berbew | 3f724d9e667eed28736c3c2f48b3835205a9c575d72b40c29a6964f9818da230

Analysis

max time kernel
95s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f724d9e667eed28736c3c2f48b3835205a9c575d72b40c29a6964f9818da230.exe
Size

55KB
MD5

2a1e5c44446572337c167313f2c830ba
SHA1

2138ccaa306e40f5ba31bc814286c147183fc7dd
SHA256

3f724d9e667eed28736c3c2f48b3835205a9c575d72b40c29a6964f9818da230
SHA512

c7cad633d7786567d4fdccb13c0430be9e597d1c87ea1261266f5642760757a5218741d4db3e39c3367cca76cddf028948478f76a6ff062616f281d925e634e2
SSDEEP

768:MhwblCUVYUUa90NRpYFh0TLfAJgu7o7NAg3cJ2s9bK/1Pq3s2p/1H55Xdnh:YIVYUUHNRpnLf0B7wc/OJ2LR

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3844	Mplhql32.exe
4708	Mckemg32.exe
624	Mgfqmfde.exe
1172	Miemjaci.exe
2256	Mmpijp32.exe
3296	Mlcifmbl.exe
3520	Mgimcebb.exe
1996	Mmbfpp32.exe
1880	Mpablkhc.exe
1032	Mgkjhe32.exe
2656	Miifeq32.exe
2728	Mlhbal32.exe
2144	Ndokbi32.exe
4496	Ngmgne32.exe
4144	Nngokoej.exe
4068	Nljofl32.exe
1916	Ncdgcf32.exe
2416	Nebdoa32.exe
1124	Nlmllkja.exe
4864	Ndcdmikd.exe
4904	Ngbpidjh.exe
3224	Njqmepik.exe
4668	Nloiakho.exe
4988	Ncianepl.exe
916	Nfgmjqop.exe
4060	Njciko32.exe
4544	Npmagine.exe
5052	Nckndeni.exe
4816	Njefqo32.exe
4428	Ogifjcdp.exe
4852	Ojgbfocc.exe
2112	Opakbi32.exe
2220	Ogkcpbam.exe
2348	Ojjolnaq.exe
3020	Opdghh32.exe
2772	Ocbddc32.exe
1680	Ofqpqo32.exe
1484	Onhhamgg.exe
4056	Odapnf32.exe
1532	Ogpmjb32.exe
1020	Ojoign32.exe
3628	Onjegled.exe
4316	Oddmdf32.exe
4664	Ogbipa32.exe
2928	Ojaelm32.exe
4472	Pmoahijl.exe
380	Pdfjifjo.exe
3068	Pgefeajb.exe
4092	Pfhfan32.exe
752	Pnonbk32.exe
5092	Pqmjog32.exe
3700	Pclgkb32.exe
3004	Pfjcgn32.exe
4700	Pnakhkol.exe
4260	Pqpgdfnp.exe
1684	Pflplnlg.exe
588	Pncgmkmj.exe
2968	Pcppfaka.exe
4528	Pfolbmje.exe
1724	Pnfdcjkg.exe
1636	Pdpmpdbd.exe
3248	Pfaigm32.exe
3504	Qnhahj32.exe
1844	Qqfmde32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mlcifmbl.exe	Mmpijp32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Coffpf32.dll	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6256	7144	WerFault.exe	248

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkenegog.dll"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjiol32.dll"	3f724d9e667eed28736c3c2f48b3835205a9c575d72b40c29a6964f9818da230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3f724d9e667eed28736c3c2f48b3835205a9c575d72b40c29a6964f9818da230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 3844	3980	3f724d9e667eed28736c3c2f48b3835205a9c575d72b40c29a6964f9818da230.exe	84
PID 3980 wrote to memory of 3844	3980	3f724d9e667eed28736c3c2f48b3835205a9c575d72b40c29a6964f9818da230.exe	84
PID 3980 wrote to memory of 3844	3980	3f724d9e667eed28736c3c2f48b3835205a9c575d72b40c29a6964f9818da230.exe	84
PID 3844 wrote to memory of 4708	3844	Mplhql32.exe	85
PID 3844 wrote to memory of 4708	3844	Mplhql32.exe	85
PID 3844 wrote to memory of 4708	3844	Mplhql32.exe	85
PID 4708 wrote to memory of 624	4708	Mckemg32.exe	86
PID 4708 wrote to memory of 624	4708	Mckemg32.exe	86
PID 4708 wrote to memory of 624	4708	Mckemg32.exe	86
PID 624 wrote to memory of 1172	624	Mgfqmfde.exe	87
PID 624 wrote to memory of 1172	624	Mgfqmfde.exe	87
PID 624 wrote to memory of 1172	624	Mgfqmfde.exe	87
PID 1172 wrote to memory of 2256	1172	Miemjaci.exe	88
PID 1172 wrote to memory of 2256	1172	Miemjaci.exe	88
PID 1172 wrote to memory of 2256	1172	Miemjaci.exe	88
PID 2256 wrote to memory of 3296	2256	Mmpijp32.exe	89
PID 2256 wrote to memory of 3296	2256	Mmpijp32.exe	89
PID 2256 wrote to memory of 3296	2256	Mmpijp32.exe	89
PID 3296 wrote to memory of 3520	3296	Mlcifmbl.exe	90
PID 3296 wrote to memory of 3520	3296	Mlcifmbl.exe	90
PID 3296 wrote to memory of 3520	3296	Mlcifmbl.exe	90
PID 3520 wrote to memory of 1996	3520	Mgimcebb.exe	91
PID 3520 wrote to memory of 1996	3520	Mgimcebb.exe	91
PID 3520 wrote to memory of 1996	3520	Mgimcebb.exe	91
PID 1996 wrote to memory of 1880	1996	Mmbfpp32.exe	93
PID 1996 wrote to memory of 1880	1996	Mmbfpp32.exe	93
PID 1996 wrote to memory of 1880	1996	Mmbfpp32.exe	93
PID 1880 wrote to memory of 1032	1880	Mpablkhc.exe	94
PID 1880 wrote to memory of 1032	1880	Mpablkhc.exe	94
PID 1880 wrote to memory of 1032	1880	Mpablkhc.exe	94
PID 1032 wrote to memory of 2656	1032	Mgkjhe32.exe	95
PID 1032 wrote to memory of 2656	1032	Mgkjhe32.exe	95
PID 1032 wrote to memory of 2656	1032	Mgkjhe32.exe	95
PID 2656 wrote to memory of 2728	2656	Miifeq32.exe	96
PID 2656 wrote to memory of 2728	2656	Miifeq32.exe	96
PID 2656 wrote to memory of 2728	2656	Miifeq32.exe	96
PID 2728 wrote to memory of 2144	2728	Mlhbal32.exe	98
PID 2728 wrote to memory of 2144	2728	Mlhbal32.exe	98
PID 2728 wrote to memory of 2144	2728	Mlhbal32.exe	98
PID 2144 wrote to memory of 4496	2144	Ndokbi32.exe	99
PID 2144 wrote to memory of 4496	2144	Ndokbi32.exe	99
PID 2144 wrote to memory of 4496	2144	Ndokbi32.exe	99
PID 4496 wrote to memory of 4144	4496	Ngmgne32.exe	100
PID 4496 wrote to memory of 4144	4496	Ngmgne32.exe	100
PID 4496 wrote to memory of 4144	4496	Ngmgne32.exe	100
PID 4144 wrote to memory of 4068	4144	Nngokoej.exe	101
PID 4144 wrote to memory of 4068	4144	Nngokoej.exe	101
PID 4144 wrote to memory of 4068	4144	Nngokoej.exe	101
PID 4068 wrote to memory of 1916	4068	Nljofl32.exe	102
PID 4068 wrote to memory of 1916	4068	Nljofl32.exe	102
PID 4068 wrote to memory of 1916	4068	Nljofl32.exe	102
PID 1916 wrote to memory of 2416	1916	Ncdgcf32.exe	103
PID 1916 wrote to memory of 2416	1916	Ncdgcf32.exe	103
PID 1916 wrote to memory of 2416	1916	Ncdgcf32.exe	103
PID 2416 wrote to memory of 1124	2416	Nebdoa32.exe	104
PID 2416 wrote to memory of 1124	2416	Nebdoa32.exe	104
PID 2416 wrote to memory of 1124	2416	Nebdoa32.exe	104
PID 1124 wrote to memory of 4864	1124	Nlmllkja.exe	105
PID 1124 wrote to memory of 4864	1124	Nlmllkja.exe	105
PID 1124 wrote to memory of 4864	1124	Nlmllkja.exe	105
PID 4864 wrote to memory of 4904	4864	Ndcdmikd.exe	106
PID 4864 wrote to memory of 4904	4864	Ndcdmikd.exe	106
PID 4864 wrote to memory of 4904	4864	Ndcdmikd.exe	106
PID 4904 wrote to memory of 3224	4904	Ngbpidjh.exe	107

C:\Users\Admin\AppData\Local\Temp\3f724d9e667eed28736c3c2f48b3835205a9c575d72b40c29a6964f9818da230.exe
"C:\Users\Admin\AppData\Local\Temp\3f724d9e667eed28736c3c2f48b3835205a9c575d72b40c29a6964f9818da230.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Windows\SysWOW64\Mplhql32.exe
  C:\Windows\system32\Mplhql32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\SysWOW64\Mckemg32.exe
    C:\Windows\system32\Mckemg32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Windows\SysWOW64\Mgfqmfde.exe
      C:\Windows\system32\Mgfqmfde.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:624
    - - C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1172
      - C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        23⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        28⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        37⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        38⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        48⤵
        Executes dropped EXE
        
        PID:380
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4700
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4260
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:588
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        59⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3248
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        66⤵
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        67⤵
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:872
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        71⤵
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:464
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        78⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        80⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        85⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        90⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        92⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        93⤵
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        96⤵
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        99⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        100⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3964
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        102⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        104⤵
        Drops file in System32 directory
        
        PID:3576
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        110⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6004
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        115⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        117⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        118⤵
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        122⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        124⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6044
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        129⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        131⤵
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        132⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        134⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        135⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6208
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        136⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        137⤵
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6336
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:6388
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6440
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        141⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6528
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6564
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6660
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6704
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        147⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6748
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        149⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6836
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        150⤵
        Drops file in System32 directory
        
        PID:6880
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        151⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        152⤵
        Modifies registry class
        
        PID:6968
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7012
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        154⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7048
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7100
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        156⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 396
        157⤵
        Program crash
        
        PID:6256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7144 -ip 7144
1⤵
PID:6160

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:6616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
55KB

MD5
628f151ef43ed8d9142b5e36b3ed40a2

SHA1
ddd223b457731495a3036e6d71cde2f4b7f0a0d5

SHA256
3e6792b0f5fea7c96d6b98270c52a9b3448dcb8ba037f6963cd5cdc03e8df181

SHA512
dd72a480aa6da460c0e6c3527ccb1780f246a147cddfa7026e7b3cef9e516ab0d4dec13db9588e76f06876e649e25700589b36b264af4ab4f7487a8f3245f165

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
55KB

MD5
66634c66be71554e9c29a12cf31db3df

SHA1
3d76b54bfa99b5761c8cf9d560d10bd8858b1ead

SHA256
73712b29a1ee198cd22dfa0a04768d213349fd5f9b83334eef803fc4442c0f41

SHA512
edff7f15a6e0cffa9789bca152c7525eb66e802f08d19b87943278864979c4abdaf7a37e98a1e41e4feef4f597f1a1af2f397f568d8775102b689bfc2e63852c

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
55KB

MD5
737355f8b956708e8b7ef25b30673162

SHA1
d17fd725c3c80110c9fae18e39b02875947a6d02

SHA256
789e8feeadabe36be54b910ba22d32aa90d0895634f700d28108217cbae2c818

SHA512
83741eb6ffb3003a727c49dc9162e3e9114f2c4e7077d79af0306d9ec932875755f21ac353362f2ae71ad87e8e8f720c9794d53faa4b5d530ae6206412a11999

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
55KB

MD5
8f1ffdb482ddbdbeb8c652f99b3cbe02

SHA1
b64d70febaf63c0e172127ca75e2d6788ded24a6

SHA256
b7ba8a842d497bb765ce4f4969f4153bd05608ea7e43dc18d24f636933dd8e27

SHA512
54469341da2593756ed223de434ad642afb53f8163561d71ebf7b78d6a73edaf4bb5c92ccd2285daa53bb1bdd14bb32a2ff6cffccd5f15e8aae6b2b2873d0dbe

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
55KB

MD5
ccf208f4978ec7b3a15887be59dfd445

SHA1
560c9cc5414421ca2531aceddc3c4946eec6caca

SHA256
f36c4db057ed9053012b8644d27bd33b4180c02f2952dcfa1d012398d86646f8

SHA512
44a3a1139ffa58236dee556b650096f94ec4fd9174be07e028b26d5ec1a6f5895f30119d893614ec9e7ef1757433a9e4575d0b6242376d6c50a043e0307fab48

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
55KB

MD5
1c8029aea7f41338b544002da21e370d

SHA1
48b65f9164e27b5ccce6bead0bfb995a5cadf8cb

SHA256
523c4ad5ef81f751196eaa2d3660d4c4e65a502f9ceb257c6827b258a50fed1c

SHA512
5fad2b48b2afc1fbe0e1e84c8c42d4abd098a98fc5918b133e8dc06d8e5d250313e80b46501cfc35450a235015ae77743e6e99dc12586cf49a164e1c08e94fba

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
55KB

MD5
99e20b8950d9d043819e7de3c0d88ba3

SHA1
caccb54cd5985aa65cfab65bf77bf47d6a50f3a7

SHA256
183a6b8aefe139660321260516f7d555448f1059e2ca95f78293d0bfcb413cd0

SHA512
e42db4e3b0f8095f5edbe300633f517e604418ff14f7d6036b0082cee8b99574532c454df48f097f30453047f22c1e161498331a3a22151a0d4e015316288955

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
55KB

MD5
25a3761db40c4b8d1c7e3815104ea2ca

SHA1
7a8f140ebb139dcc651c9b9512b6000c356696dd

SHA256
6b4aa26910c330f05904f1895bfaa476e1d683018e5e82a3610a61a585eef9a1

SHA512
47fdf8f16bccd408aaabc313b418418d733b1ebad9a97cc4a3beeb57a81cbffc50ecb522cd32aa842cbc7bd3d88951bd01de2c382f0d24495b9aef8f02fb78d8

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
55KB

MD5
b082c5744c1fa394b762f8bcd801f2b4

SHA1
cd1bd785cfa9ed7e0c838f1a93b4141a39acc4d8

SHA256
9aec4aa1027f8bf6d28f1bd24686d829a66ec9997641da3416fd24901172b6c2

SHA512
f396244ad924a568ca809ea43e54981e2d70bd80578ab8a3143e9212404357a33eacfa1ba02f08f165e7eb3cb2cc8e6ebbf064bc4a7749c4955d46cff446e35e

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
55KB

MD5
322a9c3a59bf81205bb71285d38ef1d6

SHA1
782a4547fbb1d0bfae980d669a8a6d369d9da7d9

SHA256
6b0895855e180f8e5a2a1d38e66955a4e4c6023e862531331fd8b300aff012dd

SHA512
801f1e0887776c4f3fbd9f888c296584d6b99f6e3a3102256d06abee3a604f8b1d97c19815485781305f0f0de3fb4666e72d087b9fb944df2fea4d0b863e2ba1

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
55KB

MD5
a77b433e27d4b254fda536ba48b48706

SHA1
e5c0b6db685862697ccff8b906aad2dabdfee21b

SHA256
d98af72dc39eb0a9cccea4f11cab218c989035323876d41b56669be1a6159642

SHA512
2faf040ff1dad176eae7a21216b7e5c5d455d0b1622ad1e20854a75e4856c74dad2c79618a8eeb496b56609e7f862d91ea2e8116c27f36f810c6247addd1bd9d

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
55KB

MD5
357ff3a0d5f36b9cee9a7777bc5b3a9b

SHA1
7e9adb5edd2f7991e80822944554d5e12685750b

SHA256
db33b6f826e4201f5ef04f654b5bf667120b91c5c9fca03278fdb807c8b14e05

SHA512
17ef2ba07c9e43e728a94e264de2c80096f37dd45bd4626429c965561c346fb440be346e5ad82d5e387aae34572dfb94cb84502e694606e31f1e651fca56c5af

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
55KB

MD5
bfc7b821272cad6034851966b7664879

SHA1
adcf04c376f94a06c06aaf8a1cabcccebadc25e1

SHA256
a6e9bb446242fafcaf6e405503bb23469dc55ae7a8f466862b58e090fd3b9095

SHA512
f8c7e5eab11d99a2837d2eb64fe3aa772349489c77086be734a6f383958e839e01d1510e314af961690098253ccf75d12991401c018598fb6fbcf01d2c54e932

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
55KB

MD5
3cbfa9be772d1602a4bf513cc1223f87

SHA1
29ec82784da8ba23034ad2f9774998fc875ed9c4

SHA256
36c8db90d2f8a198c7c7bd9fa3de1bde5b36043af6c69737b975c2c652755555

SHA512
d8c94196730508c4674839ca93b822da141541914a3b25fe98064a6629bf200785458d86c64a6d62c5095569da5afb520287f2ba5d5b980ed6bde005c3602c39

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
55KB

MD5
3af3481bb7d92f6154df68dd22fc5814

SHA1
1097943f3d1e1879a8154cf29086b1833283f6f8

SHA256
d47408dab40de733a168aa1cf6abc0f9456c1a84126577f7c0362008f3a6f446

SHA512
ca2b9ad0d19686ac22e2093609f1a1f885ca8abf108db32d62c232168adba7fda0dddc9f335923f43bc0da1ae397a657d939b776d3eca62db49451fb7d3c57c8

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
55KB

MD5
bec6b37c765c269c613b1eb37a2822da

SHA1
f97c21b665cc16adcc5e865018b9d804d882ac7b

SHA256
517011eff0cbc6d36397096821c7de87e6b74d0ad5a1506ae1783b9c6a741944

SHA512
7b9b112aee4ec9ef3e4c51e3b87bb2291070ecba192bbb01ce5fd6da90232bac999c047019692222124c108afb2de333879ad788786a88d9d702fb7ffc6f2ed3

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
55KB

MD5
4681eaabda56ff192ff7f687bad7663a

SHA1
4960f396f955ae25bdf01d777fa55672236f5949

SHA256
308d6b885df8222b36e736e8a7a11c67574229e077127f5c52feb1d7025a3d17

SHA512
38c65d8b7c8f20d6cef25ca1db48c9308fac3ad7bd877d9cb6c8551da7cd9e6c80cbc32a6dbef731ab1b9eef1681e96dc41abf04a6b2eee7454e0db88a257171

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
55KB

MD5
67ebc2aab09eb6e7c8bf8022a2d26396

SHA1
b85c9798e2e1e80dd32de0d39cd29762fea32c6d

SHA256
a1847d23a282ded95e86952bbe3dd5b69c117bfccaac4340b6e355a5453d1a6f

SHA512
79d0bee2cfe2a257317d6f2fe84f722bb75eff65ba666b2267e5909a310d8397eefeac4294601d5b6b378293de660bfeb6be7cbc498318c777b93d36e8a4023c

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
55KB

MD5
0ae90ac4d53551c0f5394428b144e488

SHA1
2d811fe469fb41d774d1bcf4a36564032ef451cc

SHA256
fd1ff54fccf92db129d25da9913c8b3fb6cd258b47717e933feabb1a4a189fe0

SHA512
1603ff40033cc89e97631a357ddda694f22c12af7ed1610604318a72652e82e0fc1799ca771b7b3683e4d8e35c7f6d3b0a2e7ffeca9a5f8d8dabf3205c434612

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
55KB

MD5
00587407343cdc796fd83d9fb54778fc

SHA1
877beef6a817c77195eebbf9e08b84ceaee1e95e

SHA256
0b3ea716e5796459e129d95592fa88d09c6960785165f3fff88b4e93285b67e0

SHA512
5c025c1f17c7861d1a4ada309c9d171289531aea829555290b4479a8f44aad16932dbd6fd28f524ed35eff2692d1249475f77c078273ea4cae3373cac75b58cc

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
55KB

MD5
b054a17bab2539906c8fc34fe106ea9b

SHA1
e2b4b5d696ce84bfe9bb095b610b0c5d15df2fca

SHA256
14e25beb9727bab8beefaab25c824f8f5247c015acbf0b2bcc487120ac12b191

SHA512
53236089bf7875af81ead5c7aa6b3cd9e777bc3e157ba63a068be39c8d412ab6d67913b1bb0af7dab96d2da979439083175e5f0d5e627a5027eac7492b365f5a

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
55KB

MD5
27793900d7fda647f54fcba6a495ada8

SHA1
6935673509add9cca30eda991da329d05ffec868

SHA256
e2bea653b5f229ae25f72b6456a06984b5346fdb9f502742f675d07a0dd3d5df

SHA512
e505801c8bc36d13f4399d9b75cee10c83cc98dfc3ae31f254d3128ce3f69bc87c274e51e869587411e772ac9ed5cda6a7bea798edd50d2331eccfcd311fe01a

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
55KB

MD5
82bd0239d58cf7115ce451c8c0768146

SHA1
fe767e831ebf68a670b2c4cbdb766af058921e06

SHA256
17baf6e53e5e922e6bde0224f00d66e8f20435718981c90c375cbae8f92e8b56

SHA512
a6550fb29cb9071a2fd59d9f0bdcdceb8f0ed0d695be44d8cb69b7af2d58622da2b9faabe3876f12943ed9cbc649cd6aa95e7e8b5dd90c1d97ea8cc361f5427f

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
55KB

MD5
2caec5955d2e419063aae4e0b06043b8

SHA1
3daf677c0b647b76927fa5940a86eef8207726bb

SHA256
3c0a4991b18dd32fdb4e5deb925f9beb23a037f41223ab6b459386dee72bafd5

SHA512
ca23ac1b4ebb356fefc8e30437d62c1496bc4fa9c4e95fb7fc754a97eacafcdb3c3a5b0ece990678dbfd090bc72c823b5f8ce0fe673430c41f8179848a316cef

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
55KB

MD5
0c38c880ae154c5c7707b2944012cec0

SHA1
78d2fd997b588c04830b0787101906265c1aebdc

SHA256
ea6835ff2942e1eca99e2d2d40f82ebff82565c59a565530f236a90013d8d33b

SHA512
6d7b4db167ffabb6eba0d3e832c13e34824c4a6e52a83cff7c4dca3b87c49528daf52829f46cb7328b28f1a2a33b46c7fdf782191aa706f8755d6cdea03e54bf

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
55KB

MD5
cd3585a263ccb3aca25e1ccf4d0ceb7a

SHA1
0e472c7388639ca634c18e30d02cfe30bda937e0

SHA256
939027b4949bd3c4b45e37aa9e88a347ef4a2b09d5e779649afc3ccac59baf47

SHA512
3a17a976d38bbc8d14245100f0dfad83cf2f504c6f73a9e42c40d26ed946f776d9d5fa516297097fd15b48d590e49b8c91b14ca7b58a7a6ccce9aa6219c5f40c

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
55KB

MD5
ee8c31a181cb03b22c1a97aca48b083f

SHA1
a9cb11e838cf88fb49ca09a46e6ac86e8a2bc139

SHA256
b03fb76595f811af1b94ee17085d95b1dd4aaf9c7a759ca30eb09247de246d85

SHA512
c0ad4d79bc03ee44ec211bc185cea767db955a7e2d8e9a6ec1412ff3729584536627e43ecb67b62dd3e8b82f3528e835951d01df97a61d58b37615df34e6459b

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
55KB

MD5
746c450d8f410c442bfb70739d6cef22

SHA1
e659f90e3ac11911daca42556d65c46d3546ed88

SHA256
30a10bea9cfa90a2264399735bad5fe520a6096d173c51bb3f07628b41101e7f

SHA512
ac1b3bf5330b70801c6fb6be4ba161b63edbd9ae5769e4a3b958f0cabe72602203d4e557a43667bcd7aa3c0135c630cc6fbd7d89faac36a4b0191fdc268296cf

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
55KB

MD5
2a09e75bcb4b0ec3a28ad926e2974d4c

SHA1
70f34d241a6518ba213f9543111009dc42c36128

SHA256
58283c7d8ae66abf6a5fc02c86705cbcacf875a51838312fc1c58b2fe168dcdc

SHA512
c412b4aed73f1714d30f12a663cc6015b3764d233b341bd81e99794f4014795dd3c5b8555bcb4493f872dc9f391ac350af534b72faafc692618b86b38c5211e5

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
55KB

MD5
32f2e8a5cd92dc9124e5fe330bfa1d8c

SHA1
0a937ba0ef05e63f50896ed737234a7addc17bfc

SHA256
fcc1248f92399e193370c2137e6f0a0e40b3b2184520c7e8d989fd2bcbcffdcc

SHA512
4dfa4fed7d8cef11867d717bbd967cce0b3b5ec0c4b3f7f77741870ed4d7aa04c9738a20ef6dbae120ea34b310b6fad1cf982cc667a4fa97b57bdca136dfe24c

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
55KB

MD5
71d67a9310d250ce48f9cc995861a13f

SHA1
ede989b9f5b24c5877dbf1eca9d0d68dec4cd2e5

SHA256
91676f15051b2ab134cdcb3031ed02ba83390969f29c97dd9ffaa411a423d5bb

SHA512
33881dfa70f11b0e9f8f8fbd6c6c0de2fc0d0690b8d0b5df9b676f01eabbdc6f34c9276ce7dc16d2cd3c65ba49214ff439eb63d03b8d6a9b3f00a9fcff0e1b15

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
55KB

MD5
ff86d8bf2c59cd153d84b070c98fde3e

SHA1
efe8e30c286546e11795b4b0c179bb26a4b990e0

SHA256
8ee8b5021a96879f13e31dc6eefb99d788a0f4329085bfa3f1bea5728713e924

SHA512
bbf81c91e709a5cb27e3af7fd0b3c4b92aa5ffad878d122df8b17d18b1ef1e6e3e0b57218833c004e9241bcf4feecb979b7a1d848acae8f80dbd391bcf858a92

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
55KB

MD5
8f98ac53ea22b93ef3736e708f183eb3

SHA1
bc9523ade7f6d706c1fb95985556b17f7412bd3f

SHA256
928bbcdf4b5f9f4831975918134b64ee24d854d2365fc64bc31c84293cd0d7dc

SHA512
da79c5d097c2e41954be771dbeac1160171416c71153c5f7ce27a4e280179fff9cad8230755744816f10357996091228aeb1b519641702845d005aa9cb2f097e

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
55KB

MD5
89140d291bae567d273b7b2f621a97a0

SHA1
f7ddf3ab8dc90e3856f7ca20dcb36900993272df

SHA256
a71cbf7113bae52a3e2281766b52c8cecb90aa1cb90972794948b6fa61d6c34f

SHA512
ba4dec0c61d6909e7f6b2acb1b9492d8e2eda6bd5e96187988c8117911d2356a72f84edb425247d5d772dd0f8a7a3332166e7dac4059f0028a8326f6ae1daeae

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
55KB

MD5
3e80e2465fc8a016c544b0a117353a3a

SHA1
65b2254a778fd741e6685078e442205d5e7617b5

SHA256
badd05e27278cd8ded5fe5143d41bd882d523d6f50ec6da1cfdcd8c78f805a37

SHA512
260315b7db8cde048db439b798989ff011fb309e58021c3a2d3ed9adb08d93f38437aa825fa93a82b3f9a65218a847fb9976d397e51ae7128979c24c5633b336

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
55KB

MD5
f95069cde0637cd10c5bba8746765375

SHA1
cfd937e7b06c4019b7e288cfece44cb67eb37312

SHA256
222cb51371b0255f81e0666d46b15d1d83d9f60a70752f868cfe5a3c53c347b3

SHA512
6ad7e80b0cc855f3c43ca3aaf6a4d922b5f3b7b8290460ee76e3d112435881309974a9e8be9158db1e3f4dc52f69ad3a8cc60694efb9ec7ee1fc13b8a558cb1b

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
55KB

MD5
e096d7c89f93f9ebd39d1f511f7cc910

SHA1
a15a47eede56bb690ec72280feef7a30bf2eedd5

SHA256
b902622593d0c937751971044877a246ac6e575f64d100f3309a74e49568dbe5

SHA512
e5b8782ab5a351342bdac1956e1e0ae81196cc3b19cb6dbd53b8c669729ed6cd2a373918eb9e71df3992d832576bf50fa11f4e37bba31145b406b754c2bc4c35

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
55KB

MD5
0c66fab60ca2c5642d5c0b5e78d6e922

SHA1
8435925ad4cc9d9c80f286779dce2ba4fe3bcf26

SHA256
9eb4a6d452f69a234042d2d1b424aee3099535dbbc9db0d028e34475fa23bac1

SHA512
e7a2e433ed44205bbb238c479cf5370c260dc84af398cac849fb0629b81721056ebd154954ae6b38fbdbd919fb6a1e293c233b08736fe676b0c00ad0810c845e

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
55KB

MD5
62ac7770cbf083fac13004bc103bbe5e

SHA1
3d76c0d09e5715aa8b1f9a50f0a8662530df1e45

SHA256
8ea10aebfa02b7add0dfda6f0216e37fcc7b1a9804c4d03a177c4224b2d0acca

SHA512
01c52e94a73ef58ded040a40164ce3746d385324b830caec1708649784ea3488480175d59ca90a0477806ed555f224c1d372896a26f907b8ae696105d82f50ba

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
55KB

MD5
f77d2a0e6a0bbd7107b44ea542ba2788

SHA1
2fea77f865db4bdea0f6e11b13434159f714b9b1

SHA256
7c1cea9ce0d5522dbdad3dfb0b95143d4cf0adfae8b8524ee62b0a3f7d958995

SHA512
0c62b90a8bf40a394f81ab5640ebcde3e3c40af077cd1ce421e6ade1ad0b0f8614690648eaf4a91d3f251bf7d6cddbf811ee2f5233e0c6076580b3226a89e993

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
55KB

MD5
f2a7f546d17ded78f12e5f3d1c6f8dde

SHA1
aa40b53ff4b8c5a5a09335dfbcb4445302193d1c

SHA256
075f2a1a16e6e6247cb5c778a2a1d6c6c5ae06e9f79820b02a93f7204f5c07fe

SHA512
419deaa2b01d5f0a3ac5f8921c26b82479f5951216dafd759339ce58e2af9101001aeddd8aa49dfb590699dc10cdc3cef8555e37997087e7258581f3a2454f13

Download Submit
memory/116-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/588-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4056-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5168-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5228-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5272-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5316-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5364-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5408-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5448-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5492-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5536-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5576-1152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads