berbew | 38aa0f51bbe17dfc3159b4b433cb58339158aa68c31635cb071e6544810c54d9

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2024, 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38aa0f51bbe17dfc3159b4b433cb58339158aa68c31635cb071e6544810c54d9.exe
Size

368KB
MD5

bb770c451725f56713b7cfd1e098d3a1
SHA1

b3517eaa3b1ca9081ce446120a7fe696472d7ed6
SHA256

38aa0f51bbe17dfc3159b4b433cb58339158aa68c31635cb071e6544810c54d9
SHA512

d35e770f1344122ddbb4d70b02633a60548182e4ae7d47ed16bbfb7516352e33a9a99289405a34bcba604ebec8566a2a1cb52942691312396ced15ba8b44e8fb
SSDEEP

6144:RnnAbHN8KQO+zrWnAdqjeOpKfduBX2QO+zrWnAdqjsqwHlGrh/tO5:abHn/+zrWAI5KFum/+zrWAIAqWia

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	38aa0f51bbe17dfc3159b4b433cb58339158aa68c31635cb071e6544810c54d9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4752	Ncfdie32.exe
2596	Njqmepik.exe
4908	Ngdmod32.exe
3832	Npmagine.exe
4828	Nfjjppmm.exe
3588	Oponmilc.exe
2176	Oflgep32.exe
3896	Oncofm32.exe
2576	Opakbi32.exe
4964	Ocpgod32.exe
2612	Ofnckp32.exe
4020	Oneklm32.exe
4512	Opdghh32.exe
1132	Odocigqg.exe
2372	Ocbddc32.exe
4384	Ofqpqo32.exe
3516	Ojllan32.exe
3728	Olkhmi32.exe
2924	Oqfdnhfk.exe
1612	Odapnf32.exe
3652	Ogpmjb32.exe
3212	Ofcmfodb.exe
972	Onjegled.exe
5108	Olmeci32.exe
1252	Oqhacgdh.exe
2848	Oddmdf32.exe
3784	Ogbipa32.exe
3136	Ofeilobp.exe
4932	Pnlaml32.exe
3016	Pmoahijl.exe
2988	Pqknig32.exe
4976	Pcijeb32.exe
4464	Pgefeajb.exe
4296	Pfhfan32.exe
1080	Pnonbk32.exe
3620	Pqmjog32.exe
1224	Pdifoehl.exe
3244	Pggbkagp.exe
3260	Pfjcgn32.exe
1060	Pnakhkol.exe
4212	Pmdkch32.exe
3148	Pdkcde32.exe
1940	Pgioqq32.exe
1032	Pflplnlg.exe
2552	Pncgmkmj.exe
5088	Pqbdjfln.exe
3272	Pcppfaka.exe
2068	Pgllfp32.exe
4320	Pjjhbl32.exe
1220	Pmidog32.exe
4896	Pdpmpdbd.exe
2852	Pgnilpah.exe
4500	Pjmehkqk.exe
1516	Qnhahj32.exe
4840	Qqfmde32.exe
4308	Qceiaa32.exe
4740	Qgqeappe.exe
3536	Qjoankoi.exe
1964	Qmmnjfnl.exe
3180	Qqijje32.exe
4804	Qcgffqei.exe
3448	Qgcbgo32.exe
4556	Ajanck32.exe
1440	Ampkof32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ojllan32.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4736	5836	WerFault.exe	228

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 4752	4480	38aa0f51bbe17dfc3159b4b433cb58339158aa68c31635cb071e6544810c54d9.exe	83
PID 4480 wrote to memory of 4752	4480	38aa0f51bbe17dfc3159b4b433cb58339158aa68c31635cb071e6544810c54d9.exe	83
PID 4480 wrote to memory of 4752	4480	38aa0f51bbe17dfc3159b4b433cb58339158aa68c31635cb071e6544810c54d9.exe	83
PID 4752 wrote to memory of 2596	4752	Ncfdie32.exe	84
PID 4752 wrote to memory of 2596	4752	Ncfdie32.exe	84
PID 4752 wrote to memory of 2596	4752	Ncfdie32.exe	84
PID 2596 wrote to memory of 4908	2596	Njqmepik.exe	85
PID 2596 wrote to memory of 4908	2596	Njqmepik.exe	85
PID 2596 wrote to memory of 4908	2596	Njqmepik.exe	85
PID 4908 wrote to memory of 3832	4908	Ngdmod32.exe	86
PID 4908 wrote to memory of 3832	4908	Ngdmod32.exe	86
PID 4908 wrote to memory of 3832	4908	Ngdmod32.exe	86
PID 3832 wrote to memory of 4828	3832	Npmagine.exe	87
PID 3832 wrote to memory of 4828	3832	Npmagine.exe	87
PID 3832 wrote to memory of 4828	3832	Npmagine.exe	87
PID 4828 wrote to memory of 3588	4828	Nfjjppmm.exe	88
PID 4828 wrote to memory of 3588	4828	Nfjjppmm.exe	88
PID 4828 wrote to memory of 3588	4828	Nfjjppmm.exe	88
PID 3588 wrote to memory of 2176	3588	Oponmilc.exe	89
PID 3588 wrote to memory of 2176	3588	Oponmilc.exe	89
PID 3588 wrote to memory of 2176	3588	Oponmilc.exe	89
PID 2176 wrote to memory of 3896	2176	Oflgep32.exe	90
PID 2176 wrote to memory of 3896	2176	Oflgep32.exe	90
PID 2176 wrote to memory of 3896	2176	Oflgep32.exe	90
PID 3896 wrote to memory of 2576	3896	Oncofm32.exe	91
PID 3896 wrote to memory of 2576	3896	Oncofm32.exe	91
PID 3896 wrote to memory of 2576	3896	Oncofm32.exe	91
PID 2576 wrote to memory of 4964	2576	Opakbi32.exe	92
PID 2576 wrote to memory of 4964	2576	Opakbi32.exe	92
PID 2576 wrote to memory of 4964	2576	Opakbi32.exe	92
PID 4964 wrote to memory of 2612	4964	Ocpgod32.exe	93
PID 4964 wrote to memory of 2612	4964	Ocpgod32.exe	93
PID 4964 wrote to memory of 2612	4964	Ocpgod32.exe	93
PID 2612 wrote to memory of 4020	2612	Ofnckp32.exe	94
PID 2612 wrote to memory of 4020	2612	Ofnckp32.exe	94
PID 2612 wrote to memory of 4020	2612	Ofnckp32.exe	94
PID 4020 wrote to memory of 4512	4020	Oneklm32.exe	95
PID 4020 wrote to memory of 4512	4020	Oneklm32.exe	95
PID 4020 wrote to memory of 4512	4020	Oneklm32.exe	95
PID 4512 wrote to memory of 1132	4512	Opdghh32.exe	96
PID 4512 wrote to memory of 1132	4512	Opdghh32.exe	96
PID 4512 wrote to memory of 1132	4512	Opdghh32.exe	96
PID 1132 wrote to memory of 2372	1132	Odocigqg.exe	97
PID 1132 wrote to memory of 2372	1132	Odocigqg.exe	97
PID 1132 wrote to memory of 2372	1132	Odocigqg.exe	97
PID 2372 wrote to memory of 4384	2372	Ocbddc32.exe	98
PID 2372 wrote to memory of 4384	2372	Ocbddc32.exe	98
PID 2372 wrote to memory of 4384	2372	Ocbddc32.exe	98
PID 4384 wrote to memory of 3516	4384	Ofqpqo32.exe	99
PID 4384 wrote to memory of 3516	4384	Ofqpqo32.exe	99
PID 4384 wrote to memory of 3516	4384	Ofqpqo32.exe	99
PID 3516 wrote to memory of 3728	3516	Ojllan32.exe	100
PID 3516 wrote to memory of 3728	3516	Ojllan32.exe	100
PID 3516 wrote to memory of 3728	3516	Ojllan32.exe	100
PID 3728 wrote to memory of 2924	3728	Olkhmi32.exe	101
PID 3728 wrote to memory of 2924	3728	Olkhmi32.exe	101
PID 3728 wrote to memory of 2924	3728	Olkhmi32.exe	101
PID 2924 wrote to memory of 1612	2924	Oqfdnhfk.exe	102
PID 2924 wrote to memory of 1612	2924	Oqfdnhfk.exe	102
PID 2924 wrote to memory of 1612	2924	Oqfdnhfk.exe	102
PID 1612 wrote to memory of 3652	1612	Odapnf32.exe	103
PID 1612 wrote to memory of 3652	1612	Odapnf32.exe	103
PID 1612 wrote to memory of 3652	1612	Odapnf32.exe	103
PID 3652 wrote to memory of 3212	3652	Ogpmjb32.exe	104

C:\Users\Admin\AppData\Local\Temp\38aa0f51bbe17dfc3159b4b433cb58339158aa68c31635cb071e6544810c54d9.exe
"C:\Users\Admin\AppData\Local\Temp\38aa0f51bbe17dfc3159b4b433cb58339158aa68c31635cb071e6544810c54d9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\SysWOW64\Ncfdie32.exe
  C:\Windows\system32\Ncfdie32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\SysWOW64\Njqmepik.exe
    C:\Windows\system32\Njqmepik.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\Ngdmod32.exe
      C:\Windows\system32\Ngdmod32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4908
    - - C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3832
      - C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        35⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        39⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1060
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        45⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2552
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        56⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4740
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        63⤵
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1772
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        72⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        78⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        79⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        80⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        85⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        88⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5900
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        93⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        98⤵
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        104⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        106⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5516
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        109⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        110⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        111⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4392
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        118⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        120⤵
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        121⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        125⤵
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        127⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        129⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        134⤵
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        135⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        136⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        141⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        143⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        144⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        145⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        147⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 408
        148⤵
        Program crash
        
        PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5836 -ip 5836
1⤵
PID:6040

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
368KB

MD5
a37661b68e88a431fa3e5cf0aba39685

SHA1
31aea86a1db6626bc76513f8bfa4a11401ec1087

SHA256
9525bc53a4cdb5cb373cbe8a319e0c37f13b19e9bf3cc6959a2e13405f44b4b1

SHA512
6b5d259681952cf82004feeb93111109f0f287765cc048ce56a6a7c62d84b4e2f8fe65b3e8982d7c59cb67c3955e151e9f75ff111b082650c49d009aa61d6ba3

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
368KB

MD5
4e65ed0d28c8ec8e77a256f610e13d9e

SHA1
73d0811c0593c6ea444f513b92778b926216c1d7

SHA256
2257cdaeb2ad61a5a0aef4ea8ce511959daf8e92a2cd018cce9e39934594eeba

SHA512
ed5cc3b4151db549ab38639a37443316b1a91deeb17347c050de9bb6ae91d4d9a84b0143b28b1b4f4996298c6af5443c03d7cc1aadc42519c8a4813f952fe041

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
368KB

MD5
a2411fd5ccbb0bfba42bd9abc0df7da6

SHA1
7448e406d4a325f85a86bf2a3a1f9039cc495db0

SHA256
9cd08ddeea41fbea9083187b29427c3f05ebac2e251c7c4303eda5d52099c5cb

SHA512
75e7545e0a80b3dd28450c685ff0de83a07866725424132e8adaa44514dbdeced226d3bf9eaf055dcd5af1583ff7379c77c676ecaf68379c0962e0fe1cc43eb6

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
368KB

MD5
889c37cb9a07781dbad48fbb2c68bf51

SHA1
a5b5e68c3546a40b1ed0f08842731220ef79c5fa

SHA256
111130bc760fa4b7768e8a3ba829883b9632fc58a9865ecb22a2dcc4cb9139ac

SHA512
f026f2548874d830a6f99a30f048b2aa6bc1f18a8e2f946405ddc93d9c6e3cc458bbd46c759201ec1beb379331d210b2fc02d97732a3a41646274684f893c35c

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
368KB

MD5
54f27a3dcbe905585f003910dde6792a

SHA1
391e1937407d91d7dbcf7b162a559cf943b3d69e

SHA256
fd894de02e3f64f31003e600badd69464b8846e4a2381a04f7ca2fa874a7e3d1

SHA512
1ac123d0f8a35bae5d022fa23a4b48ee78fb15a7086c6b854656335cccd7987fc2fe1d25194061c7662e26ceddf991a49b566321cc5ca3eecebb19b7e3e4a06a

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
368KB

MD5
7d55202c737e134f0cfdedad7f032849

SHA1
55d6736e2b9d9f5b387bb2422c68cf9e2b9dfd8e

SHA256
fae796ec7d7490d211373988a7cc03500f14437747bb6f4399b0d830ec553261

SHA512
706223f9986cc1a381f44feb106e6d0cd8862b27759409d2ab24404db001b7b1216926e5fee2d7db8cf3cb96c9295fff6b8c306f44790af76481e6ff0d724f2e

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
368KB

MD5
8569fcabd15f11954d2707daeedb98b8

SHA1
fe545ceb69d8b7cf5602ebd94b5424fdb35109f4

SHA256
3be2798e7e5f889bc4c50a9678f7bcadb1e83424c9e7c015ccd339714d1c8cbd

SHA512
4a0d0f46bc3f36e8dda84a93ecaad37b47a05d713b655c98f7b62fd0a6391a39937eb043044794b184cfed9458bbe5144c9d76629205b93f139a1b08f173f041

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
368KB

MD5
5a1dc0887b1b1cd35efefe4a3bdd5d88

SHA1
f4799d8fcc5739373d7306c334009ee74615853a

SHA256
1e61becb5a21874af03c99b3e7b23bb5c78d68fd45da1abdfe4f290c434aa66a

SHA512
61ec03ba0e9138f2ba7755f9a7c2d6005de3e7c6589892b3da493048d9e62f516c48ede227881592038e75ac0731113cb3003b960af571e737ae1471c70f9b60

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
368KB

MD5
796d3cb7d91ecc1a4a8178979867f790

SHA1
22b99b47b4c74724efdd8dbd8a888e9d6f4c65a4

SHA256
cec5de56149033713653563559a4de9c09df35de1e6edb647f7e020fb48e685e

SHA512
972ce0874509ab3893842a2999c367a3f1a250adf40ec67267505f605241fd440930649f7d755bd9cceae5e49d9345450a54f90e6dbc7e3f9b0984877879a404

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
368KB

MD5
1a71462a594d9fe9972fb5df3421a720

SHA1
92db59f6b030e898687b4a6f2f659f7fb7340f2f

SHA256
3c5528d84c01d4d4bc85026360d96b841d54f96658dc870e16d78ba5b67c43e9

SHA512
9553dda199e777957de3cba8f5163c1a0df3cdb5804999ef25ccd7d4c30bfb5650581296e1946eaad3fc7a8ff45d3d11d988fd9663f2a823a0356f1e0ee4311f

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
368KB

MD5
058ef12c5faab470a72e212f9b4e7b81

SHA1
3b1bbc0213353a0398caf3e51ed23b301ff26a57

SHA256
997f62506ea59010e7ec8d26a8072729977e48102c016db2765bb66bd2f983e7

SHA512
62232fe869a8822dae387bef91f67f813870b62ddb9f1e896c2d845a355268e2422653097e10f7fa3a5aeed5a1d4a83c36084524c86e1fab90063f00f21f10a9

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
368KB

MD5
d8943fd31f5d658303dbbd3b0fb5b644

SHA1
bbdc424c333ed1c022dfbf6be82e489c697d08b0

SHA256
6151007fc74e3538500e3d6f064078e6544dfc688206f626c7ccd246728c262c

SHA512
c0ea2f6ea14843cbfc1094e14b9b7d41d0b75fa5d851e91d7386984e576915e7e802fce1803e92340581ab607bac424c406728ada9ae150f1e2d10a9dc4fd566

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
368KB

MD5
eceb6fea47e4b47c1a352af41c360840

SHA1
e8f55fb69ef214f65c7448b61bc6bf93cad7d4c8

SHA256
ba015753e17c364d5dc20d34a4016f3b0d5ba1b6ab8e7ba2f512f0e9e34cc90c

SHA512
ca1c3ca2891308aaf00ac47193327e3c6d0e3f0fcc05a3ba22efd8a55884238d435f043985bca5bb88d7493dc35c0a7f781df042a2b9f07126201ed89dc6ceea

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
368KB

MD5
8fb6f109235f95a6e638e09ee960fea9

SHA1
991679b40169a2a1864cbc8f80a2ecd6d0d5fef4

SHA256
8ee29ec8201ddea5f124ae7dea8bedc213566f37b7b09b257bef9c1606e839e3

SHA512
79cd3997ef47b8928bf8adbf5b142dd9f52a2ef5b030df73bd156fb3861255c5a901ceba667ea1f4e8fbc7e0a026f7cb43cb8b148e3932e74cf12210e5ba71cb

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
368KB

MD5
cef602f33c60a6c764b8b0d272198be0

SHA1
2fd427300295e016e822be158b0a7ea941a6d49b

SHA256
9c82e68559184f5ce803f1b90b49ba5bf2464b8efb30df33e81d7848dab9eb5a

SHA512
bc4ed938d5ea2a594011522d48fa799f1fb646d6f44426962367ac3b50490e3afe772dda8db863b522f6bcb8abfe7723c644c145d159f9db74ac59ac3b2512f9

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
368KB

MD5
f5aeda8cec388b6953d6208d914b9365

SHA1
9c7f1e6fd4c6a406387acab0567c57baa1a4566b

SHA256
8eb9df301be6203f925103fba08ddbab58dcbb2aa2fc6d36c12a49c843c2bf8b

SHA512
03c8a4b37aecf32433a4f91b659a7a63040b9789fa55ab4db00387a401dfa345eb962b5f21acbc5b4c21e8221b37ee83f8ba321b1fdf0ed871231866877f0cb8

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
368KB

MD5
13ba4ea04627b3aa365fe01ee4c2a78f

SHA1
1a9c667ab7873dec7f61b3236147925141de9e9d

SHA256
0d5481285813166b92d14529ba856f54d2b6408f8d2986bce6cb0110e70b7e47

SHA512
82308dea95e85c235ff34bdf9248d3fffe789bc988b7185c9d5f514d5cafd3dfd632d1887ac20451e961a5838d2d70158ce7bc886ac9c6e8321dee142aa488ab

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
368KB

MD5
1f2ae46cdab280b5278611d51bfa9cbe

SHA1
8a28415d8bd9b5278804fa38be271782b7e066b9

SHA256
935a870f5d1f7c3fe459d4772260e9447297a52525e8a670fed5ee564d1ddeee

SHA512
83fc9e8cad7183f8b6bc630bb2dd4a29ec3aa62ab61c8bc99dbe98056530147219af1289207b324d39fa2fdf2d0329fbd296085ca9b7e1a4a93d1d170eb90104

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
368KB

MD5
b0e48877f8f0dff67670f9eba7ffd247

SHA1
2ac6cbb737f3369cbccf86aac22d5434e47e6e35

SHA256
e57c96ff0e7f976a5d00d828936a3d43428e115710e478fd74d7662c8814dda1

SHA512
0ad4d9a24d87b2a1f6b09bc250b2cc1f9135d0bd90ac97a8d1ac8a57dee356ba054c87f942a9c9a17405957be3665384f16de2ce92a5d96245ca735528731e91

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
368KB

MD5
42af6d67f1cddf7699c8e945e2862826

SHA1
776d573b3dc747936b9af2151b2160a528eb10ec

SHA256
895c11d1606de4e0eb8d1f96757a91d1a3146854b61f43285b7769805670e5df

SHA512
71d92cc2d7b97eea0e06015193505fff3b3c89bf0b123b2299a3161c008711c70242dbbdf824f5cc0156791c37fe3d832103ce9e018da4ea0970e8ca141273f2

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
368KB

MD5
73e66f4f5267a32ede8c62ab45965370

SHA1
f1cad27b55324e9835b815f8d78485dfd945f0fc

SHA256
01261484a6ded643b62334561f273307187bed81caa4504e088ccb7da273b926

SHA512
596bb47c3b4c8b081cf2151c499db1669113a00aec179e41906fe1a4e97491a9cd324994914e49ce7d55fffd5ee21eaf4396c7e6f91c4cb65181cbad2eb8d434

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
368KB

MD5
d030acde98618ecdb4a15f010cd07af9

SHA1
0c6220bce4f24ae635784ec26a5157299d72cf88

SHA256
a9435c46a89ca6a1c0862b72bde15939d9e8436d48488f57c5ff8e856c62007b

SHA512
da900dba3d93b9f7b1cc766811e7acd7f73ee1f26bd67d24c378494611c5b36926b336caa95e57aa975ca69ed67f3163c1bdeae546b61b166185af42558100e3

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
368KB

MD5
4e3bb41cd0d119ceb56e2e4cf97a1c2d

SHA1
b5260b08d8dcf9613c8c12bd53beebbd982e320c

SHA256
0e8d3f18cd5a05325c3228c4c005e4ae2f1b31896e309fbea8c59035fbeed9b8

SHA512
abf768946e6ac69b52116124a80501798996597903101f294c140c77fb32bf6ad25421cb7366a827928a3fa4cc865a13a7b8edf60220534e3cb52a6020139a39

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
368KB

MD5
deb9b664556ab0e1732e0d47505565ac

SHA1
adad9c05c87aad49c95ab4bc46ac5c0e95fbbad4

SHA256
0bbdc384857054b337f5b4146b12d4ef91472ef36cc0fa7d51010c9f10c80af9

SHA512
0ed13654e92f7c5fa5f9b9a4c7fb778b17e422b98204897e40a40e2a4053ce5074ced05493841b31018dc08c66d8b96e7df8490fe1cb84ac166795aab3f32dd7

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
368KB

MD5
35992b1e840507e60544a36a94b81ec9

SHA1
64014262ae9306f6290a44c6613658cca2c75d1b

SHA256
cc78e9946e309852c3de241d6e6805b589ac6453c751923e53ab6a0201b3cf59

SHA512
5399e0374e398c6b0cd10e7d7771923fa7cd0cff0ac5fe80d858efa574132c63aff3ca2c9632e113f5cee6646a726eadc35e3c9486ede469f3bb4dd22af748c5

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
368KB

MD5
8921c043d6cd9f10bf02703f121fdf08

SHA1
b8915986cc8b9947f33ec38b420d6fac7afa8ef8

SHA256
521def53187045967eeb4f919f500f767c42762a03e8f3cb25d80b3e7b276ac2

SHA512
a84ae060488c1bdc36a0b1ad7e32dc41eca828d2b7db90f4cfc41d70ffb40fdab1618d43831f2f9aeec975a095362f601d83eaaa40b5b9fe02a450c6b42dd9fe

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
368KB

MD5
e829fcc6306657bbadfe2d6fd7872792

SHA1
b4c84a6ed2ca8efab81a39ffba947ca6985e6eed

SHA256
a9bd49b75f221bbe75c78d17b667a017dd3fa3aca1dd31d197acd3766eb411d2

SHA512
27435eaac56294cca86ddfacd23cce65d4e474336f865899edfe52099a750ab269ac1f89665d6ed4c69d70b7482f1766d5454bfc43616ca809f5f652a47aae0d

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
368KB

MD5
bcbd7e3257ea2bffd2c6ff243587c911

SHA1
200dc7680e2f6a0401c2b518274c19e5b4ce7292

SHA256
84b31be59ae35103a9bf6de1769fd5042bf2f46637fb879259d8dccd78a05e6c

SHA512
9630d21183e4ac86317bdde520b965f815474c850928ed1d045273d3303b147e1921b2417e80bc152295f523f7a93c5035d75b74a56d021f08b7e8c249076aae

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
368KB

MD5
6db4b42ac8f867a00d25b46cb1fcdbe6

SHA1
a7499951c1199b5e3d28ce98ae3cd8d0d5525f72

SHA256
b98cd788dec756808d59cfaf79e3edd6b6e4730717b21bb1f6f0667e25d83a7f

SHA512
b5e8a3cf93b2a5c83e7985f2061eb04e1d8e0d6fb875261cf2df3ac200de1fd9c80894961f7eb2d8e6c1c62c05c1fb7d799cb6438ebcb25ab6a586fadf155731

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
368KB

MD5
fab12f20ee6bec9335d9f26070671f30

SHA1
5eb66b5581116a245f7d23b9095558eba874324b

SHA256
d017a41c7d5e740aba43d3cbb507d3f6f40b30920a01e6bbfbcc91db1ed61575

SHA512
3fb68858290fd0a6a343ac813e22fae96a5af2091e58a721d192250ef6947e430121605885e08ca65ab2974ef3141193a203b4b2ba3d2d56d5d4cbe11f5c2b03

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
368KB

MD5
20cc022c31b20e1ae862f28e87117da6

SHA1
ecc117e1135a128a3f48c2a19dc45618be10107d

SHA256
b31b48777d7bb35796f8570f78c87990a07f528843dc81aa024f3a65835a3934

SHA512
d67dc33aafb0d59e71e74b2c60c7aeed7093dab1073c8fca5aa7edc0c06481a49e124fbf7bbac19c906bf57bf05cf978dfa256496226cc525231bfd49b0cd99f

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
368KB

MD5
e8a2263ddb73ccec8d096240fcdfdcdd

SHA1
3fa409d3ee8f04d8536dfea5a4040ad2f85a28eb

SHA256
23b6807680e601bcd3ee130214071d2ceca181a701d63749dac82207ac9f7549

SHA512
2a13124eae28115581d9fd09b226ae3b84b07717d3b7746a113e42288d4bd872e1f0de81f0dffec8b43351fe2446316c4c409a7fedd2efe30ab5cd10c078e305

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
368KB

MD5
fcf07f7e576fc92163d39f2dbd3cffcc

SHA1
1391e88c030e7914630af75091c40e4785f89d80

SHA256
3d832cc32af9ba07114d2c2e1202416c7ab414aaa615af26ab919158c24e2901

SHA512
97cef55daacdf8976fdaf2c1e78d833425d37051c97f7c24a3d11114411f2178ef44a72a5104bca842e59116995a2ad527654b9066908bc8e9941cb747757e56

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
368KB

MD5
959eb1ddfeddae4c78cccedc4518b5f3

SHA1
d605790b5724bc7c60b8e531eaf8efb614679260

SHA256
66c4ddbf0adabf2db5f0c751585b4106bab8b3eb66bd44c17ce3579810f6f2f9

SHA512
ccef34e554f7e48e4fe851b0aaa62c1879d6743adb9edea3e36e8750daac0f1dd4952e468e230892d019ad764536e337d90668d0c35788e20a4a8fc57bd05926

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
368KB

MD5
9fa4f78f157f9ab1d4dc04444a787f74

SHA1
5024920f17b63284a3afe1c900761521f2f5e89c

SHA256
a031ada6628d1812abf5a3a3d86d2f7327b0eb306ca1fd0916c33b054758b973

SHA512
4984be358784ccb2d29fbf1d891a3586eed6121e37c808539048601589f06d5c005a1cb04ae43a14676caa1052e92602d6fafe091a2e7d68f295ebb10bdaa8fd

Download Submit
C:\Windows\SysWOW64\Pjcbnbmg.dll

Filesize
7KB

MD5
d32173e2534311c7455646b9c59a3882

SHA1
89c7d61582907fe93844f9060fe744c5096c58c3

SHA256
3bcdde92949b573ddd140b48577c54a56d1527f53b6e7fe4ff6c18e5fb33d8c5

SHA512
f820b5645f370c626312a5c4a9f94a72ef5bf6fcb4bcdd18a26acc822a8b27d627e4b99720474e6f0df2c61233a845e6d6188e891103aa13b0227a4a01db5bc6

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
368KB

MD5
36d941780c8f743de3555eebb79a5262

SHA1
75982030c16dd52030758c81f762f8d56547802b

SHA256
e6120ce1d9a603991b61d3d9d744a6209153357dc23f91de0a85ca1a0bcfe66e

SHA512
a59d370c9e3ba84dc52cd17d1ed3babff45e216ad018574182b0c4c5b22ce679f6925f1e1c60d7ec5215b0adcdfbd4ee3da3ec575714a032660b496c2b0121eb

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
368KB

MD5
fa69bf8d0af137a864389e8670b36887

SHA1
cfdd51d812380981a682320be84dc9cb381f0b75

SHA256
8cf4ec82a377b96f8e4458bdeb8556b7855ead42dfb3d09f23c338ed9801d56a

SHA512
40d171355566a0802893df34eafeb098f2b776de14c888757913c66f5fa212ea720a8ad9d33a03020904a7c3254a04ffeb8f0c22f50e05ca435466d4e0af9f02

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
368KB

MD5
65fc008f8fb7877e8b8edf640ba26c4c

SHA1
37cf1dc406477a44e3bfcd3fa070323604083794

SHA256
5e8d1f07a28dc338b161bd6da4e794d83824e58323569d1f508196e3e71ff6c8

SHA512
32d6664f26041fcedfc2d0cad7f757186abfb15d71129c55409fff189f2875d9b00687b67b26d24f6ba606db3974e2ccc96924005f348fd076b40f22e2442843

Download Submit
memory/388-482-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/972-188-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1032-332-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1060-308-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1080-278-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1132-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1220-368-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1224-290-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1252-204-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1440-452-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1516-392-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1612-164-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1772-470-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1940-326-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1964-422-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2068-356-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-597-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2372-124-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2552-338-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2576-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2596-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2596-562-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2612-88-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2848-212-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2852-380-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2924-156-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2988-252-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3016-244-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3136-228-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3148-320-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3180-428-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3212-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3244-296-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3260-302-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3272-350-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3448-440-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3516-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3520-464-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3536-416-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3588-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3588-590-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3620-284-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3652-172-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3728-148-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3784-220-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3832-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3832-576-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3896-68-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4020-100-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4136-476-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4212-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4296-272-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4308-404-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4320-362-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4384-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4464-266-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4480-548-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4480-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4500-386-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4512-108-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4556-446-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4584-458-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4740-410-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4752-555-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4752-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4804-434-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4828-583-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4828-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4840-398-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4896-374-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4908-569-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4908-23-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4932-236-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4964-84-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4976-260-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5088-344-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5108-196-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5140-488-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5180-494-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5228-500-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5260-506-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5304-512-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5348-518-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5380-524-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5420-530-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5460-536-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5508-542-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5544-549-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5580-556-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5636-563-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5672-570-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5712-577-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5760-584-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5812-591-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5844-598-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads