berbew | df431c78a69a9acd3da9a0d1507028cca1f4abc3f798f51fec993b3b81dcbed6

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df431c78a69a9acd3da9a0d1507028cca1f4abc3f798f51fec993b3b81dcbed6N.exe
Size

520KB
MD5

cc840959f015ddc737cc1e34a51ffaf0
SHA1

05835886003bc30eff88f94760d074e12aeb21bb
SHA256

df431c78a69a9acd3da9a0d1507028cca1f4abc3f798f51fec993b3b81dcbed6
SHA512

981b70f65396b7e5aa3f81dc16030002b702957bccd32f530216bd5c29358d83da3436b50f5fdf4ea7a1c4def2dd5d191e9585bf5c9b92a281dd56e5091952de
SSDEEP

6144:BDkKm/5DUgFM6234lKm3mo8Yvi4KsLTFM6234lKm3r8SeNpgdyuH1lZfRo0V8Jc/:BDkKq3FB24lwR45FB24lJ87g7/VycgEH

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	df431c78a69a9acd3da9a0d1507028cca1f4abc3f798f51fec993b3b81dcbed6N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1064	Llemdo32.exe
3048	Ldleel32.exe
1744	Lboeaifi.exe
1272	Lpebpm32.exe
4072	Lgokmgjm.exe
208	Lingibiq.exe
4864	Mbfkbhpa.exe
5096	Mlopkm32.exe
1900	Megdccmb.exe
4776	Meiaib32.exe
3068	Mcmabg32.exe
4092	Mpablkhc.exe
464	Mlhbal32.exe
3156	Nepgjaeg.exe
60	Ndaggimg.exe
4196	Ncdgcf32.exe
852	Nebdoa32.exe
3280	Njnpppkn.exe
384	Nlmllkja.exe
4508	Nphhmj32.exe
112	Ndcdmikd.exe
936	Ncfdie32.exe
1356	Ngbpidjh.exe
4556	Njqmepik.exe
3704	Nnlhfn32.exe
2720	Nloiakho.exe
4480	Ndfqbhia.exe
3448	Ncianepl.exe
1652	Ngdmod32.exe
5084	Nfgmjqop.exe
3228	Njciko32.exe
1168	Nnneknob.exe
704	Npmagine.exe
3564	Ndhmhh32.exe
2244	Nckndeni.exe
4232	Nfjjppmm.exe
516	Njefqo32.exe
4316	Nnqbanmo.exe
2184	Oponmilc.exe
4708	Odkjng32.exe
1364	Ocnjidkf.exe
4860	Oflgep32.exe
2224	Ojgbfocc.exe
3036	Olfobjbg.exe
2140	Opakbi32.exe
4460	Ocpgod32.exe
2600	Ogkcpbam.exe
3196	Ojjolnaq.exe
4068	Oneklm32.exe
400	Opdghh32.exe
3192	Ocbddc32.exe
4896	Ognpebpj.exe
4528	Ofqpqo32.exe
3160	Onhhamgg.exe
3264	Olkhmi32.exe
4616	Odapnf32.exe
2976	Ocdqjceo.exe
5056	Ofcmfodb.exe
3392	Ojoign32.exe
4760	Olmeci32.exe
396	Oqhacgdh.exe
2420	Ocgmpccl.exe
3984	Ogbipa32.exe
3472	Ojaelm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mlopkm32.exe	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	Njnpppkn.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Oflgep32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Mcmabg32.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Lingibiq.exe
File created	C:\Windows\SysWOW64\Kqgmgehp.dll	Mcmabg32.exe
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Gilnhifk.dll	df431c78a69a9acd3da9a0d1507028cca1f4abc3f798f51fec993b3b81dcbed6N.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ngbpidjh.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Ncdgcf32.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Meiaib32.exe	Megdccmb.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Oaeokj32.dll	Ldleel32.exe
File created	C:\Windows\SysWOW64\Megdccmb.exe	Mlopkm32.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5816	5732	WerFault.exe	207

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lboeaifi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleecc32.dll"	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	df431c78a69a9acd3da9a0d1507028cca1f4abc3f798f51fec993b3b81dcbed6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilnhifk.dll"	df431c78a69a9acd3da9a0d1507028cca1f4abc3f798f51fec993b3b81dcbed6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdmai32.dll"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchqfb32.dll"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofqpqo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 1064	3852	df431c78a69a9acd3da9a0d1507028cca1f4abc3f798f51fec993b3b81dcbed6N.exe	82
PID 3852 wrote to memory of 1064	3852	df431c78a69a9acd3da9a0d1507028cca1f4abc3f798f51fec993b3b81dcbed6N.exe	82
PID 3852 wrote to memory of 1064	3852	df431c78a69a9acd3da9a0d1507028cca1f4abc3f798f51fec993b3b81dcbed6N.exe	82
PID 1064 wrote to memory of 3048	1064	Llemdo32.exe	83
PID 1064 wrote to memory of 3048	1064	Llemdo32.exe	83
PID 1064 wrote to memory of 3048	1064	Llemdo32.exe	83
PID 3048 wrote to memory of 1744	3048	Ldleel32.exe	84
PID 3048 wrote to memory of 1744	3048	Ldleel32.exe	84
PID 3048 wrote to memory of 1744	3048	Ldleel32.exe	84
PID 1744 wrote to memory of 1272	1744	Lboeaifi.exe	85
PID 1744 wrote to memory of 1272	1744	Lboeaifi.exe	85
PID 1744 wrote to memory of 1272	1744	Lboeaifi.exe	85
PID 1272 wrote to memory of 4072	1272	Lpebpm32.exe	86
PID 1272 wrote to memory of 4072	1272	Lpebpm32.exe	86
PID 1272 wrote to memory of 4072	1272	Lpebpm32.exe	86
PID 4072 wrote to memory of 208	4072	Lgokmgjm.exe	87
PID 4072 wrote to memory of 208	4072	Lgokmgjm.exe	87
PID 4072 wrote to memory of 208	4072	Lgokmgjm.exe	87
PID 208 wrote to memory of 4864	208	Lingibiq.exe	88
PID 208 wrote to memory of 4864	208	Lingibiq.exe	88
PID 208 wrote to memory of 4864	208	Lingibiq.exe	88
PID 4864 wrote to memory of 5096	4864	Mbfkbhpa.exe	89
PID 4864 wrote to memory of 5096	4864	Mbfkbhpa.exe	89
PID 4864 wrote to memory of 5096	4864	Mbfkbhpa.exe	89
PID 5096 wrote to memory of 1900	5096	Mlopkm32.exe	90
PID 5096 wrote to memory of 1900	5096	Mlopkm32.exe	90
PID 5096 wrote to memory of 1900	5096	Mlopkm32.exe	90
PID 1900 wrote to memory of 4776	1900	Megdccmb.exe	91
PID 1900 wrote to memory of 4776	1900	Megdccmb.exe	91
PID 1900 wrote to memory of 4776	1900	Megdccmb.exe	91
PID 4776 wrote to memory of 3068	4776	Meiaib32.exe	92
PID 4776 wrote to memory of 3068	4776	Meiaib32.exe	92
PID 4776 wrote to memory of 3068	4776	Meiaib32.exe	92
PID 3068 wrote to memory of 4092	3068	Mcmabg32.exe	93
PID 3068 wrote to memory of 4092	3068	Mcmabg32.exe	93
PID 3068 wrote to memory of 4092	3068	Mcmabg32.exe	93
PID 4092 wrote to memory of 464	4092	Mpablkhc.exe	94
PID 4092 wrote to memory of 464	4092	Mpablkhc.exe	94
PID 4092 wrote to memory of 464	4092	Mpablkhc.exe	94
PID 464 wrote to memory of 3156	464	Mlhbal32.exe	95
PID 464 wrote to memory of 3156	464	Mlhbal32.exe	95
PID 464 wrote to memory of 3156	464	Mlhbal32.exe	95
PID 3156 wrote to memory of 60	3156	Nepgjaeg.exe	96
PID 3156 wrote to memory of 60	3156	Nepgjaeg.exe	96
PID 3156 wrote to memory of 60	3156	Nepgjaeg.exe	96
PID 60 wrote to memory of 4196	60	Ndaggimg.exe	97
PID 60 wrote to memory of 4196	60	Ndaggimg.exe	97
PID 60 wrote to memory of 4196	60	Ndaggimg.exe	97
PID 4196 wrote to memory of 852	4196	Ncdgcf32.exe	98
PID 4196 wrote to memory of 852	4196	Ncdgcf32.exe	98
PID 4196 wrote to memory of 852	4196	Ncdgcf32.exe	98
PID 852 wrote to memory of 3280	852	Nebdoa32.exe	99
PID 852 wrote to memory of 3280	852	Nebdoa32.exe	99
PID 852 wrote to memory of 3280	852	Nebdoa32.exe	99
PID 3280 wrote to memory of 384	3280	Njnpppkn.exe	100
PID 3280 wrote to memory of 384	3280	Njnpppkn.exe	100
PID 3280 wrote to memory of 384	3280	Njnpppkn.exe	100
PID 384 wrote to memory of 4508	384	Nlmllkja.exe	101
PID 384 wrote to memory of 4508	384	Nlmllkja.exe	101
PID 384 wrote to memory of 4508	384	Nlmllkja.exe	101
PID 4508 wrote to memory of 112	4508	Nphhmj32.exe	102
PID 4508 wrote to memory of 112	4508	Nphhmj32.exe	102
PID 4508 wrote to memory of 112	4508	Nphhmj32.exe	102
PID 112 wrote to memory of 936	112	Ndcdmikd.exe	103

C:\Users\Admin\AppData\Local\Temp\df431c78a69a9acd3da9a0d1507028cca1f4abc3f798f51fec993b3b81dcbed6N.exe
"C:\Users\Admin\AppData\Local\Temp\df431c78a69a9acd3da9a0d1507028cca1f4abc3f798f51fec993b3b81dcbed6N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Windows\SysWOW64\Llemdo32.exe
  C:\Windows\system32\Llemdo32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\SysWOW64\Ldleel32.exe
    C:\Windows\system32\Ldleel32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\Lboeaifi.exe
      C:\Windows\system32\Lboeaifi.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1272
      - C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        31⤵
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3228
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:704
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        51⤵
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3392
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        69⤵
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        73⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        75⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        77⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2584
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3224
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        83⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        84⤵
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        94⤵
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:532
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        98⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:228
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        109⤵
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        112⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        122⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        125⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        127⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 216
        128⤵
        Program crash
        
        PID:5816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5732 -ip 5732
1⤵
PID:5788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aminee32.exe

Filesize
520KB

MD5
9ba0624fb0d9d2d0451aab2f03de8dbb

SHA1
377b43bdb5d1b61e0c26d62eacb9bd71ce8cbb57

SHA256
ea93eea9c9a54e2f15e520435cdaf9862b771c54ef14828c9c66c059c88c70bd

SHA512
3ff835488339da4fee5b7c1588154e8eb657712edf031e53a411d7ab70c8c9f1194378189d26d1fa85f0a7726f51a662f2fb44f6c28536a3d6420fc85b16c00e

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
520KB

MD5
5e179034597f412640634f65b38580cd

SHA1
0f6f50ad17d3e10854d9fefc33c56af372b0eb3e

SHA256
dc78c055f214db000664aa7035b93cd18db2bead6ab0825a3d6498c60be5e131

SHA512
32ca112a06a37e7cdc5cf019b54cdcfd4f31e33854c09ea8cab3ebfeee1715b6ac189abf57c6f4b9b7edf8224ecda6e941ea9bbb441c0e24bc58c16a79c5c99e

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
520KB

MD5
f283dbd5015bc8b00c9538c28ce77dc6

SHA1
432d1012eb51d0ae586aaeb7ec1438811cac607d

SHA256
6597aa1ba9935b691469923ead4c6a7046898a63cd2feb9f8695f27acf03020c

SHA512
5017e507c67dfae1b33a18bcce580c2e7f9c05eee8b5dfdf78748b4b37577a89ba093296595d52a174586a5bb3339c76244edf848f17e380328d7682e9665a5b

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
520KB

MD5
7bbed3fc20a31819ea2480667bbc4413

SHA1
53a9d936a3f6a6e2d90b1b4e0c1b0180a65d1ed0

SHA256
dcc75e161d418360fe1f8b2bf232f2fc7c5b04b84730ccdc0281d9cdafa68ff2

SHA512
c5e530c9626a25d877ce681d20998431b97ced51fd29a52772bfdee908118a5bd99bf0332a4baa861b3b5d1b16edfc197a0c1b4cb0d6e0648af154731d835733

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
520KB

MD5
00136e65295f5aa5bb6a44307362f445

SHA1
231ec64583422c548d95d7e3c1fa9d69a3f7d1e1

SHA256
bf81d13978d7dd2d4c02e816681fd16e24380962dd058c420c4f1ad33f7ad59a

SHA512
3e4462fafed5d9d37cedb610bd8adb06cf8f2c6c8cc71e981446627488bc2577d0b3423ddb16991d2421206d7bfde5930777e476117946281245139b119b359d

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
520KB

MD5
a45b375e88aeeb3e2873715b4ffe8bec

SHA1
b5a8d8696aacb88c898dcbc0d0c773b90cb9796a

SHA256
4be933f0717d376c196108064835806a2c0088fa401ce2fdff5d610d6ce06a8e

SHA512
36f157ad606bca9522f32ca586e0c7be6d9e4d9562e35577ecb85fe0af2cc7fbd88071da2c30746e7093bc828ebdc781a852f078c53d778db867ad15fc952f0b

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
520KB

MD5
0d91cbc519f4221fbe94d2ca9e9798ac

SHA1
8795dde3db4bb3b86311f6a315484da85d73702d

SHA256
6d583c9684c87cd3331db5c3c2b865f94c625512d8c0be9d2e123a8257010bc6

SHA512
c4a9d55e06a5b5e2995555e9de032ea8110442048033e626861d07357ed694b820abf1523f466dd8be11bf17cc73865b0a88f5d5d0569b19a328803e889d9502

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
520KB

MD5
5692950e8509ddec6765241b90bdfcaf

SHA1
ea535b62cf7f3899a4b7f4b2213ae17ab88ed7de

SHA256
afdd2dd860b6c2fec86f9a8dc2f749ac32fd3b5bb6b948d6cc782d296a489d1b

SHA512
b0e1517d7e042d195d467bb885a3a9d395b25083a388682cf9a9edfc4eddeb1bf98573e344eed752b9b0b52ac0284091876b79143f76def69c77422f4192c3df

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
520KB

MD5
d2fe70d0a063059fd4fffc32962d2fd8

SHA1
44b55dc75e1323aa43ae056af2916a257b395d57

SHA256
91adc4fe05a877072d09cb08d959c19b69bedb127795ad4872cb6cbf5f9bbd49

SHA512
0d60249fce1631a7683a1c849b88d631c0fb50e29f48c8c6a116df7cb44dde3c19ec0088f8d5d7cca44b676dca2bef4327a0c4f5aef4ae6e61f13af2e554e06f

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
520KB

MD5
e51dbf660f66ded89a758bae9f75f22f

SHA1
7e6b547c69620583e66edf829bfc086087619ec4

SHA256
9c95be84b341575b49bb15ddedb93b0fe9c498f3c22fe3a323af4a76c1c57e6f

SHA512
b5e95acfa408069ac00c5c907a76a3dcc5abec03ea3c62118fcc1b59579a4e0a51decaad393c4f3ca0c7784e17483a1ba34016f54f48abea611cb2c2df78e689

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
520KB

MD5
0ff85d384f70913e7d15b3fe7bf27f88

SHA1
81bd0b6e16e1b5bf695435e8d1a560fc84ae1d45

SHA256
e9ff5a7eef328709387b70ef060498e7e3f973fea6fc03c050150dfac9ff8af4

SHA512
7d495a06799477fa838f58268648cd209d50e5196ef0e35234d4541b4018b623a03017e2c09b48976a7a01d0a75906a5804e251ce09c39cf84b846fcb9dd14f9

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
520KB

MD5
2a73fa99d09958aef03a913be3e554ca

SHA1
a84a379243ff6f4543326bc2fee8e3b798115221

SHA256
f1a4356fd8108f6f0387292b6b23a0ed2b4ca21145089faac8e62aa4e6fcce62

SHA512
0592657e0b2f880f1b775a698e179fe051c4594cdc0b36ad4a438f60fd7b6db6c19cd813446239ec395c62f74e0735b3734f173f46178dd72a2806a10ffe678d

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
520KB

MD5
4ccbb2168ec73601f440e79df033071e

SHA1
125cd067ba7cfcfd810472fb4ee596c23e604057

SHA256
46089dd5caead4e4bb79e1ea1bc0388784b92717aeeb7fb85ea2fa141e255bf6

SHA512
163c503bbd563a774cda2486a5bb560df961a11120b238a0517b9440b2b941159a61908602d3f1eaac198ec8639b71dd42deccc55ec26367322d2ba3fd80ed45

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
520KB

MD5
7e10afbf5ae873077d04d8558aef79e6

SHA1
182f5907f2c9a6bf0ad2708e0a290452db80d819

SHA256
87eca8a8163ef998a4f2b1dcca922e386d29b912fd44d30659c50d1685370bf1

SHA512
5a7b44f6b16a7d74db2fa998264ecf00d37c6c0ada42c5d662fc3538f89afe374414a9b216102fcc828e8d375d7ce2eaa31f8dc2a14ab2ca45db4ff46a732a24

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
520KB

MD5
82ba0347afdc7ec576ff9a5ff150284a

SHA1
5f8b1de0807b67e0bc2db9ae59eb3e04b4d61308

SHA256
61f69b6e7ab8b75dbd5cd13a57ccef70c756427950f2a74d94504766bc2e2cce

SHA512
4b685abc172c8a8e4668ede40c760fc7fcc6756b19110fcfb026a052c351d90a3906a963ea39cb76f3c3790822109142ba62c64f6fbd7673afe71648c4f94a86

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
520KB

MD5
7a3c42fc30e09d1a8a4b51f6d7b278a2

SHA1
33395f9060890e00e6d42af43423834c742fa8d3

SHA256
cf5476fcb3bc639f4b437882febf5ead7427bdafad8beecb3ded85e012beddc3

SHA512
8cd11fa42a17a7149113e8e2f73f2cffa8ed924490d60e518b3a3ffca8c73ac001f8927527422b557d619315c15292473b35321b4214c2818e8395a8871f7807

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
520KB

MD5
ce3caf6b0a05f724c8c059c345ea58be

SHA1
3913bbbb638b1eb8f8852ae8acac6be2d8e18cb2

SHA256
5835ae351b7041deb8d53516bc542bcb48114f392d36e037cd467d1c42c66cd1

SHA512
832e9c30550c07aa63d3386bcebd716c7f18c4e826f081147ba283ef1c151b717d1fb732d6fb4efce150ba4ff1c70e83cc33d7171faad9758024097f68cf9a6c

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
520KB

MD5
8f7eef633576727529c165a73df39a11

SHA1
7cee6416a5dfb6f143aa238c60d876ef4cd20bcd

SHA256
3d60d79066e89612c4e5e24a28e1442df064fec8d770a88ccedf1fbe204c72e5

SHA512
9d5133afdbd3a726389cbf702b79805a031e46c4858031d388641672c04eb9373a1dd077731f17cf2f589c759c6151bb1342986a4f14fbee23d96ea83c09bfb0

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
520KB

MD5
759b8bb97d035131e2870220fae9968c

SHA1
470916b2ab1ead876dabbd9b6300c6f9a5111d41

SHA256
27057a0861433d419e797501412345ec90ad8e83737bf69cb5327df6f782c67f

SHA512
7cc25accd204e8682da479150d4f0fe35fdbe80c0d1414488a369607193ac3af208441b119091a4ea8f35fb7eff80c2185b9cfe1ef11a70f354646510ff67936

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
520KB

MD5
f2d1d6f5f7e3539b176e0aec8aaed4cd

SHA1
9ecaf0a2f1c40263151e2557b7df0b6b5ce168cc

SHA256
3675191ef772326ebf1a2e845c0169ff49c28c53b9612f2574b126fc1e65bbff

SHA512
3fabb5c6d9ffef17780b3fc90d9e4ade6aaeb644802195a4ade397981d073a1a454ba4cb7c3ae50099ea7d51f4cc383f67d09f51a8ca5d7f7c092b27cd063d00

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
520KB

MD5
79440c8e6c193d4a56a261796806b508

SHA1
5d7f42fe955cc3703cfd8bc004955b6391739452

SHA256
070571f8d002e7fb6eac6e99b83b809e56dafed4891547ebaf0c8d51730b4923

SHA512
72b5ce794b597a5dfb25ec1da9488ec416d991d0c053e9c08dff205061c8cee0f670661fe89929830a012fa9b202927a234f717fb61244c1e135c50c4e3caf86

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
520KB

MD5
8a262aa655f21989785ea1dc4f73210b

SHA1
aa4624f07312e6ebdabcef9a6945883c04d5c155

SHA256
dbf8fe77c9cb248a1f1de8e41004ce2426fd6c2e847ee8b0cd2e2e72f6b49229

SHA512
76e5511fe7160a549d49152fbf0db095c057a34349ce624b0ed817a6c8f5b652f377e0a989ed125e0838caabe2506e5e8276fd849f0fc76587f26746750c4a23

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
520KB

MD5
8bdf801a909fee21424db242fe6a5fa2

SHA1
45734633f80bac72be426abfcd0f21daaf671ce5

SHA256
4b05cbec90bf1dab6ce55858b84de5236c39b2105592dc98c549393a0fee4e6b

SHA512
b80be85ad72a5e9b939a152e6d462e81c00db4a3b8cb7e05a3320992a5a501033d8d9ec9ddda2613cf6abf365fc9bf5c887b49dfbf949003bc00d1eab93794c3

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
520KB

MD5
a34c1b8781c78273c3e5610cb2b621a7

SHA1
107886e1262312f628c37788fc1006c84265b89a

SHA256
0593e6dcf9bf6ca0fde0c75e3ed42da354226450f4af180e6718fbed70ce9c5d

SHA512
58db79d01d2a8768506e94cd0caf1965119189793d2a64041c63d5a4b061196cf024800881403acdde583c4f4e4a471a865c34d49439a50a2070cdfa4cd398c4

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
520KB

MD5
570d83f84ab889a68be5a63147633a08

SHA1
0efb3cd32a62feef09e308f4a731c21c38e3e99d

SHA256
c5ac7bcf4c905f480c20914332c59dc28dae68a2bb38c3357c42996b378e81de

SHA512
9624e3290188ff4382bb31925b12791e691283b6bd7c56b0df50815dd3e51ae6dd658b929293f2c26c131ffbae6c43f3a7ec2f60ad01e0e6c1b0c4f970c93a82

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
520KB

MD5
c4e7b6c410716d5b831e02e4bde79961

SHA1
a7f2f164db360fe7b4d2751c48b4a0416961c80f

SHA256
d780400c5c5238c5dcaee2154fddb6c01cfc71cfb6a3582bf5e78e16caa59395

SHA512
abc94b3b841d81d84893d03deaceba94b77c536c86f5c392b1f750a8752e59a3b1a5f6ab10598ad07de8172f5401757a328a5a96efa673047e60e362a74ab359

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
520KB

MD5
57a8006e18d9833e35972fbee591bef7

SHA1
ad268714efd1db411d8192213c94fe2d14a34a0c

SHA256
f7f2fae0cb32f9197a6f229632f83d4b1d6f738a9d1faec67c462493f8518a8a

SHA512
b1d69ac198644e159a5d7bb59b38bfb0bf86fb6a3e5266ffb94b7b6ecd3e285c814d7218d24664723849d6c55dcf6cadce1f544bf6fa9eabe37aa6dcfe64bea6

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
520KB

MD5
a48bcf9cd8256da3ba7fc2b8d4de4440

SHA1
b349611ab004409396128ebc3733089d261a4188

SHA256
5ae2bb13cdba020e462ff60581edb5121b6b8df4e367ae0841939d0367dc04a6

SHA512
b98b7e90e69e2fd2161716f73ae1799caf9c4e5476537d0a80cfd3c00bd033ba967de3a62b1d112e58644e4db8344fc386a1df4e6bb881a799586c3f0bf78b97

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
448KB

MD5
2aaf3242a50e8eb2937fd5d816a3a026

SHA1
373d621f10a9e15281aea7532eb7e442dc085190

SHA256
5d87f1d227496016d1a5e445ca64d0c8789e8918f37826417564267c6350dff1

SHA512
79f83692a36f903091038361d71ab1cbe12d34233b751826920afca415828dbe5a490b3505263d682e4f31da22ba65932efe7c42589b816e16286da27b222f3c

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
520KB

MD5
6131f1a51a8ee217b1eb6eedc43bafd3

SHA1
c475ee2a32d0ee9531304903908f6efbb744d648

SHA256
98768ce7d7f37a2f442a1b133a4d3237c09d7ad4ce4c291b9884b7890a39b430

SHA512
1abaedf7d0095bbb6ae094fa402a1f344c62051e40296fb48e7a3a90f1426d91dcb314ee8a3a97d9f233fdf332d7e4f9ec877b96cc9eb49e2dc3adaaaf805f78

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
520KB

MD5
1f82ecc2ae718efc506f23f2ae752616

SHA1
604431f8df3842577fc3bd733dfa9a1fb2dbe792

SHA256
101681f7a4bbafd736894339f48dacdc23ba746edf189ca2fe2469d0b5af57ac

SHA512
91fe1db3b1e54e9afd931019400c7c715683446ec6ee2bab421eb2e5b2fc0cc3422b865d1f7650a342af8e7c309f39752e5be807f6a8a1b0d0982c8eed455955

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
520KB

MD5
dcd7433c849af0e8339ec0edd4e1fbf8

SHA1
5c5fc8530eec1667fb95803ac483a79eabfc9423

SHA256
fa4059085e66814a27f12e12e9f8030245c4a77e4ac02ea1e38fec0d9ce7a3aa

SHA512
d22c2e77b581867d7edf00367fb0361efdae2b8708a272b2d338c1a3c7ca86ded366f7d80bb870288f8160396c7f969f50b544056b060be47e873f5745911cfa

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
520KB

MD5
40e9a105902aa3cfdd8bd19f8db6bdde

SHA1
cfd1ecc78af19f72b79dd4ef136cb01014c79d36

SHA256
26c8adc933f4a085a6c4a7652c1664327a4c59c494873f0277f2ae371691eaa9

SHA512
53327375244689b04489ddf7b31e95296d8045e5396a39ef8253ae4e5489f2c29325cd48bd5c31a04cdd4063725add470a312239649c5154ac140f191aed38ee

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
520KB

MD5
a199f1a9cebcc92f19e6027fb335ae0b

SHA1
ba0af3dafe66f022f57ca3211250d09187d8b455

SHA256
1e4c14d9907714b4da987d7cf1a45bf675394b4f15620b89afa59c4a6308475c

SHA512
c5c394ff5398b427eba37d32eca7239b167d8ad5a9494b1c501bf46c911adff77bf2e0385aadd3285df4eacba8af548080fea840f3b1da69c596a4dd02631314

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
520KB

MD5
6d1c6dcec92b7ea1c6432d873b4703e4

SHA1
f21e5e0f8d1337a65f8169cd06d23cca53bccfa4

SHA256
30cd4f42644b353b47ad367416e0255925bba582ab1547d1146c6563c2467d68

SHA512
9725a948304fbbe4aee62c78d68aad03a899d48e496117db99734c155eb5d895188c93aa06a71c6771a05e7129720587c637b052bdd94df273a0fbaa108bdc91

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
520KB

MD5
ad92bdffca31617fb2a821ccef40a6cd

SHA1
d4ccb3705c880584e0e0d03d6b57acac5de3533f

SHA256
2dd9c9796914a213eb4f12f966c5772ebd018056855b3d8239f51647d61e630d

SHA512
8afec95af190f40203d0d23d37fa1c50bae798d812f7d7157892a116a6948f74d0db5c5f4fc79480d51a7b5a0c51a08d8965c11de141c1c7b921c1173a94641d

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
520KB

MD5
501bc685f30784b347d75d0552ab9af6

SHA1
d4e3a1d69fd0c3e41041a8b32acd1556d2b16b3b

SHA256
a0f7ea28a3d8e4bd79403fc145101cd711b38ab0ad890c8393ea494a0e9790a9

SHA512
14ebff3972479094b4c6d06e57d289d90c6b394b612c5e26b2afec51fdcc20273fd2782c445bdae06dc057789f2c524d8232c45a57c9ad663f5b8f870ed94a8b

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
520KB

MD5
92b8d0ec8e936ede0284870b11d1a94a

SHA1
87a85b83cff94d541def297261d7fb34ac5f73f4

SHA256
e1d5bedd33aec9f6ee71d18264b0ae84a79f5b0cb945a640e1001cb6a12862dd

SHA512
b413ca52f3b12ccb3d8955cb5a63160852683161e2af0bdd6aba53f27f993b30b1185eb78058a7a12d3127f1204beda9d0cd802a543cfe39dedcc1369360bc62

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
520KB

MD5
9a3af7a21e827b29a97664fae0dc28a4

SHA1
d8bd1671c54debe4970506ce7e81f287f3dff7d8

SHA256
62113be2755c7d20974ec51a3a303d6045e829c07604f1740a13da671c6cfc10

SHA512
b213fce3351d2d6fb18810eca441b37455988dec18290849335d87eb19307b8a6463fa42cbd7e41b593ea8d8201e632e3b982e02053cc750ce1feda81e076f71

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
520KB

MD5
98427f4e49d740868ac42ee894e4a913

SHA1
89c3a81825a5a051ada90c852614eb1516d6fb72

SHA256
635ec7c7e946cbb98417d9a9c946dedd6ef7fdfc6cd326b9637eb3a250a26760

SHA512
4bc2a1c1d5f12c04e39070f7da47935e6058c667f6edbc214e4f1fb2680e67a25bda4718aea2d0d8f5ba6b6ff257cf755cb2d21ec80caa59b0c513cca926ab7b

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
520KB

MD5
ab1ac285c06d1ac3a5c0fbbd32989b02

SHA1
361210c86a4d805dba69d19f127978bac5a00e62

SHA256
2304760b5d22c654c82371a054bfe3903e9d4afaf627540ebd17b4b98bcc86c6

SHA512
6d30f766896586093c9ccd8dbbd712d5821bee00906d6e808447bacf53c7490c402c11983bc971445c3f96673e37a85310d94630900714ed2886c5c6680572ee

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
520KB

MD5
0f5f846239e602b9ed4ee51853146b88

SHA1
976ce0b084e9632d3db8de901b0a50fed28183b8

SHA256
162f84d4d52e387bb8c0f1ca5b8d7fa7f286e5aa57aef985c892306b25ad1589

SHA512
0b9819aab14bf6c0c8db654371f0f808bab28c4adc6186c448e4f28ffb66224994153c71a1df319904b241516a5a7f654bfeb41062bf028f9be6cc7b366509d7

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
520KB

MD5
153d5646c24a5e72487dc5ea755ee9b6

SHA1
4c54973d29d4ca04bb1d37566572a75f88e210c5

SHA256
d3897853820a6bdcd3c1147f3bbe0f30afbcf334f29da4e1074573e642f5515e

SHA512
cf67b5ab2950d29de34547ba4a08eaba65cb67b88e015dcdf3712e77cf328f544f50f1bc5f3cbb8e9e738ec29c91701ceba5c7e8671d69cc07903b5dc649660a

Download Submit
C:\Windows\SysWOW64\Qncbfk32.dll

Filesize
7KB

MD5
99f94ebe9506df6d7c08f15ed33e571d

SHA1
3b970127753ef81e82aa7f2838c75b33e1e90b29

SHA256
3298b65407618def251593576d78784ec795b6c4b8312a6f105f4e0cb683bbfd

SHA512
c0e0f21c287897df15384507f4c1cf57a3dbf6382d64655cadeb8c57fe31b678d54fdd92eb418b4f54d22e1519bc7847ca5c5bcab1867f5f7063751a53433efc

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
520KB

MD5
285975b02b564de87783e7dc782d5b45

SHA1
1605d9603fb9ccf3a9337538c9195166516f27d5

SHA256
86f13e9a6fb052db8f3ae284bb0aea8e3119e5cb3b0f40e3cde12d78e939aa03

SHA512
96bc22a9e2d454b79f7b3a35513a7eb85473061509528890174ba699e5ccb37d3d79f0d1824e25cf4d21317c6c7474d7ca8b740a006f673d126eb44a0383c126

Download Submit
memory/60-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/112-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/208-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/208-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-910-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/516-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/704-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3548-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5208-864-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads