berbew | 239a44b914409b589a570f407c577c6396d4a84670de87db165aa657a719f751

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

239a44b914409b589a570f407c577c6396d4a84670de87db165aa657a719f751.exe
Size

96KB
MD5

90e78b13ac16ebec76f813bb8c501076
SHA1

073ce41644f8e63d1e38f09f1431e16895972a42
SHA256

239a44b914409b589a570f407c577c6396d4a84670de87db165aa657a719f751
SHA512

d51cc4b17886a8172e9de6355c7a2d20a57c7fe3c671c1a63594c6feed0e230a83d284a9da412bda2a112f138c416d7aa58374580fe4a927ebe57c87ad182ab7
SSDEEP

1536:sVlYWodFKh+GRgcmfQXHmZFGX2j2L37RZObZUUWaegPYAS:sbPodFU+GCcmfQ3mZFrA3ClUUWaef

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	239a44b914409b589a570f407c577c6396d4a84670de87db165aa657a719f751.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	239a44b914409b589a570f407c577c6396d4a84670de87db165aa657a719f751.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2920	Menjdbgj.exe
876	Mlhbal32.exe
2368	Ndokbi32.exe
1260	Ngmgne32.exe
3308	Nngokoej.exe
1020	Ndaggimg.exe
4080	Ngpccdlj.exe
3108	Njnpppkn.exe
1652	Ndcdmikd.exe
4824	Ngbpidjh.exe
2588	Nnlhfn32.exe
2236	Ndfqbhia.exe
3944	Nfgmjqop.exe
2628	Nlaegk32.exe
4232	Nckndeni.exe
2456	Oponmilc.exe
2192	Ocnjidkf.exe
1700	Ofnckp32.exe
2392	Oneklm32.exe
4964	Odocigqg.exe
1532	Ofqpqo32.exe
2704	Onhhamgg.exe
1488	Ogpmjb32.exe
1268	Olmeci32.exe
2324	Ogbipa32.exe
940	Pdfjifjo.exe
2824	Pfhfan32.exe
1064	Pqmjog32.exe
4460	Pggbkagp.exe
3768	Pnakhkol.exe
3404	Pcncpbmd.exe
1960	Pflplnlg.exe
636	Pncgmkmj.exe
3932	Pgllfp32.exe
2100	Pjjhbl32.exe
64	Pqdqof32.exe
1476	Pcbmka32.exe
2740	Pjmehkqk.exe
3532	Qnhahj32.exe
464	Qceiaa32.exe
3576	Qfcfml32.exe
4388	Qmmnjfnl.exe
2684	Qddfkd32.exe
3844	Ajanck32.exe
3956	Anmjcieo.exe
4220	Acjclpcf.exe
2660	Afhohlbj.exe
4952	Anogiicl.exe
2604	Aeiofcji.exe
3644	Agglboim.exe
1036	Ajfhnjhq.exe
704	Aqppkd32.exe
776	Agjhgngj.exe
888	Afmhck32.exe
2000	Aabmqd32.exe
1696	Aglemn32.exe
1820	Anfmjhmd.exe
1080	Aepefb32.exe
3428	Agoabn32.exe
2820	Bnhjohkb.exe
1580	Bebblb32.exe
4384	Bfdodjhm.exe
1516	Bmngqdpj.exe
2020	Beeoaapl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Olmeci32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Mlhbal32.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Agjhgngj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5164	3992	WerFault.exe	184

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	239a44b914409b589a570f407c577c6396d4a84670de87db165aa657a719f751.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Ajfhnjhq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 324 wrote to memory of 2920	324	239a44b914409b589a570f407c577c6396d4a84670de87db165aa657a719f751.exe	82
PID 324 wrote to memory of 2920	324	239a44b914409b589a570f407c577c6396d4a84670de87db165aa657a719f751.exe	82
PID 324 wrote to memory of 2920	324	239a44b914409b589a570f407c577c6396d4a84670de87db165aa657a719f751.exe	82
PID 2920 wrote to memory of 876	2920	Menjdbgj.exe	83
PID 2920 wrote to memory of 876	2920	Menjdbgj.exe	83
PID 2920 wrote to memory of 876	2920	Menjdbgj.exe	83
PID 876 wrote to memory of 2368	876	Mlhbal32.exe	84
PID 876 wrote to memory of 2368	876	Mlhbal32.exe	84
PID 876 wrote to memory of 2368	876	Mlhbal32.exe	84
PID 2368 wrote to memory of 1260	2368	Ndokbi32.exe	85
PID 2368 wrote to memory of 1260	2368	Ndokbi32.exe	85
PID 2368 wrote to memory of 1260	2368	Ndokbi32.exe	85
PID 1260 wrote to memory of 3308	1260	Ngmgne32.exe	86
PID 1260 wrote to memory of 3308	1260	Ngmgne32.exe	86
PID 1260 wrote to memory of 3308	1260	Ngmgne32.exe	86
PID 3308 wrote to memory of 1020	3308	Nngokoej.exe	87
PID 3308 wrote to memory of 1020	3308	Nngokoej.exe	87
PID 3308 wrote to memory of 1020	3308	Nngokoej.exe	87
PID 1020 wrote to memory of 4080	1020	Ndaggimg.exe	88
PID 1020 wrote to memory of 4080	1020	Ndaggimg.exe	88
PID 1020 wrote to memory of 4080	1020	Ndaggimg.exe	88
PID 4080 wrote to memory of 3108	4080	Ngpccdlj.exe	89
PID 4080 wrote to memory of 3108	4080	Ngpccdlj.exe	89
PID 4080 wrote to memory of 3108	4080	Ngpccdlj.exe	89
PID 3108 wrote to memory of 1652	3108	Njnpppkn.exe	90
PID 3108 wrote to memory of 1652	3108	Njnpppkn.exe	90
PID 3108 wrote to memory of 1652	3108	Njnpppkn.exe	90
PID 1652 wrote to memory of 4824	1652	Ndcdmikd.exe	91
PID 1652 wrote to memory of 4824	1652	Ndcdmikd.exe	91
PID 1652 wrote to memory of 4824	1652	Ndcdmikd.exe	91
PID 4824 wrote to memory of 2588	4824	Ngbpidjh.exe	92
PID 4824 wrote to memory of 2588	4824	Ngbpidjh.exe	92
PID 4824 wrote to memory of 2588	4824	Ngbpidjh.exe	92
PID 2588 wrote to memory of 2236	2588	Nnlhfn32.exe	93
PID 2588 wrote to memory of 2236	2588	Nnlhfn32.exe	93
PID 2588 wrote to memory of 2236	2588	Nnlhfn32.exe	93
PID 2236 wrote to memory of 3944	2236	Ndfqbhia.exe	94
PID 2236 wrote to memory of 3944	2236	Ndfqbhia.exe	94
PID 2236 wrote to memory of 3944	2236	Ndfqbhia.exe	94
PID 3944 wrote to memory of 2628	3944	Nfgmjqop.exe	95
PID 3944 wrote to memory of 2628	3944	Nfgmjqop.exe	95
PID 3944 wrote to memory of 2628	3944	Nfgmjqop.exe	95
PID 2628 wrote to memory of 4232	2628	Nlaegk32.exe	96
PID 2628 wrote to memory of 4232	2628	Nlaegk32.exe	96
PID 2628 wrote to memory of 4232	2628	Nlaegk32.exe	96
PID 4232 wrote to memory of 2456	4232	Nckndeni.exe	97
PID 4232 wrote to memory of 2456	4232	Nckndeni.exe	97
PID 4232 wrote to memory of 2456	4232	Nckndeni.exe	97
PID 2456 wrote to memory of 2192	2456	Oponmilc.exe	98
PID 2456 wrote to memory of 2192	2456	Oponmilc.exe	98
PID 2456 wrote to memory of 2192	2456	Oponmilc.exe	98
PID 2192 wrote to memory of 1700	2192	Ocnjidkf.exe	99
PID 2192 wrote to memory of 1700	2192	Ocnjidkf.exe	99
PID 2192 wrote to memory of 1700	2192	Ocnjidkf.exe	99
PID 1700 wrote to memory of 2392	1700	Ofnckp32.exe	100
PID 1700 wrote to memory of 2392	1700	Ofnckp32.exe	100
PID 1700 wrote to memory of 2392	1700	Ofnckp32.exe	100
PID 2392 wrote to memory of 4964	2392	Oneklm32.exe	101
PID 2392 wrote to memory of 4964	2392	Oneklm32.exe	101
PID 2392 wrote to memory of 4964	2392	Oneklm32.exe	101
PID 4964 wrote to memory of 1532	4964	Odocigqg.exe	102
PID 4964 wrote to memory of 1532	4964	Odocigqg.exe	102
PID 4964 wrote to memory of 1532	4964	Odocigqg.exe	102
PID 1532 wrote to memory of 2704	1532	Ofqpqo32.exe	103

C:\Users\Admin\AppData\Local\Temp\239a44b914409b589a570f407c577c6396d4a84670de87db165aa657a719f751.exe
"C:\Users\Admin\AppData\Local\Temp\239a44b914409b589a570f407c577c6396d4a84670de87db165aa657a719f751.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:324
- C:\Windows\SysWOW64\Menjdbgj.exe
  C:\Windows\system32\Menjdbgj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\Mlhbal32.exe
    C:\Windows\system32\Mlhbal32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Windows\SysWOW64\Ndokbi32.exe
      C:\Windows\system32\Ndokbi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2368
    - - C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
      - C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3576
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        55⤵
        Executes dropped EXE
        
        PID:888
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        57⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        66⤵
        Drops file in System32 directory
        
        PID:3848
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2276
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        77⤵
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:444
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:424
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4620
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        88⤵
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3272
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        95⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        97⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        98⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        101⤵
        Drops file in System32 directory
        
        PID:4660
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:264
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 396
        105⤵
        Program crash
        
        PID:5164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3992 -ip 3992
1⤵
PID:5140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
96KB

MD5
ae30a9348268c0aed5f42245300b22cd

SHA1
68abcde231d879f1318f580a884d87bf28b16931

SHA256
8e15a85b539b59e3d6022b34d45c476fbf51e57b94a22ffb1d7167ae08a7deae

SHA512
e6d21b59a0c6ea8432d49d74c75be1b655f2a4e81b84bac02c88cce5033db5ae321918670caa96997464d5f7311051f430f4f88b723371b5f54b2d6d4751ab30

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
96KB

MD5
1647f3ae3d882c3953b4a608f6a5577b

SHA1
f2d9ef7dd629f0a9f78fd29d3faff72727925446

SHA256
ee3d7b16d2320e1fd04011d1c133217f78d5b404fb1f291d41e84f085ff71b8c

SHA512
95b514c17bda11f01f06488250d04d7945ead5681199b8fb4bdf6f8a7a3683cdaebbd7fb74bcc2aaa965e81174a86bb3279d50838494f87855cfd6a8de8f0785

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
96KB

MD5
406b4e04d434cd04c0b07c13ca0334e2

SHA1
005b9f9e7fe1dd6eb0d7d7c2b29a1df1aad12094

SHA256
f204313ebb159b1422ccb298653c668c0ef65251b7fd2024e04bc6bf6358ee72

SHA512
463fbf66118d07ae271bb953096ad1cac9ff00bfa63e7fe5a51036ea0ca9571d62d0b9c2a93bfff42ae52effca2e707a8d026453d1e656a7065a4eaf9de854fe

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
96KB

MD5
ac3f6b3d59f51c140ac98f1ee3332a8a

SHA1
ca72472e4fb552e70cb7a5e3eb9cb03ed0ecbf7d

SHA256
9255f4f4bfd9e7c7e6c78be326d9fa92a025067e08e82e2f5814bb29c105a2a9

SHA512
f900844b45fbd691173a2c0059b6f576e2aec23e4b2eb9eb3f4743e5b75f6e5adb5926fdb1464f8d87c06aecef9bd6bf2b1701560cd777e69a22bc9d45fbf826

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
96KB

MD5
3715c4b2007fe21d5ae31aaee779fc23

SHA1
ce1025b85469443d02e218a33076209adf6f73e3

SHA256
add71a3726f45295416c506ecb471f6c37f7bfb184db4605a3b018cf5fdd16e2

SHA512
1130f4cea2fe4d97bf96e4376dec09d90aaecd231c8ab58a153c54184a895d338f356855f3089f8ac804bbfbd9e295d675b74a6aed720380820b1c9c4c573c1e

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
96KB

MD5
7e61fe7f12f977b069d5bb7ba22a5667

SHA1
d0d553baeef841d9e5d45b3ac70afa3e32533084

SHA256
e33d48c155a473923e6ba01a5a69ae74326d89481d2953039e5fba380746b511

SHA512
a1d6320fd15219f426e8ec7071747af87410ba9888494b03a912df851c5d4ff04712501478188cbe4ae0144a19aa8ddf4b246efe7eb75145b9dc41eb35637d52

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
96KB

MD5
7c7958529356e6014d19e2554f38f8ed

SHA1
4fe3df00204759934dbcd91da8cfce4efa39a9ad

SHA256
2e23c795ff9123286b97dddb7412e958b52444edbb68e8f56402118f57c9b40b

SHA512
5d4a1c3f13aaed2da9678f00d496c077347d62cf9f4a5e56b30f898f055bbabd5a0526d9d776fbe332565fa2661e885f9eec67263417073bdf4a5ffe40649944

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
96KB

MD5
162e5e6c5b0a2ad40264099adca9b524

SHA1
2d8d3ffcc4bd4fbb0c123b41f1138bbdf05c04e4

SHA256
d7a0cc98fda665291ad8bd1b1bd10a7384b541df6ea98a4ae881b075b7d2c83d

SHA512
dc1404e5e7c4548ff8667d3f1192269ecd7be30c6961e10192db0fe130d100865faf3be46067e0a5df26166899f63eb5228745a4be3c00463998466b20b0abe9

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
96KB

MD5
641943788241b1d76e504613e35cba46

SHA1
434d04fe8e7eb9e9422857dfdf624e97b203fd4d

SHA256
67830979e8e1e211ccf122891a8b3b7479a173ce8de13912a743e58ce2fc4b41

SHA512
27dc8a49d3d2947460db94f7543d87a78a4587be805513ce462fce16686879ae5b890c183be4963456c469349ee2ad0a7d3e89298112b47576662c8bb5f268be

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
96KB

MD5
5dc36fa8e5f15aba19240c6c417df204

SHA1
b91a1171f6cb2a3f7b44469207d4fc9ff9a8701d

SHA256
49a5de56aa1af1b3f82b00b0085ca8e061f3e7a11cb2aaad1c3c8291d9278b66

SHA512
c93e03b7df81bd8af7bf9861fe276de157c4e0ad11e904402593528dab86bc2634a63f3461052ecdc18d34716c9985272bc54e0074436aaadd05492b96445fce

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
96KB

MD5
c78f591d9a8d47b67d91d91930d09a27

SHA1
4627e53c6eeeaa1dcc4137929f3c72ac5dda908e

SHA256
fc98dfeba3598e5c320de9035db5d2ba200b6a8bbfcac83e6d85b5af5fd87fbb

SHA512
a7be9d62c207ec34f898cf9e552a5b318b6a48722c6cd41c96872553850b36dd31e802d91244f2227f03272f41ae23fcd1394e7e5d5e40f6dbf555ddeb7d0e0e

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
96KB

MD5
3e120dd0c42b80699a1c19f204b97879

SHA1
639cbf6dad6247090540003669fcb5c7b70a8e9b

SHA256
c0b9e4902655fdb085af6aab2119fa4c6119739283b02af770810c716a38259e

SHA512
41ebc17b8421f9b863776a4769c835770780ab630b29facfe1469b8e5c47a93d37a65adbb7060cb0ca194c7d77592a46928696f32233477d5dfc66e20d907509

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
96KB

MD5
4ccc0414300e9bbd6234b9330d8307fd

SHA1
50c5ab6b1ca62484560f72d99acc507fb51ec502

SHA256
55f9d9e80d15829e594a7c92edf75fd80f901a2618ef2c811455246205d80571

SHA512
c6421ff2c134a7f14066ec86264218ece842e3acdee63ec576bd5cee6fb60a469fc630f8de0c6ac4236fc282d3cde16ebeacecf7fe8a9c1f6d233df1ee52a490

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
96KB

MD5
f8a9e3ea43775a75a5ac1f8f969b404c

SHA1
88b066481dc329e7c9f9ba12dbe92430c2ee6e6a

SHA256
0775614953719922af7cb390fe41ac2b6f6d1e6c1cadd4853d696a6c44e87e26

SHA512
c4d8b7f91e97059caa383c0aefb8aa26264826466b515f1c7541182937f0b8a346ecf368aa9e6d29f692d993860faa03ea0a10586202a8bbbb1fc21fa50e224c

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
26afff2333668076037b61f9c9c154d0

SHA1
7a5351a9d96ace2ccd83aa93a292b3d658f4632f

SHA256
a09b54473b27a6f19ca924a15714bef2ae901f4f7fe26f5979266fab34bc37a3

SHA512
92203c6a27cec9d4d4d2189ed792e68cb487c41c467fd367bd372a12f61ac7c6534be1f57741de99185569dc4165940d3fbae486db74c1a20831799286e17c66

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
96KB

MD5
fe93853625d17b7ed92e683ee576dbf9

SHA1
a1b21baa6b278af4205d8555e9ece0bd3f74fb3f

SHA256
c379246d0e907434630978d1152131b8d655f01c8d9e9bfe99db90a9aebf4112

SHA512
8fe0323319bdd661aba95a04dc14ee7dcf7be4a0249bde24e7b98471f71f3bc15cacf9b80675b3ba20aa43850eeaebd57b6fd6de086f5a6a91081d70ea54455d

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
96KB

MD5
c47e7e744fca4304b31867d67b838bc4

SHA1
5bb3a2560b0e5e017245684256bc2c2cf12039d4

SHA256
bfbc7ef1af673d440ceb0b85e457118875e9916fa0b0ef5cdb9238687a5e411b

SHA512
e6b89eb366dd81ef81f9c0547ebbc336af89d88bb0f53ebbfa3d4b94ecb4542a1a0b5f9a384205addd30ed50c91f9c21239039cd2405ba650a746d4354536dcc

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
96KB

MD5
d6dbf7d79f2c65b7e7adf6e643079a25

SHA1
765d7f3dea75a3a4395d2ac597a809eeaa411edd

SHA256
1107a09657848bc495e4f44e1f1c304ab2340b5a4ca926aa1094d9d0eb3dfad2

SHA512
56dbe2d8f95161aac1ef07976b7974834e2a65fff07be15d0cac12e100fd84d3ef80e093daaf0c3831a47c590ba59c23425ba43f2bd30b3e66c2e6f45274e6ac

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
96KB

MD5
e7aebea426e43ae632bed909078b77d9

SHA1
409e42c02ab0ad160f9c3f93bd2e703c7973f111

SHA256
ebfcc2b48d57dab7e6dfc78cb2c2c6badc88a01803439d1047f5993f276a970b

SHA512
7dd6d5d3162c7f32d3466be3254ecbe890c1e0d1073871e6408aab278cf710291db17546c5b42e3ca56af2a08ab445629a9ae52382cdc84bdc5bbce9481293b4

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
96KB

MD5
e8f1ef8515696c3332aece810f1e27a9

SHA1
d63d6a02485775b15f97e791a2a19cf51456cd56

SHA256
decf6b3e88f561858aa15d5c25cab7bc6f2a9f3e393712416734206b7ae81b99

SHA512
a494b0a94f12f60ea40eaa416763bb8df9d94c7c2692f9adbb209b85a41da8a7e6abe1146c1071c03d2305b8b6125fea8e7458ca35c6186c3c7f9f25b6587e3f

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
96KB

MD5
35380ab4800d0b8200dbccf3688ab692

SHA1
4fd093242cca39c42300422717864a45aa1c8895

SHA256
999ea58a6c05c8487b762385127cfbd3a40c87480f72063825a8bbd97a0dcf3d

SHA512
d84c4aacd67603f88bd4da8a73afff9e9fb004a3427b73dd199f20bb67e7b95e4b914c46bdf244cd7f18ee3db6a6c130b30f5961478e78d1be74425084936534

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
96KB

MD5
fbeedf86250c045beb0e10d3711f5813

SHA1
09adb31003390911962c179c21425019c1e4439b

SHA256
3f72df7926f434d6ca3f168c8e34c90629c6be06e7bc5502dcec106e834fb6c2

SHA512
1a6ab11fefd37c6e4a71f524d1955f029a014de69d3d6fa679611501bb9bc1bb560ebd223b90c78418e89a30146bd2a1ef4c189dadfaa0baead51df74bccc52c

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
96KB

MD5
03e8d7246dce4fbe695285e9662f4d4a

SHA1
93f424125a44e180a37a331d54f55e8d00a61827

SHA256
6e04b7777a97363b8a2fc0b36a0676dfb8e145d7573587aa66e0f42b5710136a

SHA512
31d54ec7fc75ac7d104bc62291ae3960317617923933862a62467227df9f4e6a0c83e9e15590f7fa585e4104b0e3a9b39bdb4aeb1a8d126d19dbbe18bbe73e1d

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
96KB

MD5
114a5f42cac38acff1ac728726c36c65

SHA1
69674482b08573a44192ff7a1a4adcbf648649aa

SHA256
30c1d7a33c2c000217e4db206d2992b7e976425f7751a2386520f23be8f3b73a

SHA512
0e9ad5830a10718c7a1e1ebeb5446aad97582414ad775e168480ea046df17da0f81dd76e4e1de85c7d684b0f62ff9cd81c5a1436a273c2d87cbcb4ae5a0abb55

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
96KB

MD5
c2b557b0ca989209450d94f7730ee641

SHA1
b7e9981b09254c95fb01759662b1b446a755ffbf

SHA256
273026a94e18b6c0d397a2f85b2c0c1ea1e04a374e772bb03394ad594418839d

SHA512
934450b7c2d054e13083b135367b5f53558dfa6e31a7a54818890f885c34bbc24f36d4fe398eb11b9fea56ae74de9c5bc605cffcda9ff062b0e29ee9c32d66af

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
96KB

MD5
7bce12fdc196b88ff091c49da6036b67

SHA1
bfa033662ff308942dfb87d732eb498cc0703201

SHA256
40e715e72e9ed8ce69b92b8c54ba49557e980500cbb06780d8540206109427f7

SHA512
78d54aedb4add26b8c0b4e5da4720ed15b484a34d22b4d1488986b8c7968769d0252e4fe0a1fe3e1780c980ee43339659bad88acdf4dc291515e10257e3e11b0

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
96KB

MD5
7f66c52532e29573dc63a42e37226f8a

SHA1
1512c83155456e93a6b4a8b68806b8cf894790a8

SHA256
ded6d96e1a50d4f78457e0413f5b4dee9cd9d1f33b48e62feed40d07f04afc6f

SHA512
6747f92246fb1950f4c6ba7209a95c91a6e3e7b34cdd53f37e91031928c1a1ffee7c859362d7cecb24826c11fa2ffcc55f58bed3fd3d12ecf7cbbae3725f650e

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
96KB

MD5
914278a82353b4a2d9e383212dcf8a5c

SHA1
8b35398bf47c0d16d2b43be075e0b0e8e6839614

SHA256
c131e15ffe4c24747f2fad0176466361f032be11f3078828375d9e209ddd0f53

SHA512
3d9d8f92ba430ba96e275d8a731727b5bc36a96e0d68095df11b629633aa3009c0f6f89acf1d9c8ef64cfbac86268967b4b559443e12d603c054615579dc16f8

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
96KB

MD5
54197c24482720930ad8b219adf84ea6

SHA1
84c2c1da5eb2ecf0df8083cdacf59d4c70908202

SHA256
3eb215a12db6e9b65667161ef4bd21279323798568657392e21a76870a8798f0

SHA512
c56efc45e04db99854303f5331d8e00fbd3c78b935e38138c4b88807a1f1201bdb95831413a06b8956e88763388631f7a8393087457c9bee49bd4cb311dc7dcf

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
96KB

MD5
70af6e85328305491a3510bd8dbe924c

SHA1
3ec176898b229c400cf9ff45818e2d7bb6fc421b

SHA256
f398ff89141ac4ed17e48531a4d6f194f6fba00e5a12698d617060ad09695691

SHA512
2a751d84155b1b7cfee5c396b6f9e6a88010e821789bf7469c7ca9c23f74df50312e2797bcf8a424b87ac28822994ba87814dd2c755bc57b000eba4c31544878

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
96KB

MD5
fd68ca26509acc6591bc87a7d51c4827

SHA1
167efb70d3182b1fea7a0ccdfedb4bdb4085649b

SHA256
0c599c0537087f7093923187ca3767664740c94e74e61213437885ed8f7e8966

SHA512
bbed235fbec89b566ff11b60487697cbe62a9984b59082e9c80433861d0d61ac85a0d55481075adec06318eabdb40f75008b0d6fe97145966c6892f05cf070fc

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
96KB

MD5
54d02ab292ce01b7ce96297cd6724822

SHA1
e643f425023a3c6254fc994a3fe943e3ef3bee90

SHA256
fd2fdd91e11a659644e158feeaa250c1d7b1618f276e7b04540cb5f2830e8e80

SHA512
dec512cdbf42cf832423cf92cde94ae75fe3ac53b8baddacfb538979b81333fee74a934f11abe3c3a2e3682adb18efa5760cfc80c60466cbc020fbfb4beb1d09

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
96KB

MD5
e3bde9bc3af642e11626ad6b4ddbed8a

SHA1
3a1be2df7b4d667c7e29bcb8db478e7e339c0b41

SHA256
814cb70a8cedde1fb53910f54053a2c082a0f0478a802a93cc84271857b38583

SHA512
30984d7d194ca9ce60f23e92357cdb401cce8989184684fff34600ef7deabd172d801723b317b9748419fec0d4a0a237845afdf3e384f82a8e0dcb168bcf4b85

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
96KB

MD5
0782a1fe105c7b65054cc1b95e3ac219

SHA1
387425232d747152abca4dbe759d9c9371027afa

SHA256
51fcb02446addbe47f380749b9381c1f02f2d1c0793d1295455ead69bf486456

SHA512
e8a3c9ba534d511dc7f5d78245b411cb9c24736f9d28185556c427abfd48ae9b65fbdbadde13544666fd1cb9ccd8873d57c506fe0da02eb8a3619dda7b72c43d

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
96KB

MD5
2e9c784c6a4674a34bc86c2fb8ea0bfd

SHA1
a507c9dbd89bdb0a1eb5507bc1aa9134938cf0cd

SHA256
73e59de338a058d140d7a95bc2b9210918b461a92637104d2186760a619c7dd3

SHA512
e4581fba1e11d1780e6ce9477c4e88c6aac97f96430145f4ec1ea4866da2e604aaab5386b12ff6513afca8cdb59a9a5cb7337fc6e1ec2fabf3a88460921c0ef6

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
96KB

MD5
55a88ca92966eb4e9cf5049e11c818b5

SHA1
a05ecd14035f9bf41c85bb5fd544b8d9625a7623

SHA256
988fa212d6dc05ef9f3fa2db44331c4710d263b58bda83cc40100ef5d6c5e675

SHA512
cd86ab4d534c0efbb3d3e3115461f2d3920b9f3c264fe55a884a0cd2aa47b99451c2a6a34b6d5e6ac8a4fe1ede44de9ef2e72172387342fd5c63bdd7cfa433cf

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
96KB

MD5
dab792a1e182dea52108043bb00643a8

SHA1
2412a79ffceb58c0b2304629d2bd51a3efa5fb65

SHA256
b6eab4f68c1425ae1f8b0c24b63160c8b20bf01923bc18a58f30c8d56617b0d5

SHA512
6a06bcd3574d3f6c80d2b1df43cd6890be4de29ae965cfbb02a710fe45194f72d07bd2246e5c4e0b1944f0b39e956ba90d7df0b6f9e3e97a8fcd84bea1336ac3

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
96KB

MD5
8a16233014c948482993431f7d3afbcd

SHA1
23c8354bd29080a18d7b7941e50022b3cec241ed

SHA256
1bfaa1fd3912e015680f5a87834bc9a0a60e49c1d7fd7f493c0082bc895ebdff

SHA512
59b0de3a21b150321a0ffe5baf4ba420481c45aa55c23d430d2f347b913ebc3554a1806c8b31061dacc8a06e034dcf0052a3e28a68702d948569e512d3705a09

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
96KB

MD5
7ca90f7baa2303091b758edf1722277d

SHA1
f52c4c70bc0d9d68277b9944c1f498ea0d5d7082

SHA256
ec18b52a08432598b02b636f07d38ba6f65695e2acf488ce4e1dbf4112b270a3

SHA512
d2b8558284523befdf67f13bac6caa54845f5d7ded65d98b55658e9e36974c4d7bf6ed72b6489a5b38d95e16ee01f581b543005a32d3b970aa2cbd1e0ffd1f6a

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
96KB

MD5
2d0653c7bb71c46547d0ee919d871bf2

SHA1
6d774e489c7babd1a66e271eb5e50ca82371dd59

SHA256
dcfebeab35e227c7bbd5f62c6dae1e950fcab2cc3df725c11a8bd62dc72f19b3

SHA512
6024ccfa730b51da99e859cdf76ca30f87b74d1011ad9d54c4eadc6c6b7713830fea491a7aed845e7ac498f88a7377f376f6bc6d8254511bbc5c0808def72322

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
96KB

MD5
bbb31d4bcdc1d3e3de7b2e0262531342

SHA1
b537f65a72d58ff1c97ef1d74560f050a2aef50b

SHA256
420a4888c700749404e94d89136fb43e8621f80a9b976e3e94d81f4958993281

SHA512
4f0476d9e4f6da7b5a203585c33a9ecceb4b9140e527bc958ca09b3ccc63e0c7793d77d9c7f17e48de4fb84b410d698115432bcab4430e1cc54d0bb23ff7b0c3

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
96KB

MD5
762797c61c910745b395b6d8bc860728

SHA1
7c941298a604de017417b0a56e732e915e1df2a1

SHA256
21a437025a2ba3441356b6046de556b525c6960832ce39f8de2883b161015b0c

SHA512
3794b90cc4ac48a5b68e4e7255ac7a02cada327a2f0fcb43f0033b0cd459dd846c9d61019972327505a86059fbefa663de31f971852f6f0f50bc0d1c1ac6066d

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
96KB

MD5
edbc979975f5bdf4c989e7f96b03cd81

SHA1
9af6ad22949048d2660347f54b6ff40ede675813

SHA256
837c41bb8b4a32cf7eb4e9f36cf80fa685c0fa9b851f0ae650800bc605712b6b

SHA512
05fcfc91bbf339a5c906a30b4a51799bae44717e51dac85e36123fcd6fcab3d8d2f7f151a066e7d511825c75531d3cff041827a805dfa41ad561ec91bb76f867

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
96KB

MD5
b882cee67aed228052a6bf0c7bb87bcf

SHA1
42c4071c51fefea12cd6c56b75d2d9fe30101130

SHA256
2ef0ce4811f70e07d16c4fbbf8fd2d658273cf46b6a393ba33b1e86ef03167b6

SHA512
3cba3a9f8b4e6a71f9dd65603c7e3e05f9eedabeb595b06c737bc7b5a511d0874a743cb0c78795c277e06b19ec7a9fdbd6bae50d3e664d0481796ccb3497394e

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
96KB

MD5
7a1e0a69746dd5cafbea539c4e70f30f

SHA1
5713f29fc7374d732d8968f7dbbfe65ce5e88b03

SHA256
c759cfd7f4c2fefb4b440e04ca26713e4932b943a84cea7db8e6bbf127689332

SHA512
9c6eedd54756661b79655351225a4ea8821ae13813db8d7284df124593941fc020ef107609b1c91494171f68536cbadb880711d5ac7a63f42503a3c093a0fb9a

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
96KB

MD5
9f35a32099023b5b2bd83c61534639fd

SHA1
a16f44a21eeefffd2a044a5b70ebbdc93c87e451

SHA256
cf5aed8fd2f29ab5f4703ca8b17887d926fd290f07398342c28e458978dad937

SHA512
20dc575e3b55f5097138896d7270253cc7e9b78115077d8f197862b1fc1ee0448e7f77bca12e8daaaa3597b3bde90e949575470f29c362075bb496dbbd1c4173

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
96KB

MD5
2526cbdee9ba8f5550676a290a1a118a

SHA1
8f17d2a26f6e86f66575276c9e0719019dd8e814

SHA256
447eec8524ead0d35684e1af2d4d3391c2a276964bea332b3a04118dd2a2a01c

SHA512
e2f231b3a762d8f6e16ec5a906195997ecd4dd88d7e6addf6f22afd5957f17d8cf36ff4c2a5cea189071af4d6606782689b0b784618eeb819db0fb816c4941e7

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
96KB

MD5
6dccb23b54a6cd1a2e6bdbbd08daa510

SHA1
59b26bfbf27d758b76ec7ca31da53b776f5f2f18

SHA256
b90137cd7167fc850e7996dc7c411fc901c931e86b330d04f398025096b24c62

SHA512
7d9f00c7416aedaaf2d5ba8142c70bac914ef6cbb500732bb07fa2c9be7ed8d0f60c129038be3be94b196d3f5f5a554718b91594d75e6404d3ead2463ded482b

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
96KB

MD5
78c822bbdcba714e24f3205d8e79853e

SHA1
9922321bf663dab99fcaa556c478ae7050a25bed

SHA256
5828f8f9b3b9532e62783379d17d8c8cbc6dd7f8725be940900a7e54b994b482

SHA512
27ef2b365103461c65abff1e9f18e002f60135f6d0b5a0d33b8284b06dac03dc1e9b6cc0ba790d6fe443418d0a2a1535b2388f6ede0940905e7b45f2757eca92

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
96KB

MD5
1784e65ba35d0c99fae008c9d4412bf3

SHA1
2fb3511fe16725d331c802183b06355da2c04d19

SHA256
defba44410df9fd4792e4e6c6566a082c9da4d3db7b80878a7ba9e1bdf275172

SHA512
88c8c62e23ca8a48d01f556d42c7fa3c5f96dd569a9d652a07e55fcbac2566d6988ef91f80c2f488885c9f596d3fd55d86c7c8b3626ed7df6d4e9bfa8cd716d7

Download Submit
memory/64-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/316-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/324-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/324-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/324-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/424-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/444-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/704-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads