berbew | 7148b58fdf03fa1516cbb667f05f9a8f429ff952992ed0e8351df6616cd6da4e

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 14:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7148b58fdf03fa1516cbb667f05f9a8f429ff952992ed0e8351df6616cd6da4eN.exe
Size

76KB
MD5

ced5ad0f2ab8f24f6df49b4c837ab9c0
SHA1

5232f098487f3cead97b8611881774bfe69fe8a1
SHA256

7148b58fdf03fa1516cbb667f05f9a8f429ff952992ed0e8351df6616cd6da4e
SHA512

7a3e0f63fdddf813d4e21d311fde06f9ef0261e081caa144d6957d35946d5029c390b556dbdd1b1593f47a6af6af9ac7b140f879278bbbcc09026a3baeb1e73a
SSDEEP

1536:Lqr2pfF8V8I7NvjMroicpyHioQV+/eCeyvCQ:2MFPGRicpyHrk+

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7148b58fdf03fa1516cbb667f05f9a8f429ff952992ed0e8351df6616cd6da4eN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2304	Ndokbi32.exe
1160	Ngmgne32.exe
2968	Nljofl32.exe
760	Ndaggimg.exe
972	Nebdoa32.exe
1020	Nnjlpo32.exe
5040	Nphhmj32.exe
4592	Ncfdie32.exe
4536	Njqmepik.exe
3652	Nloiakho.exe
1780	Ncianepl.exe
2032	Nfgmjqop.exe
4584	Nlaegk32.exe
4944	Nggjdc32.exe
4120	Olcbmj32.exe
1400	Ogifjcdp.exe
3308	Opakbi32.exe
620	Ogkcpbam.exe
2632	Olhlhjpd.exe
1788	Ognpebpj.exe
4708	Onhhamgg.exe
1512	Ocdqjceo.exe
2984	Onjegled.exe
1428	Ogbipa32.exe
1132	Pqknig32.exe
3524	Pfhfan32.exe
3592	Pqmjog32.exe
2196	Pggbkagp.exe
5116	Pnakhkol.exe
4984	Pdkcde32.exe
1988	Pjhlml32.exe
2172	Pdmpje32.exe
1200	Pjjhbl32.exe
2856	Pqdqof32.exe
2868	Pdpmpdbd.exe
2248	Pjmehkqk.exe
4144	Qqfmde32.exe
880	Qgqeappe.exe
1016	Qnjnnj32.exe
3028	Qqijje32.exe
1804	Qgcbgo32.exe
536	Ampkof32.exe
3192	Acjclpcf.exe
4916	Ajckij32.exe
1936	Aqncedbp.exe
2448	Agglboim.exe
3576	Ajfhnjhq.exe
3984	Aeklkchg.exe
3352	Andqdh32.exe
828	Aabmqd32.exe
3412	Afoeiklb.exe
4888	Aminee32.exe
884	Agoabn32.exe
4836	Bfabnjjp.exe
2888	Bnhjohkb.exe
4668	Bagflcje.exe
4364	Bcebhoii.exe
4336	Bganhm32.exe
4040	Bjokdipf.exe
4876	Bnkgeg32.exe
872	Beeoaapl.exe
2640	Bchomn32.exe
3808	Bffkij32.exe
4556	Bnmcjg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bchomn32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Ogkcpbam.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Onhhamgg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5252	5160	WerFault.exe	196

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7148b58fdf03fa1516cbb667f05f9a8f429ff952992ed0e8351df6616cd6da4eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 2304	1140	7148b58fdf03fa1516cbb667f05f9a8f429ff952992ed0e8351df6616cd6da4eN.exe	82
PID 1140 wrote to memory of 2304	1140	7148b58fdf03fa1516cbb667f05f9a8f429ff952992ed0e8351df6616cd6da4eN.exe	82
PID 1140 wrote to memory of 2304	1140	7148b58fdf03fa1516cbb667f05f9a8f429ff952992ed0e8351df6616cd6da4eN.exe	82
PID 2304 wrote to memory of 1160	2304	Ndokbi32.exe	83
PID 2304 wrote to memory of 1160	2304	Ndokbi32.exe	83
PID 2304 wrote to memory of 1160	2304	Ndokbi32.exe	83
PID 1160 wrote to memory of 2968	1160	Ngmgne32.exe	84
PID 1160 wrote to memory of 2968	1160	Ngmgne32.exe	84
PID 1160 wrote to memory of 2968	1160	Ngmgne32.exe	84
PID 2968 wrote to memory of 760	2968	Nljofl32.exe	85
PID 2968 wrote to memory of 760	2968	Nljofl32.exe	85
PID 2968 wrote to memory of 760	2968	Nljofl32.exe	85
PID 760 wrote to memory of 972	760	Ndaggimg.exe	86
PID 760 wrote to memory of 972	760	Ndaggimg.exe	86
PID 760 wrote to memory of 972	760	Ndaggimg.exe	86
PID 972 wrote to memory of 1020	972	Nebdoa32.exe	87
PID 972 wrote to memory of 1020	972	Nebdoa32.exe	87
PID 972 wrote to memory of 1020	972	Nebdoa32.exe	87
PID 1020 wrote to memory of 5040	1020	Nnjlpo32.exe	88
PID 1020 wrote to memory of 5040	1020	Nnjlpo32.exe	88
PID 1020 wrote to memory of 5040	1020	Nnjlpo32.exe	88
PID 5040 wrote to memory of 4592	5040	Nphhmj32.exe	89
PID 5040 wrote to memory of 4592	5040	Nphhmj32.exe	89
PID 5040 wrote to memory of 4592	5040	Nphhmj32.exe	89
PID 4592 wrote to memory of 4536	4592	Ncfdie32.exe	90
PID 4592 wrote to memory of 4536	4592	Ncfdie32.exe	90
PID 4592 wrote to memory of 4536	4592	Ncfdie32.exe	90
PID 4536 wrote to memory of 3652	4536	Njqmepik.exe	91
PID 4536 wrote to memory of 3652	4536	Njqmepik.exe	91
PID 4536 wrote to memory of 3652	4536	Njqmepik.exe	91
PID 3652 wrote to memory of 1780	3652	Nloiakho.exe	92
PID 3652 wrote to memory of 1780	3652	Nloiakho.exe	92
PID 3652 wrote to memory of 1780	3652	Nloiakho.exe	92
PID 1780 wrote to memory of 2032	1780	Ncianepl.exe	93
PID 1780 wrote to memory of 2032	1780	Ncianepl.exe	93
PID 1780 wrote to memory of 2032	1780	Ncianepl.exe	93
PID 2032 wrote to memory of 4584	2032	Nfgmjqop.exe	94
PID 2032 wrote to memory of 4584	2032	Nfgmjqop.exe	94
PID 2032 wrote to memory of 4584	2032	Nfgmjqop.exe	94
PID 4584 wrote to memory of 4944	4584	Nlaegk32.exe	95
PID 4584 wrote to memory of 4944	4584	Nlaegk32.exe	95
PID 4584 wrote to memory of 4944	4584	Nlaegk32.exe	95
PID 4944 wrote to memory of 4120	4944	Nggjdc32.exe	96
PID 4944 wrote to memory of 4120	4944	Nggjdc32.exe	96
PID 4944 wrote to memory of 4120	4944	Nggjdc32.exe	96
PID 4120 wrote to memory of 1400	4120	Olcbmj32.exe	97
PID 4120 wrote to memory of 1400	4120	Olcbmj32.exe	97
PID 4120 wrote to memory of 1400	4120	Olcbmj32.exe	97
PID 1400 wrote to memory of 3308	1400	Ogifjcdp.exe	98
PID 1400 wrote to memory of 3308	1400	Ogifjcdp.exe	98
PID 1400 wrote to memory of 3308	1400	Ogifjcdp.exe	98
PID 3308 wrote to memory of 620	3308	Opakbi32.exe	99
PID 3308 wrote to memory of 620	3308	Opakbi32.exe	99
PID 3308 wrote to memory of 620	3308	Opakbi32.exe	99
PID 620 wrote to memory of 2632	620	Ogkcpbam.exe	100
PID 620 wrote to memory of 2632	620	Ogkcpbam.exe	100
PID 620 wrote to memory of 2632	620	Ogkcpbam.exe	100
PID 2632 wrote to memory of 1788	2632	Olhlhjpd.exe	101
PID 2632 wrote to memory of 1788	2632	Olhlhjpd.exe	101
PID 2632 wrote to memory of 1788	2632	Olhlhjpd.exe	101
PID 1788 wrote to memory of 4708	1788	Ognpebpj.exe	102
PID 1788 wrote to memory of 4708	1788	Ognpebpj.exe	102
PID 1788 wrote to memory of 4708	1788	Ognpebpj.exe	102
PID 4708 wrote to memory of 1512	4708	Onhhamgg.exe	103

C:\Users\Admin\AppData\Local\Temp\7148b58fdf03fa1516cbb667f05f9a8f429ff952992ed0e8351df6616cd6da4eN.exe
"C:\Users\Admin\AppData\Local\Temp\7148b58fdf03fa1516cbb667f05f9a8f429ff952992ed0e8351df6616cd6da4eN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\SysWOW64\Ndokbi32.exe
  C:\Windows\system32\Ndokbi32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\SysWOW64\Ngmgne32.exe
    C:\Windows\system32\Ngmgne32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\SysWOW64\Nljofl32.exe
      C:\Windows\system32\Nljofl32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
      - C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1428
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3524
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        30⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1200
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        37⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4144
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:828
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        56⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        61⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        72⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4804
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:460
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        81⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        82⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4136
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1840
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        92⤵
        
        PID:744
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        97⤵
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        98⤵
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        103⤵
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        114⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5160 -s 396
        117⤵
        Program crash
        
        PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5160 -ip 5160
1⤵
PID:5228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agoabn32.exe

Filesize
76KB

MD5
5c7e022d9fa2c726a748807b2045fb2b

SHA1
8aae029ba43e153c87476111da65e23300efdf75

SHA256
41a6b7e9e57e2adb6a49c2d3edcf35da9e2f5df6bcacaee19eef5b48562d35de

SHA512
acc7ca1a046a24b0a051de1604bc12a462ad4692640ffd1011c3c73461ea476d7eeb7a2dbc06b330435037ac4c0059b1236014fabf8da70242c35ee3ca332fad

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
76KB

MD5
6e31abbe86747a51e495e0d000b66885

SHA1
a10bb60529d1e722a5a0c150519af7e5ac6466a6

SHA256
5fe22ea51d5da8b31615bf4b9861b5742c9fe70692270f2fd91baea59e61382e

SHA512
5a947c893eb0a95248a9a2a3040f5286e88a8564e1c573a8e77306ebc12fa8a18c620459c76b70b81c20be103260732b2cd3ff67f5e4abeada46b139c82ea291

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
76KB

MD5
c9e6022df65fd66b253a829be1ad2ab0

SHA1
f94f9567d0afc2c5e4227a0b11f4e6c8f5849e97

SHA256
081904cc9e3fb5f6b00e2d7e8b8a6620714aa08ca89a62b16bcc923e19d2c6ca

SHA512
7f2e328326bf347e772d3e40a85e2a38b4daade113b5e2d43f51f6fde6a48b24e046b17292490046c495498774eb8861aa74349a8094095769be9193c35a5306

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
76KB

MD5
63039e3c0ed64bdc1d8be4f6cb593e03

SHA1
7929c54a3c19b54b8cf979df8d017c5dff51f1c4

SHA256
2acb2bfe9d9fbba6e16acb8b99f5ba89cdad4f88f9f4988a456bf2a39f85de6e

SHA512
9808ec64ff721729c13423eeb526fca05456e16d8eebb4ab333a109ad1fb5899ccf6a1e3776c2e592cb28e9af16ef7b94de37eea42b508dc37c7e89fdc026145

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
76KB

MD5
a5db07dabedda0ad7b8bd8c65342087b

SHA1
d8a31c46676922a5ead9b3161a6c422e92ea52ee

SHA256
0fa3676663256264b9fc20483b06ad52e107e8a23965042b9bffcaaa87d7638b

SHA512
26a1cf9b46430bae7a0eb0a6a02f31d9ec37f562a36bf59569d75b564d09772e712f8d59d6857c166e20b21ead4179314c0479aabc6acbbccc9e22d426e14f2a

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
76KB

MD5
cb5e6d98ff8cdb67eb5ddebe1495fcbf

SHA1
3288b6e49088002a5d0bc3884f84b63ee155807e

SHA256
9993451bb3b3b2e8092b2808aecfc4d8570fd1958700b16049a3fd0f8e6a7901

SHA512
08a08fdd6a7c199ce97302077b91795910dae9094414a0c4c675d31af67a3205a29a2e1f9459252ea78bf8976e008f04debb9b3f93dde86be1eef1919f43955c

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
76KB

MD5
f59a947d11cf4ff0a53a113d96c514ce

SHA1
11f1c68c6b911ac194620924631c28d26a33a315

SHA256
cb8198ebf2ababc854d06d575b2c9f4f70284191f5fa60bbce5ca6858cd74114

SHA512
5d81504f1aa5d1826b76d56f533cd48b68ba26ec70f1b0386d1027e9a0f3cf16a5e31ae3080b35bcb89c7df312be90455b25f9d2a5715a0337dfd1cb4aa9ef48

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
76KB

MD5
e8f795edbc46752060755f5c4bb66e28

SHA1
4dee979e7ee74fa0c9bd0814527549f38fe98873

SHA256
38a5cab7ff1221f555813b74426c383082083b12c4d14bdb3a346d3596f92a52

SHA512
e4f99e53356f02130230b9c42722b2cf3456accfb5ee8bcc4ac8806dbfd270a74c3045ab554e2f1ec7dfe8f3939d24779be9f968b8b7dc6eeb1c117855a5e423

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
76KB

MD5
f81d678e67d0d8ca2158f4137e5475ca

SHA1
61247dd068980b41af3496676ab754108687746a

SHA256
0fde5f0bd5ecbd92aa37dbf6f96affd8f571778be695f4a98b36f4fc66dfa2d3

SHA512
b5fec93f09c5fd213499d8b78e1cfdaaab21485ab9f12ea7fbd5a2dd82349414387531d3f69237f52849d48e537dc909954be7be17cea616698691bb46899af0

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
76KB

MD5
41b0f212926c94b29c20dcf684e42ee1

SHA1
43e3d5bed4e7a4e8c4ef16e4d536d7e6f708bc5e

SHA256
aafe50ae26491bee1bf0f5ade442a9b44f952cb0918fff8cae2c2e7405c639e6

SHA512
12deee8c9c4e5063a01376737cb4d781a36093c58d0105fba9ed0531ca72a5feb6b2383eb61b9ee2381210412cf54ddefe10bba82c27fb7117e96341cd3b2cee

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
76KB

MD5
92314ebd79ac250c552875a764682880

SHA1
d80434e708cce86e5526b4f1c16e67d60cf133ad

SHA256
1cbb3ae1b35c1616e72bf3a0d1bbffd6fef3aab9711f6e250cd224dff6fc01d6

SHA512
1de5d4cdb0b9b4eccda9536370478e04dcf8444bd15baf9c3e2e46b47a14b634fc7e7891b69dabfcda69dca579fe6c9a33443c97c9ba941f1c20f7716b3a5c52

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
76KB

MD5
14a0ce24af98778ce942166ce3a14dfe

SHA1
09722f7e4f60f2f14d6f417abd4a991fefb08fee

SHA256
f58b09e87f3fce2341007f3d3753cbd463544934e8ebafa6a92601346b4c561a

SHA512
19eee3a94e5fe02b1bdc8b7219049bfbb5ff84d445d21d00bb439d7307121c3df0e6ff17240170cb85fdf72f2ce41a3267ed69d5a1d49f477345f37477eb0ea1

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
76KB

MD5
904bf0e4efb39971669cb663a98373b7

SHA1
8851ace1946a6eadb351e7472a5acba0582294d9

SHA256
bee582bd4bf15e86ea790564d96d71d94b8a898d8df3955091a50c6445d97e33

SHA512
06762c3f38cf6fd3a433cb2d60a2976d7150bbd85fc54ad1e02e373ebc079b13cf13e8c973aaae3986377866823b30e755a4ff7a3138911488d230f417f6bbe0

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
76KB

MD5
b11f712f5bbade4df18329dc2446b87b

SHA1
25501f2d54cf5e90fadf49977cfca01794f69e31

SHA256
d48e7a507688b5bfef94ce9a2e524df292a48e397ecdcb6478a5ed0945a49707

SHA512
8710d57828a00c0e63b42d29995e922b4e0622d654376e9064b11f1497fcadb7cdaf50aebc1889a669e3b76e37e58ccf173a32439d2212ef7e00642035178d43

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
76KB

MD5
83bce2851ab4771606b31354a83a369e

SHA1
55372107eebfcf19f3212cc7d14020f35c47846f

SHA256
7e5c9b5fd2c2f542dc04fc37517245c9fe24b9d574b74a25ba656a243aa0828d

SHA512
dff5f4b8c2c77717902730ab99d75d35ec4108f9c9d85ae809bda812094ab9978a2eec80a8cbb1d2f400a2c99c339c6cd6a7e99a9993702cab46806445242171

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
76KB

MD5
ee1f1c5cbeb04ab0058237fb853746c5

SHA1
292e610aa26c3722d670ff7ceb0ea88f24b13b26

SHA256
fdf154cd152b5188e43a00303cce09dbb3b2e33e4665b23dcf029b01182dbbdc

SHA512
6a9c6e0a248c3c00ca81ea7fa8a59cb97396ffd0b8dd3cf3008b5b8781faa91c7d4aeea2b96069cdd034f74a0570ba5e7be87c6fda722e82f98394e0c34288db

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
76KB

MD5
c538b5925ed06a143902bfc5263384af

SHA1
8216882c5fa3305ad3f289e2c610777be35bf9ed

SHA256
86c1b329f576c88321ba8077c33815867e602e26c3c4569582c1587f31f98c36

SHA512
0e9c069990bde68b709d65dc12bd2745cc3ba96b6dfb9b6cf3d93b9e407a4d209d5ad30cbbcc49a54252366d6d4eb68d8a2fbe82b1d558fa03536d6a4d9c07b8

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
76KB

MD5
735225b04aef97e56294c8742c5fec38

SHA1
48a91d7bc2e40268ad034b5fbff2ab81920a6b04

SHA256
aee26bc8d0d30258cd518fd5ee01ab192f10973584dd0e156cc3fd41566f24d3

SHA512
9d2028e920cf49f5acb6cf415600038fa6672b94afe021e2ac29708917644789f3ec9d1e72ebd6438e113f05c9715d00fb85e88ecc42c6486721cef5c3390805

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
76KB

MD5
d646284269826d0767864410ae1e1c31

SHA1
02a50f229257c52704b425577ef0caf0058b3794

SHA256
cc9f81c11ed225e777b0f05b8c1c492037d6dc5a5c594d4b9e7645942739bea9

SHA512
1aae528f3e359d2b77f599e145067299fb3cc09f43165cf1249d78cfa65706dff5de830a1f0ee5c0e2d1a76631717490f10411f5608fb4819c407bbf5087e5f6

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
76KB

MD5
5745c502aa9d97a311ccd73ac739a286

SHA1
9c0680caa58793a18630fddc5382ea4660a8a5f1

SHA256
ee757a8055e97f0034f5c9420911487c94da50a4b493ed499cdde64d7a11093c

SHA512
66343d4438abb605124472e72b29051263c68021438d781f40cc1c63adc3c3e9cc71a5733699584b5affa33452a1c7e1e1fcfc953633af411e85163602326c1a

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
76KB

MD5
779efc7ccf2459cc046c18808c5bb5a0

SHA1
04c70dafb923198f7b871aee235f2f8f2a680392

SHA256
965b125095e17771f28729748b13f8381a689aba8cd827763553824bb9d9f5c3

SHA512
3a5e9d54641a0d0d758a4ddb5c224ad1a36b7f00523c1316a251ceb781b882030577a7aa0e17db427b192da163cda1c16ed743fd09097295d857ac3f2c1f2436

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
76KB

MD5
f331591d0e6081fc79dcb0bc05e81f81

SHA1
8a49b9ffe7456305124a547662356edd565a2a52

SHA256
5963fd5fab9b8192458e18dbe55455f23229eff8c966a43f6b7743290dde1ef4

SHA512
273c3406bfc192348f28c5824364d1a7112a31f0a811a69970dec2edb66799fd5a33123cd18caf9139f1b1412bd79ea9a0ae7b23a68e46972317c25964bd170a

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
76KB

MD5
14b96c2fac93140fe607bee9e587f17d

SHA1
2b88c43688aef3752ec017264dfb5684bcf2fddf

SHA256
3946e2117e5969d5a3aa72cbb7044e2803e4f58dce2937915595fca8dc52cf14

SHA512
a8a94ed913c7ccafd67ec2f8ea1f824befe9935ba90c99844fcd584c45177601eb66816519b020c5840340ae33979cede6d6af35e6be1009b5ebab87a73a7bbe

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
76KB

MD5
0c850ec2e373a08059715ddb59f448f7

SHA1
381aae44e4c738ca9cbb895860f5045634160917

SHA256
a1fb2898b73589d00e0e6a2b4daf2c77d286a8b469c7037b78560b47807a7dcf

SHA512
2b10c3b1da1257f768506acceb088718e144d710f6e1a62b34e285ce06a76be829a45a2459b9504934c7ac13b5bd9ff940743ad2acb8dc23fb246103a314b2b5

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
76KB

MD5
8b541aa6a71646471fbe36f9d549b2f5

SHA1
94779e41064bd1b1a2dd36c266bcfc929d4a5c04

SHA256
a69b22537fa5934e9e5afc82c542bb2921d9e509a7f638306814cb13c5c1a40f

SHA512
51d743246abb8ee2d6d967907c77cbe70e672d380b2d8e7385953461511a10d7e78b7584e9413f78bb7f3d522c88feffadb43090a6015602c3165d847bb92701

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
76KB

MD5
99f50affc4d994a4f1312bb9e1c2d0b4

SHA1
0e1073c0e546f0a7d273d94c40bec0e7d7bdaace

SHA256
c84b078ebd4fead4ec91158d4a077de2592a1315f0acd8c0ff794f4c8011d898

SHA512
613945c649cda52019f5ed0555c8ab5a93fb0de16940759d2b2133630c836d4690413805f8078e167040dccaaa925c3bb6968d3c75816eb0ac99a79cbbba39cc

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
76KB

MD5
6d94522850c767827766d2e468f0cad8

SHA1
3efb48d8227c06930aa448666e9b50ea9880ece3

SHA256
7975f55dcb0f67b254e8abfb1d5592252794a24967d9b6aac08237341307063a

SHA512
1e99096c5009325a6f721b4e6f6d89ea1064610fc62d4d772804958b765c61982da995c88aaaa1e68ba2e04fdfaac532b45e08d63207c605bc7221189f541227

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
76KB

MD5
378caf4d19144b2294d0f119049dfe8b

SHA1
be6ed97e4ba0f0cf2910836f525a0e1743048bac

SHA256
7a896503e9899960b8a085b813083b137cafd89a890c4c574f378f3e10e31692

SHA512
edeef991d609557fa27b00c6a91e32acd5b1355fb23ad583a9ed912cdaec29cea6b527445812b023025ff585c74574ac5fde597a4cf71d95dba86499da2ccd64

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
76KB

MD5
bc2f6b0f79822a1594016c7b2e6846ec

SHA1
96ba28fe443d54077fc8e8557b8ed9e26cbec114

SHA256
fb7fe394ef72a8338ab8b9d5101ba5f7f85f327d10dfac74c8a904a3df5af36d

SHA512
1578945b577532f052473c7870194c78c93464aac3d36ef7d1919823361f3c033ba5b103965981abf09476ac97790393323540dc3e47bca998384feea1743b4a

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
76KB

MD5
c036bbaabd5bd34464691d547d6c191c

SHA1
016d3fd7b267f404e1d58bab8509939dce065404

SHA256
a1d48d4084adef4504d475888fe14e70b9039e313625f793feb0e6eb4d610d44

SHA512
67fc3d8895d939cf3adb434612e6fa088e8b5c4923b219c0382c1d03e72fc3cd37467e71549036bbfc1ffbb00c44a4decc588c99caadc12c0078595f99023538

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
76KB

MD5
c18846b4bb8013f57dbfffac120fa743

SHA1
b0d6d4eb0e52c4d4d90cdf2d7b14f2adb8844c2b

SHA256
272f103a539726539d12e697758d6f72c83cd3ebe4c24f1fd9563f7fdf2514aa

SHA512
e7554f4ad36f68dd7617e3c448e82d13c0f0bdbdf9b93d9ebae5ed5126c189c25550f3c6cba6d267a71019fe719c278267061b58a464a13862b192c7fd529d8e

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
76KB

MD5
614141ff0f77289c87d27ea1eee74351

SHA1
f51c292a6b370767b1a3d7ac67a007876a6bfb81

SHA256
880f6215b9b67d72fdab8e75ff853afc927b8ebec0db8c77d6329e770d11dc53

SHA512
98563598849eff151ae2be240c177ecf321a9765ba31c1fa79bc5d2eb19e906afae84eef2e1e6d113716cd8bb9428ca31b6c2d96990e3ac2fb1c674e471637e2

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
76KB

MD5
2becdd920152a076bacba0689bb533c5

SHA1
e43d7f007c9960ba47fc5f909ad39100f85f12be

SHA256
b8d710363187fd5beb3731b27d2d739223cc44d8e04f093d10fc30f9018d1c0f

SHA512
29513cf46a3eeb6fa9f33d1c1feed986e0d966e6dc65ae6f5973196f2fd4ca6a4aff2e5fb48aea48c9729352b32d8da727c462862d849d06e7b8d2fe3fa2b9e5

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
76KB

MD5
7717123aebb5aee13cf861e5e755152f

SHA1
84de19f13f26efae22ac2c62924da962a55b64dc

SHA256
7b84cb5853ff86e011e8fd560cb3bc0aabebd3a79926927332b04ae77420eb39

SHA512
47cd656c1258eea58988c78d8939fe35937d5a16b69e11c728a7e989f47eb0fb2a28db2be29cc6317be2131f6e9ca4ccc39bef1526e2457e23fec7a45bb8df41

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
76KB

MD5
cd47d023453690d8da4bd596eb9a4270

SHA1
ff0645fcdc9e6e9480e14789d7276e25111d380c

SHA256
20285671c20ab63769c51a6e861c894b9587cf6ce620e307bfd84ac41cd43165

SHA512
83a018b28f19e8a1edf5e0353c7edb38d1cd593aa1e16e75fb186f939793b27adedda4b8af099005e2f5ccf5372f566b5da8392ac50eea4450d9bb6a473a72c8

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
76KB

MD5
bcafab681e5a00ff0628b6459256bbf5

SHA1
b0e49ff0fb3ca02f6e39acb2773b77b8b64fbde6

SHA256
b34823d27ae093f2af7265c7aa36895be876bfa4db492a9c21ccbeec2e8c0932

SHA512
94076b26ef70e093db0ba632b87e83fc24b33ff87915b79500c9138618cd20e11d0069464e8986c2b44b95591c703e72c873d08d233a27cc47a3ae0fa0b0e44d

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
76KB

MD5
128413e49f3d05acb78d3f5c47ebf19e

SHA1
e8b912b7af78d6e27b016f7e77e39a67414869a4

SHA256
6eedcde3bc3b58e6cef36c3dba91e495372fdec1e2f363a359cf9b9fb7b90273

SHA512
e15288bbd37f7c7c943716d8b7bc7a5494801d4f5e69f5d64608461f08c56630ac2ef0fefcbf2ae0b2dfdfb82826788ede6dbb17e0fdb26fa5962f7deb94428d

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
76KB

MD5
99092d26fcbd274821249f7550ea023a

SHA1
a3deb79b1fc840eaf2458f1e00b2bb95ed0f82e1

SHA256
72034c5362355ec174e5fbca7d2f70b24bb71b7f97d0dfd65d271a49f950b100

SHA512
c8422b629d2cbf65f4e9fbbf4426bb32a06fc740579ca405669ba67761a40b5fad07876228ff7835d8ba24842ea73d5b4b059866ccbc98f4cbb35b04f45396bd

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
76KB

MD5
96ba15cd6a62aa64da30bdf04be854bd

SHA1
d00f8282812f39247838da033d346186ca6643f9

SHA256
a380e483d2e50eaaa220bffc45bc545c9548359e628beeed345c12d1c18f9b4d

SHA512
717f5ade32da08cd7ed79cf2727db0d7119b40330953e62b62640107114a9ef336c1681becbeea151fb2689ffe9ae67aa8375cc9e27ad5540298de95f9868c66

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
76KB

MD5
0605c7ea79e9d0f004103db95f5eebfe

SHA1
3c53bfeb8a2528b73acd7a2a548d2d997e79f7ec

SHA256
65f19e30dbba81d8c5c3ab0a31564ab9f458031cfda8891ef512a796318853f6

SHA512
3607e15b06a4263121bc51aab71466a2bcecb45659bfc48afff511086fd6960279df2a8a2448e0f59561bcf64b9ad58bfcb4796cc8f5b785d2b29c5db7c2eb7f

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
76KB

MD5
071dfd92572ca0416d6d630657f96c8e

SHA1
b4f7e4fab96f1791ad6d3c269626b80fb9c015ae

SHA256
11895e44885ff968ffeb9c30ee3308e15791c231d401b40028a32f70ee175772

SHA512
7a5d27923e1abc428c406d48320214aa48870f89abb06487475ff1d8519d6a3741e15ce2c4fec9461def726e265e6b29dcae88a7dd15c0e2191430c43e41031e

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
76KB

MD5
e03a43342dd068fabe0d46e723290ff5

SHA1
b37691790a8e8b7c36507932c864f34e36578866

SHA256
124e99d21a61296431928db07c2c42b0dd6fea0fb3b88e3a2a7a7ceb0c3a348e

SHA512
32e8e774a496e87de7b9324720f4e767fbf804fab7a07d5dc97ce0e5b63da573787e85f76251b70ed0258b643ddd6187a7f9a1a3ab49772a17bf8ee4e55e0d82

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
76KB

MD5
cab2c449ef3555f43e05ed76acba4a52

SHA1
54a6b2d93aeab815e019e71441f0a17366812c20

SHA256
7b9653157593b92bf74b5d794ba1cbb40950f6c4a386b22a9e76add3f493c835

SHA512
f2d4564c971e7b1eb0ebd21aa4fcb124c9bffd65e0ee514131bbd5f7fc36ecd297f2e1a755807fe160626e2e2be77c353ea507a723282d18a6e6e1042c9da6da

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
76KB

MD5
23427ab8bf0e8d25637d9091b449a87c

SHA1
0a7dbadfa00f21adcda1b972d3bc57a6df3b0834

SHA256
51ab83243c8daab186903e33cc965d9b6bdaa6e7a92261b44844c4022089a140

SHA512
46d4565c96c48df5b04fe1865424cb3d8332f3d850641fab1f68bbdcd4fce16992673c0631016b0ce06e1d02346a414f1f7d58afe50d6a018f95ba33eac6558e

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
76KB

MD5
82255d09134fd3648e2094d82ab79171

SHA1
177bf17d973a0616a33032b8cef8a9263ee09ea4

SHA256
ac82d914bcaf4797b7b73fdd41d2284e2903472deb7eb49df5f1f60c45134932

SHA512
1c659c6e2753f86f696951f7065eafb405a3acfd43af76b474fc69f9191ffc71098b26b7f710c6430316b9b47017b301a1355d243eb63e86c166e8f883f76ee2

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
76KB

MD5
b98d40cc9724e17ce58eac65c40f3f58

SHA1
16a618a73fbeea5aa81a996074985768338ae596

SHA256
bbe856e9286b5a27bd38c9626b1b24e0ce170a959f78a2c7fc2295ba69e63d6c

SHA512
4a62ad863d9428585d8fd865fa70f68908bfc9573ab821516a52f5603935b2585eed8b67659e4bea6bc3935014551da1189eb91647473958eb791ef85c23be5c

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
76KB

MD5
8d4f5b711f65f296b4637a98b7ccc0f7

SHA1
561313098b6b8316abe28bde8af05c545de39df9

SHA256
d92bb3b29c24d261d4a9fa55910832c5efb2aea7a180858e2a9b56e7cecbf296

SHA512
b261da9e37897b4b190eeeea457391d46da5814cb2a4a72b091933949c1c0a26d9072d8387642fa8ace8a8df2b3d51ff3f7434827dd15b6c4b1c0f47a2b375a5

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
76KB

MD5
ca1685c8dd8d67052d7f5753eef22804

SHA1
6e2d19de6b2f4a4e6abd3854887140acffa0ae54

SHA256
441f773bf3ccb460d8e1eeb6726d6d1fc112bcc6058b7c4e4a428b072c71b572

SHA512
7cf567387cc838d005d04c3bfb908ecf46e40226f750fbfb1191f3c3b4994874e040190596f3c57ae94727e3acf49ceffda2cf003b3b108a35a1825ee649a967

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
76KB

MD5
52937bd13994aae211df6f9390f51de8

SHA1
3f410b9e58a76234a96806513bba4e237fb441d3

SHA256
86f661ba2fc5156273958dcf50fd3c2ba4ab319b409e74b290a864b6393ac9d4

SHA512
f05b4f15afef069735c42c700e93a679e1f68df4806e5821f29ef3e2e44719095203d1e4aa4acec3d9a086d81636d18910e4dc3d036e452d6510d21638684ace

Download Submit
memory/536-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/536-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/620-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/620-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/760-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/760-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/828-405-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/880-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/880-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/972-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/972-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1016-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1016-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1020-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1020-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1132-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1132-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1140-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1140-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1140-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1160-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1160-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1200-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1200-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1400-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1400-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1428-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1428-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1780-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1780-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1788-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1788-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1804-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1804-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1936-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2032-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2032-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2196-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2196-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2304-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2448-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2632-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2632-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2856-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2856-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3028-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3028-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3192-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3308-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3308-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3352-398-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3412-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3524-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3524-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3592-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3592-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3652-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3652-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3984-391-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4144-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4144-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4592-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4592-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4708-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4708-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4888-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4916-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4984-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4984-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5116-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5116-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads