berbew | 916749bd464b2088ce59456fab3e847f064186884155862eb6088b26603acca0

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

916749bd464b2088ce59456fab3e847f064186884155862eb6088b26603acca0.exe
Size

337KB
MD5

bc349307b3e86441f2826c9f4d1cb221
SHA1

032878fe656bcdb83141534038ce871ef69f3dca
SHA256

916749bd464b2088ce59456fab3e847f064186884155862eb6088b26603acca0
SHA512

d213312f5f822afce4d4c04a15545e821db314bacd5be80da352c94744ad61ce3aa9cc798d98bfdf025a80d799918b9a0dc20a6ceb3e67267f20c6949139b3bf
SSDEEP

3072:H6FKu/w7wbgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:H+/wEb1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmnbfhal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjkmomfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmlfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phajna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmnbfhal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npbceggm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqbpojnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceefd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omnjojpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njjdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paiogf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ombcji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjkmomfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmblagmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onkidm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ombcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pplobcpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Palklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmblagmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oplfkeob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opqofe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdjgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aogbfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojhpimhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoioli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boldhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nflkbanj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omdppiif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oakbehfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaplqh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
2144	Npbceggm.exe
4584	Nflkbanj.exe
4192	Njhgbp32.exe
3804	Nmfcok32.exe
2188	Nqbpojnp.exe
2184	Npepkf32.exe
2780	Ncqlkemc.exe
2164	Nfohgqlg.exe
4368	Njjdho32.exe
2088	Nnfpinmi.exe
1956	Nadleilm.exe
4904	Npgmpf32.exe
3964	Ngndaccj.exe
3108	Njmqnobn.exe
4384	Nnhmnn32.exe
2540	Nmkmjjaa.exe
1744	Npiiffqe.exe
4540	Nceefd32.exe
3632	Ngqagcag.exe
2488	Nfcabp32.exe
2508	Onkidm32.exe
1384	Omnjojpo.exe
2820	Oplfkeob.exe
732	Ocgbld32.exe
4776	Ogcnmc32.exe
464	Offnhpfo.exe
3172	Ojajin32.exe
1056	Ompfej32.exe
4460	Oakbehfe.exe
3176	Opnbae32.exe
672	Ocjoadei.exe
536	Ogekbb32.exe
4252	Ofhknodl.exe
2232	Ojdgnn32.exe
3580	Ombcji32.exe
3956	Ombcji32.exe
804	Oanokhdb.exe
4528	Oclkgccf.exe
2016	Oghghb32.exe
4364	Ofkgcobj.exe
4024	Onapdl32.exe
2388	Omdppiif.exe
4948	Oaplqh32.exe
3512	Opclldhj.exe
4428	Ocohmc32.exe
2512	Ofmdio32.exe
2980	Ojhpimhp.exe
5028	Ondljl32.exe
4048	Oabhfg32.exe
4336	Opeiadfg.exe
2344	Ocaebc32.exe
2708	Ohlqcagj.exe
2840	Pfoann32.exe
4968	Pjkmomfn.exe
3416	Pmiikh32.exe
768	Paeelgnj.exe
3040	Pccahbmn.exe
1292	Phonha32.exe
2936	Pfandnla.exe
4220	Pjmjdm32.exe
1344	Pmlfqh32.exe
2696	Pagbaglh.exe
5060	Pdenmbkk.exe
4784	Phajna32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lpghll32.dll	Opnbae32.exe
File opened for modification	C:\Windows\SysWOW64\Ojdgnn32.exe	Ofhknodl.exe
File created	C:\Windows\SysWOW64\Ofkgcobj.exe	Oghghb32.exe
File opened for modification	C:\Windows\SysWOW64\Pdjgha32.exe	Palklf32.exe
File created	C:\Windows\SysWOW64\Dbfpagon.dll	Aogbfi32.exe
File created	C:\Windows\SysWOW64\Dkbnla32.dll	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Mmihfl32.dll	Conanfli.exe
File created	C:\Windows\SysWOW64\Cjijid32.dll	Nqbpojnp.exe
File created	C:\Windows\SysWOW64\Cpkhqmjb.dll	Caojpaij.exe
File created	C:\Windows\SysWOW64\Npiiffqe.exe	Nmkmjjaa.exe
File opened for modification	C:\Windows\SysWOW64\Ngqagcag.exe	Nceefd32.exe
File opened for modification	C:\Windows\SysWOW64\Pdhkcb32.exe	Pplobcpp.exe
File created	C:\Windows\SysWOW64\Ehojko32.dll	Boihcf32.exe
File opened for modification	C:\Windows\SysWOW64\Cgifbhid.exe	Cdkifmjq.exe
File created	C:\Windows\SysWOW64\Jcleff32.dll	Nflkbanj.exe
File created	C:\Windows\SysWOW64\Omnjojpo.exe	Onkidm32.exe
File opened for modification	C:\Windows\SysWOW64\Afpjel32.exe	Qacameaj.exe
File opened for modification	C:\Windows\SysWOW64\Bgpcliao.exe	Bhmbqm32.exe
File created	C:\Windows\SysWOW64\Caojpaij.exe	Coqncejg.exe
File created	C:\Windows\SysWOW64\Dempqa32.dll	Nceefd32.exe
File opened for modification	C:\Windows\SysWOW64\Amlogfel.exe	Aoioli32.exe
File created	C:\Windows\SysWOW64\Qedegh32.dll	Onapdl32.exe
File created	C:\Windows\SysWOW64\Cdbpgl32.exe	Cacckp32.exe
File created	C:\Windows\SysWOW64\Klbjgbff.dll	Pmlfqh32.exe
File created	C:\Windows\SysWOW64\Pfiddm32.exe	Phfcipoo.exe
File opened for modification	C:\Windows\SysWOW64\Boenhgdd.exe	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Dllfqd32.dll	Dkndie32.exe
File opened for modification	C:\Windows\SysWOW64\Npepkf32.exe	Nqbpojnp.exe
File opened for modification	C:\Windows\SysWOW64\Akdilipp.exe	Ahfmpnql.exe
File created	C:\Windows\SysWOW64\Jcgmgn32.dll	Pplobcpp.exe
File created	C:\Windows\SysWOW64\Nadleilm.exe	Nnfpinmi.exe
File created	C:\Windows\SysWOW64\Pmnbfhal.exe	Pnkbkk32.exe
File created	C:\Windows\SysWOW64\Pneall32.dll	Pfiddm32.exe
File opened for modification	C:\Windows\SysWOW64\Aokkahlo.exe	Akpoaj32.exe
File created	C:\Windows\SysWOW64\Mgmodn32.dll	Bobabg32.exe
File opened for modification	C:\Windows\SysWOW64\Dpkmal32.exe	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Ncqlkemc.exe	Npepkf32.exe
File opened for modification	C:\Windows\SysWOW64\Ondljl32.exe	Ojhpimhp.exe
File opened for modification	C:\Windows\SysWOW64\Paeelgnj.exe	Pmiikh32.exe
File created	C:\Windows\SysWOW64\Ppahmb32.exe	Panhbfep.exe
File created	C:\Windows\SysWOW64\Afpjel32.exe	Qacameaj.exe
File created	C:\Windows\SysWOW64\Apjkcadp.exe	Amlogfel.exe
File created	C:\Windows\SysWOW64\Cpdgqmnb.exe	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Ocjoadei.exe	Opnbae32.exe
File created	C:\Windows\SysWOW64\Ojenek32.dll	Oclkgccf.exe
File created	C:\Windows\SysWOW64\Kjamidgd.dll	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Nnhmnn32.exe	Njmqnobn.exe
File created	C:\Windows\SysWOW64\Ggpenegb.dll	Phajna32.exe
File opened for modification	C:\Windows\SysWOW64\Aoioli32.exe	Afbgkl32.exe
File opened for modification	C:\Windows\SysWOW64\Bdmmeo32.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Kbqceofn.dll	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Dddllkbf.exe	Dpiplm32.exe
File opened for modification	C:\Windows\SysWOW64\Oanokhdb.exe	Ombcji32.exe
File opened for modification	C:\Windows\SysWOW64\Apaadpng.exe	Amcehdod.exe
File opened for modification	C:\Windows\SysWOW64\Conanfli.exe	Ckbemgcp.exe
File opened for modification	C:\Windows\SysWOW64\Ocaebc32.exe	Opeiadfg.exe
File opened for modification	C:\Windows\SysWOW64\Qobhkjdi.exe	Qfkqjmdg.exe
File created	C:\Windows\SysWOW64\Pnbddbhk.dll	Adhdjpjf.exe
File created	C:\Windows\SysWOW64\Kpibgp32.dll	Ombcji32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgbld32.exe	Oplfkeob.exe
File opened for modification	C:\Windows\SysWOW64\Offnhpfo.exe	Ogcnmc32.exe
File created	C:\Windows\SysWOW64\Pmlfqh32.exe	Pjmjdm32.exe
File opened for modification	C:\Windows\SysWOW64\Pjpfjl32.exe	Phajna32.exe
File created	C:\Windows\SysWOW64\Njjdho32.exe	Nfohgqlg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6784	6520	WerFault.exe	244

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogcnmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkndie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oplfkeob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofmdio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkphhgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cponen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngndaccj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnhmnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nceefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnkbkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pffgom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baannc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbemgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qacameaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnomg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paiogf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmblagmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfkqjmdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgkiaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgifbhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oanokhdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opqofe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlfqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofhknodl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oabhfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohlqcagj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmjdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Palklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnffj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npepkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pccahbmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdhkcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjdpelnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmdnadc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aokkahlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpmapodj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omnjojpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghghb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoddcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caojpaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	916749bd464b2088ce59456fab3e847f064186884155862eb6088b26603acca0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmfcok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opnbae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmiikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaldccip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdkifmjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocaebc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phfcipoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adcjop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akpoaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhmbqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpbjkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njjdho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhhpop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boldhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panhbfep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaenbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpkdjofm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbpgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ombcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmnbfhal.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmfcok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgagea32.dll"	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baiinofi.dll"	Ngndaccj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biafno32.dll"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmikmcgp.dll"	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oaplqh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amlogfel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhmnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpflbpa.dll"	Ojajin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokgcbe.dll"	Omdppiif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjdpelnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll"	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	916749bd464b2088ce59456fab3e847f064186884155862eb6088b26603acca0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfcabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhdbgapf.dll"	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnm32.dll"	Pdhkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkndie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nadleilm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cammjakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npiiffqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgplk32.dll"	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojajin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojhpimhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfpagon.dll"	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgaeof32.dll"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichqihli.dll"	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phonha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	916749bd464b2088ce59456fab3e847f064186884155862eb6088b26603acca0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lahoec32.dll"	Boldhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgbld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmiikh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnahhegq.dll"	Opclldhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpofk32.dll"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	916749bd464b2088ce59456fab3e847f064186884155862eb6088b26603acca0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oppceehj.dll"	Njjdho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmkmjjaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjnlmph.dll"	Cnjdpaki.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2144	1176	916749bd464b2088ce59456fab3e847f064186884155862eb6088b26603acca0.exe	84
PID 1176 wrote to memory of 2144	1176	916749bd464b2088ce59456fab3e847f064186884155862eb6088b26603acca0.exe	84
PID 1176 wrote to memory of 2144	1176	916749bd464b2088ce59456fab3e847f064186884155862eb6088b26603acca0.exe	84
PID 2144 wrote to memory of 4584	2144	Npbceggm.exe	85
PID 2144 wrote to memory of 4584	2144	Npbceggm.exe	85
PID 2144 wrote to memory of 4584	2144	Npbceggm.exe	85
PID 4584 wrote to memory of 4192	4584	Nflkbanj.exe	86
PID 4584 wrote to memory of 4192	4584	Nflkbanj.exe	86
PID 4584 wrote to memory of 4192	4584	Nflkbanj.exe	86
PID 4192 wrote to memory of 3804	4192	Njhgbp32.exe	87
PID 4192 wrote to memory of 3804	4192	Njhgbp32.exe	87
PID 4192 wrote to memory of 3804	4192	Njhgbp32.exe	87
PID 3804 wrote to memory of 2188	3804	Nmfcok32.exe	88
PID 3804 wrote to memory of 2188	3804	Nmfcok32.exe	88
PID 3804 wrote to memory of 2188	3804	Nmfcok32.exe	88
PID 2188 wrote to memory of 2184	2188	Nqbpojnp.exe	89
PID 2188 wrote to memory of 2184	2188	Nqbpojnp.exe	89
PID 2188 wrote to memory of 2184	2188	Nqbpojnp.exe	89
PID 2184 wrote to memory of 2780	2184	Npepkf32.exe	90
PID 2184 wrote to memory of 2780	2184	Npepkf32.exe	90
PID 2184 wrote to memory of 2780	2184	Npepkf32.exe	90
PID 2780 wrote to memory of 2164	2780	Ncqlkemc.exe	91
PID 2780 wrote to memory of 2164	2780	Ncqlkemc.exe	91
PID 2780 wrote to memory of 2164	2780	Ncqlkemc.exe	91
PID 2164 wrote to memory of 4368	2164	Nfohgqlg.exe	92
PID 2164 wrote to memory of 4368	2164	Nfohgqlg.exe	92
PID 2164 wrote to memory of 4368	2164	Nfohgqlg.exe	92
PID 4368 wrote to memory of 2088	4368	Njjdho32.exe	93
PID 4368 wrote to memory of 2088	4368	Njjdho32.exe	93
PID 4368 wrote to memory of 2088	4368	Njjdho32.exe	93
PID 2088 wrote to memory of 1956	2088	Nnfpinmi.exe	94
PID 2088 wrote to memory of 1956	2088	Nnfpinmi.exe	94
PID 2088 wrote to memory of 1956	2088	Nnfpinmi.exe	94
PID 1956 wrote to memory of 4904	1956	Nadleilm.exe	95
PID 1956 wrote to memory of 4904	1956	Nadleilm.exe	95
PID 1956 wrote to memory of 4904	1956	Nadleilm.exe	95
PID 4904 wrote to memory of 3964	4904	Npgmpf32.exe	96
PID 4904 wrote to memory of 3964	4904	Npgmpf32.exe	96
PID 4904 wrote to memory of 3964	4904	Npgmpf32.exe	96
PID 3964 wrote to memory of 3108	3964	Ngndaccj.exe	97
PID 3964 wrote to memory of 3108	3964	Ngndaccj.exe	97
PID 3964 wrote to memory of 3108	3964	Ngndaccj.exe	97
PID 3108 wrote to memory of 4384	3108	Njmqnobn.exe	98
PID 3108 wrote to memory of 4384	3108	Njmqnobn.exe	98
PID 3108 wrote to memory of 4384	3108	Njmqnobn.exe	98
PID 4384 wrote to memory of 2540	4384	Nnhmnn32.exe	99
PID 4384 wrote to memory of 2540	4384	Nnhmnn32.exe	99
PID 4384 wrote to memory of 2540	4384	Nnhmnn32.exe	99
PID 2540 wrote to memory of 1744	2540	Nmkmjjaa.exe	100
PID 2540 wrote to memory of 1744	2540	Nmkmjjaa.exe	100
PID 2540 wrote to memory of 1744	2540	Nmkmjjaa.exe	100
PID 1744 wrote to memory of 4540	1744	Npiiffqe.exe	101
PID 1744 wrote to memory of 4540	1744	Npiiffqe.exe	101
PID 1744 wrote to memory of 4540	1744	Npiiffqe.exe	101
PID 4540 wrote to memory of 3632	4540	Nceefd32.exe	102
PID 4540 wrote to memory of 3632	4540	Nceefd32.exe	102
PID 4540 wrote to memory of 3632	4540	Nceefd32.exe	102
PID 3632 wrote to memory of 2488	3632	Ngqagcag.exe	103
PID 3632 wrote to memory of 2488	3632	Ngqagcag.exe	103
PID 3632 wrote to memory of 2488	3632	Ngqagcag.exe	103
PID 2488 wrote to memory of 2508	2488	Nfcabp32.exe	104
PID 2488 wrote to memory of 2508	2488	Nfcabp32.exe	104
PID 2488 wrote to memory of 2508	2488	Nfcabp32.exe	104
PID 2508 wrote to memory of 1384	2508	Onkidm32.exe	105

C:\Users\Admin\AppData\Local\Temp\916749bd464b2088ce59456fab3e847f064186884155862eb6088b26603acca0.exe
"C:\Users\Admin\AppData\Local\Temp\916749bd464b2088ce59456fab3e847f064186884155862eb6088b26603acca0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\SysWOW64\Npbceggm.exe
  C:\Windows\system32\Npbceggm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\Nflkbanj.exe
    C:\Windows\system32\Nflkbanj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\SysWOW64\Njhgbp32.exe
      C:\Windows\system32\Njhgbp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4192
    - - C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3804
      - C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        27⤵
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        29⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        33⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        35⤵
        Executes dropped EXE
        
        PID:2232
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        36⤵
        Executes dropped EXE
        
        PID:3580
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        42⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        47⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        50⤵
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        55⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        61⤵
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2696
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        67⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        74⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        75⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4344
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        83⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        87⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        88⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        89⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        91⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        98⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3296
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        103⤵
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        104⤵
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        105⤵
        
        PID:808
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        106⤵
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        108⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        109⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        110⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        111⤵
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        112⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        113⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6200
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6240
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:6280
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        117⤵
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        118⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        120⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        121⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6536
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        123⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6672
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        125⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6756
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        127⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6836
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6868
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        130⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6960
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7000
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:7040
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        135⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7128
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        137⤵
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        141⤵
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        142⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        144⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        145⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        150⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        151⤵
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        152⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        154⤵
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        155⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        156⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        158⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:6520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 404
        161⤵
        Program crash
        
        PID:6784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6520 -ip 6520
1⤵
PID:6680

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cacckp32.exe

Filesize
337KB

MD5
36223b87c08b6198a4ae1e5c4faca691

SHA1
567ff0e5f544962ea84acfcbc76887a50ba66b6d

SHA256
2d08a9991af242ebe65f13904317a3e39e5bdfdb075caf664a709b3fce94c956

SHA512
28f156c04cd7d9c22e48126eefee1360ca3ce73d1ea5ab935fbe7fa8c9e9331562c59693dc7922cde76868d5bd8e1d35e0886a40614c579a36b9728c24e1d9a5

Download Submit
C:\Windows\SysWOW64\Ckgohf32.exe

Filesize
337KB

MD5
4c1cb5cea4c9b136564fa56007bb3a3d

SHA1
6e13968de497ee7fee08e97823ae2661428b3170

SHA256
296c13764cb0209bf432d19bf29161d3000af0ffb0c1bc3e293e11ec1fc630a4

SHA512
573209299894bf2c1c2569ff92df8b0c280798c182ba598c23df9277f7e3356e468ddd9a86986ce064f77cce6a4c721b3b22ad60412219c49222a1eead63ab7f

Download Submit
C:\Windows\SysWOW64\Cpdgqmnb.exe

Filesize
337KB

MD5
b09fa8570262d812c6faf47cafd52087

SHA1
e4adc5f2dc7834215a063b5deb6f6bc408288a21

SHA256
f4cc8970a32cc3962f0fc68239b05c0475ff49d1c735ed32802a5afd4d179a46

SHA512
3741c5c94c19b58ad240b431c98db9f7d191922b7ccb9b2aa760a113653f3f9da514b43430c75be2a4f072bf53964a1ceadbc53d1b56a3490ac529ce97b4bea2

Download Submit
C:\Windows\SysWOW64\Cpmapodj.exe

Filesize
337KB

MD5
c5f841b3916af078401c58ac1ab4ac14

SHA1
a7dee377d6058f3cc5b28b3ca5be84c299aaae35

SHA256
c1e278007acb66938215d78a10ab75a433bd7b9629e26809aa9a41d53196cc55

SHA512
8ffc566add3cae5a928ae42a7e21b4fd0b10c4fc4ab408a2c14cb120b6661a35c9fad0cbd13d54aa6abd7fcad98e919886eb5e2a60fb5499444f940f5b77f856

Download Submit
C:\Windows\SysWOW64\Cponen32.exe

Filesize
337KB

MD5
1b16af8952600a31ae484809045bf3fd

SHA1
b31f8c81a8d8dc0b757e3249eea04d61497c0292

SHA256
d60b3ad00f4b70c61f3527d9390dd06ecdb981cfcba727e94653d16d7a7aa18b

SHA512
963ebd77b395227756a08eb31ee5226202abfb3b9c50f66cd35eaf8d1ba9b95cf63f7f1f2297437d9ead2d0ab0c82849e93b97778e62ceec25ad22be5dde4166

Download Submit
C:\Windows\SysWOW64\Dddllkbf.exe

Filesize
337KB

MD5
98a4453f695d99bb19166083fcbb08bc

SHA1
656f119e5cf91cec8fd6bc2a229334b5691c2edc

SHA256
67685cf3a913eb12eb73572b044ab6ad69d8493e4342e43fbb85a4fdb02efba8

SHA512
1a37208d6239b3429f2a7caf8db16633b6bb64a0c8f6ccd71eb4457d612a7c4a213a38f07f357cdbaaaed5706c9d71d3a30cc46e14fecd08e58bd7b332871930

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
337KB

MD5
14ba1780c7dcf8e02e67fe042ac10de4

SHA1
be31dbe82a97d0b0365304608c400f8e56adb64d

SHA256
52d032c277fc72dcb8efa9058c9b0a5e2da687df517b033bf32578628961d153

SHA512
0e6885d8e2bed9dc669054cf241590b822c00a690b021abef5a3ab1dd0155088e2d99c19c422403682ee8c476e3280d303d84a84b3e1ea3e8ae608839d188c19

Download Submit
C:\Windows\SysWOW64\Dpiplm32.exe

Filesize
337KB

MD5
df598434c68e5dc2851f328e60b6cbba

SHA1
cda94ba72074a3ee0266a2ea432278e90f69b230

SHA256
e39762a2d1fcf3eaea29ce3193a30f442c480611a3e46b87e50dc296afcc4467

SHA512
f744b189b088b0a9f085d9e8f75c39cd76dabc4f61ee1c28bdc0029c17f38fd603216bab3055c3904653973436486e3f298812e4181b30180963f658e29cad56

Download Submit
C:\Windows\SysWOW64\Dpkmal32.exe

Filesize
337KB

MD5
a53944ff95783069db708b53eea73621

SHA1
e50ccf0aae41af7f08387c147fcdeac7a2dfc601

SHA256
454bfd193c5a2989f1a8634645f9bbb5d262860f4ba182b1c1f417435b52f418

SHA512
d96ec44dcb229b0f792e17e4c02f244ff8d1450643b317e3dfc401dfb810537303b6b85bcd3202b170794eef9632738b05c5bb8d2371e0441f8bca50a4f43a1c

Download Submit
C:\Windows\SysWOW64\Nadleilm.exe

Filesize
337KB

MD5
dede8950e8ef53463c30113875d3bd3a

SHA1
67153976b70bef5315543b617a4572b43e5a37de

SHA256
c38878254e2018d342452ada09acf0f189dfafe4d495afa0f8266eb433f3f60b

SHA512
8f5e029c22dbf1e718ab2f92a912013423eeb90f4b3a925a47e101eccf44264f754d24c13120bc637cb9744e85ae1ae52ee59d82e08ea62bd0618a1b880006c2

Download Submit
C:\Windows\SysWOW64\Nceefd32.exe

Filesize
337KB

MD5
3ff410bc0d996a0afc5ad5f9c484e9ac

SHA1
0f4d0735a9a6208b65eb058e0a2d9400e19ec900

SHA256
46d6e6db58b98d4ffcd8654d7584143695adb74ee2fa0477f9c62c18b694d747

SHA512
75522871f35fee55922e644b551622c89507516c120370a19b4ad46e9c38900e1fee011d05eed7ce2064329f8c8ea70ca64dc527490c53f1897cbc84617c1521

Download Submit
C:\Windows\SysWOW64\Ncqlkemc.exe

Filesize
337KB

MD5
c74d44f2cf3b4fe2b0dd7f7237994e96

SHA1
dadd12c20e21975e0025f9b55739686fb7788418

SHA256
b004a125ee882d9eb286b54771d0e0511d6df49ea404356944c1a93c3282eae6

SHA512
d025c27d353d80b1fd47783dc86ec32af6f7b5a2a82bf325a510286d16a7405c4c13b0e78bfdb1397d239fd426690f8a86a58b4a0826f91f4604ced0e2b97d4c

Download Submit
C:\Windows\SysWOW64\Nfcabp32.exe

Filesize
337KB

MD5
f2be12009075435e46ee8cdd4a34346d

SHA1
b0173d577c33f0a58195a41b329d0b092eb4eeea

SHA256
1a6689a8683e708470fa3ff7c3ad8a8e60b6982a01475d35c008d00960cb9d39

SHA512
b19d26e1de03ccf5b5e9b921d628476df9a854bf0978a1eb6c8387f449c27d0f3d0ae24cedb9695bd17af6e3793d9c2792fd81041691e6a4c7cd8d9ede35e1a8

Download Submit
C:\Windows\SysWOW64\Nflkbanj.exe

Filesize
337KB

MD5
c64644ca21f0d2cefeb9870530a9185c

SHA1
ecaec3a1cc3a10169dbc233da6de5fc3401c40d1

SHA256
8f83973179d8fcdc56774106b2e01fb31647e9859ddddf9a280476ea7ee73a8f

SHA512
b92981873a73fdd82fbf6faf2492ca822d41b6331927019de0bf13eadd2cd9cc217efc1ebd404d2bb8dc7a8b5581d0741f2fd88c4f59d0ee3038055f5b75ed78

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
337KB

MD5
42e54571d4a10478fed52e035c144dc0

SHA1
3669c3a77e4aa138d0d437c1c1e91db4645caf39

SHA256
f0e7df27b15de852f456113701b82e69365515245181a87a3a52f386ed1ddc18

SHA512
69d4c2028078439d58dd8a8cdc2634534c0fc24641ceb13544b443ff5445c62a532c1e7c93751a167d6af4f0743d03210799e5fe108980669cde05d8040c08d0

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe

Filesize
337KB

MD5
83ecae52c84daefb33b8feba469451a2

SHA1
fd34eb71970c9d5b1ce1c4faec0870c2b395adb8

SHA256
a8860d0aad6698c6df7c01c374b39ca39633ee65abbb86482140d3d4b5f2236b

SHA512
b20aa4a90535472fdc9f00b9cbb4bc2b788644092c422dc1c9ad817cc718c6fef66658f8614310bc05bfd2cc720113631422fd84f00ed6664c5ec4cb13336843

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe

Filesize
337KB

MD5
5a4caa4b4d6511901b4a9e5976c1e154

SHA1
ed344e7e973d1d62502b070eea053cb72c3c19b8

SHA256
1dd25575973a00f30968237c4c07c7622400c8899386f1e18abbde1d17fee067

SHA512
c467905a703dfa9079eeee6ce9a3f81bac905330c6939b5d078ad13a0e14c302432076cc755e3cc98bc84b630cf41af6fb04d201e9af59a9bc0096fab9d59229

Download Submit
C:\Windows\SysWOW64\Njhgbp32.exe

Filesize
337KB

MD5
bc24fcdcfaa51633dd5b11c9eb85073d

SHA1
8af22ef5f55baea8fba36fcf0c96f1164da1236f

SHA256
26d208d6d3134de6bf76a1974e3a473e83a5279db6df451354981769d156db25

SHA512
c16ce6240ae861cf3bf3832cd64dd4604c933584a5e83bf0a7e65d12e43451b0daba2dc0b1b636b2903b38634c56c2f74239c2c660d690f29eb3b844885adedf

Download Submit
C:\Windows\SysWOW64\Njjdho32.exe

Filesize
337KB

MD5
7d1abd093146cb2c0c5cbfbb817231b4

SHA1
07c1ea680bce1e4a78e443be088dd1e63e041e18

SHA256
5f617790a59b87af9fedab07bf43443aa47947dc217ff7019ed80f46cfa2f74f

SHA512
512ab08c033e180f528b44d788762fa423ee5dba4beb94a7679151e58122fe6910daf3177ce98b47c45649efae0bc2223545a9ca87e3c59d134ec69a545bfdfb

Download Submit
C:\Windows\SysWOW64\Njmqnobn.exe

Filesize
337KB

MD5
65cbee3a5d3527f662f31411d54ee62f

SHA1
4438b42e611eee35658009a45546560fe1f64978

SHA256
1b6ca170fd6914c43a9e3a1dc40c158199bd0b4497bcf2007a01b4f56f7185ef

SHA512
59a8918b085b55ac7fd3794963b3de516e976aca73197a53dd4125f69a6a49040570ad5ab11a34a98d1e8446e5fb262a89d7a287ab4871e9e32951cec29ba0eb

Download Submit
C:\Windows\SysWOW64\Nmfcok32.exe

Filesize
337KB

MD5
c780a763df7285f61c24f885cd78fafb

SHA1
8cbdc6ecb55266f8af6f61680684b66db2b373a2

SHA256
61a7bb3e7c0befa7efdfb409000010c488a4cf6a19ad1868595a4f8d6705d0e1

SHA512
36a5dac5b570955a871f569e34257cf3b7565c9735319a40eb8f378ae9bd6e22c2f2ead491935239bdbd75e134665eaefbcb6dfdf1d5d7895768fc4032303107

Download Submit
C:\Windows\SysWOW64\Nmkmjjaa.exe

Filesize
337KB

MD5
9ae0489b01a0bb2aaa3ec2f012a3b0a6

SHA1
2481f4bfa373fa27c6dfc0151a0532276fedfdcc

SHA256
55abdf434b51336bb4ceba59f136cb767eb739d212db2951e4cb7b5a671e210e

SHA512
07133928b790ea25e009d78e02f77892f11b2d60cc26ea4faea5a68ca1d17cff574db83e876ad30faafa58dae27f3376a9dd525ce9b62c33c76bc520b9ca8c57

Download Submit
C:\Windows\SysWOW64\Nnfpinmi.exe

Filesize
337KB

MD5
13df3bae1dd90552426c54b17850cead

SHA1
f4f192cf62e803e8b4d7a550a8255cf934bd5878

SHA256
cb8ddb4e6f0f90581ad5c8a32397abd59c9957d31abd748bb987d47abf198c31

SHA512
31c7a69e0670e03a0aae4bfb59a60017904ef22de535812aecd826a488a78bae80ec4cb3f85580455d521ce9316eb2b02e6e38d2c7660493df827a03d7e812c7

Download Submit
C:\Windows\SysWOW64\Nnhmnn32.exe

Filesize
337KB

MD5
84bda11f97af79a3a2fefdf644dc47d2

SHA1
5c8a95c59c394a7271bcf64458d218466e82402b

SHA256
e60e3f6df75c8a996d6952d17699c8629b8a0bac6fc748f3374bb891201f6f02

SHA512
f1e5c4a4778b2e6447b8edc4833cfececa53141585014b3f2ab0871e4a47ffb405c66ba62c40eff84f046dfd80a3229d935030c403e29ae3cc5afd97cae25c22

Download Submit
C:\Windows\SysWOW64\Npbceggm.exe

Filesize
337KB

MD5
ba26b15706e8b817fd30f3481521b674

SHA1
ffc0f86c1ee4b9237c7e76725c0c5bdd249c5d1d

SHA256
9285649487e866fdd1ff057794870c0c05ca16b4670f3ccebfce29bbd95f8336

SHA512
c36fdccf204cf7f934ac44d043d7505b4e8e4786bc9985b7d0f361a97d5e617cbccfbd2b005f9b74a653b5065b12bfd573ed459fcd6a32a8e3d79c0d3ca1bbfe

Download Submit
C:\Windows\SysWOW64\Npepkf32.exe

Filesize
337KB

MD5
e68ceaf27bfba10e241a369d3a786283

SHA1
6eb91c3454ffde6163f7b41addf92eb5eace9a1e

SHA256
c14c2487f86b2af4f9372663e94c551525172bb6f1225498e71bd5965b388881

SHA512
17b5c43b7182aefc98ca89f6b9182530c9572ae7718a221e3ed8729bdb5ce923f9c3caf9f0c5d294891b970b51b59be3b8a6b142a88e9b8de099b2352d9292f4

Download Submit
C:\Windows\SysWOW64\Npgmpf32.exe

Filesize
337KB

MD5
f6c2f7459031a7cc17487cfc8747e6db

SHA1
533d3d73bff140c54f206650634d393e8732342c

SHA256
59f59c75b9fce6f861629104b1dfb626d81a33990112a983440f7288f9eac71e

SHA512
a43a770182f13d635a85c08f37b596612ed992c5f17388959bcc262a7f3533940c3ff101e6f9a7e0587210f0addbf6a98a3f152a10ee66820e022ab42a7f6fe8

Download Submit
C:\Windows\SysWOW64\Npiiffqe.exe

Filesize
337KB

MD5
762f926e13f999dc0f7ddc02aee2a48f

SHA1
3620f87b5948c0b5744864db57a2f2d6d89d82ad

SHA256
5c567720a1555f72291303e14486b801e3fbd77b1e1b1533b97b585a6d5ab0f4

SHA512
6c87edba4f68833d7e9543681422bac3c63aedacd9d580f09e2653d9e57c19e49daea8f0e6eda84f1fe3d0a09ab31c4c2624d9a9446ded2f12c9c329a6b6622b

Download Submit
C:\Windows\SysWOW64\Nqbpojnp.exe

Filesize
337KB

MD5
c67a898f4c2d535568deec6bd6fd265c

SHA1
76f7980160d0c21e45094d7d8c693fb5f1349610

SHA256
3216d031b74f9ff8ae3e40314bb4e67cb53f0eb6c9ed7466ce77f76e48d6d7e8

SHA512
83eb4a678507e738b2e61f0cee7934d8aad5e32ad5ca3640b08ef10f7316935f776104c301181d81aecd70d7857b7efc96c40520f4a1e7a890c33ef002c9eed2

Download Submit
C:\Windows\SysWOW64\Oakbehfe.exe

Filesize
337KB

MD5
f7dd0a783f4e182f2a543a6e2ac46c9b

SHA1
7623fde3ce5c6fdc030b0eb23461cd689d539f1e

SHA256
9af561191f585af8eb5b0e1a54cbc9c5108eb7bc752a18cb25264b2ee81be79a

SHA512
c2902d8fa7bc9eab52a1a5cefbcbd088ee2f0f2d12b11b7462625429f62b7f98d1be45f1e546dcb4a6072355b5969f64933e824e334744651df4d8e3d19ee829

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe

Filesize
337KB

MD5
a758f636ee28286ef5d07b706a97b4f2

SHA1
d75dddcbb55fb3f907bb1e4d9a4fa6915d128bfd

SHA256
4e6c139201eeafd13b0016c9b6e8cf8ed9b9fb9e2dbebfc33c74ddd0654af717

SHA512
e694b3bfe75879bf15a18eb6b31f508449074c336bf666a231407f181defe58a0d79ce74554680aa311c39fa8acec1fbd5ee2c1e9c5871bf2bee6d7c4a1a6653

Download Submit
C:\Windows\SysWOW64\Ocjoadei.exe

Filesize
337KB

MD5
876039f36e9ae11b41aed287b4030957

SHA1
52508d9c9b2dee779af0d92fe46c1dada4abd5f9

SHA256
a9ce9b6a64106bd21f44fd497b593c279dbe0b1456b0d2b5afc3f9a2761c256d

SHA512
4d2fa68d73508355dea9c248eb43e3f77135dbc99b13dee8c76806db88bddc965dccb24eca3c9f291da2278ad0f6f5a7149e9623ef16730c2d0a64366ffcaf81

Download Submit
C:\Windows\SysWOW64\Offnhpfo.exe

Filesize
337KB

MD5
9c5915cb03caffdc73a064ea04bb72e5

SHA1
cd36f9266ccd43a7824e838e0502e4f68f828573

SHA256
7ddbee2064bfc5b7dee5497b9c004923abf7822bb444f3dd18c277fed37389f2

SHA512
732a337ce4bc8341c6650706a4d786e9fb672a12c1c398d11eb7a75d16ec1158f6e792188a82ec6299ea745fd6d8969a749c68f46e3c85cfd85f5878baf4e186

Download Submit
C:\Windows\SysWOW64\Ogcnmc32.exe

Filesize
337KB

MD5
5b1f75dbe89402478151ef4d75c7f6e3

SHA1
125a674a2bcbd06b4815e0fd59550e0d038b2b78

SHA256
623c742219009d8d80dc13896b42ce02d277499f48210e9c86e1bb91c97c696b

SHA512
ab5d4a64f54af891f5e314e72d88ed279803395cb5e1dcc7c95b686a6d8d21a2e681f44128678564db0fffdff883da13d72191ee5babb69be486de7ae323513e

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
337KB

MD5
d3a991ce8608d3b5d54be22a6a3c5bac

SHA1
9e93ed9b6ba2a2b748d9182c211468a54d192706

SHA256
2c002bdbdffe45b10ffd3c7bad66afbaea212e9ca7311b1953c6d23393d5f8ad

SHA512
f162913d2d0db6fc294575abb88ef3cb7fc98641dc40d56ac85bd84fc9b90dbf8743caa66685453dda44111a53ad67318f9301b58bcb8a7c7835904316c17be1

Download Submit
C:\Windows\SysWOW64\Ojajin32.exe

Filesize
337KB

MD5
61483ccc684c825bb0a4908e3df1f306

SHA1
a6a090b77ce44d7f0fb65f984065d29be69626b8

SHA256
3d6494fa75f8d04de1fc02a9c30db784e407e4cf6c6ae995cd24dbbc0ff804bf

SHA512
2890c8756c65ad00aea9897d22949817a0e29555f0527270b230a4081589e650825911fcdbb35efdbdc53429669298a553c02287671b46d04d0b2596f30ce1bb

Download Submit
C:\Windows\SysWOW64\Omnjojpo.exe

Filesize
337KB

MD5
6ae654862d823a757526ac56fdc483f5

SHA1
2d03e70ec959cb0a9f97a149cc8a2b0a81dfc85e

SHA256
2c6e4d89bd198df94b46b7ae12b0d73c89dd9d7aae23647f365524fd0cf86a08

SHA512
fad0e86546757daa8bf84e9a5b68acdc47bee1e3867d22019faf7d2cb714a453c3cc1f2ab111a3c818c79276be58353ffc1567126a7929f4edddf7f2ca424c5a

Download Submit
C:\Windows\SysWOW64\Ompfej32.exe

Filesize
337KB

MD5
b02e4d90a6cc2f0729c0cb2f47113cd1

SHA1
b262be5787ed8d670eb6d428507684fd45fa64a6

SHA256
83659dcc65aa9996ea4844776d6e50bee20717def9e21963ed026b94a945e31e

SHA512
06d7ec6f77a8374b49cd07efb813b4b4eea7ce55b28d5ac5561ee49dc0c230da9a46a40cc24117a66cea21146c9ac25218b494c7f1763877d41c6e2086164673

Download Submit
C:\Windows\SysWOW64\Onkidm32.exe

Filesize
337KB

MD5
8ef525a5372d8d0fdb61584b6002743a

SHA1
f2315333e39c6c734ba24bf4021aa22c8550e9be

SHA256
c76ee5833beb21de1a5a5fb2754fc2c665d8dc96ffebd0bf2ef2422817fe4cbc

SHA512
038f7725710905689308082d0a2f99458caab676258de5288bbfa5ce8ad34a888fbf6faa841574eb7d4af88630b741e3e354a8afe339e5410084210db037749e

Download Submit
C:\Windows\SysWOW64\Oplfkeob.exe

Filesize
337KB

MD5
3ede4ec09293ae850f7920b895cb8301

SHA1
210929a5c21da417a4085fe015cbc2173d7181fd

SHA256
f171607109b96a350bac617f6d0d756b303bd686b9722e0e57dfbc01fdfc58fa

SHA512
a845522d3795ec7d4649b7c67e5d1341b794d28a00f9583bf4246463993d5e771c4011ccfe3e1e5be13db1f2be9f0c41d3388fade2f5008c5851d136360084ad

Download Submit
C:\Windows\SysWOW64\Opnbae32.exe

Filesize
337KB

MD5
025cdc1d0e6ccaa3984d4895610d3d61

SHA1
7c7d7ad71dc59448e19def20b1bb98b504f87b8f

SHA256
30e3f89942bf8d0f8619c785b38ca56b11b2609d778800aab217947bcd408bfe

SHA512
ccccc1ee1c9fc6133f49822d77b0681acb9c8c39574ae46a19f93d5bc59b93dfd7d206c30dabc77097aba8ca02cb58fae440734fe5bb7d371385756b362afc0d

Download Submit
memory/212-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/672-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1176-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-75-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-505-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5152-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5184-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5224-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5256-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5296-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5348-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5492-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5528-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5672-595-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5700-1015-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5804-601-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5844-606-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5892-613-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5924-619-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5964-625-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6292-1019-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads