berbew | 4b791ab7dc317cfb630d7894c7b23293a250dc4c8cf330eb4b6c71336f569e52

Analysis

max time kernel
104s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2024, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b791ab7dc317cfb630d7894c7b23293a250dc4c8cf330eb4b6c71336f569e52N.exe
Size

96KB
MD5

4bb3572cf0afbea49ab0b067833e5670
SHA1

fe1b00db01ffcfe8696f132de27f7d2befe69ad2
SHA256

4b791ab7dc317cfb630d7894c7b23293a250dc4c8cf330eb4b6c71336f569e52
SHA512

109cbd560e4cc3f3ebcf3019467b2b24d5c05cbfb701ebc10718833ba78495b58600b45c0963b7bc9cf511170027de471d9c9f1ec1ff2b51288e8e8bb3dbd40a
SSDEEP

1536:G1yXsapl3/nIEdU5xfhEa+7ivbX2LAB7RZObZUUWaegPYA:gyXsel3fIEdU5h3+7ivb8mClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4b791ab7dc317cfb630d7894c7b23293a250dc4c8cf330eb4b6c71336f569e52N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4612	Ndokbi32.exe
4992	Ngmgne32.exe
2872	Nilcjp32.exe
4832	Npfkgjdn.exe
4388	Ngpccdlj.exe
4796	Nnjlpo32.exe
3032	Nphhmj32.exe
1592	Ncfdie32.exe
2412	Njqmepik.exe
2044	Nloiakho.exe
4872	Ncianepl.exe
4104	Nfgmjqop.exe
3128	Nlaegk32.exe
2944	Ndhmhh32.exe
1364	Nggjdc32.exe
4080	Olcbmj32.exe
888	Ocnjidkf.exe
1656	Ojgbfocc.exe
3476	Olfobjbg.exe
2536	Ocpgod32.exe
2472	Ojjolnaq.exe
4668	Olhlhjpd.exe
1864	Opdghh32.exe
1196	Ognpebpj.exe
1584	Olkhmi32.exe
624	Odapnf32.exe
4448	Ofcmfodb.exe
4224	Onjegled.exe
4532	Ocgmpccl.exe
2424	Ojaelm32.exe
1576	Pmoahijl.exe
4912	Pdfjifjo.exe
1652	Pfhfan32.exe
3184	Pnonbk32.exe
3624	Pmannhhj.exe
3256	Pdifoehl.exe
3228	Pclgkb32.exe
548	Pfjcgn32.exe
2768	Pnakhkol.exe
3096	Pdkcde32.exe
1568	Pcncpbmd.exe
5056	Pjhlml32.exe
2264	Pncgmkmj.exe
4120	Pqbdjfln.exe
2096	Pcppfaka.exe
1928	Pfolbmje.exe
556	Pnfdcjkg.exe
4864	Pmidog32.exe
4312	Pcbmka32.exe
3160	Pfaigm32.exe
3188	Qnhahj32.exe
788	Qqfmde32.exe
2920	Qceiaa32.exe
4152	Qfcfml32.exe
4792	Qnjnnj32.exe
3876	Qqijje32.exe
2848	Qgcbgo32.exe
3488	Ajanck32.exe
732	Ampkof32.exe
2132	Adgbpc32.exe
2556	Ageolo32.exe
2380	Anogiicl.exe
348	Aqncedbp.exe
3504	Aeiofcji.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Ncianepl.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Nilcjp32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	4b791ab7dc317cfb630d7894c7b23293a250dc4c8cf330eb4b6c71336f569e52N.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Cfmajipb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6572	6484	WerFault.exe	228

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 4612	3984	4b791ab7dc317cfb630d7894c7b23293a250dc4c8cf330eb4b6c71336f569e52N.exe	84
PID 3984 wrote to memory of 4612	3984	4b791ab7dc317cfb630d7894c7b23293a250dc4c8cf330eb4b6c71336f569e52N.exe	84
PID 3984 wrote to memory of 4612	3984	4b791ab7dc317cfb630d7894c7b23293a250dc4c8cf330eb4b6c71336f569e52N.exe	84
PID 4612 wrote to memory of 4992	4612	Ndokbi32.exe	85
PID 4612 wrote to memory of 4992	4612	Ndokbi32.exe	85
PID 4612 wrote to memory of 4992	4612	Ndokbi32.exe	85
PID 4992 wrote to memory of 2872	4992	Ngmgne32.exe	86
PID 4992 wrote to memory of 2872	4992	Ngmgne32.exe	86
PID 4992 wrote to memory of 2872	4992	Ngmgne32.exe	86
PID 2872 wrote to memory of 4832	2872	Nilcjp32.exe	87
PID 2872 wrote to memory of 4832	2872	Nilcjp32.exe	87
PID 2872 wrote to memory of 4832	2872	Nilcjp32.exe	87
PID 4832 wrote to memory of 4388	4832	Npfkgjdn.exe	88
PID 4832 wrote to memory of 4388	4832	Npfkgjdn.exe	88
PID 4832 wrote to memory of 4388	4832	Npfkgjdn.exe	88
PID 4388 wrote to memory of 4796	4388	Ngpccdlj.exe	89
PID 4388 wrote to memory of 4796	4388	Ngpccdlj.exe	89
PID 4388 wrote to memory of 4796	4388	Ngpccdlj.exe	89
PID 4796 wrote to memory of 3032	4796	Nnjlpo32.exe	90
PID 4796 wrote to memory of 3032	4796	Nnjlpo32.exe	90
PID 4796 wrote to memory of 3032	4796	Nnjlpo32.exe	90
PID 3032 wrote to memory of 1592	3032	Nphhmj32.exe	91
PID 3032 wrote to memory of 1592	3032	Nphhmj32.exe	91
PID 3032 wrote to memory of 1592	3032	Nphhmj32.exe	91
PID 1592 wrote to memory of 2412	1592	Ncfdie32.exe	92
PID 1592 wrote to memory of 2412	1592	Ncfdie32.exe	92
PID 1592 wrote to memory of 2412	1592	Ncfdie32.exe	92
PID 2412 wrote to memory of 2044	2412	Njqmepik.exe	93
PID 2412 wrote to memory of 2044	2412	Njqmepik.exe	93
PID 2412 wrote to memory of 2044	2412	Njqmepik.exe	93
PID 2044 wrote to memory of 4872	2044	Nloiakho.exe	95
PID 2044 wrote to memory of 4872	2044	Nloiakho.exe	95
PID 2044 wrote to memory of 4872	2044	Nloiakho.exe	95
PID 4872 wrote to memory of 4104	4872	Ncianepl.exe	96
PID 4872 wrote to memory of 4104	4872	Ncianepl.exe	96
PID 4872 wrote to memory of 4104	4872	Ncianepl.exe	96
PID 4104 wrote to memory of 3128	4104	Nfgmjqop.exe	97
PID 4104 wrote to memory of 3128	4104	Nfgmjqop.exe	97
PID 4104 wrote to memory of 3128	4104	Nfgmjqop.exe	97
PID 3128 wrote to memory of 2944	3128	Nlaegk32.exe	98
PID 3128 wrote to memory of 2944	3128	Nlaegk32.exe	98
PID 3128 wrote to memory of 2944	3128	Nlaegk32.exe	98
PID 2944 wrote to memory of 1364	2944	Ndhmhh32.exe	99
PID 2944 wrote to memory of 1364	2944	Ndhmhh32.exe	99
PID 2944 wrote to memory of 1364	2944	Ndhmhh32.exe	99
PID 1364 wrote to memory of 4080	1364	Nggjdc32.exe	101
PID 1364 wrote to memory of 4080	1364	Nggjdc32.exe	101
PID 1364 wrote to memory of 4080	1364	Nggjdc32.exe	101
PID 4080 wrote to memory of 888	4080	Olcbmj32.exe	102
PID 4080 wrote to memory of 888	4080	Olcbmj32.exe	102
PID 4080 wrote to memory of 888	4080	Olcbmj32.exe	102
PID 888 wrote to memory of 1656	888	Ocnjidkf.exe	103
PID 888 wrote to memory of 1656	888	Ocnjidkf.exe	103
PID 888 wrote to memory of 1656	888	Ocnjidkf.exe	103
PID 1656 wrote to memory of 3476	1656	Ojgbfocc.exe	104
PID 1656 wrote to memory of 3476	1656	Ojgbfocc.exe	104
PID 1656 wrote to memory of 3476	1656	Ojgbfocc.exe	104
PID 3476 wrote to memory of 2536	3476	Olfobjbg.exe	106
PID 3476 wrote to memory of 2536	3476	Olfobjbg.exe	106
PID 3476 wrote to memory of 2536	3476	Olfobjbg.exe	106
PID 2536 wrote to memory of 2472	2536	Ocpgod32.exe	107
PID 2536 wrote to memory of 2472	2536	Ocpgod32.exe	107
PID 2536 wrote to memory of 2472	2536	Ocpgod32.exe	107
PID 2472 wrote to memory of 4668	2472	Ojjolnaq.exe	108

C:\Users\Admin\AppData\Local\Temp\4b791ab7dc317cfb630d7894c7b23293a250dc4c8cf330eb4b6c71336f569e52N.exe
"C:\Users\Admin\AppData\Local\Temp\4b791ab7dc317cfb630d7894c7b23293a250dc4c8cf330eb4b6c71336f569e52N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Windows\SysWOW64\Ndokbi32.exe
  C:\Windows\system32\Ndokbi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\SysWOW64\Ngmgne32.exe
    C:\Windows\system32\Ngmgne32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Windows\SysWOW64\Nilcjp32.exe
      C:\Windows\system32\Nilcjp32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4832
      - C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4668
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        26⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        33⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3184
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3624
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        37⤵
        Executes dropped EXE
        
        PID:3256
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        41⤵
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        52⤵
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        56⤵
        Executes dropped EXE
        
        PID:4792
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        65⤵
        Executes dropped EXE
        
        PID:3504
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        72⤵
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        76⤵
        
        PID:824
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        86⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        95⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:6024
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        102⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        106⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        114⤵
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        117⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        118⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        121⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        122⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        124⤵
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        125⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5640
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        131⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        132⤵
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:6200
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6244
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        135⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        136⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        138⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6428
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        139⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 396
        140⤵
        Program crash
        
        PID:6572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6484 -ip 6484
1⤵
PID:6548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
96KB

MD5
a4589cb0c45722793767f6242dcb8e8f

SHA1
89b837a121ef5199a0207487be02858019c2ce79

SHA256
f4bb12574ebfc6f8632ca0f45d686576531d15bf20e29f36e7223316be7766b3

SHA512
f3c3624ccd0e30dc2d67530ba562e893f87a13898c7f64010f3920c63d56c78bc2115cce8558089b3bc45419f92632ef4321df1c033b85ba1c042a1d1de1be56

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
96KB

MD5
5c13e297edbc77a0709dbd56d69649b5

SHA1
b50be952c1734ab587cd95f4810a456389963dc0

SHA256
72536aaa993350a7def067a060eff19dbde947d1a16506fd381dd15b49e42abf

SHA512
f129931b2e4cce977165c6197ca65b9000d7c2e8ad9edaec6b867e3149087c0da92d725428d710357ffdb8c01c9dfd4f1ed309386f60762e71ee53f12be818da

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
96KB

MD5
dd6b0a4743007e958a82c631d13004b3

SHA1
9f8f2d8fab481593c29d1a1dde87268ea6280a03

SHA256
17789c65c7478070c0f1a775f3388c88a6c987d23e051039764bfc9c74cf7312

SHA512
28985b2b3e55790991c4fc20587fd03dd8cdce3c9c65323bca82231f04d3fd1270af8174f88dbdf090931b35e6349891083c4fa90e9426f7c0d2b9f7b7336181

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
96KB

MD5
c75efc6e61012be4cc9fa593f4811907

SHA1
5e5802402a0a95a1724e4bb0fe40fb4a8715d839

SHA256
044db30fbf88cb4d9f54e35a203791b53c3950fdad2703b35c2d1c43fe9485e4

SHA512
c25d22e17bfa854829430eb0c617cefa6b5e265d7ae033ed8598eb8a7257fef06cbf9de82cb0a17e82cd5dd0aab7c7ffb7e4474747cfc7a5dc210b5d6edd1a18

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
96KB

MD5
bb731b5527404ad54dc26f14a3d62288

SHA1
edac52c7b16ab42dd0af6e53ac45b3208cc21319

SHA256
50e64cc65aa3881753ed3af3d57211300d6818c085cc57743ead3af035c29510

SHA512
46b12e2c16754a6e668852f3b6ef21c0b83240fd13e3d8a278352f560cc7a1844b70d9c9b0699c7caa0ca4b2f23b51f7e5901c44d81cafb32d897957b2520a84

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
96KB

MD5
e44b81dd380c8ff64afeaf613049ab46

SHA1
cec70a48512fd520134e18c0216ce58ddbf08f02

SHA256
a44e3a76f40e6df8b4757feeed88f404607a256093e6ef0149312acd10f727c3

SHA512
d9a4c1749b3561398fac7fdfc1267eb5c240db973b81044fdd5f2b69910fee375661b94f0fa35e263f7709b1d675694137d752471ad3b62471d7d917b3226927

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
96KB

MD5
330c8a730119f9934a72f03ae29796ba

SHA1
9b739296071c4facf7ca21d13793087b4c4d7d1e

SHA256
6487f27bb6f29ebb93ef2cdd8b21ee19cde02ef51183564fb9d616115ce3540a

SHA512
9b4a0fe6a7d137a5c6a03010eda79c4e3e404740ae3cf9ad41fea301593309b77eb611e41055d30b03111d6ac1b5e45e5722c8eeb5a5671be402d9ceb39a2d77

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
96KB

MD5
c6ab65de516882a33e3f5bc1367f931d

SHA1
f57726564e43f3ee22b486a0cba9945f27540c59

SHA256
9c4a60bc4d0441e1db9ca14ab0b7099fa8ff1314f8fad1a3affc49c6928ac9f0

SHA512
3aec6d8296708a95da580cce11ddb6f95cc1f876e0abaf91797ebb70dc6f01b791c571d5291de4e0c7cdcfee818133527ca87725891d3625a7ce3584a37d50aa

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
96KB

MD5
da457f03dac5062fb9d1bf41d3cf4728

SHA1
283d0b712e1736bf9e0737f19366315b1809828c

SHA256
49b9aacca82918a8cd494e72290a96c7ec102decb3c8cb9ffe619544a0677f51

SHA512
aca20de08bb3d3d72049d3f88bf131aaa997487ae6206b28365eac1e9a5f79ea1a0ec8d05fbfb85a96ccf25cbbbacd4d5222bf8c09669984f0c85ef70f860d48

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
96KB

MD5
55ca8b9f7c70a775a4f3f6e981609304

SHA1
569dd85bb2bcc1ee66e0bb2d68737c9a3b2fd51e

SHA256
446415c257f17614b53f94bd89c23e3cbe1df6c796a1b963612e037e64d25236

SHA512
01d1da045b1d869b7aebbe536b9342679244cb919a17ad73f8e2052bf2c5bef11c37fa4929b16129e104d605378beafe46f1c1c680815fcf87c7b1489f6b50f2

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
96KB

MD5
599a032524024ddfc7978ce36780eae9

SHA1
b19bfbcc9a807e63aaea9b657be7925a3d207ca1

SHA256
c7400d3cb6e20f9005f237717e42c975efb154692146a557dfde65df7634ca9c

SHA512
0fe85188353eebb04aafad42100fbd95a5eef62266b96d5c331b14c3a0e0a0a06c1a9d16f4ac077c0ec3930547938640047f93cb57559670abefa71fe9dd875d

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
96KB

MD5
719bc003e2b76baea48faf7c730c49d8

SHA1
97b2b40547ce084fd3478e9e94019b352b56da84

SHA256
d31d7234cea03a19e0630a2bac7569ed8d3dfa15867167a4a070c5c05c3a874d

SHA512
3e9591b7f3848bf6a4e9190fa57bf68a03de071ed6c23de813c16e0a728f207846a176daca99f2923de99b4eee757336a05f51b00c421783c7cf23bc140921db

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
96KB

MD5
354e40f977078f2047821f199d252637

SHA1
bcc4ec98086fe55b6508cb8c1ee2febfa442401e

SHA256
6ec2b39ea99ab5e4fbf1e7ba90f9c605c1308f74afc36b32619dff845fba87c7

SHA512
1d1743c7e29fca69292eae244f22bee22c0ff241aeba27b99c37db71a0af01ba50fa7b8622a81812c4e90a2a8cb13cde855927b452163976fd49f25620d3cd41

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
96KB

MD5
c4b805e10531a254819772aa6d3a4b98

SHA1
f55eae4185946eab8a16a1b17d3cd6170f1a9d9a

SHA256
dcfa518bc07e5c9d253c8faa913faad06d86b4789962c23ec279d0bae72cc83b

SHA512
07c6a9b1ed95174c65e2525e9b352987e8583d5bc0efdce78c9a16105879330122c4d8d93454b6c67a79e22804a6330f65e6ca4c6264fb729c11d959be5a220f

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
96KB

MD5
405a92617ae10fc60f3b3536fecd339a

SHA1
289634125dd9134d9e329091f23f150b0b37d9a0

SHA256
68ee620a154276b861bd266f40c38c7a8e9e07105f08850c8c1c03221b640535

SHA512
b30ba2ff0e0d3a7bdbad6061473abe66bbbb258623b9921c5c1cf3686b3124e3d4417b4f90b5146d1e9d065c5c1b782b6f26ab9dbc286ce7966ef906d93a63ad

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
96KB

MD5
9e22df223a1517e304e046aa76f88a58

SHA1
61108e2053fb3010c0a575651b68dce95431a2fe

SHA256
eb41889d780f8b866f464f2a0e1d5b11d6440c77835309ee96e80dd3336d9f74

SHA512
ec10e38aa21851528031b9e53602f7147f8ee178861d291fe0ef6551056fd59320c769ce5cdb963b9cd297c9881562ecd94f9701e1fafd807e02ecb3c60ed950

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
96KB

MD5
3f7c137662099f8c1f4a9645ebe78348

SHA1
0117b551b9b8c5e3556c6d05a0fc3708771b96b8

SHA256
48f5a9b93f12887f9ef4e308aa3ec8bb6ecaadaa5828a6ecfcd398d390aab606

SHA512
0234eb96f1735718c75cd46a15f22b17a625a1e99d4ab06a6787c7555d0e535014effbb967cd348605da3b861cb4a9bc0b06a46adcd10be25576e152e23b8a80

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
96KB

MD5
2d8fd7794dc6bafe46a19ab782ba0e26

SHA1
2fa15b5e67e76c4c006c4cc1d3497f22d1baf533

SHA256
f786e4fe87a69b208a2a7a86dd1ee5332b6c51c372e71c39575bc7472507f51e

SHA512
3f00fae156b03a1231c98b0d7da9948598bb0cca8bccf0cd12cb402d880e6b34c18e71b02bb184020f75a76dfdad8ad14cb03ef378abfcbe3607700dcc82aaf1

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
96KB

MD5
16c921d54fdb9a608cff44b6cba1a312

SHA1
eb7b4c375d6691261e2cda8013fa5f02c19ce4ef

SHA256
f6d95bb512fec6b0c9ba3f2f1c972c3a97dff57508fb698d666e365117d1db0f

SHA512
0a16915f8c4127c90dd8a566e71294ff205b940d7cbf7f74b14725238d5715b29a5d95b06777da85ab9554eb37561cb90a4a11fac391bc4744ef502d7397807f

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
96KB

MD5
d7d23270e1f460eea3c15b1ac7cfedec

SHA1
e6555052df3bfa3bea87ed06325840aee674ba9c

SHA256
657aa84ecc2601818ba2e7efb653446b201e4dc240cd8fd501b0b866fbe68d6a

SHA512
2dbcf70be99dc1b800ca539c9a2ac548ff644c1996184ff0611d10da8d67ea3cfe0217396416fa3a2e2d05210128e0d750048f54b733fdad5c8812117bf75771

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
96KB

MD5
c89a54ef21b5374275cfa1f557f1abbc

SHA1
269f49cf97263e2048cbd78e188738047efc0188

SHA256
2faa7847a65d5e23c8196331b92ec65497fa000ed8b5930faedcfdf39880e64c

SHA512
a1d3ca9c42da6eb8276bcb48ea416299df15c9ab5eb7aa5b895647139b979457f792de46f95812234af4e34a01b333fd42dabfd59afaf1e875e895674e7d936f

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
96KB

MD5
48d68ccba6f82d0d8461d2e267370e1e

SHA1
d211d932f20bc6f840abfc8a0325b9668e55f282

SHA256
57a053823c06be5182967c1426433ca28bca4accde5d567e4bcd8b6615446682

SHA512
6a5f844db4a1609982b69eb55bdac3e4e51db2c0a265816fdca554bf3f96c7990b579b364d517b6b7b3afef27dc1809763d36f5d8bced66751f2bcbd5355f3cd

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
96KB

MD5
e2b26fd35eaed1258de7b075b521bd93

SHA1
e66e827d74221cd4cb88f3606bc09ec55de1a4f1

SHA256
8e4c04fcae59bf100f190d18e5758a97a3abb4726f66be1bda027b04be70c62c

SHA512
f842551a0521cad6f32edcda9863508b45b10bb9a30ad0891cb64f71128ba0c5d9aa8ff46b15cfacadc94163855938c14ffd4a72c89b834a6eb03c1648fd5ef6

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
96KB

MD5
4f25b8a1e5cebbe45d7a720b64fe0c34

SHA1
b62ccb7ebfb987a4fd7dfa66d57e1d62fb1aebfc

SHA256
9075cdf4e6f2ffecb1b7f771d4358c0b4c7ddb756eeef8793b692f314e5278cf

SHA512
329e5812e94e99826b90e4aaf9cf6e3c38a794dbf2ee2de5a3f2ba5c6d628dc9692e08278d7adfd0d7a47bf42a36ff204c633c9a9d63da08a715667587af7b55

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
96KB

MD5
2c986d1d01ef6df649da0698530de7a3

SHA1
2a96ca5fce3d27dca8c91df0c7c5b7eb3759387f

SHA256
c88b92cf4f431aad06af5078cc83e9a18020da443ca0c7b5aa9fb6cc517adb3c

SHA512
87ee837920652d562d8c5299da120c5dd8e62bfb9510b6b717706d45e66a56eb93e99a065e72c5b167f86c3a363db2bffc64e73aba18d0dcf56d5101a60769e5

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
96KB

MD5
cdd4f7af79e1277dba5189ee7c41cc65

SHA1
f35ea2e4d4c5bf8e7c4f6d583cdb5d5ff7af9291

SHA256
cac1c5db121056c34e789f7a8dd865d8af14a4ce09af66ced8227425f991f07e

SHA512
af445876c7afd44c2fb4285bfe1edd243222b5d1572dc260b0a212d8ba2ecf8baddd661e3590cdde646f76b164c31595d86c8b31c9a67f695e8bdeb341cf612c

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
96KB

MD5
a9e5530f9ec8874dcd12eed56c462bc7

SHA1
d49fce4d2fc94393cab1e22771be42970fed5193

SHA256
300893a2f9894c8d0744b798026aa13d3f1948e1c192dcaf0fcfce9cadb3e051

SHA512
a4b84285a91edbeadbc29b01fa80741e0d9febf5afb0504815ebd9f41de30cf8369edb9c94329c14ff4118d612a51927742bd5342f1b1f591f89c9de1386a547

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
96KB

MD5
458af1979faa87b9ee4fb9ff384e33e7

SHA1
92263ed05a95a5034880ef996b885685b653952a

SHA256
97f25f45574687aedf39bcfeebaca37ab0190b2957f9161856c525a0164bd36b

SHA512
d5d40dc4fc47d2b267ee76a618dc99dd321576cc8064a898174ceb40b0c49f22d48fa8804584b062cd050aa301b0708cdf8b745f381916fc388340a4f18d8a87

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
96KB

MD5
c1f17691fa5c9657d08406dd443085a3

SHA1
8ed7c79f991de43a71b0992c5702d73eb985a924

SHA256
d4f76eb2c577e6791b8da8c86855b1e021c5eff1e2eae13d376cd64f6b31f6f3

SHA512
fa6aadf57fdebc7a735dfa900b93ed5df87de77da5934f9965ba83c5ba5459f6876f7bbc6553567dc17e66ebd9654ef28c70b53ea07790d0cc36b43b239f6490

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
96KB

MD5
1fcc10e859917af5917c842cbcac536c

SHA1
438afe44713daf63aff2e706adc0657249ee9365

SHA256
b9a76b30b17975776cb27650e15acaf397dd927411fe3a472f6ad752c4633dfd

SHA512
54bd353f0b553c319b4944619f63f327de3bf40f02b54698f03b6edee88406b7aaebf1b6254210da79f28e49c1979ed6db3842742db0061e7da098bbaff60b07

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
96KB

MD5
9936b0811177add5a82b0d42d9ad19db

SHA1
1c39b8c617d66f1f4af73a0028b0121e59d889f2

SHA256
6cf717ec73873f123fbd57a678329d3f5d924757f459f26d123612bcc387be55

SHA512
d45e1d25da021edf77654b75ce67a1f33ef47f2a999961cf4571b9d0e4e3d52e1b9fd3e244a18a78bd1ca7511bb9532c40026e78c8c19bcd7c521f6a053d74c9

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
96KB

MD5
f9f41af0815ae0078856bec16163a1b0

SHA1
ea4b5cdaef0361fe86d084b76ad17c8feec21465

SHA256
777385a6328f1c58731552ef3b12888b87986e6312913ef3c976961d5e3b2bda

SHA512
96faec60fdc3e623cab7c21d465eeb1d3515f194028ae3a7906826bcf6b1b2a19b45ae68a04b6c9df6ffa2b39f66788620aae38d910f8abbde45d7ee7267b4ae

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
96KB

MD5
03c4947869d5ed64f99bcf79d6a26996

SHA1
c53ac1e79a2143c22af027f7058cfab49433e5fd

SHA256
03b4e79b8872c61374606c5a87f6b286542d8212961e56ba6d6070b5390ac305

SHA512
91abe25874d96e0f838a2a186ad8f0812eaa41008359403e15da15e00cfdf7520e78c1253ab766231373b894e12f1c4b2eb384ac9420e6e81e2c5dc86fb997c6

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
96KB

MD5
3d58ae6b0728dc6546b1bfa63eae5daf

SHA1
5cdd149fbb18b1d0349fda6ade959a0ec2bce7f5

SHA256
40a505c0798e917839d2f36f482235482c4e94e92100cf32863eedde1ca089eb

SHA512
e8db40fc51ac8144698cf6d588cdd30025a66f2790d40a2239752f23c4e17e03246a846aa0242e5da6c0084cfbea20663b2e00e0dedfa709fe2f18963ccc8586

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
96KB

MD5
9d92d599f066392ecf96260a2bfa409b

SHA1
f94c15784a8c54235b0d81c871b1b70a1df66563

SHA256
20dad73c28ad508d0ec00773372d105dbe690815b58c7fa57cfe3769979918b6

SHA512
62695091bf4ab71e1c41853d8a50d45f6809c0fd91c2f0f4f7d408d80a7f0811fedd81f1fc161ebbabd499d6f5f52a023c856d32b63d704a5048b36837508be2

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
96KB

MD5
ff8716859b3247c1cbb9d3302513d392

SHA1
5f31e2fddab4825d9781d254e7e498d2c494457a

SHA256
43cabdf74e2ef581ef54a7c43818b508a6c391a063e4b06ef2f91b116477c366

SHA512
471feceb20d2fd2024d88800065d7d26320a201d39e43911570778460d290d7cb898759658ebb8b25af39737c1e230c56cbb447253c12c15163ec5f1231c5f95

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
96KB

MD5
a35a3cc92699c9cf4bb948f5b2b2b3e2

SHA1
07cec29390cb9b4ae83c01f68c4ca7e3d15cc02c

SHA256
c46e822fe46ed0c25c6212f874edb342e50b8ce640eebe0976e4a64a326be245

SHA512
a38d790a28ce9c03d6d999f2cd599bee344ce0c779ade35232804835d9c640a57c0baf5df862a3829b35e5f3cbd2ec2765f63590f8ab005988ce45df1e66a5f8

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
96KB

MD5
9c10c0ce55ac94d6a9124f79f1176d0e

SHA1
7593531a6fb4fd4ff7ae147df882a995f79ecc78

SHA256
18ad026ecf30b4ccc1f0b6c950ada7be3deb85d8d685dc0c7f9785650f7c5b70

SHA512
b92715867b2f37302b971260b9466a79e629018469561a44335cd6b4f9a45d6ce967db31dabd5dcacd71387ca44014def02acb8658480c01653d27de35ddb32e

Download Submit
memory/348-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/788-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4080-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5132-1018-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5140-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5180-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5224-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5268-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5340-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5380-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5444-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5528-1010-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5532-1045-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6288-958-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads