berbew | 5e7b394fd11412060396cab7441041c1206f55b1b10584c61aa3d7bd4079f9f7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e7b394fd11412060396cab7441041c1206f55b1b10584c61aa3d7bd4079f9f7.exe
Size

67KB
MD5

6dce6be5603d991a638053cfa3581d47
SHA1

6bccf315810b37a598f62f12318dbf52a5f73b4b
SHA256

5e7b394fd11412060396cab7441041c1206f55b1b10584c61aa3d7bd4079f9f7
SHA512

3652476cf1577286b8d542a3d5527786df52abea80255204e66525796e8774c373284203f6bab087e623baac6089dc797eff47312fa354c5926cd0ea583841cd
SSDEEP

1536:hLbm2cRP4OWg7/Tq2f1ZqFsSn+p77tsJifTduD4oTxw:Ij94J2/Bjp7hsJibdMTxw

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
992	Mgddhf32.exe
932	Mlampmdo.exe
4316	Mdhdajea.exe
3440	Meiaib32.exe
4412	Mpoefk32.exe
1464	Mdjagjco.exe
1264	Melnob32.exe
4404	Mlefklpj.exe
4824	Mcpnhfhf.exe
2208	Miifeq32.exe
1660	Npcoakfp.exe
2760	Ngmgne32.exe
1128	Nepgjaeg.exe
4512	Nngokoej.exe
3996	Ndaggimg.exe
1996	Ncdgcf32.exe
3092	Nebdoa32.exe
3664	Njnpppkn.exe
2464	Nlmllkja.exe
1092	Ndcdmikd.exe
3844	Ngbpidjh.exe
3080	Neeqea32.exe
4484	Njqmepik.exe
3624	Nloiakho.exe
4848	Npjebj32.exe
1624	Ndfqbhia.exe
1964	Ngdmod32.exe
5008	Nfgmjqop.exe
3776	Njciko32.exe
4984	Nnneknob.exe
3864	Npmagine.exe
1856	Ndhmhh32.exe
1692	Nggjdc32.exe
4300	Nfjjppmm.exe
1772	Nnqbanmo.exe
3612	Olcbmj32.exe
4540	Oponmilc.exe
1432	Odkjng32.exe
748	Ogifjcdp.exe
1816	Oflgep32.exe
3212	Ojgbfocc.exe
5072	Oncofm32.exe
1468	Opakbi32.exe
3000	Odmgcgbi.exe
4844	Ocpgod32.exe
2388	Ogkcpbam.exe
3572	Ojjolnaq.exe
4764	Oneklm32.exe
3596	Olhlhjpd.exe
2516	Opdghh32.exe
4716	Ocbddc32.exe
700	Ognpebpj.exe
1548	Ofqpqo32.exe
2380	Ojllan32.exe
1980	Olkhmi32.exe
3544	Oqfdnhfk.exe
4776	Odapnf32.exe
4572	Ogpmjb32.exe
736	Ofcmfodb.exe
672	Ojoign32.exe
676	Onjegled.exe
2256	Olmeci32.exe
4108	Oddmdf32.exe
4272	Ocgmpccl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mdjagjco.exe	Mpoefk32.exe
File opened for modification	C:\Windows\SysWOW64\Mlefklpj.exe	Melnob32.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gijlad32.dll	Mgddhf32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Olmeci32.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pcijeb32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Mlefklpj.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Jfenmm32.dll	Meiaib32.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Nlmllkja.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Melnob32.exe	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Neeqea32.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Odkjng32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6828	6632	WerFault.exe	263

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodfmh32.dll"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 992	3536	5e7b394fd11412060396cab7441041c1206f55b1b10584c61aa3d7bd4079f9f7.exe	85
PID 3536 wrote to memory of 992	3536	5e7b394fd11412060396cab7441041c1206f55b1b10584c61aa3d7bd4079f9f7.exe	85
PID 3536 wrote to memory of 992	3536	5e7b394fd11412060396cab7441041c1206f55b1b10584c61aa3d7bd4079f9f7.exe	85
PID 992 wrote to memory of 932	992	Mgddhf32.exe	86
PID 992 wrote to memory of 932	992	Mgddhf32.exe	86
PID 992 wrote to memory of 932	992	Mgddhf32.exe	86
PID 932 wrote to memory of 4316	932	Mlampmdo.exe	87
PID 932 wrote to memory of 4316	932	Mlampmdo.exe	87
PID 932 wrote to memory of 4316	932	Mlampmdo.exe	87
PID 4316 wrote to memory of 3440	4316	Mdhdajea.exe	88
PID 4316 wrote to memory of 3440	4316	Mdhdajea.exe	88
PID 4316 wrote to memory of 3440	4316	Mdhdajea.exe	88
PID 3440 wrote to memory of 4412	3440	Meiaib32.exe	89
PID 3440 wrote to memory of 4412	3440	Meiaib32.exe	89
PID 3440 wrote to memory of 4412	3440	Meiaib32.exe	89
PID 4412 wrote to memory of 1464	4412	Mpoefk32.exe	90
PID 4412 wrote to memory of 1464	4412	Mpoefk32.exe	90
PID 4412 wrote to memory of 1464	4412	Mpoefk32.exe	90
PID 1464 wrote to memory of 1264	1464	Mdjagjco.exe	91
PID 1464 wrote to memory of 1264	1464	Mdjagjco.exe	91
PID 1464 wrote to memory of 1264	1464	Mdjagjco.exe	91
PID 1264 wrote to memory of 4404	1264	Melnob32.exe	92
PID 1264 wrote to memory of 4404	1264	Melnob32.exe	92
PID 1264 wrote to memory of 4404	1264	Melnob32.exe	92
PID 4404 wrote to memory of 4824	4404	Mlefklpj.exe	93
PID 4404 wrote to memory of 4824	4404	Mlefklpj.exe	93
PID 4404 wrote to memory of 4824	4404	Mlefklpj.exe	93
PID 4824 wrote to memory of 2208	4824	Mcpnhfhf.exe	94
PID 4824 wrote to memory of 2208	4824	Mcpnhfhf.exe	94
PID 4824 wrote to memory of 2208	4824	Mcpnhfhf.exe	94
PID 2208 wrote to memory of 1660	2208	Miifeq32.exe	95
PID 2208 wrote to memory of 1660	2208	Miifeq32.exe	95
PID 2208 wrote to memory of 1660	2208	Miifeq32.exe	95
PID 1660 wrote to memory of 2760	1660	Npcoakfp.exe	96
PID 1660 wrote to memory of 2760	1660	Npcoakfp.exe	96
PID 1660 wrote to memory of 2760	1660	Npcoakfp.exe	96
PID 2760 wrote to memory of 1128	2760	Ngmgne32.exe	97
PID 2760 wrote to memory of 1128	2760	Ngmgne32.exe	97
PID 2760 wrote to memory of 1128	2760	Ngmgne32.exe	97
PID 1128 wrote to memory of 4512	1128	Nepgjaeg.exe	98
PID 1128 wrote to memory of 4512	1128	Nepgjaeg.exe	98
PID 1128 wrote to memory of 4512	1128	Nepgjaeg.exe	98
PID 4512 wrote to memory of 3996	4512	Nngokoej.exe	99
PID 4512 wrote to memory of 3996	4512	Nngokoej.exe	99
PID 4512 wrote to memory of 3996	4512	Nngokoej.exe	99
PID 3996 wrote to memory of 1996	3996	Ndaggimg.exe	100
PID 3996 wrote to memory of 1996	3996	Ndaggimg.exe	100
PID 3996 wrote to memory of 1996	3996	Ndaggimg.exe	100
PID 1996 wrote to memory of 3092	1996	Ncdgcf32.exe	101
PID 1996 wrote to memory of 3092	1996	Ncdgcf32.exe	101
PID 1996 wrote to memory of 3092	1996	Ncdgcf32.exe	101
PID 3092 wrote to memory of 3664	3092	Nebdoa32.exe	102
PID 3092 wrote to memory of 3664	3092	Nebdoa32.exe	102
PID 3092 wrote to memory of 3664	3092	Nebdoa32.exe	102
PID 3664 wrote to memory of 2464	3664	Njnpppkn.exe	103
PID 3664 wrote to memory of 2464	3664	Njnpppkn.exe	103
PID 3664 wrote to memory of 2464	3664	Njnpppkn.exe	103
PID 2464 wrote to memory of 1092	2464	Nlmllkja.exe	104
PID 2464 wrote to memory of 1092	2464	Nlmllkja.exe	104
PID 2464 wrote to memory of 1092	2464	Nlmllkja.exe	104
PID 1092 wrote to memory of 3844	1092	Ndcdmikd.exe	105
PID 1092 wrote to memory of 3844	1092	Ndcdmikd.exe	105
PID 1092 wrote to memory of 3844	1092	Ndcdmikd.exe	105
PID 3844 wrote to memory of 3080	3844	Ngbpidjh.exe	106

C:\Users\Admin\AppData\Local\Temp\5e7b394fd11412060396cab7441041c1206f55b1b10584c61aa3d7bd4079f9f7.exe
"C:\Users\Admin\AppData\Local\Temp\5e7b394fd11412060396cab7441041c1206f55b1b10584c61aa3d7bd4079f9f7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\SysWOW64\Mgddhf32.exe
  C:\Windows\system32\Mgddhf32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\SysWOW64\Mlampmdo.exe
    C:\Windows\system32\Mlampmdo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Windows\SysWOW64\Mdhdajea.exe
      C:\Windows\system32\Mdhdajea.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4316
    - - C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3440
      - C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        32⤵
        Executes dropped EXE
        
        PID:3864
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        33⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        35⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        44⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        46⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        48⤵
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3596
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        51⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:700
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:736
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        61⤵
        Executes dropped EXE
        
        PID:672
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        62⤵
        Executes dropped EXE
        
        PID:676
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        65⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        66⤵
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        68⤵
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3028
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        73⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        76⤵
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        77⤵
        Drops file in System32 directory
        
        PID:4156
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2276
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        79⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        80⤵
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        81⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        83⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        84⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        85⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5520
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        91⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        92⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6044
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        109⤵
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        116⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5788
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5892
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        121⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:740
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        126⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        129⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        132⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        133⤵
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        134⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        140⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        142⤵
        Drops file in System32 directory
        
        PID:4508
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:5300
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        144⤵
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        145⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        146⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        147⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6160
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        149⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        150⤵
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        151⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6292
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:6336
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:6388
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:6432
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        155⤵
        Drops file in System32 directory
        
        PID:6476
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        157⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        158⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:6664
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        160⤵
        Modifies registry class
        
        PID:6708
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6752
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        162⤵
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        163⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6920
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        165⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        166⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7024
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7068
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        168⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        169⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6200
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        172⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        173⤵
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        174⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6560
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        176⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6632 -s 404
        177⤵
        Program crash
        
        PID:6828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 6632 -ip 6632
1⤵
PID:6748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
67KB

MD5
ddf059ed3bb80d86eff3c898dc040ae5

SHA1
6f483fb32dfd55ae5bc61a77bacb2545795dc62e

SHA256
966f5ca6bd49e674e006af6dae24e049521848264232e29f889106309a762451

SHA512
4aa5c181a5d271b4416236a3c8831014cda02034d18dd289f7154f170cf6bafafe843fd636e580262c0265929a76f715b119dc82a867bb47bc761ced9e536d83

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
67KB

MD5
e3a84096d3c955dfe9bce365800de9c0

SHA1
84d13891c4f8f1ef0b038ae4ec071dd66c76e016

SHA256
9c557dc55a1aa8b301e07eb44d9e9930d8044276be5bb3acbefe41adab6f5636

SHA512
e083712fd5a23cfa150a998f605167fbf15f08a25c165fe333172cd7ae5a081990363234d6967a784381fb0603146e993e90c044bbf42f0ea003ab3b73fee1ee

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
67KB

MD5
70e2f5216ddcc20461d808fd1fbadf09

SHA1
8b8a2822a3f51b51899551076a5619a38c556c5b

SHA256
c794facca2a3c790751ce983aeac20fd6b6900f13f7e390c230f1396a2c5b6f4

SHA512
9ec6758df37ec466b6525ea6815ca82225ea47eaa38df5b1985451b02ce10412b8e24e7aa5bd3b17db8ca620b559c58685ae4fb40b0d96c2c5716c38e4a6153c

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
67KB

MD5
7f7a6aae2eea8047576a39bef393cb44

SHA1
f9aba9569236b51dbbf81a98e7feb988680e5439

SHA256
26b76d2eb75c78f67e005fc9a5efe943916c93910bd142533a018f41f3ab16c8

SHA512
ef4d6145bf843297e8f1eb04ae73a2da290e13a4e698e782002e1727644634b52fb2a136fecf1884219556a078e56cbb8a9943e6dad34791811003042ca4a737

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
67KB

MD5
8be907dc15f7d1e50b1a5f09812a208c

SHA1
53d526ac63f70353e828e5a322be7037f3eb8321

SHA256
c8cd46f20a21718507f04fc00cb4c2261a197cbba57ac45bc9e4b3197a9ab471

SHA512
666fb69a222b6030603c55ed26e0d1add2ba334363c0bb59f13e039797d2553653ff5c4e4a63a0d7805d3371d93c47628fbe70a39792d05b4c8506089ddcf522

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
67KB

MD5
9b5bf6af5096ef87597502126659c9ba

SHA1
392f84d4fe60fd3f5a55c81e7dbd4fe6bdedebae

SHA256
93efab13544b7647622bf478b634ea494717c1621505b9ff1c169bed3b7e9be0

SHA512
d17d3e0e96bee8092d593c21a22fb3ff2112cbebb9f41c835ecbaa83a41f39694071e466709090979710e5288acbf029d1f7ce40bd09958cb537543d3651702f

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
67KB

MD5
80d38f64183bd5985894e2abfc4e0aa8

SHA1
d12ed590d63c47c3764428fe4b4b12563ca8b439

SHA256
fcc4f6e79e3c9d102a54a4d83c9abc97d801db7a913218855204d3190dab52c0

SHA512
dae90bcae92671691c021a7321f05a99ae721b24cba351da811207b5ab4e95c10f947b7734d1503cabd50590a2391dc163c86e91ff06412edb8abd4b9f4debbc

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
67KB

MD5
600ce584e8d7aceadf645c0f7aa77c19

SHA1
f9eb131b783de330abf28b898466c524afff922a

SHA256
abf242c4db9e7f06862b688a4e67db13a0c1d38c50c815472dd335c206b2c31a

SHA512
2bef1094d1f183256def87a2057f5c75029680723ef90fcc9af43f61e17f4aaf100192c3302f3e8cec99ec3869b15630c02ee05401094a1ec16b7846b20521c0

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
67KB

MD5
52ab2b6ce40d2510542a82a890788449

SHA1
d3c54516263f0ffe9bcb18026ae9d30158eac35a

SHA256
fa299c9d0a0f286650185a1f9ad99415b2411944f81eafb5ce1eb3c8a5020f73

SHA512
4fe2184b1643b764e77ca2bc3b0b2ea41816a850b7dbeafd10aeea3c104be528f6a6d410dcaa251302804098c441823995ee4b7ab285437f3f44fd133ccb8dc8

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
67KB

MD5
27c6949ed3ebdc1d42980daf53882ebd

SHA1
3594d2ff9946ef1a533fd2a73b204ce92a1e72af

SHA256
f7fa87e52027a43aa1494eaa9aa496106f5f7a2bb0a7065776d35e489b50d75e

SHA512
a568d7fa2fdbbb9924e9ff4c4120837f7d96a12d1a620135bae3c640a597c3192080268c33098c69c8ba73fb922adeceeaa9c98ab6fa54c81c29e4c5cebaff6e

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
67KB

MD5
3c58b355a87facde9db9959c0d82a1ee

SHA1
91e9192d884f9735bf96ec0d4be5833b6b3a9478

SHA256
105263ad1a75c55029e083de2707483af1accdf5e144dff4b9ab6ba071e9ad49

SHA512
67c554ea81e9ec6562c8ccf6104b46cb6c876488cc978849e3c8b01c8b0ed0a6e220860d48caf15798653b47598cb9fb72993b88199d1dd92b5491fe42605def

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
67KB

MD5
681a7cb04263078c6788ee236d178d4c

SHA1
5b6818272eb1b46b9faf98f3f71e97c4deb9cdd0

SHA256
10c8ca3a8e4ce0d66e45d877b4ceb4feaf692b12095e41dc6ebdca263f37a695

SHA512
00021afc07d1df46c3b122d19a1fb06da1a3a68ec3acc0b4cc7f2e29a6bbc1f95610612b47ff9f8e7d15dc35ca2fa9890e396b6eddc4247576b226a040d76b05

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
67KB

MD5
41ba20480484434993be9436ef62c08d

SHA1
8ccd57a55ba0d077be0f3abe088204a3cf47f0c3

SHA256
5cef220c3833411567c178711f221117d2bfb2a2f2eeea534a6139f508ff92c1

SHA512
f2638d55cd299701c60cd7233e5e6b1a062d8b930588b5796b0d0d0b54570e680abdf6501f9ff8c98cf76b459380f1bdcb8156eefc6c138d688f4c77f7edc46f

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
67KB

MD5
4a91716d75b7735e24c98d142a882630

SHA1
01e7e9957977c082d7855efe69088c01ee140102

SHA256
6701beeb03b5ed53b5dff6b58593498c0add4e4da3ad15b5c2887ccd2ec32fb5

SHA512
11ac6f65bd1055f18dd4cf6383505f26bc9c32ffb880c42f54d1be87c883f0f216af6842dd0c1344902543ac60c62e09dd0c20ddbab5105c7bdf2913d0b444e9

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
67KB

MD5
532947ff0445e90be6470c0148055d31

SHA1
82916caa66691b4c10cf229667ef62d6031f1be2

SHA256
a7345739196c5edef76145edc95fce849d1e3220ed13bb72b490a96bbc533d92

SHA512
011813f0008638357aa62205cb11b2d1374534d1e197e90b5bfdfd046411048fb2850540f92438521192711dc57861938208589c05cc06033f6afe4f0301426a

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
67KB

MD5
22d1cf9172bc6dbb1b0c7b26c72269a3

SHA1
05407a3a9f61c75d89e96c45f957d0f3aab7be89

SHA256
ae4f65e133d9aa0f2c2ac0241db6b67d34eaa3dd844445a248723e2d70b40ace

SHA512
f4ac533294654340daf5e153184fa8b1a3e3360a31e83dd3907ce14f53cb1339721ea8776c3366e00d811a0f64f9cc89d964dd4b58998a7c0df573cb672effad

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
67KB

MD5
cafe28507e425418cdabac694fc2169a

SHA1
38d28c475e9885c2cbced7dfff0cd6aaf9ca3b53

SHA256
8f2a11327f468e3eb171588f340883fe03f0b1b64d10731e6ee13f82723e5a91

SHA512
3a3a31084921e3c756ed68557b8ccb5f7c2044c54d8418b0e30664ae9d6689be53e6b786dc68984d232d504af8af3e5f93d3b7dea393cb1ebb074165008c8fc4

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
67KB

MD5
7851f51f6f2599c84eea22349bd8a5c0

SHA1
023041aa2492ee2e6f8be9bcfd748fc5343a218e

SHA256
83c5baca5cf3d2953913b0d802b8e9cddad764700bd0fddb71dc3abc2f54e85b

SHA512
49711ba75008e5fa822875ebfaf0a4f65197ab9353966913ff6e621dc61542fd17d81d8753ab23ff744c873f3607378d2e4f1239d3a37e7163d2f8ca9d54fca2

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
67KB

MD5
a1fe82bac2de9a43028427269cd036a1

SHA1
4cb1ff6f74fd5858e34064951315d54bbf9b6790

SHA256
2b661f8f4d9a368ef36b04cdc691c364e7fe3e0fab8d6776c91aff68837ad4c4

SHA512
53e4b13b81521cc93ef71f4fe04b6d90cc0fc67b80999725beb669a1b95a403507a03fa0e06822104ab0dd9c340faaa11e36ce6b61799e103d95332fec26559c

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
67KB

MD5
ef1c574c01b5ae57552780b4f2591acc

SHA1
e2081b9afa6ad843634052d762e2ec4f5423ff3e

SHA256
69cfb4a5777e1b1963e3ed7c753018a67aadc71837feed4b437b3f9a08f8243e

SHA512
050e48b8935806d048729af721088613fd785240012bceb13ff18e65133733b55018f2531f5acdfe0304d6d56ea619f9b0b81147f40d439864d050305482fae9

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
67KB

MD5
1cdc53a7458fc85d360425a4a653a730

SHA1
4f54aef5ab1a609588c5df3d9674e97888f34941

SHA256
fcbaec96a04327eabd18816e92ebbe9e28c66b408a2c52853f64f21aa9e32239

SHA512
0eb8fbfa62e1a703f6b89161e5601a851b58c570d2dab06e116d568574fd45d23491a0876413103f71548fe1aa005d44b37c1cf7689832aad7f4089296a47373

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
67KB

MD5
15e12128e9c583df4dcd8ce659fde400

SHA1
363ede6df252caf3aaba6890bf8cca3b6208db1d

SHA256
7399ea5a28210cc3027f4cdf8b0b1e8fb7d5c337315b934d52bf629510aa5027

SHA512
60510d932bd9d42d243f37b9bf2820a45486206578e1e5157216d5d888503ca718dab9f338999573ae147d71b1667204cc8313bd57e070803972e3f610e2a84c

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
67KB

MD5
c6a7fab0932ce1f6110cb6b797cdff02

SHA1
de7658c2b4d75ca66cf0c921030046da5bdb44d5

SHA256
56befff9bc30e28bf426c04472b47516bda15967b16266e06974c301f0cba3b2

SHA512
43df974853254efb98478b9ca3cbb3555639142527e5c348e4d7be94abe3f04dd9b967ae0bee4b296bf39959472410f6cd13ea663de20a2520854b9fab1ad187

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
67KB

MD5
bac8b779df3aa422f1d3324284bec079

SHA1
d8b2f9982c70ff0dd1d8cd20bc409286b880e0c2

SHA256
dadb5c8f26702def0824bfce7ea8c1bb63be0d266faac0593bcd8042348140e3

SHA512
387cd09a20f355fdda5f2ae9939a6738f4746978d7e53fe17f959875cfb4fcb455e614c642e07ca118369457ec44aa85db148168f1393e26ec487f61200df597

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
67KB

MD5
5df22ed2253e43221f5e0223da9ecd04

SHA1
0ccb253d4aadc9d71a3454ec850a38ad3d358d00

SHA256
cf1d7a0b8e9fb1c74ce5fe348a7bf11c0849e51193f2f55fba2cea6efdd4e353

SHA512
f047002e1c8e18fb358290b3fd2b34ec9b35bfcd97a6448c402a833aa28006be03d453e3d657d3cc8781f6022c703cd3a4e869d5937429612e6221be71561f3e

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
67KB

MD5
ff57a8dadaff4e5d471302ad73ec4b03

SHA1
bf23b5633fa07181069fb9517a736208431660b7

SHA256
10b7515ff6b9425ce719e01d8baf55aa88f985e52548cbfac1dbd292b0281e3d

SHA512
e769a24a6ce21036ed15f18b6649614b5b64a36ea50715d8317cb25f7f355b01ea1ddfdc8f8ad639171a9cce05824c02c87fbbf37b24d45ff2a9b519166593d6

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
67KB

MD5
f08c360f104a2c6053a9d7f13981a5ea

SHA1
16b0681b2aa7c4eafa83ba835ca8f02b58636bf5

SHA256
f98170a3f5791d38959e63b827f72cfd3c98d7d9d766b6aba54f7082f0622dcf

SHA512
2c91ac0d58948bf2cc20df2574978a92f30831d7e39144431b0bff26d2cffb6ea8f3ac3f27d5b076df39d0e9cdfe24a7953a7ad66dec32189bb4e04424c96e9c

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
67KB

MD5
da40469a8ffd612b9ab678f86bfb2015

SHA1
0577355cd05df929fc74075fe4fc279dfe6540d6

SHA256
3f3adb318f2a06614bb9ff8b2b95837581cc1bb3f0437540a63028fc9beb0b96

SHA512
6765d7d4612068906d67759c513f5b92595b9c5091740d076dc330e94d58e4e2781afea85b471b81829cedc43e666eb3563b09b3776fb8793d0d8970669e6334

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
67KB

MD5
4314026181b53da53614a7da8799750d

SHA1
096d0e12b804aeb26e862fbbed66829a754885d0

SHA256
3448a9a686801986d02b9a8ff9b31126ffad9d6bd6341c21a3c72eee50e8952a

SHA512
c799ad266cf75125359a6587228d0f7aba6956686860c801d4eb21b3e991020c91be09981a879fc2ac9a4ec412716fa18d1f4a06c91a66dbcf230135646d81f4

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
67KB

MD5
0614b179f5bec9098622726ba30d699b

SHA1
ea1b2a1b681622e2cc55100062a19d2cd67ad1d5

SHA256
5e88d321b3a1086cb9eba878ff7792c7f8f15f68ce0c7518bdb941b244869db3

SHA512
f89fd49f53f2cfd926a63edab6b0769a8e219d3ca3a8c38b9118822ed953f3a9f59a66f1ec5ba692d707d12b89329b2de5781dae81e006bf5f8ee932c354359f

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
67KB

MD5
9215a2402a6df470d58601f6ec2efe23

SHA1
588556a41f1deb61c7901d606810aa987fc7c048

SHA256
cf6afa80c9e3b4a3d15cf50e985d8bbd0df2dfa58da5d878fed7082468e5a586

SHA512
6b72ea6e9903c0a3e22b204c98459d4ab764e89d2e1328ec545919cc15d0a87ff2c4e63b134deb4f0fb668f2be4284657fbc2b778febd920e513b466e8e2f719

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
67KB

MD5
336e5f084cc10f20240196f0631b094f

SHA1
aef4e82567bccdfe11c71fba3ef4f9f86d8fd89b

SHA256
9bd1270e505e3b76f94feb22581448b883f209432e38099859ba6cf0d7b06bf3

SHA512
1837aa852aeaf20d71cf32f6f2a9ec4ad0b4a268a2f4aa9e548a717659b094942796f2d8a2edc6c8e8e626992cc661fc66f24884608bf4b2d5348e3736662867

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
67KB

MD5
987f6d71ca6b0f62540d23b2c31adcc1

SHA1
2c04f5c83fcaa5f92162cc39f4a287183588c077

SHA256
e5e78d86f2ca7b25b41ae2bca43f32ff89bf880acad0d421893dfc826b93bd66

SHA512
00b5096e8fe0dad63555d5d57e60bb5d2a5e904ea6fac1599a41d0a93dd1e5ec6ef3b3dd7f7f286ab297fd1c85491a65f8735e017ddf013264f2342b990f4abc

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
67KB

MD5
7d2084d1732f16c865d9ba11ded13ca3

SHA1
d963eb34c3d3db4c8a1b7e906a39b55a7f3ae097

SHA256
8c81bf0f1167bb2031bb2a8c066234d5ff6ecb403e92c3ea33fe0daf57fb7195

SHA512
8d217bc4bf1f82e97ab18c820dff9270cc3a0a060cac65ded8f1544ac1eb0c2485956d5cc421659de25a4b252e420e6eac2af2933d796ddacc6d9e3df2f7cd98

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
67KB

MD5
2bc1628b82d46cd6411a5d64248816f0

SHA1
b68eccc446f367d1f57ceea3032d26c769883359

SHA256
59a65fe55c1ec9f5487d77d9a36f679621fc923481c19ddc13f8c4767cc47cad

SHA512
851689fffdd776c696de2217beafdd9652af1dda995042dd658e2b6566ee4f016e526ee3d1437f88ce102408682af8f68fa7c9e9589fb788d31e3b170663e875

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
67KB

MD5
345bf83b58303f8c3a9bdb3ae961c457

SHA1
acf83ae0da4fe93978009a3e37bb00e5e6dcf3b5

SHA256
7f5460b12319bf46ea04d1fae887e7b7652f71a3f05351352b4fce39b5853b1f

SHA512
b71a2e22d238fb41a5483bf668d554e3ce514ecca75a0d45317df67459087281a45d7293ae7bd21f76b9ad36d518bddc0f5135a904927aa19fcb443412c02d48

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
67KB

MD5
75db1088330db3b9c68530366d538612

SHA1
d092dca9767430f882acf1d2e0c06ab1ff4e08ed

SHA256
c6e57d04599b4a116beba3fa250ec1d25cde7f2abc51f2fb629e06bc0763c028

SHA512
da3a1dc86f3fa1f5cac54a4b77cd9d153cc2c5b5d10755b16b502c298086e6bdd100663305e3028d2294bf0729cf28731d07651b9c36d446813710cf04ba2f7c

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
67KB

MD5
e83833965f6b17d4cffbcddfa70357b4

SHA1
cf4e6e339cc09eb37a424d5294f98a36ab0e1481

SHA256
f16c9b5cb9753f69dfbd309ca5286072a9e38830fc6aeff4c81fece303439fed

SHA512
543586faaebff12e1bcc721db25434c1d87440a21d11eb31449c8543394685febdbd76e67b00660a650332e64c37596ece13da78b2e3524502f44ccf8fd5ce23

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
67KB

MD5
e5a5e18890864f213d946ee1eb237530

SHA1
ea3f2a5c213ed54ca3e5b865aabf6308a5bc59b3

SHA256
3f1d2bfd05bc4ebccc6df780f973aef76a4f3ebd6e9f14e653cd365d3d2e64eb

SHA512
ed4a8f8bd97f1ed5c907c90dc487e64c10dd663926df300cdd69d2c57fa75535fd03f31e8ead3e26758a3878b0cf4064e7b38d288487922d29f69799c9331e26

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
67KB

MD5
1ab4865fabb5597efd0d69ff7252335f

SHA1
bee901b7c40e147776433df5c17c459f7caa0644

SHA256
779b64a068b3a4e6b0212dbda22bab73565ca7f9d0fb25cfd29c7adfd25dd3a5

SHA512
d2d856f6cdf8d333516fd366498a2209ae2de7897f7c30412779de14b5f39eb3b771445eff47e062e6d5c904aa367b9cbcc45edfe487dffd9079bfa1c716928f

Download Submit
memory/408-495-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/648-531-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/672-441-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/676-447-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/700-393-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/736-436-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/748-315-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/880-490-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/932-15-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/932-102-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/992-7-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/992-89-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1092-244-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1128-122-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1264-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1264-147-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1432-310-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1464-47-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1464-146-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1468-339-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1548-399-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-241-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1660-94-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1660-263-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1692-278-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1772-292-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1780-483-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1816-321-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1856-272-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1904-477-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1964-242-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1980-411-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1996-291-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1996-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2208-254-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2208-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2256-454-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2276-544-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2380-405-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2388-357-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2464-231-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2516-381-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2760-108-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2848-549-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3000-345-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3028-501-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3080-234-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3092-148-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3212-327-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3440-128-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3440-32-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3536-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3536-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3544-417-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3572-363-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3596-376-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3612-297-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3624-239-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3664-157-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3688-525-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3776-247-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3844-232-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3864-265-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3868-507-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3996-129-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4108-459-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4156-537-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4272-465-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4300-284-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4316-114-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4316-23-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4368-519-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4404-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4404-227-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4412-133-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4412-39-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4484-238-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4512-127-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4540-303-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4572-429-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4716-388-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4764-369-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4776-424-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4824-245-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4824-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4844-351-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4848-240-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4984-255-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5008-243-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5068-513-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5072-333-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5108-471-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5156-555-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5200-561-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5236-567-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5276-573-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads