SHA256
de420a4bb75554dde7f6c8c135be225222757a8cf4b8f5b21c1ac600d5688fad

SHA512
b0efd4e97f0904a06cc81753a4d622fcb9b378f384f3799d292d7c92c7afc4021952a4c9988bc5e0fe8a7322af6a0e0af86f621b5ed66997fa48cd26227e57e5

Download Submit
C:\Windows\SysWOW64\Opqofe32.exe

Filesize
59KB

MD5
81468a77a6fc358ec4934dfbde00bc00

SHA1
c2a422303bee657641c237168fe349a72a72a76c

SHA256
88a3cfb4fcb8a1fc62fefaaa74bc71b4595a96660a27cfe217795f3c575ddd57

SHA512
c65eb50afb8d10440aeeb7b9365b8fb79a56a1d79c74d4c49415cfbb0c24d62a4909cf6bd897cf9515e0031eaa577137ff14d43d48715f3c811ccdb29f06896e

Download Submit
C:\Windows\SysWOW64\Paeelgnj.exe

Filesize
59KB

MD5
11abd4a0ac0663ab59b5979667fec55d

SHA1
3e277fdcde2df30c9396b9630aac03cc70623a06

SHA256
3657b410bf800e7ebff23f785f8a3781d089907c478b6ba94c2ca1850f87d574

SHA512
236d2951631d6c98a6f50ed39b5c6c3bfb2fe7943227e011995910344481a06a2807c32de5f16f6a34cca8c7ee25f4daf3bba627a1bda6eb56db182f6ce1d03c

Download Submit
C:\Windows\SysWOW64\Pplobcpp.exe

Filesize
59KB

MD5
b37f069a0ddf646b059746369d1af5f7

SHA1
a511a0c36ccd73e19093d88157f55274e1ef5079

SHA256
fe664403cd218fe5ba02dae87ba87b31c47bd0665af8f2be559d621fe1eefd87

SHA512
13dcbc2de0073801abd400fa0303c2979f25f93075286b14732233c06d39039891b37efcdc77e2afb29243e1f1a0c942969810c4e27c4e83125dd1e9784bad7e

Download Submit
C:\Windows\SysWOW64\Qfmmplad.exe

Filesize
59KB

MD5
dfd1381717b9b6dda0132a0b7961f3df

SHA1
35f4b88390993808af0f858f57d5c88e973b4810

SHA256
1f67f5713c282abbff2a834e5c70c781470888eac66cde87be221509db068126

SHA512
2d77bff1de8f81a3e47b062624faf3527f9cf1b99ec75638d79f83cbd9f02c0dd4846c43b079237cd235436ae43b59a4141375517a2f8450b290805e7df2ea41

Download Submit
memory/228-322-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/408-561-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/412-240-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/468-540-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/540-384-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/636-426-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/680-574-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/680-39-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/896-372-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/920-274-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1064-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1064-567-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1072-595-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1072-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1096-334-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1172-485-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1204-509-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1212-390-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1364-20-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1364-553-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1388-296-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1396-304-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1468-286-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1764-310-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1904-298-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1956-88-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1960-95-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2012-232-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2100-582-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2164-547-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2316-112-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2344-503-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2388-268-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2400-183-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2416-340-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2424-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2452-455-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2572-255-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2620-588-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2620-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2624-491-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2628-119-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2688-533-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2916-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2916-539-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2980-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2996-575-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3064-159-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3080-280-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3088-364-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3152-207-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3228-568-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3256-408-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3272-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3284-191-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3312-589-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3464-346-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3512-215-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3548-352-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3576-80-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3580-527-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3776-479-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3816-461-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3832-358-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3852-199-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3864-371-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3956-554-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4128-497-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4136-316-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4160-224-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4216-443-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4268-378-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4288-262-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4308-467-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4328-127-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4352-437-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4380-248-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4412-414-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4504-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4504-546-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4548-521-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4552-473-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4556-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4608-424-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4656-449-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4660-167-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4756-175-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4820-103-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4844-402-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4856-328-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4964-396-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4996-515-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5012-560-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5012-23-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5040-581-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5040-47-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads