berbew | 0f9ac5893a382735137952de9af56ff47e8586b69b7e964bac1b17226a834fec

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f9ac5893a382735137952de9af56ff47e8586b69b7e964bac1b17226a834fec.exe
Size

163KB
MD5

a128b1e4591af296c389afcb18abf5b2
SHA1

dd72e6019b048232a888588163217d978e90cfc7
SHA256

0f9ac5893a382735137952de9af56ff47e8586b69b7e964bac1b17226a834fec
SHA512

1aef69ea3bcf40cc9966a6550c0344263ddbd5047630859ee072edfb208aa4d8f00683bf7e264f8dfb603ed26e48ec254751d2650e241d426bfd414975f5ee5e
SSDEEP

1536:PeQz8Lmy1Jey7GD9YZbwmpj/+zPTKZk5UlProNVU4qNVUrk/9QbfBr+7GwKrPAso:m1tzhwmpcLKZsUltOrWKDBr+yJbA

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cd6-743.dat	family_bruteratel

Executes dropped EXE 64 IoCs

pid	Process
1912	Njefqo32.exe
936	Odkjng32.exe
3924	Ojgbfocc.exe
3128	Olfobjbg.exe
1384	Opakbi32.exe
2416	Ogkcpbam.exe
4708	Oneklm32.exe
1392	Odocigqg.exe
3428	Ognpebpj.exe
3664	Olkhmi32.exe
3356	Ocdqjceo.exe
3000	Ofcmfodb.exe
1884	Oqhacgdh.exe
3492	Ocgmpccl.exe
216	Ojaelm32.exe
1712	Pqknig32.exe
2328	Pgefeajb.exe
4972	Pjcbbmif.exe
2304	Pmannhhj.exe
3752	Pdifoehl.exe
2008	Pggbkagp.exe
4456	Pjeoglgc.exe
1140	Pmdkch32.exe
1388	Pcncpbmd.exe
4136	Pflplnlg.exe
3400	Pncgmkmj.exe
4656	Pmfhig32.exe
4924	Pdmpje32.exe
2984	Pgllfp32.exe
1464	Pfolbmje.exe
2768	Pmidog32.exe
316	Pcbmka32.exe
2880	Pfaigm32.exe
4420	Qnhahj32.exe
5072	Qdbiedpa.exe
3580	Qgqeappe.exe
3468	Qnjnnj32.exe
2508	Qmmnjfnl.exe
3744	Qqijje32.exe
1860	Qgcbgo32.exe
1796	Qffbbldm.exe
5108	Ampkof32.exe
2740	Adgbpc32.exe
4160	Ageolo32.exe
560	Ajckij32.exe
4116	Ambgef32.exe
3292	Aqncedbp.exe
1976	Aclpap32.exe
4544	Afjlnk32.exe
4668	Ajfhnjhq.exe
5116	Amddjegd.exe
1072	Aeklkchg.exe
4604	Agjhgngj.exe
3520	Afmhck32.exe
4880	Amgapeea.exe
4100	Aeniabfd.exe
4628	Afoeiklb.exe
4440	Ajkaii32.exe
1232	Aminee32.exe
1436	Aadifclh.exe
1304	Accfbokl.exe
440	Agoabn32.exe
4424	Bagflcje.exe
432	Bcebhoii.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pqknig32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6140	6032	WerFault.exe	209

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 1912	3160	0f9ac5893a382735137952de9af56ff47e8586b69b7e964bac1b17226a834fec.exe	83
PID 3160 wrote to memory of 1912	3160	0f9ac5893a382735137952de9af56ff47e8586b69b7e964bac1b17226a834fec.exe	83
PID 3160 wrote to memory of 1912	3160	0f9ac5893a382735137952de9af56ff47e8586b69b7e964bac1b17226a834fec.exe	83
PID 1912 wrote to memory of 936	1912	Njefqo32.exe	84
PID 1912 wrote to memory of 936	1912	Njefqo32.exe	84
PID 1912 wrote to memory of 936	1912	Njefqo32.exe	84
PID 936 wrote to memory of 3924	936	Odkjng32.exe	85
PID 936 wrote to memory of 3924	936	Odkjng32.exe	85
PID 936 wrote to memory of 3924	936	Odkjng32.exe	85
PID 3924 wrote to memory of 3128	3924	Ojgbfocc.exe	86
PID 3924 wrote to memory of 3128	3924	Ojgbfocc.exe	86
PID 3924 wrote to memory of 3128	3924	Ojgbfocc.exe	86
PID 3128 wrote to memory of 1384	3128	Olfobjbg.exe	87
PID 3128 wrote to memory of 1384	3128	Olfobjbg.exe	87
PID 3128 wrote to memory of 1384	3128	Olfobjbg.exe	87
PID 1384 wrote to memory of 2416	1384	Opakbi32.exe	88
PID 1384 wrote to memory of 2416	1384	Opakbi32.exe	88
PID 1384 wrote to memory of 2416	1384	Opakbi32.exe	88
PID 2416 wrote to memory of 4708	2416	Ogkcpbam.exe	89
PID 2416 wrote to memory of 4708	2416	Ogkcpbam.exe	89
PID 2416 wrote to memory of 4708	2416	Ogkcpbam.exe	89
PID 4708 wrote to memory of 1392	4708	Oneklm32.exe	91
PID 4708 wrote to memory of 1392	4708	Oneklm32.exe	91
PID 4708 wrote to memory of 1392	4708	Oneklm32.exe	91
PID 1392 wrote to memory of 3428	1392	Odocigqg.exe	92
PID 1392 wrote to memory of 3428	1392	Odocigqg.exe	92
PID 1392 wrote to memory of 3428	1392	Odocigqg.exe	92
PID 3428 wrote to memory of 3664	3428	Ognpebpj.exe	94
PID 3428 wrote to memory of 3664	3428	Ognpebpj.exe	94
PID 3428 wrote to memory of 3664	3428	Ognpebpj.exe	94
PID 3664 wrote to memory of 3356	3664	Olkhmi32.exe	95
PID 3664 wrote to memory of 3356	3664	Olkhmi32.exe	95
PID 3664 wrote to memory of 3356	3664	Olkhmi32.exe	95
PID 3356 wrote to memory of 3000	3356	Ocdqjceo.exe	96
PID 3356 wrote to memory of 3000	3356	Ocdqjceo.exe	96
PID 3356 wrote to memory of 3000	3356	Ocdqjceo.exe	96
PID 3000 wrote to memory of 1884	3000	Ofcmfodb.exe	98
PID 3000 wrote to memory of 1884	3000	Ofcmfodb.exe	98
PID 3000 wrote to memory of 1884	3000	Ofcmfodb.exe	98
PID 1884 wrote to memory of 3492	1884	Oqhacgdh.exe	99
PID 1884 wrote to memory of 3492	1884	Oqhacgdh.exe	99
PID 1884 wrote to memory of 3492	1884	Oqhacgdh.exe	99
PID 3492 wrote to memory of 216	3492	Ocgmpccl.exe	100
PID 3492 wrote to memory of 216	3492	Ocgmpccl.exe	100
PID 3492 wrote to memory of 216	3492	Ocgmpccl.exe	100
PID 216 wrote to memory of 1712	216	Ojaelm32.exe	101
PID 216 wrote to memory of 1712	216	Ojaelm32.exe	101
PID 216 wrote to memory of 1712	216	Ojaelm32.exe	101
PID 1712 wrote to memory of 2328	1712	Pqknig32.exe	102
PID 1712 wrote to memory of 2328	1712	Pqknig32.exe	102
PID 1712 wrote to memory of 2328	1712	Pqknig32.exe	102
PID 2328 wrote to memory of 4972	2328	Pgefeajb.exe	103
PID 2328 wrote to memory of 4972	2328	Pgefeajb.exe	103
PID 2328 wrote to memory of 4972	2328	Pgefeajb.exe	103
PID 4972 wrote to memory of 2304	4972	Pjcbbmif.exe	104
PID 4972 wrote to memory of 2304	4972	Pjcbbmif.exe	104
PID 4972 wrote to memory of 2304	4972	Pjcbbmif.exe	104
PID 2304 wrote to memory of 3752	2304	Pmannhhj.exe	105
PID 2304 wrote to memory of 3752	2304	Pmannhhj.exe	105
PID 2304 wrote to memory of 3752	2304	Pmannhhj.exe	105
PID 3752 wrote to memory of 2008	3752	Pdifoehl.exe	106
PID 3752 wrote to memory of 2008	3752	Pdifoehl.exe	106
PID 3752 wrote to memory of 2008	3752	Pdifoehl.exe	106
PID 2008 wrote to memory of 4456	2008	Pggbkagp.exe	107

C:\Users\Admin\AppData\Local\Temp\0f9ac5893a382735137952de9af56ff47e8586b69b7e964bac1b17226a834fec.exe
"C:\Users\Admin\AppData\Local\Temp\0f9ac5893a382735137952de9af56ff47e8586b69b7e964bac1b17226a834fec.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\SysWOW64\Njefqo32.exe
  C:\Windows\system32\Njefqo32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\SysWOW64\Odkjng32.exe
    C:\Windows\system32\Odkjng32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Windows\SysWOW64\Ojgbfocc.exe
      C:\Windows\system32\Ojgbfocc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
      - C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4136
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        38⤵
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        44⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4160
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        46⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        47⤵
        Executes dropped EXE
        
        PID:4116
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4668
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:432
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        66⤵
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4280
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        69⤵
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        75⤵
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4784
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        88⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        93⤵
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5624
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        99⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        101⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        104⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        111⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        112⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5736
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        119⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        120⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        121⤵
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        123⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 228
        124⤵
        Program crash
        
        PID:6140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6032 -ip 6032
1⤵
PID:6116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
163KB

MD5
2fd060ec752cc7ef8021f4f117c3aa6c

SHA1
5002e88bfc05b9f0f0b5618794c34841d6a1ebc9

SHA256
ba11783918d4dac935c3ac2710b4426b3e21adca930542e07292071d31794fbf

SHA512
fd161ffcd79bdeed7b20d0b5a6459b2a0e882ff2b935566de53ae22db35caa96511e6926871f7e3cf3ad171daa047ac2cafb6a990c462db00133abf65e616f6b

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
163KB

MD5
005018ef9defafe3b8d258102048931f

SHA1
15f6456458e54555e750309afe1044bf5e4f9932

SHA256
9c3227d63df480f4782e9f0b49c7bf1f20f532e808f82474194af7eb53bc688d

SHA512
41fb5dfc4b6c10541961106b53fd4ea99722c87668ae45b1661861d8d7d464577906305414c89e2cddac23053e67d3b5003a9b0c553f21a806dae253f83d1cc8

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
163KB

MD5
64de3c164ec4ab63c4f5eea120d9a014

SHA1
57af47c7e95b072bab97212615beeb70b76458b6

SHA256
e3efc424372f7ed31c793907a35aa09f2c3fc76cee6eee402ed0fe7c99aa42c7

SHA512
66816862492a9f14fcb00b2a6eb6e5eb1925a1aa87f978d5a4d758b025c822a8f76ff1ab1308056214af875f32a0fc20ee0c13b5773b483d9e2bc943c42f8f68

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
163KB

MD5
0f2f195f829173c92115ce6fa6bee78c

SHA1
c43efc2c10c62c7e1d40a359c477c4827dfec692

SHA256
62767e4acc4648d475c95ed7a77d0aa4e667d4791d22073bfe154ffd8c998491

SHA512
08be63ec0313dbd7502b5d0e5c6980330095743ddf0c051576fa531ac346870f838fd4417bd29e241d17f6f60f6511b639367a0019b32944b990ae7f1e3f76cf

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
163KB

MD5
cbf9eb89ecc4adbbf58e1ecd3424a26f

SHA1
8d41971d71acb14a8adf9b8416e23ae900dece95

SHA256
96dbef29a31212276cf1e98b87949e34846e45d2b0513316cf98343816e2aecc

SHA512
f5223567ce5e31d5157b0674306cc1a9af962db7d29090926456c16fbb6dc35b7822bbe206c3b6006c9fba399566ac3d33e391539830c61e2613acacafcdecc8

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
163KB

MD5
22f57ab1f8e8d9406e219d5a44b53abd

SHA1
e6bad9af3c62b4b2519e1cde280a235a13e73e3c

SHA256
f994b0c87e5be98f3c54c28045f459c719350f799fa4a2a94c75e63fdaee25bc

SHA512
ec55bc1e6b781425bd8ae6c65e2c8eb28fac6fdd1c9d1a52b5eb5c480ff2df42f301fe69a2055ea05d9328b07ebc3ff465fc2d04929fec753a30480afc54a2cd

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
163KB

MD5
24e58e7f5b42dfebc6e85ef151b80813

SHA1
4a2569364a8d8db713baf60b2037f5fa2d2b6a0d

SHA256
d06af3209b87546ee85a532e167b7fc05d9cb5816beea7c2bcbe89ce5f0657b7

SHA512
5e3e16094e4dae8b7ff95dc6fe132b7faa9a11ab458f3c3f4dd75aa4ebad2105e195c11fece43f5181ecda3d0d0254fb23e28e2557c5dc9187c62294fa42df97

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
163KB

MD5
0c016666caa25b340f157abd0bd74a8e

SHA1
c51abeb001a236c7aa2e3c3aacc252b558a9b123

SHA256
0328d63e1dcc5b71a5f6ccb919156da8cb86455df4a51d5e2e42f83985d33727

SHA512
3800708bb6541fa8fb393c2be8d97f592bf7d0efd0ee56758769ac72cb0efbe5bbe45d73f5735871c50c946b613cace4ce5474ee8a3393ff173e7fbedfcd45a6

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
163KB

MD5
32b7890ce4da72decab6fb583c2797cf

SHA1
9360c147df009683e2787010b5aab4d0cbf5795c

SHA256
4e0a43892887151be29e5a86087066bd61c787dcc294a43bf894fc4a24b306c6

SHA512
963cfede406f8d59d32b27db95aa63594f1492193ecb038e0229af1e322b2c7af1f6103c50a581c24899206b6544d7a55be927f3c95f1621d783989e5c9164b8

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
163KB

MD5
877b9f4fb1356656c7e72165d09387b0

SHA1
e50e302ef0f3edb789685b063e5fa2056946cc0d

SHA256
eb50a0d572a55ea940efd663c2533359f3de0bf12caf9c45ab62aa59d7dfe65d

SHA512
3552bfa73afc17e724452e828222dbe1121d8cc580b39edab146627f04fb2aa2b36819cee99d16ede618ee17a1f0da9ce5c10235f71eefc489f644352c0934e2

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
163KB

MD5
217171c6adc108f437f976b979c4ada3

SHA1
910f76888a73037ae48c46501f10cb096dfb7b8c

SHA256
32dd04e6f1378d9f8d1ee1e83feb540ca67dc80594d7453ed7164e6f50d640df

SHA512
aa80c55c147e934067d9a267dfdb97c945a853733146510aac281486ec8740019eb576f690ffd1fa7c01d50fa1694d733456aeae8c5234b94c0b2e65efcd37a4

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
163KB

MD5
7c334f968d1c6964b41a36596ae45010

SHA1
6936ef73eb28d575a7b2080a329e845fa6828f74

SHA256
02b33d0795de8ffa7bce6a657048756ddd4d47e74acb35a3c29ce5fdd9dde59d

SHA512
e78968c382034a9dc67b68ddb7f11eb1fdd80e21f3e49090c08f25d929c361b1817a33727a528b051d1cba37424374844a871517faf96b9c676721721bc3b659

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
163KB

MD5
22d49be5b639dc3c974cc3f21345bb12

SHA1
f795b7ac8b58e6f689b07bd05458692bef408bb3

SHA256
e10cc01626d4c4bd30459d59e21b88d0225ffe211e7e2bd9f98a8f2217fe81ef

SHA512
d386bf2aceba79dcc8f002eb10759323de4d1db7193c42cb8405fdf578ab7cf0e30b922f9ec2481354efac9071753ce7c3101121743c0a661bd154b56e3750d1

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
163KB

MD5
2f9d5dd010f01ab67d95edea2248a61b

SHA1
30cda1d19d41a18f671cb0bb49882943e097b814

SHA256
f8d1601b58cc60a0b512f1270f149c6db58ca97ce758b552418fb655931c1dd4

SHA512
603401570037eb0f76c6af2dcf651f6aff158e2b34fbc96a3ad0194741adb8352c08fa19b4ec4e24bdde0b6003c4c5e3f81a0ea72b97305a4c62dff34f80e0e3

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
163KB

MD5
455625a1f881d250f470f124f551eda1

SHA1
d47754b4ca32789ad55b9a2de3616e7b4872a7a7

SHA256
474002e4bf1e9ecdc753ecebd36c529e48332364778b943bcd881be1e0da9a49

SHA512
95fef0719fa88d535ac2d2f468cc59848dd47a30514e8b1c5237ba07589fdc61c7380d4749f8a9ba2e3889861801d88dd7a9cd5c9119a35b3edb80d630fee1d9

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
163KB

MD5
13987f7dbe478382fcd80927847e00c0

SHA1
6ce019c4129d9de393d3d3aa49172ebf41fb333c

SHA256
196d83fa81ca5e6d99f341d245dd4289a8647d93bf9480d91688f3d848b8a01b

SHA512
e4efe5af2db002114cf12ff6febc3c928a6f23e266e2e7cef2f3fa9426de9871f954e5a31a059e99104d38b150b88b82307bac360b5b454aa7fa115dcf111af5

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
163KB

MD5
5b26a6d0165731818eee630b25995261

SHA1
1496f638e1cd40a7350bd40a06e39cfe8f73d395

SHA256
d8efd742fc1e6934f26457905fb75bc5471275de539cbfc16491a373e35b5edb

SHA512
f68d9636bb2bf096fade3e5a881d36c98798289a96ef8237a3dec3bbd59c1187c1f10bd88b81b0feee3635a9f493a8f26694a32bfe49cfafd055a464321e431e

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
163KB

MD5
9776f8ce12e3854e3bb93883dd448fd0

SHA1
ceb73c6884cdc15508cf67e11884cefdf764a3c0

SHA256
2386f11dbe5d5f8a54e1cc449be45b624a737f14aa710407047c52183dcad17b

SHA512
e213e53ed93bd9ffc4a2c1732234847941c179cdafaa6ce348beca5a1736a935f2efa190a9bf15917ca8eb356d95bc1379008633cddbd643d92ef0909438a68a

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
163KB

MD5
d7b975defcf15afc058565169c162858

SHA1
3addf97851ed4a988789b23bfe16efaefe1156df

SHA256
0a619f1714e6c77294eeea68b5d55c0ef4ffb5ac2fe3c56f64ccb3bb746e2142

SHA512
5443d0f69cda13a0bba7923074ccc656e04fb4cfa83bbabff1e6140df4c3f5574e86e95276f0b72d1a46ba7ad3af7ada2c730b1fe492a40dbc5856693376f364

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
163KB

MD5
f91ca48c4fb276d73e06f866476912b3

SHA1
491385c029e5fc48b9b018664f72914d0f6fa55a

SHA256
1bf025f166a8719d6a4fe925e2dd1cd76233f3035e115926ce193599eee14e73

SHA512
c7a5d550d1848b258764697dd88c99286eda8f1cda1cbeb3ed258d10270b24fa4e920d9f0b06aeef42d4ffc505ea5d4888763ff2e3df355d1a6b98b7b20bad4f

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
163KB

MD5
9a951d6ebf518244e062bbb0c5342234

SHA1
4174377ed3733e8c51fa99efbdd9a2d1d39082e8

SHA256
c42e4544b8725252fc0163ad597e2db7ed9bbdd31e33ed197ece066cbb27314a

SHA512
d56074c8f16d4fda11cae5b181487ceabcee9dc8d4d4bd2ff9ee2ae9272eb4553754c8edb1acb3acb45dba28bc4ed037927a11e75d480901fb61812ac01a5434

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
163KB

MD5
cdfb3e08b611fada45cdb35c246724e7

SHA1
d74661d40e2c36c35704c2a05e01fc0de6b85c27

SHA256
7162206f16d3f14d19867e7ac41861745fc81db77be3a1fc884548d523f78739

SHA512
473f3515fe3bb8b9610184d261ee5040c500c2f525a551cd2ae501c4d639d5a08acf4abc9e5046b76f008912f56a947ef594f4b3aa4133e730ecc75d49a4965d

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
163KB

MD5
95d2fff7d4501e1b4b3601178f92a558

SHA1
902c713ac56f4c78db6dbd0347faef26ab022cd5

SHA256
497ad18407403ddfa69beaa6ba5810e760e50dc900bc0bdea00d04403563b432

SHA512
8d37e776563de9798a2e76ff363c7f9a097677bb351c43d2866c1935751aa5ef182f296a7547dec3e61da9915eeb8202a4b0f1dc93a0c13a41cce40c4db6ae9d

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
163KB

MD5
c06207d3a476d6111e1acebd7a6ebdb5

SHA1
80a3e3ac8f1686fd58e6362e41deac637387ded7

SHA256
e4f5b07a5470f0266594f4bffff76f057cc136b4b17cfbd9cf68ada04ecf5809

SHA512
f6225c72fa38213ac5a76afe0ed87f1f6ddebebd53b401bac80154b33259ae866595cfc494b73085ec2b031330d24a414eab46eb20f40d3206505154b7e2dfde

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
163KB

MD5
2f03d9bbd86a07eb2ae41810eb5305cb

SHA1
a689460e71beab0ca14aba1c010a0f2d977dee09

SHA256
1087359092139add180d1e63a08ea53e86792a80c399fe58c1f279ccc85ab7f7

SHA512
2e3fb7fa79e01cce23863736448aaeb58401fca56c137f0b0d6f2bbdcd40d98c8c870dc41c0b98445433eb24564672e119d5e3fa1d04f55f1f1742f9343cb3a4

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
163KB

MD5
f12054fa0213438f88200508e6b0030b

SHA1
3c0a6c32145251226250556fe19c24b23425aa9c

SHA256
d68b2d7deea94ebbac3d712c80758d4c4c934b2c529ab5263d906707602501af

SHA512
a7e7874e5b58f4c5f2c2e13d3510c93a0d3c7985e907da6bb6aa670ef2c7c44265367c3899f053d436e255ba2a5f274b4d91440dabd78353ea1b8bfd9b307dac

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
163KB

MD5
716f35f91e1852b6c8d0ac0430d9b0c1

SHA1
dcfe5d95d8a574cd6c3f38153ca02006da60be4c

SHA256
77a1794ebd1385229e0a23de046661c98d1b79d85f5bca35a9b4ac39e23c7122

SHA512
5d1c1f60769e928694ee88ed2c3ce75d74a12d75026f432569cd23653383e34cad8e8ac3f1d450e215d55efd762d64655532ef588ffb5aadbc31bed933fae350

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
163KB

MD5
f90e5fe24f75773cf2e4a9d330b4c52d

SHA1
594df74946de0075d6a6452cbd267fdbdb39fb43

SHA256
6d5c11045facaa5e173c6a3e9e862371a30ce6c1105388fc299e5ea714a82c2d

SHA512
a3275ff62f7da298a43241ef20a4787ec6c2e205de07c3b9ef129323cf34155be6584b5585a584a5b0d8285dd83f956e0ac62bccac55910cf202ee98f1ca165a

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
163KB

MD5
91adcc9aab3b04f4f72c18ae4186105c

SHA1
2d7fb9b5cf9fb7355b8e6660f827a1b7e6f82260

SHA256
db724fb3e0dc26310229f6bc972adf54b88df925b2082f8e1d6b6195427c6c7b

SHA512
ae4d832c051228335646a671b9630ebfe58dd98ab6e7f8d4ae84643389bbd99624957fcf9b79503b1c0cba38b48f5ad8ef52ee710e923cc9c5c5bcd956e23bd4

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
163KB

MD5
075ff588b0e89cfd95b9265a9f52e23d

SHA1
54b6b75a1bdfb730592f710b16fac78ed85438b3

SHA256
04e7507e0c79ed28d99503c7f17ec13e36039832f2d293efc88adf355284ae63

SHA512
ca4928f6378bbf4ea0b14c4ed146fee6ca41c918d6d520794c2989ccb8d0d76f33241d5b1c1f8b75b6efc3c14b88c8c09fd4ef94f86b0808fe91eda006470c5c

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
163KB

MD5
3f35d0882340458800e8009b2064f354

SHA1
487ab5f5da4cad1db0b5baacf7c92431087249c3

SHA256
ba12e7d4cc9baa2599c09eef9a2b9b73399b6768f13dcb7804dd699ebf7fc4e3

SHA512
2af525a6a0f76fa9cff3b7cf995b5ef983de6936d9cac5c81c5ece2363a6413b38edf86043a7a62dcf5f205c694bc281fd4b745b2bef82905f9d71dc6b50283b

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
163KB

MD5
d5110c349c8db8cfab17a68c1a39e921

SHA1
cfcd7b3d5579225e300ec6116c60fef5e58848d1

SHA256
c3be1d0be9b39a4e6b1c4a24444a02bbf3aa37686dacb0d10c189d7eaeb860c8

SHA512
062cf28ff587c9ed0a70e2512d8dabd30dbe047005773bc5fb088d667546ee6c98dbd963e84e00f2a2e6134f22389d267e13a871c0c4130995be29979e2711fb

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
163KB

MD5
b47dca0803916d40623ef16ba02900ac

SHA1
a62af7794c19c63871942e02eb229ec0b503e58a

SHA256
f86d52bbc7ed35e1a798cfbab5a593b12777af060ac8507974dd3fc588036a87

SHA512
40d46e8e456e2e5592cd18bb57b679227c50084ea5deab4e63fe6243849066a2fbf56d334e5e8f2ae99bb6a493c1f1f8d37e85c5d9025c0f7ec03bc98226569f

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
163KB

MD5
43dfc68415f88b2f354c54ba7178631e

SHA1
ada310467d4b23cc7559053104428c297e01bff7

SHA256
559baf5d7c4fd2d8a9656de87e44ec85b83603c30e0daa84a299c6d18171fa13

SHA512
ca8e50a3cc2ae1e16433f9e8ef1dbd58b229efccb690aa2350961033988874fc9a9637eae34605812380f54f697115bb66f0c8c84bbd5937abdf84c0f8f0b797

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
163KB

MD5
186ba042029f93868f80a5d458153f57

SHA1
d51122b2341982e59c6af06fa6718fa53283ca46

SHA256
1534b2edc9fdbf4aadaff5c3764e14cfceb36c2ac43be8eec466d6bf23be7f1a

SHA512
32034328860e77cfe38d902244a4c8d0878915655d776e3200489a31efa012deafd21d2759d3728f0f43fe877bf234c63cab4b75fcb060a6b92c7a71d9b35c66

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
163KB

MD5
7af438b2e2d3af53dd791418f2599e91

SHA1
072f6e1765d564eb30b965e9f45d0cabceaf3eb7

SHA256
e7466f7902b7e83180f3579a5cbe71b7310d9f4370f308469389ec32079ffadb

SHA512
e8b65ed5c8e2764e23e032d373c6030009dcd078485a0838a39b1cd31423ff6259753a1675c35b0008395213dd3201ad692d97a85e65177797f13d91bc4b0670

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
163KB

MD5
0655e4b861f741bff41ff4e989fe567c

SHA1
33ac9f1d032c898d2dbffa84042340afa4577b7c

SHA256
7fe403517fb888a531b0c3e0a7e3439e20b950628d3f9732db6d404253a281ed

SHA512
e554fb69fbe905b4c60a4a5f59db20dcfce63df29203a820da4360aaf744191a2a29c75208b94e2c9fded1ab0f426b51c3f6eced155136b5b29b60ceaf7876cc

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
163KB

MD5
cce616035d9beb7deac002e8c7c16f83

SHA1
e617ecf27a4dc4670ea8e3656eed7c1bfe63b461

SHA256
9e740532a460684b0df53bf9cd6a8f207a46160f9fa4c72a49075b3a45078bed

SHA512
65fbc24971f6c17f68cb196c2195ef53c0f65846ad4d8c9fc578564a824c89db2cebf8687bd442d615aae8ce23e65af932fa53f8aaf72b3959a7b6dff45a171e

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
163KB

MD5
87f9c42d536eb3ba08b0287987d8fc88

SHA1
f6f31ca43aa9f305dfdf56cd4070a25b4d93e1b9

SHA256
6279d95f89d5b7c39ee204ea64285c84089faee8b7407819470d68e56654303b

SHA512
dd21ff6fb54ccec559dc70185bfd1f1981bd38b535253ac9389d1b6e40f4f52e4dc4908d9548247f7e7a22681ca3c812e7faf35fd90702e30e07e31ffb7806b0

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
163KB

MD5
1d4ac315d18deffd29ad59382371505e

SHA1
8562ca457b2ebf3b2423abeb0ed8fb7878630f2c

SHA256
4477571c4c00026b61558a7a810cf539c0c5ed6438c33653f26741dc3a8ebd1a

SHA512
febafccfe193a6081eec1570ac5b82071210c489c976f7dceef77d0ad638982d6672b06793e1f87c3100c4d3544ef61c6e6b2a01fb4e878edfa104ed122bc96e

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
163KB

MD5
09de967b538f9426ed0686e68eaf5703

SHA1
73151e4d0d8759145c61db30f07ac461d1b3d6b0

SHA256
468f6128cd00352ed30619e6bd19ad684095123535145dd606ede69d12e372f3

SHA512
ccd02cbeb4b069214bbbdc235bd9991ce43bb190c04959bff3294d201ac65b80973dccf64442dca95c6c1e7f952854d011c5590259eb946479b7210714f47024

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
163KB

MD5
9d42dbd0a5e129b4ba84057055f09634

SHA1
6c288a9d1bf2eac4b86d739ad31282520c4fc738

SHA256
95e804c98410d4f3c9d63cd0aad7a39d3e043da4384cb1e474f1d89278d0bff8

SHA512
b08094bdab80e47661ba30043c894137dd6373903b145925d1c8b7878ad59f82f8205daaec0c9f9fe698e11db8e1665c9f9698a08b8eb98dac8a65069774404a

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
163KB

MD5
d946bf5e3a25e324abb47573460deb83

SHA1
e0a7794b2bdcc93e63e27502c07447bc81272e74

SHA256
e2010e1f16987698837ba35efef9bc2e46e959bb3dc765125cddf137d482fc43

SHA512
219070d1b14d42db781aac8a545e460efde5951aefcb73308a0fe3fdf4e5db1c8ae2afb0ff6621b4257716fca7ce34b7ab7aafd53276c731a64f6b950c5266c7

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
163KB

MD5
d40636b8edd2b1b04a5d8bc834e9ba9c

SHA1
fdfe75d181f9df85182a9885a141dc0e9e47f0e0

SHA256
3200f319b5dcc9b0969e20d73ec6701f9d01076fb626f172ff1b9c8bf6347768

SHA512
554b1eabb05286791426acce78b0bc7a409d7d05a433e3abe9019e6620b7a9b38b572b7dbba963fbd2b819b3eaed341341569b4e86cfdc5e21ff907e06f5526e

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
163KB

MD5
0dd27919fc79bc130143a8b9bc325cbe

SHA1
e6adec63e9d94d3cbd05cf8a32a221cb30a62c30

SHA256
0dc6c0b34a5d98e738b5671e3627ed082f00c988744054d7154586c834b2e77e

SHA512
bacad5f468f6c8f41fdc886fd4792e2bcaea095026b255464374bd9a88e9ab98abed0bd9660bce1e8e8cd8a24c0f8bc5105bef041657aba2bc8af6e9c536c9a1

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
163KB

MD5
c546b66afb9aee45d7a4c42f37e574f4

SHA1
9891559a8dfd00cfecdd19e66fbcbe97ec5f3e06

SHA256
e7bd467efa28fb9a585296159b3d46cec0dcb3e279b35af76af797a1a8a01974

SHA512
fd58ade005eec5894c0f52b84b3336af3a8c4af5687726dad31ac8354abcc71f8aa137c9b5d99ac8a895713fa16760047a8ede2e0395fcfed357c55665abd54d

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
163KB

MD5
eca3173feffd5592e448229f960439b9

SHA1
219d7e4369b4b82d6b269690bf0bd7bf94d03bf1

SHA256
daf159b9ebdcfcfcca213e91adfc4a53c2dde901099ed948572731305c6dc3a0

SHA512
5a5422495d82d02c3f6e5f082157fbef21d8856eb99e961bdad33a66aa8ca01cb0018d2b10b685f72b3638b6084d7d662a7bf3ff0aa05b21d46b6f41611f8c1c

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
163KB

MD5
e1c15c7e143f2d8cd0811488550efb53

SHA1
8324ed1b2a543f632848c4354e111fbb264aa137

SHA256
04b7facd5e82b434631dc6c5e081b6d56247e064ca6b562bd0c62ff58eeb641d

SHA512
43b72147577e7856cd742422f8d276ad8119b5672fffa9f1dfa06bdb8da397d431d7f13375a9cf35db3ca90ae11fb771e6435ce2e006815e025a88758cb80309

Download Submit
memory/216-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/316-257-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/432-447-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/440-435-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/560-334-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/936-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/936-556-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1048-495-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1072-376-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1140-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1232-417-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1304-429-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1384-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1384-577-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1388-198-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1392-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1392-598-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1436-423-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1464-241-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1536-475-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1664-489-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1712-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1796-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1860-309-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1884-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1912-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1912-550-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1956-477-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1976-352-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2008-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2304-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2328-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-584-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2508-297-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2520-513-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2588-525-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2768-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2880-266-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2984-233-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2996-578-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3000-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3128-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3128-570-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3160-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3160-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3160-537-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3292-346-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3356-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3400-213-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3428-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3468-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3492-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3496-483-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3520-388-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3580-1007-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3580-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3588-531-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3664-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3744-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3752-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3904-507-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3924-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3924-563-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3964-557-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4084-453-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4100-400-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4116-340-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4136-205-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4160-328-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4280-465-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4376-459-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4420-273-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4424-441-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4440-411-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4456-176-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4544-358-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4576-519-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4604-382-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4656-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4668-364-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4708-57-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4708-591-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4784-571-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4864-501-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4880-394-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4920-564-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4924-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4972-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5032-538-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5044-544-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5072-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5108-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5116-370-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5136-585-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5180-592-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5224-599-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5492-891-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads