berbew | 6c1c58c4ecaf7a59d65db200f39127223a8bee7c3d9e5096c47e893503cf424b

Analysis

max time kernel
93s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/11/2024, 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c1c58c4ecaf7a59d65db200f39127223a8bee7c3d9e5096c47e893503cf424b.exe
Size

93KB
MD5

e58c444bf018620f773667c37e83f4f2
SHA1

b23e86e2eff3394bb39e6eee83259031c59ac707
SHA256

6c1c58c4ecaf7a59d65db200f39127223a8bee7c3d9e5096c47e893503cf424b
SHA512

81489d1e60329335cfa601c7d532393a336a044ceea9e2611e81888cd13ef7f291526e99106ac389e754f5797377c4688c5626264900ac9487f2f22af0ca7483
SSDEEP

1536:HH/fxhxdx6nVJVyk2i183Per7nI3p1DaYfMZRWuLsV+1Z:HH/7xXoH+3m43pgYfc0DV+1Z

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
1040	Njefqo32.exe
2348	Odkjng32.exe
4868	Ocnjidkf.exe
4244	Oflgep32.exe
1132	Ojgbfocc.exe
1112	Oncofm32.exe
2316	Olfobjbg.exe
2108	Opakbi32.exe
2284	Ocpgod32.exe
4120	Ofnckp32.exe
2908	Ojjolnaq.exe
2288	Oneklm32.exe
1632	Opdghh32.exe
576	Odocigqg.exe
4588	Ognpebpj.exe
4624	Ofqpqo32.exe
4656	Onhhamgg.exe
4456	Olkhmi32.exe
1608	Oqfdnhfk.exe
4684	Ocdqjceo.exe
3032	Ogpmjb32.exe
2836	Ojoign32.exe
1956	Onjegled.exe
4536	Oqhacgdh.exe
1876	Oddmdf32.exe
4116	Ogbipa32.exe
1624	Ofeilobp.exe
3400	Ojaelm32.exe
4680	Pmoahijl.exe
1640	Pqknig32.exe
1884	Pcijeb32.exe
5060	Pgefeajb.exe
2576	Pjcbbmif.exe
4848	Pnonbk32.exe
1156	Pmannhhj.exe
3888	Pdifoehl.exe
4828	Pclgkb32.exe
3444	Pfjcgn32.exe
2176	Pjeoglgc.exe
3520	Pmdkch32.exe
3064	Pqpgdfnp.exe
3136	Pdkcde32.exe
3116	Pgioqq32.exe
1540	Pflplnlg.exe
4716	Pjhlml32.exe
1688	Pncgmkmj.exe
2428	Pmfhig32.exe
2616	Pdmpje32.exe
4888	Pcppfaka.exe
4448	Pgllfp32.exe
928	Pjjhbl32.exe
1392	Pnfdcjkg.exe
2380	Pmidog32.exe
2256	Pdpmpdbd.exe
4968	Pcbmka32.exe
4952	Pgnilpah.exe
1904	Pfaigm32.exe
1708	Qmkadgpo.exe
1912	Qqfmde32.exe
2372	Qdbiedpa.exe
1436	Qceiaa32.exe
4824	Qgqeappe.exe
4592	Qfcfml32.exe
4036	Qjoankoi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Alcidkmm.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Onhhamgg.exe	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pcijeb32.exe
File opened for modification	C:\Windows\SysWOW64\Fpnnia32.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Agoabn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7484	7376	WerFault.exe	303

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Banllbdn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 1040	4128	6c1c58c4ecaf7a59d65db200f39127223a8bee7c3d9e5096c47e893503cf424b.exe	83
PID 4128 wrote to memory of 1040	4128	6c1c58c4ecaf7a59d65db200f39127223a8bee7c3d9e5096c47e893503cf424b.exe	83
PID 4128 wrote to memory of 1040	4128	6c1c58c4ecaf7a59d65db200f39127223a8bee7c3d9e5096c47e893503cf424b.exe	83
PID 1040 wrote to memory of 2348	1040	Njefqo32.exe	84
PID 1040 wrote to memory of 2348	1040	Njefqo32.exe	84
PID 1040 wrote to memory of 2348	1040	Njefqo32.exe	84
PID 2348 wrote to memory of 4868	2348	Odkjng32.exe	85
PID 2348 wrote to memory of 4868	2348	Odkjng32.exe	85
PID 2348 wrote to memory of 4868	2348	Odkjng32.exe	85
PID 4868 wrote to memory of 4244	4868	Ocnjidkf.exe	86
PID 4868 wrote to memory of 4244	4868	Ocnjidkf.exe	86
PID 4868 wrote to memory of 4244	4868	Ocnjidkf.exe	86
PID 4244 wrote to memory of 1132	4244	Oflgep32.exe	87
PID 4244 wrote to memory of 1132	4244	Oflgep32.exe	87
PID 4244 wrote to memory of 1132	4244	Oflgep32.exe	87
PID 1132 wrote to memory of 1112	1132	Ojgbfocc.exe	88
PID 1132 wrote to memory of 1112	1132	Ojgbfocc.exe	88
PID 1132 wrote to memory of 1112	1132	Ojgbfocc.exe	88
PID 1112 wrote to memory of 2316	1112	Oncofm32.exe	89
PID 1112 wrote to memory of 2316	1112	Oncofm32.exe	89
PID 1112 wrote to memory of 2316	1112	Oncofm32.exe	89
PID 2316 wrote to memory of 2108	2316	Olfobjbg.exe	91
PID 2316 wrote to memory of 2108	2316	Olfobjbg.exe	91
PID 2316 wrote to memory of 2108	2316	Olfobjbg.exe	91
PID 2108 wrote to memory of 2284	2108	Opakbi32.exe	92
PID 2108 wrote to memory of 2284	2108	Opakbi32.exe	92
PID 2108 wrote to memory of 2284	2108	Opakbi32.exe	92
PID 2284 wrote to memory of 4120	2284	Ocpgod32.exe	93
PID 2284 wrote to memory of 4120	2284	Ocpgod32.exe	93
PID 2284 wrote to memory of 4120	2284	Ocpgod32.exe	93
PID 4120 wrote to memory of 2908	4120	Ofnckp32.exe	95
PID 4120 wrote to memory of 2908	4120	Ofnckp32.exe	95
PID 4120 wrote to memory of 2908	4120	Ofnckp32.exe	95
PID 2908 wrote to memory of 2288	2908	Ojjolnaq.exe	96
PID 2908 wrote to memory of 2288	2908	Ojjolnaq.exe	96
PID 2908 wrote to memory of 2288	2908	Ojjolnaq.exe	96
PID 2288 wrote to memory of 1632	2288	Oneklm32.exe	97
PID 2288 wrote to memory of 1632	2288	Oneklm32.exe	97
PID 2288 wrote to memory of 1632	2288	Oneklm32.exe	97
PID 1632 wrote to memory of 576	1632	Opdghh32.exe	98
PID 1632 wrote to memory of 576	1632	Opdghh32.exe	98
PID 1632 wrote to memory of 576	1632	Opdghh32.exe	98
PID 576 wrote to memory of 4588	576	Odocigqg.exe	99
PID 576 wrote to memory of 4588	576	Odocigqg.exe	99
PID 576 wrote to memory of 4588	576	Odocigqg.exe	99
PID 4588 wrote to memory of 4624	4588	Ognpebpj.exe	101
PID 4588 wrote to memory of 4624	4588	Ognpebpj.exe	101
PID 4588 wrote to memory of 4624	4588	Ognpebpj.exe	101
PID 4624 wrote to memory of 4656	4624	Ofqpqo32.exe	102
PID 4624 wrote to memory of 4656	4624	Ofqpqo32.exe	102
PID 4624 wrote to memory of 4656	4624	Ofqpqo32.exe	102
PID 4656 wrote to memory of 4456	4656	Onhhamgg.exe	103
PID 4656 wrote to memory of 4456	4656	Onhhamgg.exe	103
PID 4656 wrote to memory of 4456	4656	Onhhamgg.exe	103
PID 4456 wrote to memory of 1608	4456	Olkhmi32.exe	104
PID 4456 wrote to memory of 1608	4456	Olkhmi32.exe	104
PID 4456 wrote to memory of 1608	4456	Olkhmi32.exe	104
PID 1608 wrote to memory of 4684	1608	Oqfdnhfk.exe	105
PID 1608 wrote to memory of 4684	1608	Oqfdnhfk.exe	105
PID 1608 wrote to memory of 4684	1608	Oqfdnhfk.exe	105
PID 4684 wrote to memory of 3032	4684	Ocdqjceo.exe	106
PID 4684 wrote to memory of 3032	4684	Ocdqjceo.exe	106
PID 4684 wrote to memory of 3032	4684	Ocdqjceo.exe	106
PID 3032 wrote to memory of 2836	3032	Ogpmjb32.exe	107

C:\Users\Admin\AppData\Local\Temp\6c1c58c4ecaf7a59d65db200f39127223a8bee7c3d9e5096c47e893503cf424b.exe
"C:\Users\Admin\AppData\Local\Temp\6c1c58c4ecaf7a59d65db200f39127223a8bee7c3d9e5096c47e893503cf424b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Windows\SysWOW64\Njefqo32.exe
  C:\Windows\system32\Njefqo32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\SysWOW64\Odkjng32.exe
    C:\Windows\system32\Odkjng32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\SysWOW64\Ocnjidkf.exe
      C:\Windows\system32\Ocnjidkf.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4868
    - - C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4244
      - C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        24⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        25⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3400
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        33⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        36⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3888
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3444
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        41⤵
        Executes dropped EXE
        
        PID:3520
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        42⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3116
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        48⤵
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        52⤵
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        54⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        63⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        66⤵
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:828
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        69⤵
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        70⤵
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        72⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        73⤵
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1808
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        75⤵
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        76⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        77⤵
        Drops file in System32 directory
        
        PID:1388
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        78⤵
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        82⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        83⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        86⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        88⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        89⤵
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        90⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        93⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        94⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5652
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        99⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        100⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        108⤵
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        110⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        113⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        114⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        118⤵
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        120⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        123⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        125⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5324
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        127⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        128⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        129⤵
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        130⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        131⤵
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5796
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        134⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        136⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5692
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        141⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        142⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        143⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        146⤵
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        147⤵
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6004
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        150⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        151⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3984
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        153⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6184
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        154⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        156⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        157⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:6404
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        159⤵
        Drops file in System32 directory
        
        PID:6448
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:6492
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        161⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        162⤵
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6624
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        164⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:6712
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6756
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6800
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        168⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        169⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        170⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        171⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        172⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7000
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:7044
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        174⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        175⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7156
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        177⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:6260
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        179⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6400
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        181⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        182⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        183⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6664
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:6724
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        186⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6860
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6940
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        189⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:7072
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        191⤵
        Drops file in System32 directory
        
        PID:7148
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:6180
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        193⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        194⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6532
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        196⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        198⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6840
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        200⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        201⤵
        Modifies registry class
        
        PID:7016
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        202⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        203⤵
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        204⤵
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        205⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        206⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7144
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        208⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:6916
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        210⤵
        Drops file in System32 directory
        
        PID:1088
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        211⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        212⤵
        System Location Discovery: System Language Discovery
        
        PID:7244
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7284
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        214⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7324
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:7376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7376 -s 404
        216⤵
        Program crash
        
        PID:7484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7376 -ip 7376
1⤵
PID:7460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
93KB

MD5
6660103e0b42613a2785e3569d41f0a8

SHA1
3120a8562baa68b12b1bbaeb4614b2b2778f5d92

SHA256
72a716ae8556b1b6079189d8445e164301a5e7e2677012c9286b5edeceea5dbe

SHA512
2a853fddb84a538cf4586ea2f39acbbf7ff7afb6501f7310d667b130a528fee7bb821b43666cbe5bb4ebdcb193a0a276ee8d141c56b79d75e3a0e2de8c024e29

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
93KB

MD5
a4a1496cb20d78afbab15cc0b0dced8f

SHA1
c421f07dd470c1269fe17c844473b9df55c3f3b0

SHA256
77de8cde2f40ceb1880506ec9cbee11ca392915ac14673e9b162f714ef953088

SHA512
640ab3887fb391be7e1eb5c154079765fe3277f1ecfbbb5e004042562af5aaa55ce58b50f2c204040d3aa64fd5f81bdec8e24be585a7dc30deabcb55cb51e89a

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
93KB

MD5
cd60851b2be7ce00d4b6ca49a16abd6d

SHA1
52030ce00de7b921a2eda466d7b15a099ffaab21

SHA256
cae4901ce1679f2bd6ca651a0441ef5a54635de7baef5a486960c19ee9e41fcb

SHA512
9e176ce4c85b069c272ecf5a85353d974157315f4dd2079bd209cbd8be6780ae8f5889a9ef01b3405716b99f8b7f7de9102618f059b9748d6f8f5252584dfc03

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
93KB

MD5
6e7903e339ec6eea3e40b747dab39469

SHA1
3373d4521a071d77942365e30538f58f8f7e86ab

SHA256
d039ee271bce1fb2fe36955cb9e038112859b61451fd5ef5418ca113b3d7a8e0

SHA512
5d57f6b081d116b5bf7203d0b4cab4614597585b200176f6e7dfabc96f9e9f454f84aab37ae884025a14ff8d295b4e6151805799e81497e9575a7bc17a5f2796

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
93KB

MD5
6f08121d6eb934787c0979cf234c4773

SHA1
e12de87ded2d9576f222079ff4df1e97cc0e5083

SHA256
023efeaf5b3931584f6adc5c1a1b2d39b6e91ae5b17d970644ccfab09b2bf936

SHA512
1d09831f58322cbf22ca52089db9021bcdbf44465c7f447633cd49a04df0cb104e6f4b53976066475b474f561c2a846a6fefc6f10fd9e58dfc27101f070fb7dd

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
93KB

MD5
97342a850be3d295ab8cb705c8a2ea15

SHA1
cdf467e9c0b3510859f3122742f04318807a057a

SHA256
44c8b230e86cf0d8a6ffec0d0da2a21ed7b41f35b05caf9cc8727de44b607e80

SHA512
545f5fe60cadd01e9b1527356152a7212115d25210d97b199a4667fd6ca687d5abb53c6fb2fe23d25aacf88ff5ea444d420b738482270763f6d75c5af5502747

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
93KB

MD5
b0b64c1f0c658cb02ea033195e3788ee

SHA1
18dfb9ad54ee64b689fa9408db719a448c16a8f8

SHA256
c93f9b0b58912aa809068c4071625482cc66b972c30c55f8da9253fe42ce78a7

SHA512
fe680c3bb3100efa841eb217d3d5539327bccb2b9fca2552f00358b07fe5e58417d31e79699eda9bf5ee288a724fb6296ad1f0bd47fbdb8593cb2f9125c33854

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
93KB

MD5
a50d28b423e590669bc80f178d74eb57

SHA1
f77393485d7cc51daa3c06f0206a7518f89d282a

SHA256
dab6a7e896a1bc5a8852d2828cd1d255b515885a70836e2a9295651e26f6fbc3

SHA512
f67baa10bf0baa53cf0a0b2833b72ea536d54614b2cc28a7566cc68470ccca8a5c95a5783c1de797e87255a30fabe9bc660a8aac39022e8c58207e1e98d83d26

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
93KB

MD5
65e8614dee4b4019ed7ad7c1071cad95

SHA1
18f9505a40b7412f8cfe98c7e6ab334d5a6b1ebe

SHA256
a6202ab47cbf937b744303574a3389a711b986cc8548e45b76043c047757c8b9

SHA512
3277fde4acf237adbb455f62511b854be107264c204243c6f28fac802eea770708ad8fc36616c71b0d0746a093fb87ce81bc817d2326e2a62a62fd709e4b33dc

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
93KB

MD5
fc34096472868190c1c55c987ebfc552

SHA1
c63e64f2e4295398a9faae7af03dad14796f4b56

SHA256
550178856e67eb6b440e9691535b99c6ed429f4d67240e2191d613824c243858

SHA512
82c8d620fffa5da215f2156002a35f59b7ca9407acc9bd78e05a62a102a36aa8f744476fdc12d147376ecd6cd99fa42fae9a209641f0f143314da21ab5b33f99

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
93KB

MD5
41176f8b8d849847879b86cf4c122419

SHA1
1f5d0bc5e3eac6253c3f1eabec7f7ed04fd01ea8

SHA256
4fa1dccf11fcfcfcf600375ce17e24b129d1ef1f863f7eacedec4efb25b8fb8d

SHA512
c7836d9e55b836f91d5600e86be2b5147001dffcbeaedb069f3d65045ea97b931298b18ff07cfd8c6638c679b19b8cfc6c438e57481173f0f4529b1e80ac35ce

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
93KB

MD5
3ab6e701e5e1604c2669b2e86fe134b9

SHA1
71bb33b6df7e61d2c7a438da4e9bad2c1f0d022e

SHA256
24ee1a153c5508009028af3c86dac86230fcccc9f5320d3708eb8cf64166ba73

SHA512
7bdd9f739461bbb904390564627a02993e1d37561a3f8d71f54e3d9b0bf21abae8ece561f45268ff0e9d8f9bd7f8f01f4f03e16e888e3f3b884766bcdeac11c6

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
93KB

MD5
8207bcf748b357504358e613e747a439

SHA1
9a6852e1e31cf50574bdab780e7241ae14f77f20

SHA256
42118171222b0fc403972c49ef06070d98ccae8514a502cdef30e22c23c39b7c

SHA512
c28100ddcadc2b4373697e4af70094df8b3396570e9a97a118603589f9a3a5a5553479183adf17dd5601ea01958abd0d9ecc7b37d897bf597f8bcd92f9b2e953

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
93KB

MD5
b28079b625a667e5d786a7d26f316d0c

SHA1
923de1d3c2c7250e9f290409407260ea2b2cf648

SHA256
033f1158b70febf97c53f503b1cba168f12bb91e4d5decd42fe8b9884693dc26

SHA512
dbf7cd6d5abce8adbc0d4f75b48e9a71c2e122b9f597edbb37a79459909069151b58723e388cc2f2a537739264313422d39ffc59efcebbd3656cac090990faa9

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
93KB

MD5
e2c5065f2af70d5a7e37e819d8aee3d4

SHA1
63e9860865375f4b4a1208f347a66a9151f731fb

SHA256
894dd155d802554cb8f079f1315b1266ef353b62552854119bc58f30b80533a9

SHA512
b0c2becdefb6a113b56c0e2d51633dd1687673f8534b0ddc79580b65f14d750b574c1f3f8e6b78286b81fb799716a4080ce3858aef9945d2efe1b4afc2defa49

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
93KB

MD5
26d332798dd5a7d8b1cb459f7b699236

SHA1
a1af8ba92565c8546b918c15139f8e267282928c

SHA256
7adbdc13d56aaec93c3fda894464b3902d727362aa69d47fb33de21e46c81d37

SHA512
f2736edee9eea54c3e2315d7352cc50b736a51e13841589cc6048f5e7e8384ba125c514a86cc60237248f1266043156ca767120f0ac286f8f806f91bddde125a

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
93KB

MD5
ee220e30ccb5f542404d4c07b0d4dd1e

SHA1
d2312d1e4e4bc711a1be941f5afb19138994cb99

SHA256
74a040da64e0c407d14a5be1ede18c821f50bc5e116c73563711669a36f278a7

SHA512
bf1c5a8837d8f1f7cddd293cd0588e921709e98a391621201581325eebff80ac43317210ba485c5fb87080ae5c9ef38d91ca0b19189b1a7435bce75f71ae0671

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
93KB

MD5
65b4429ba9f4cd173751661f533e5c19

SHA1
ce14119ea1fbc8776a61e8416e7f1082d3a6adb5

SHA256
724ac874c66a4120fdfa26e9fe55d9704623db1c402c8e34f7ba2de6ce7a7e3b

SHA512
868253a9e508edd8ccd93bdbf9b6708b5dfbab6a80d2df20d91b7f9a77582001c502144a9d958996c44000b46b205e8ce0ef687ed8dba9ce9be69b52cf92dfa4

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
93KB

MD5
cd73c69f8aa0eacd50d4d0344c7340f1

SHA1
13f76198013ff35a9bc5d729955ebcd692615355

SHA256
41376254bbc46d6e70ea25ad6f4560c2254bdae2af95442b34c431f1fa3c1127

SHA512
c8d1d6a424098db34f3e2d603729632727a75f0ffbd9be97a2e88297b8593951fbdd2a105cfc5165836ba46351adc767b947a501a96156ce3574e7e23f3c560a

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
93KB

MD5
803136946820730c42937bccd67c32a8

SHA1
94ab15e6aa9006ddd81001cd69d5e09a0e0dd179

SHA256
b08a58af1d357e79edeed9d56849018b3a22dd7287a6b678d6f97112c3fd5ade

SHA512
1878ba6d5f2403ef0b71c34ea5f7d4c0121f58e8bf4710ad83339acb6efb8e097af3e7d7d386bb308d9ec55d1304d009bde95e394a7c6d4a3673c9887421a8ae

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
93KB

MD5
542f270598bc58979d7ecc6f90426141

SHA1
10ff30241844aa7583f599059d014dd41697fb4a

SHA256
13a00ae95c30adc11f1e9fa89c3b98897bfc1c13b0cfafd6d6e6ad8e1f254c54

SHA512
ea92ff633c83813a9f99069e93cfcd0741521652f4989f32dfc41b91c2b40ad0d107826a372ad6a4b50779caebeb43b509293754e351d9785785388e370bbcd1

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
93KB

MD5
498fb29db8a703333e704d7947ad03b3

SHA1
30d2db4a5884bc85ba38059a452a05b95d8e668a

SHA256
dbae33e6739ead0fa956df5e94e2b4dc106f0a71e3be4b6450c0ce7918ab79cc

SHA512
8f0dbff853f7462d6e11c620b83e628449c9d2f465173de5008ac8d66f39cc582700af9eaed950c849d4cbb056f21d8ce940cc62f9cf8146371cdd5153dfefd4

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
93KB

MD5
65ffd013f0a8238f0d925bde31bfdcbb

SHA1
77d49b3d6141d6b97c3d34b3b052352580e7871d

SHA256
52d4f6a592e601d08b5dd3967fb66d6ff76d0f1a06ae7b8fc4e59077db92de7f

SHA512
4f5abf2292e595bca14e916a6b76e9a0aec4b3d77d84012a0164037985e6a22c95317af937798c147ecfa8d14c08f43e3582f2b9450b7ae24e61424d8937a1a9

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
93KB

MD5
ef83de1a2178d444b5b783270cbcfc88

SHA1
03bc95dfa551bd5e75fec6eee29827543c7a4736

SHA256
d5ff08c14a6282ccf9f1708a991942cfd60a773ed509684f21f4e9d1c43edf88

SHA512
2bbac997422388174cce5fe87aa92c7d6de316c5f5446cb9d72fd12d56729a4aea71a32b8f4465fdb0a54d5fb7b17b224762e6e30a4f16afd892e934db9cd61e

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
93KB

MD5
50a1abdfd85387218b095dcc957b5511

SHA1
748c0622314e06fab65a2f4263d7bbf6758990f0

SHA256
f899438d81b3b22a90ffa59394ffba8282154fcda3345f5c2fb8fcf6af28f64c

SHA512
dc557b4ea83632ea272694bffda5b16e6ab606f2b6d7c039a6f1c6b93b1e707047c21d1dde200bff4c8226563fda351951a09bce7c9950e028d32ae966102878

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
93KB

MD5
c51dac303a08e3fb57115583a601c774

SHA1
1ac904ab5288461305f81abd838022f35e5ccf51

SHA256
85ebde2c49c26c531e071d787891c19b43f0c7ae9eeb0cc0f9bef50e3b5e7d61

SHA512
083cdb2b84449d5d6ad5bfde0aa237ee3b26087e6d767e75f3b48c72d4de3f12dbe30c18d4e463c6955103c854a8d276cd938114175e5f8c6397b76c461ac0da

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
93KB

MD5
b0ea92bef36e1b1e5f59e0d6e7b383d5

SHA1
afa432bf6168f7228d6b24ac28de1d438360d665

SHA256
8383ee920d8c85d6dce50bbb6e8617ef502a831e493b0268af2b8486c6cc8222

SHA512
8fc16fa61f05d2659ae678a8f4a781fafad3cc6093c5b9ca300a7625878feebe0bf00db213e400fadfc1449e99d7f84cf6141f8faf715845026c595c39e224f7

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
93KB

MD5
731f875f9db8afe5ac4d565ecbbdbec3

SHA1
ef201aa0adecc42deecac3e2e78350849dcc1b79

SHA256
1eacc8faa881dd235c0ff35b5c608376b7f79996d91a3aa696ff1037c8faf3e9

SHA512
6e88e56d55ce9965b84b514b0bd0ae8c81eed3ffb13eb397656118805a48259d52cb17e6c8f26ed2a288a50ca087d8db3add2b537e1a393551afd5d7e6e7d160

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
93KB

MD5
2af490c566a55839ca5ccd65bd9e8360

SHA1
11ee2f460c463f10fcbf0e10f779723befc0559c

SHA256
97d97b8bd5114d9a02b77c296c034ef846ef8c3b96aad9c3dd2f939e732d5613

SHA512
7b9fd8bdbde6a96cd533cd4923bd38b82d5f16496e78b479b6643781e43789e8eabdfc2a0264a01e13a8882dc8c494c488e5d4a84efca05d999393d29dc9f000

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
93KB

MD5
c2cb945e88c0b53d10a2521b177eae4e

SHA1
7cd524a27fc1b637088f71059eb431b56f2e8662

SHA256
64359d2c052dd33147b04e66cc6c8ef74f1a7f84bbf9efcd3ad459409c2bec30

SHA512
de067b4ec2744c74abcdc8effb2212c30ef6d7609b1179ec495f7bd0ec91936c6fc9c6571f3f8558c655211e22f0eb6b0b60ef1ea908e1a7c16613a0f91d1492

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
93KB

MD5
799cfb5a7524477348b1f6ee1e0f778a

SHA1
6213cf4071573d7dc5976fe740d57c5a0f833c64

SHA256
4ad1dfc8abf4f73e476781603c667f9594c6fb5612e2daa8115b11967441e3fd

SHA512
5b0937433b91e8854c2fc0ebceb69eb40f639e05071fa9630a5ec162515e3a746e4c348eaae0e646d0bebf5cbb9c26e7481ed099f487c665989b1b883268f0dc

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
93KB

MD5
8957e6187d5a7b04ad90ce46c40242d9

SHA1
513b3678a6bc077cc4c32951ff3b091dcdf102c0

SHA256
8e5667fef7d90df434635aec6a658399b03318ddc78af398411985148ec48884

SHA512
f50de1a508f509c6e3acb43fd78198a18af59d5cea6cb98af08b737ab949f60c926ea6834976675ad89733eeacb25f3b501403e01f08eeec08be6f1883d7cd9e

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
93KB

MD5
e97050ec95c64039e9b6409a609be267

SHA1
53d883545cd40fc666feec137588482b2088fc17

SHA256
ec227db6a95e5bff2abc3a9f6cacf1f65271f3cb1b88566aa1f6a57d38a88087

SHA512
8e0c4e8ee99a58a2abd8c244c07500c4e0807ccf300e83e3051514e493925d1d9d76f714c214476a93e736adb4bf3745b349744cb61ad5beb8e67f75066a69a7

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
93KB

MD5
a913883d5096116e6580120cc8b69592

SHA1
cdb2c1d773f331b484ea035da15643aacb8041e2

SHA256
cde99ac03ce4bef5daa5ed7d89f6cd363310da32dbcb6137a76a49f95bf65dc5

SHA512
fa1e510393598479d568b59fdbd05467d52af6dd167f6be201c45a6df866cb0f699bf641bd2457550e74a590ba3fa6a11cde342f2e798a266fd9bfc68d9ec98c

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
93KB

MD5
abd8a3e4d505e76507565556ffe2fad2

SHA1
0ac0e65f6b869a1bb9ba11c11ad0aadb60b4943b

SHA256
2ca8324e3dc39cdd2e757bc54e2cf09709f1f265350aa013878d5194890e5b1d

SHA512
e4433fd2b4c4ff673911224bb7131014cf5f274a2e3b89fba75220e6ab1a1c07d88c3de85006907ad2d90a11c60925062e58915fdb160d27590dec512467f0d7

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
93KB

MD5
4ad29ad443d8b6301d99906a52e295b0

SHA1
c83c34d514324ef6868098fdc1294409fff2ff3a

SHA256
ead13f00400f6fb193bc919136cf301828580a4f5246b350cbef1667ccff23e0

SHA512
17ef8f0cf2e02e6fd526e9e889cb22796da86ad353a16df0aaee267475a3f5b114a10bd0aea0f31f1d2cf7724ba741f42f0d8bbeae8da92ce4ae64978ab5cd8a

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
93KB

MD5
e35adf0a4ab5789073c4e1c2462c0511

SHA1
1d83e2e474bf5df33f25b6d6238d03ff60db79a5

SHA256
7fdf367526b86db9a8ddd56043ead51cb46193762e111ec6525d3eeab7f4deb3

SHA512
b138258d141955e795246abf43f0496926985d165539065347e3364617eaf98a2d65188a5a2da1b8b2578b62507612578ffbb6b96cd3c1ecd4fbe7321e824e0b

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
93KB

MD5
e73b0e15c4daecd0466daeab596e09f9

SHA1
bf6a6dace479c84193ddc070b8269a1e7b5fd319

SHA256
e98d968c07bc0be527e13935bf80adcd28f834eb2033a4bc8a2ca39514597859

SHA512
f5daea76a41018afb292cd11f2a5553f111c8ee5ea558ffc2b85d5ff17eb9152621762068a432ddc6ec2a59d1f791e097a75325faeecc910cd65c5db6ba1cf55

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
93KB

MD5
51dc60c0bc656ac863b4c9a08950b265

SHA1
5c66240db4fe93fafeaf05c3d1d06a8e0bb522b9

SHA256
3651f264c3b70b10a23f1a149699c2bb1daf549a079c2cfabc2bec4f7c6f21f4

SHA512
e53f88c2d570cf69f19543607cc12d1205d375d8f1a81e5b74f133a155f48ed04516016ab046b06b1cb3948f3ec550fa745144923baa3c9dce7c31e3e6803af0

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
93KB

MD5
a37bcaa120c473723071f8694c644c1e

SHA1
47ed05b5825c8e5e1ca0d9ffd8f6bd7a2a86e4ed

SHA256
2aaf666d3c83524dcddbb4417ac7d532b01079523a9227ce0916222339bd03ae

SHA512
7885648f4cfb9fd28c5aec8b6e5cb7b48ee99036d96e7a3f7e7a161f10f216f0faf03ad444ee8965966dda29057e9f4aa288cf9ac8a42055bf25ea958e4f93f2

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
93KB

MD5
348fbd1e865b830052335fca34d8b07b

SHA1
0ad9b36fba743e653ac697854175b590abf3b810

SHA256
e328547db7039c681348679b0bbdd329e7cbb33038d09a18887cd65975e4a4b5

SHA512
2fca8ae838964cf494df4deefdc74c311dd8df54c44a2e94a0ca34fa1ba8c82d4c95740196191a842a5937e20529a3d5d4ec97300f18bc45ee6244d90430a370

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
93KB

MD5
0f849edf7003009433eff718d2bcf27b

SHA1
88acef0aae4e81578cd77bfb5d6a4076c6e03ba8

SHA256
389ec90b36ca104a02d006d075123533afab3cc207337537a6111b10270367ef

SHA512
cd772a4bcb897c700f6affe45f139b791ec32c4a3ca964620e244a06d7db2531da63c008588d837e035c9d853f60e5581c68a0323657f5bd9af44c1046400f2a

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
93KB

MD5
49ffef1bd79a249009957114d8ed9316

SHA1
9292af3ab809ee35a399d7a3b0e73d4eb7dfb2a9

SHA256
4ec322cec4728d21a8fa7d0d281a25d8aafbef89c22dc4ff7fd64c33222d92fe

SHA512
82dbe35f1abf6e8a204d3bb6187c7ea14a696c9318bf15bcb1fe95c48909697b688a1e97d8062c2f7c36b2adc7e6cc95980ad76edeef57b7271d60bba3ee6a6e

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
93KB

MD5
3d5cd83bf0d2623c493df54e93d410d3

SHA1
5d773fc06e8eb06edb4c1a39f7db1489fe880cf6

SHA256
ede69caacc10dc50fc4590459c0024ffac2af6fc026299d50b3852145a09129b

SHA512
4151cb2b27f9701671289bf541c1843408d06f66bd9362e627581b09c9540b938d055db8f06c6f087cf2f912452e3dccab8a312ad1e13d32a2c2390d7c56f830

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
93KB

MD5
357e56262fccc7662fad45337541630a

SHA1
9c2fdb2dddb91c810af521fb4e7ada0062cb601e

SHA256
49b5a0964a6dc986d29e4808fe325185318c5f75e791a6166cee6efad214777f

SHA512
3c9511b6b2c1647b1a22dcead014dca336490a50cd77c30f3800b51b88f389fd3ea295456e9753116f02f550ae8118b9fa0cbd06e781f025051a1f27d8169dbc

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
93KB

MD5
202c8d154479f074ba6b2cdd5b5ccf93

SHA1
a26d794f6e3975ecbb94aceec0494c3d2b724a17

SHA256
ec21d07d52b2e66d9f76fe38b8d53eae914ba5afbecf9cd40e73bc1a9d38dc72

SHA512
56c69b0f8bb4f11634abc010fabeaf73bcdd25e07b9f01f9ff4d150291535fb96da97be24f6059a4be4921c1319de4d4a2845fe82dec3ae76093e60e13252e88

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
93KB

MD5
14e0b023d604fc9b7c027466bdf31c35

SHA1
6bd73ea3227f6a3a6e80c941f43ac05527f108ea

SHA256
7a3f4f958bffb649de9eb004f0e26080abeb8237fc5bb984c5281f1ba4a19a41

SHA512
2f8b9d6d1839db5b565691de1399bd566f50bc1358699443a2d007bdd6241be00aff9392ce1d2fc6a49b2d4045f9d4a80a175b3e935c28344f9eae043245621c

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
93KB

MD5
abd00902cc3d7220b22b7e00d4f881fe

SHA1
5f3dc4660cc7d94555c0d406f8d9887c9ec037ff

SHA256
60b56219b267036bec5d57cb8691dd672d29945dee3a5c17a3d9b4b7c29e6511

SHA512
84fb812d0e90cfd77ea3d50342546e4ad001c5a82ad60174cf9d48ab91d1e75259b5f449c3609f4a15101c4a76f8faaae5064aa308d92e2e46f00a8659ddb220

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
93KB

MD5
adae3fdc83954fef903e018bd4a7c60c

SHA1
bf6d0333c0e0ee6047e0df63e31d0c3fdd5716d1

SHA256
4d8a8325b95717b5bb11b5c4c7efa3539309edc179573cde3b1f2285f9f53854

SHA512
3b28ff77b90e7349aa2c239e9eaaadadf2ee24cabcd9a936327e13d96522292a012ce7e3b7b7d1ea48a93e3c8f9b317e41bd032ce123604ec230e54e6b9cbc13

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
93KB

MD5
fa444b8bd659448a282e9b560dec8c5d

SHA1
22ff54bcde25fc6b8ee9e522954b7fd47f0d4e53

SHA256
19d3df289527de733a69b2741f2d9ae98ae9560f1ae74e74ed6b09512954dc67

SHA512
08be093214ef7b3c0c053c10ffe7da15a6e573208cdb87cbdd13fc4aac870625b5fb476d16b9d92561ab0d1846ec3956bc1d4b74d344ebc8e3037e4540ca1a42

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
93KB

MD5
9d3da4e95b76df6c20fe9c33fe8e2dca

SHA1
57d9a5ce8053b56e99b8f0980ada0421fd470496

SHA256
93d1b27d75ddbed4826acc867cf837a6dd483cae6501d25f04b802c0d2a33a0b

SHA512
50d997fe4bcf6b15a69972dcef216cca641c9fdeb4ddb0083c33178e1afe6c212f5f2d01b55f203caa71392846d11d8cd3d5062c4d305ed4f9820b994d9fb531

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
93KB

MD5
7d9ee745c2c4d32ae7169ce3edc52e80

SHA1
09c0421f52303921eb05ba49bfbf45c358974505

SHA256
201fe222366edc6fcb29c6f458648c2d9329b34e887ac11219ed9ea3488fc829

SHA512
ae72e6d572e951d4cd0b04a7dd457e56f40baeed924b5ab67dc6ae96591fa02eb1f1425629e7fff54f64c4291aaf035e7389d07fa1362b7469cd43b2a4a7edd4

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
93KB

MD5
2d29d005015926b310a7ec4e005e6a5f

SHA1
ab4f43408f4e2de3786422dadd94eec735227649

SHA256
429b344fe0f8854fa1a835fe779bc89c03bc92c1fa011d52a1583ce9aa47ad5c

SHA512
0c61ff883b00364927bdb478021690e7d3e709e28832fb2f479ecfac1ea6def9b206f07d2728945c01396697fc7e347b78d53ed77353f4eea71cd9a38e33583b

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
93KB

MD5
403e560c5182e6ca9ad9860c12594272

SHA1
f3fad2c49be3cb0c3a89703374415697dc2b28cd

SHA256
c347eaa1221545a27c4d9c7d5b50eaf31b92e7ea76c20465af9293b8a3fe23cb

SHA512
8d667168bf0b8636705f19e76646d61cbeed8e58b478fb5af81b78ef4deac292d6cf101d96c0f074582838fa6ef54f35697a64bee8973abc3f171d2e22f4d209

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
93KB

MD5
d039c47b29a6824d2110b3ea957a6c18

SHA1
a5342167dd18dc307f2be3f15621d678bcd6e69e

SHA256
5f17cbf275e54741bd6fd4dcc6b29cd80231e6931ceec6ebfad602f514f9a0be

SHA512
0737629f14a5e945d771bb1029767528b0fbb236b473d11a229790a134aa7477d37c8ed855d732e0cd88a4617d6dc0bf60ade56e6d0196a731a02cd4d616bd3c

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
93KB

MD5
1d76ccb955a50ab4aa937c9d948f6ed8

SHA1
bcac8f7e6679516794021f23b42640f89ef4a4ce

SHA256
a798ed4ca7d0da33b1f5bc139e44c1a12e2e55bee006c4712164514b23fd36f2

SHA512
e35403926d85bdf26fb6a27ee1eaf1fc0784612b1a5e1ebd0c1a52ccf7264ca203ba64967e4886498041324d5eec910f32b3e3f332299a02e0fdb30ce76c3bad

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
93KB

MD5
2ebdd277676846408b7d1ef31246b3ee

SHA1
2f047219c52fa4fe3e0bb7e695583953f2f7ea1c

SHA256
33985754f136e7491c04a0703551daae07283d5cae370435a2ec5324db652657

SHA512
5194a8b06d4da3a1f38024617fad921820e017501c608158ae258e0af11350a7ae46d6e7971e76d5f01f8085308e5f60f47baf3d078965214aa0c288d187836c

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
93KB

MD5
a7e55e7ce64e8e80a0abdce46b68f1ac

SHA1
73e48cfb61d201100d989f09c380efe213e49b77

SHA256
3b85e041776c52bf3ebffb4715ff49b69e49e2beefad3b4b1ea4f28370a46203

SHA512
e9017b0007cb64e8a4fff39a690d326d47c573c55e3d93c0fbc19e6e313d57cfb23aa48ead44fff2861e5e768228e3eb0d36171c599f8f4d355d8296f0856949

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
93KB

MD5
61754796f00482c22674b4586f5d37e9

SHA1
703570fd42e7b33eb93a7e3b6b01530f75bbed4e

SHA256
da19fcfe876f3643c243da5259424783a7fa4a511f938f24a1bdd2813a7408a5

SHA512
cdeb2362337da001d4abd4b07a2f4f52e1f38b2a976f157833ebdfdf2467a64e3d3ae44b92894807f1ddba38060debad7c7b2be28ca260a32ca11434ffd3cb98

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
93KB

MD5
d5445aea03d9f7ccf293f4abc0aaa589

SHA1
25333a944dbbf2790abb81957e0a5c7a738b5b8d

SHA256
5c4dfd4a6411e6580fa0bf23589b41d9772452c7fdacbaebf1a2a58ed690af77

SHA512
adb989299ca335d3741644dfaa77fc51f86ee88bb08bec8e23f0b7f3273c479d76deb800adc5d1f026fb08cb2f8145ec619155e8768d7ff2ce70d98d57746df3

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
93KB

MD5
f571c593854b28b0c18d4457c5d35d8b

SHA1
cf361b485d307a2c457814fa179344b10822e2a2

SHA256
0836fa678e0c3cc5ddcb0b6411f8fe8e5125eb5a7486b2240e3709c116ce1d41

SHA512
f676123a6ce5ae9c895fed9a87dbe923a9b224d7cd83a1bbe9aa72faf0794b7c2939725c524aa63f3a9c18e6348beb4fc8bc9dc06e9900996e0ac344b8c9bf26

Download Submit
memory/540-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/576-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4140-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5160-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5204-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5248-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6380-1444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6712-1523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads