berbew | 55c7ad39cc4ad4673bd5a4f0bc531aeec38ebf089bd82a0036428a2ba1592a6b

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2025 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55c7ad39cc4ad4673bd5a4f0bc531aeec38ebf089bd82a0036428a2ba1592a6bN.exe
Size

96KB
MD5

3125513feba561e73cc4a4e099986e10
SHA1

bc40ab4f8879e448cf36b72b97d43870ee4780c8
SHA256

55c7ad39cc4ad4673bd5a4f0bc531aeec38ebf089bd82a0036428a2ba1592a6b
SHA512

5bc4cff22de615b26bef15ecc710b6425c7e3515fd941d24192f639987fba8dce8d76aff6eb178c87e6e62576451a4b3cdb9c9320d988d362b0ce712a610ed6c
SSDEEP

1536:ORqvjWGAoaH/gAo132uVNbNjsJtW2LZ7RZObZUUWaegPYAW:ORetWHnozVNbNjsP7ZClUUWaeF

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	55c7ad39cc4ad4673bd5a4f0bc531aeec38ebf089bd82a0036428a2ba1592a6bN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2316	Nloiakho.exe
3976	Ncianepl.exe
4500	Nfgmjqop.exe
1920	Njciko32.exe
2560	Nnneknob.exe
3924	Nlaegk32.exe
760	Nckndeni.exe
856	Njefqo32.exe
456	Olcbmj32.exe
4704	Ocnjidkf.exe
3808	Ojgbfocc.exe
2200	Olfobjbg.exe
4404	Opakbi32.exe
1768	Ogkcpbam.exe
824	Ojjolnaq.exe
4412	Opdghh32.exe
1968	Ocbddc32.exe
1304	Ojllan32.exe
5028	Oqfdnhfk.exe
4344	Ogpmjb32.exe
4472	Olmeci32.exe
4260	Oddmdf32.exe
1600	Ofeilobp.exe
2644	Pnlaml32.exe
4092	Pqknig32.exe
3772	Pcijeb32.exe
60	Pfhfan32.exe
4784	Pqmjog32.exe
3876	Pclgkb32.exe
3440	Pjeoglgc.exe
4136	Pnakhkol.exe
4852	Pdkcde32.exe
5016	Pjhlml32.exe
1548	Pdmpje32.exe
3600	Pjjhbl32.exe
4388	Pnfdcjkg.exe
3052	Pcbmka32.exe
4464	Qqfmde32.exe
5032	Qjoankoi.exe
4992	Qddfkd32.exe
1652	Ajanck32.exe
1384	Aqkgpedc.exe
2508	Ageolo32.exe
1488	Ajckij32.exe
1248	Ambgef32.exe
4156	Aclpap32.exe
1948	Agglboim.exe
3460	Amddjegd.exe
3144	Acnlgp32.exe
2288	Afmhck32.exe
3316	Andqdh32.exe
4664	Aeniabfd.exe
1160	Acqimo32.exe
4348	Anfmjhmd.exe
3164	Aadifclh.exe
5088	Agoabn32.exe
5040	Bnhjohkb.exe
3308	Bcebhoii.exe
4856	Bnkgeg32.exe
3988	Baicac32.exe
2936	Bgcknmop.exe
2292	Bjagjhnc.exe
3904	Bmpcfdmg.exe
4112	Beglgani.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Olmeci32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	55c7ad39cc4ad4673bd5a4f0bc531aeec38ebf089bd82a0036428a2ba1592a6bN.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pqknig32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5140	3368	WerFault.exe	186

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55c7ad39cc4ad4673bd5a4f0bc531aeec38ebf089bd82a0036428a2ba1592a6bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	55c7ad39cc4ad4673bd5a4f0bc531aeec38ebf089bd82a0036428a2ba1592a6bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	55c7ad39cc4ad4673bd5a4f0bc531aeec38ebf089bd82a0036428a2ba1592a6bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	55c7ad39cc4ad4673bd5a4f0bc531aeec38ebf089bd82a0036428a2ba1592a6bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 2316	5056	55c7ad39cc4ad4673bd5a4f0bc531aeec38ebf089bd82a0036428a2ba1592a6bN.exe	82
PID 5056 wrote to memory of 2316	5056	55c7ad39cc4ad4673bd5a4f0bc531aeec38ebf089bd82a0036428a2ba1592a6bN.exe	82
PID 5056 wrote to memory of 2316	5056	55c7ad39cc4ad4673bd5a4f0bc531aeec38ebf089bd82a0036428a2ba1592a6bN.exe	82
PID 2316 wrote to memory of 3976	2316	Nloiakho.exe	83
PID 2316 wrote to memory of 3976	2316	Nloiakho.exe	83
PID 2316 wrote to memory of 3976	2316	Nloiakho.exe	83
PID 3976 wrote to memory of 4500	3976	Ncianepl.exe	84
PID 3976 wrote to memory of 4500	3976	Ncianepl.exe	84
PID 3976 wrote to memory of 4500	3976	Ncianepl.exe	84
PID 4500 wrote to memory of 1920	4500	Nfgmjqop.exe	85
PID 4500 wrote to memory of 1920	4500	Nfgmjqop.exe	85
PID 4500 wrote to memory of 1920	4500	Nfgmjqop.exe	85
PID 1920 wrote to memory of 2560	1920	Njciko32.exe	86
PID 1920 wrote to memory of 2560	1920	Njciko32.exe	86
PID 1920 wrote to memory of 2560	1920	Njciko32.exe	86
PID 2560 wrote to memory of 3924	2560	Nnneknob.exe	87
PID 2560 wrote to memory of 3924	2560	Nnneknob.exe	87
PID 2560 wrote to memory of 3924	2560	Nnneknob.exe	87
PID 3924 wrote to memory of 760	3924	Nlaegk32.exe	88
PID 3924 wrote to memory of 760	3924	Nlaegk32.exe	88
PID 3924 wrote to memory of 760	3924	Nlaegk32.exe	88
PID 760 wrote to memory of 856	760	Nckndeni.exe	89
PID 760 wrote to memory of 856	760	Nckndeni.exe	89
PID 760 wrote to memory of 856	760	Nckndeni.exe	89
PID 856 wrote to memory of 456	856	Njefqo32.exe	90
PID 856 wrote to memory of 456	856	Njefqo32.exe	90
PID 856 wrote to memory of 456	856	Njefqo32.exe	90
PID 456 wrote to memory of 4704	456	Olcbmj32.exe	91
PID 456 wrote to memory of 4704	456	Olcbmj32.exe	91
PID 456 wrote to memory of 4704	456	Olcbmj32.exe	91
PID 4704 wrote to memory of 3808	4704	Ocnjidkf.exe	92
PID 4704 wrote to memory of 3808	4704	Ocnjidkf.exe	92
PID 4704 wrote to memory of 3808	4704	Ocnjidkf.exe	92
PID 3808 wrote to memory of 2200	3808	Ojgbfocc.exe	93
PID 3808 wrote to memory of 2200	3808	Ojgbfocc.exe	93
PID 3808 wrote to memory of 2200	3808	Ojgbfocc.exe	93
PID 2200 wrote to memory of 4404	2200	Olfobjbg.exe	94
PID 2200 wrote to memory of 4404	2200	Olfobjbg.exe	94
PID 2200 wrote to memory of 4404	2200	Olfobjbg.exe	94
PID 4404 wrote to memory of 1768	4404	Opakbi32.exe	95
PID 4404 wrote to memory of 1768	4404	Opakbi32.exe	95
PID 4404 wrote to memory of 1768	4404	Opakbi32.exe	95
PID 1768 wrote to memory of 824	1768	Ogkcpbam.exe	96
PID 1768 wrote to memory of 824	1768	Ogkcpbam.exe	96
PID 1768 wrote to memory of 824	1768	Ogkcpbam.exe	96
PID 824 wrote to memory of 4412	824	Ojjolnaq.exe	97
PID 824 wrote to memory of 4412	824	Ojjolnaq.exe	97
PID 824 wrote to memory of 4412	824	Ojjolnaq.exe	97
PID 4412 wrote to memory of 1968	4412	Opdghh32.exe	98
PID 4412 wrote to memory of 1968	4412	Opdghh32.exe	98
PID 4412 wrote to memory of 1968	4412	Opdghh32.exe	98
PID 1968 wrote to memory of 1304	1968	Ocbddc32.exe	99
PID 1968 wrote to memory of 1304	1968	Ocbddc32.exe	99
PID 1968 wrote to memory of 1304	1968	Ocbddc32.exe	99
PID 1304 wrote to memory of 5028	1304	Ojllan32.exe	100
PID 1304 wrote to memory of 5028	1304	Ojllan32.exe	100
PID 1304 wrote to memory of 5028	1304	Ojllan32.exe	100
PID 5028 wrote to memory of 4344	5028	Oqfdnhfk.exe	101
PID 5028 wrote to memory of 4344	5028	Oqfdnhfk.exe	101
PID 5028 wrote to memory of 4344	5028	Oqfdnhfk.exe	101
PID 4344 wrote to memory of 4472	4344	Ogpmjb32.exe	102
PID 4344 wrote to memory of 4472	4344	Ogpmjb32.exe	102
PID 4344 wrote to memory of 4472	4344	Ogpmjb32.exe	102
PID 4472 wrote to memory of 4260	4472	Olmeci32.exe	103

C:\Users\Admin\AppData\Local\Temp\55c7ad39cc4ad4673bd5a4f0bc531aeec38ebf089bd82a0036428a2ba1592a6bN.exe
"C:\Users\Admin\AppData\Local\Temp\55c7ad39cc4ad4673bd5a4f0bc531aeec38ebf089bd82a0036428a2ba1592a6bN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\SysWOW64\Nloiakho.exe
  C:\Windows\system32\Nloiakho.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\Ncianepl.exe
    C:\Windows\system32\Ncianepl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\SysWOW64\Nfgmjqop.exe
      C:\Windows\system32\Nfgmjqop.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4500
    - - C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1920
      - C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        39⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        45⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1248
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        74⤵
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1892
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        78⤵
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3864
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        87⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        89⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        92⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3128
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        103⤵
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        106⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 404
        107⤵
        Program crash
        
        PID:5140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3368 -ip 3368
1⤵
PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
96KB

MD5
d10b42ef9b49fc9029bffb3745a1a2dd

SHA1
cc13d134a48845ab16b8393e45b0d3be06cbca6f

SHA256
33e17dc96ba5830367ff4c397db736ed86d91524faf49c9f627b6b74f5d73500

SHA512
0feef98e83d7a25c25487e394f6c5481b161ddf4261dbf2666456d6a978c24c003e1bab87846d3b4b893fdaac58924e96d79248c48e3024249a450612ec005fa

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
96KB

MD5
daa1c47e4ac7a1c27a0ac8b36a34032a

SHA1
7e7ea8e7dd76fa146a99218c18c2cf97666bd794

SHA256
11275fb9b50cf3a851d5761bc5d38eca3cfbd54782805270d68cc0f3c7dca0d2

SHA512
3711bf05b62dea8c393e91a5779766bf0e41dca20cd6b0fd97293f0d479c79f6c4040c65871e140e11aa9f95e9d7f51a73258e0f2301b1a24643c9e5e39de80f

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
96KB

MD5
c6e66d6c20e69ca548712ff39c770723

SHA1
3ae8a3396dbf7229f23de5db854346c79273bb3b

SHA256
8e27b245c2c6accc0f2f37cde344b605de45177bf0b31d69fd87b7e46e6229c3

SHA512
e3caea140cb5b686b0180d6af5885bafb045114ca582453897eacf0d214c85255f01a1651d2316f58b5c42aa33e975c10da0c57131f59c567cadda4d1e3a1c16

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
96KB

MD5
1865b024ddfd4888b9926cc646b35bd6

SHA1
34d92ce011a7f3521d9630150edc30de2682cc86

SHA256
3b659e20bedc645e7bba2698af6b6377ea52935af2910451c51d0fb1f04ef2eb

SHA512
3febe37e12ddeceb1440228b15fa47f2222ef275c256b26f876af01955dc1f642aa1acf0da7e2ba792b04a7d3b1ec04c54db07e50592e51b2b91e50adea9c862

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
96KB

MD5
b508fc77a898b5c6c1149f672c127a31

SHA1
e449d9fb020b61c37cf7aae21cf0fd69aff705fa

SHA256
d8ef618e5c6c389de65c69bab3834ebda66c0b43c7fd5068d6ea6747b3073a8f

SHA512
30da2f5b4629cffeb0992bd1dd186514c56be0a772fe89f19fde527abeee195b052c9851f75aef13e02a49bf3624eb9a4250de740c3de5201d9b71f7d79b990e

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
96KB

MD5
90c635b84a65f273ebdc278225337dc8

SHA1
4e049bddb150dcb6232e3d162b9389b75d9e7f99

SHA256
3997bddad2c6bd7fbb36872f6e9f77b0821b753d20442e9ab05ed43308ea6f6f

SHA512
c7eecf9dbbc9bc1506e1d81d864f34e89ee0d25940a3883291fd06ee870a3101e742679b006fe6ef4ff9332f850327811e8a13ae0a86a417335e0dc5c045b54a

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
96KB

MD5
045b35a1b0577b03a05d6fa65b51236f

SHA1
677d10fb4a7a8dd0e35594f8773328b2f31c98d5

SHA256
b7d2fc8688d805af741ea839e7fa6911541749316b010fdbb79f247bc87925c3

SHA512
55dcf20376249f0d4ccfd763fbc9d8c4b376bb798b75d41bcf7b5afcb00412db5069053716db0fa2eaa7218f092a00d057e1854a4e835f226cba4fd383946786

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
96KB

MD5
b47bea7dacb86423ed338aec4901f615

SHA1
cc794efc58054c5cdd1918bd8b6bfb80446fdaaa

SHA256
b2d826f30ff2246be7a007537e79244368d32a38bc1b6a03fc38b3f61f6d4bce

SHA512
830711975996a348d0272d7cd5de263785cc864262e37a5bc362b7007bc30d6afbb5d83997ad59b1d4112593e5a5087163d62fbfa3d921ea6a8441f8b53a003e

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
96KB

MD5
3d13c3194138342061cf6dd5cb794428

SHA1
0f1aa42b45dced8e951b5787f595d220944d50e3

SHA256
e3d608fee2e01b79d0e6278d69b261e5aa614dbd93aef1d8c716811b9331dcb6

SHA512
2b46cf737189128a7834d8ad0df8d4bb830634affa79d09f47b348212c04a7790e754b90d43d43ad7b3f7a530a3d9e262030189c26852937f0ada5c079b75335

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
96KB

MD5
b0a133160d86132640c3aa274d8858e8

SHA1
d1aca2ede487e2ecdb6997924d4af23f8d4efa68

SHA256
41ca318eb25a1aad46b05c098294de912421803431fe2b480e84a4b603b6d39a

SHA512
7fb8c0a518c9a10d72bc98a5b50134cc69d0363d82d1928d72dfbcc0a477d0fbd15712e360a4801cfd29e6812321f0a1bd94f9ffa9751e48ba254398c768169b

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
96KB

MD5
0d082ed56845da706ee4d55ae9b18dbb

SHA1
fd2846ffc38ff440c0cdada53fc84819d6ed724d

SHA256
be340ed4c3a4fe2837e2b1c6ff4912eb0931db731f7bd380ad6acfd07e24de41

SHA512
6863113661e70d1f9578cf0060d5e11693872ad8557ca5ad2257f5d15951b438072f214914d76418257ade937da554b475c9ebf6a8a4ed969c4efd2d624fcca2

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
96KB

MD5
cfc0d69694421395c958b852aa2af3ae

SHA1
d26ff58fc1a720ce7b3de3e81533f1e48efa9a37

SHA256
2e56595136c82e13f849bd44bfb655ec98fe24f1c85744f757bae58323185cb6

SHA512
6a62d5aa605f58a223b14a52fa05e7d8d2dc37b9e64d601c18593fb708a585f54aaa9756677554d05c903287d912f7c0afab67487d48d5face9fbedcd9a4dbe8

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
96KB

MD5
51ba79647d16fc421dc5be28812e12d9

SHA1
171b1f8145ffd783b2679c9d744cfa871c8a8b33

SHA256
7af49074d562ba9d33df35f907ee0dd0e3dcea8cd531492525f4bb76aa1ef834

SHA512
1ea8ddb6b08d5c7c4181c14af1505622a09bf0dbb7b3ebc9786288a909e1e4a06b56448a27503c7ea893f7977db64c3a76c436c82c849f547066045f1769b47f

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
96KB

MD5
7e9f32a9cbff81f3dfba4adbcc46cec7

SHA1
8234c0a484c107db87e6cf606f2c087112210c65

SHA256
a462343e548785b2e43f50ddab2772d15fb0bd49d0a6ff8e3fbd2ba7ee4918eb

SHA512
a7994dc35040d2333f88cfb409d0bc3714d94c42a64e1616d9331e1a042de4fb7529eb0f1174a0a344f05c604f645600446455b937f3a3d686e82836916c947b

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
96KB

MD5
fb303de87b602779115e7cc1d9ebc4d9

SHA1
72697ff0c2893355f57b2e66bf36b79d7b0b3896

SHA256
14abb34ede0b0996c2e064da0895c19e22c09d9eef40aacd39331be839feb19a

SHA512
79a971be7fd8e01a0853ec0645bae2e238fc1e4cc8f03fba4143e8caf9504629a6f6a3fdf379d300b85cfff8dca91e64c3558a0e5d2795776c67501b7032d220

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
64KB

MD5
1a1d8b36238ec43acfa20cfe42a7730d

SHA1
328946653da2e2093c5f48a438b5721582f9a996

SHA256
57686fcc37c8200b4cbe5f9fab51131079a7e74a676d6c57523d9d96b7323d77

SHA512
c5c4fbb9af526ddc37fe0cc0ebc97fbf58db6c844be9f206a570cbd743b1c97a6d0fbef3f9389f0c8ebbc4a70ea87549a3c97e48c509e69cfbb37c87d12bda5c

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
96KB

MD5
13382edc37eaaaee3c32f61247dbb4f0

SHA1
a8bda670512b235957ef7e796c870ebddf15b456

SHA256
4b416b04e6c383039baec38b52d4c2663442e7e906c22e4f5a4c8f983c5fb569

SHA512
f4136c9826ceb4a6d283458b0f75cfe39ec3652084fe8d3c6aa678547df4d98bf85c6c68038bd950310d4bb55d9d48f113996b7b9202ba48ad49d5913ed2a96e

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
96KB

MD5
90ca6ca127c18c98a1c6a10207bd1c3d

SHA1
e1f8e06c93a4fb4b789debd12a65c965b3e4fec2

SHA256
c7319dedcc952b57cc899e8286493f22b29751565a97fa3b215f85b9355c2fdf

SHA512
d233c71a49436793d997e6021011c6a6abf64a78d93e90815dfca4d915de4e51e24311a5006e19407963ce194c6e7032c4e0dd973248954e1a3b3627603e7abc

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
96KB

MD5
345fd5570f95e0360ae35786d6215fa3

SHA1
bf6873ea67c339ba1c7531d20112b20bfc3c48e3

SHA256
31830e1bed2902fb80897fef5a71e41b8b57b25835d3eb47314410013ec579e7

SHA512
74cf22f54bc0f64d54475907f6f6302f843e5b23097ab802dd8d2a10c2e294894d847521d5d3994ea146fc4ac469a9624fc9808af66b150216d8019848514fbf

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
96KB

MD5
a222085c563e182328455d188f3a7d3d

SHA1
794b9afbcc55598090e5ad370582680e0ee347b3

SHA256
336fa1f96dcce8ef558a8f3334b48fe6b5f8924fa8f2e0fdb133bb3ef9abc84e

SHA512
e0496e376590e4510db00a59121398dd90ad4530a2c8f3391ab7aedfb47931f8a78e8f5a0da04fd7190001c6f9e44af5ac7ec4a8e744454b5e989c15c51408e6

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
96KB

MD5
db5f4473088935fb17799820584830c2

SHA1
5e51c7c88c068f88044012987e0557523777c738

SHA256
7a3adff9ef87108def9df50f25596bedeb5d52a5bc4ddd8f1d8c1b813a22a120

SHA512
1a0ef7f55112ac01349422026213caf994d6a8947e9b7e1f1a7d5bba9773e3052804a91b3c393df197692d6f744ed149d0e1f91cb5ff9a24652a7cadeab0df65

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
96KB

MD5
a434ac30dfbac8fa8a86e2348fa3cf87

SHA1
a3e4ba892551ba7ee2639b364652ae37b17e7a3f

SHA256
6f632046a8636fe56b03319355ce34d577948c46de20f1c4d5dcc204a8e06cc6

SHA512
4392e736f20572f98ea382dcaa6dfe04456d5434c1991962f7317ac419279ccbd329a942b318c479899191a23d31541cfdf0761336391fb6262a292447dd6a90

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
96KB

MD5
51dcf25795c6aaaf552da68035509949

SHA1
3cea18244acb643797ae51cc03762a1c5faf2e8b

SHA256
e63a7a7ab3f29d1b6c4f72f78978e95009c75cd0fcda4f5dba47efbdf2f04760

SHA512
72a5e85d8de1d5c3911b3ffe84902bbac2c428522903a963695a9f550d3e330a9c7b6e938511b4fe87e90de6a4fb5430358b644d3ba72f8a8322abaef8bf5a6e

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
96KB

MD5
7c78df2765cc7b8da52c764e822f3f55

SHA1
d46e086fb49c7785181a0025fe603fa2f5d070cb

SHA256
1f36b5154f8ecea0a79b797d8b6ee6d014806110a4b16defee099aa94ee4defa

SHA512
38438808a097a8fb55eb704f31e656d33b8a0390d9119e278131ef347dcd17b9cd85c607da6a6fac864d7856ca1eab1f0b059eeafae9705f2866d60bce84818d

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
96KB

MD5
a3219cfac94efd17b389896740e2cc49

SHA1
0343d661385eda0936a2c463a6d3c827c7d27c60

SHA256
e69fb51d45c65c14bd19bb9d7218d38398140ace35bcfc3f8d2db90ced1be8ae

SHA512
69d0bd2ebcdab07f7f632d1137e3d197f9ed76075f8b7c7cf10a062299802b3a591fb9ec15695547488d263debd1923dc568108b450304c746cc198b921c7953

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
96KB

MD5
b99ce3dd91cc3f44850a91ac19de06b3

SHA1
c19dcf257f5ef03df47e1c4ec6cf1f7c9c2e84ba

SHA256
c8b076ad271ef596738f7eae6f38ebecb1d0595055551c7dc7d3d21cf4f61acb

SHA512
de4dd86464bf6a347b9bac27e8e1de3968252acac583f97783d1260530be8e8d2173489dabebb2e625ca8898b657e934d85ca29b8f7e37195329f9d9a7e21d0b

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
96KB

MD5
62c0ea55887da36295d39129c9e455c6

SHA1
01bbad7ff1b71f220438cfdc24645737a97eaa85

SHA256
6d96c6d1f30ddb86687d1a171ba9f7603479988a251cb5f1d2c4c56dacd0e42f

SHA512
e6aaaf9ec14be1f20c21de5c8a77ac1c20ba2c76e2be4639ea215cf7bab69cc4fd97cc86b1165749616dadf14a9fb999426b69148634616d2ff9c9c846e207ab

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
96KB

MD5
babc144a6ea3cef353697c22ac56a81d

SHA1
328a290ddceca1f748540dd79b1ae84247715acb

SHA256
ae307925e2f08c66186421d8820711b729f56d80eb0ec707b4d1eda422d5a0f7

SHA512
8648acdabc92027f4f02051fb01c73c677512395c0b79aee4ad5696529c8f69ee0369867f89008278cfc80e3e9aca72b4ad71afb6f68f91067df2cb8cf6d8d8e

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
96KB

MD5
156e1df95c7942e34e8c025945659a7c

SHA1
f9afd9c0ef4cd8ba7d80eb2e53f9b70f29c328ab

SHA256
0144c5d99affbf68f940aaa38cbadcc061febcc18f2e6a005af29fdb65e8d21e

SHA512
b677f14638ec3e8d7c0f9d66fc601e9069305e166f3114708916d6e1b3e09db1779b9a881a9cf3aa453ed9d7f4299555efa0fc06213c85a0565b41fd9930d758

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
96KB

MD5
b05f1427b5eb4c626f1e0d04cfa35d28

SHA1
ad35fd1f5cb25505d254aab183ee116bbbbc8e23

SHA256
a35734b340fe012f82a0ba87a337a5222c7f52f2eb370f1a73eb7eeda0470e4b

SHA512
a8f3f1301e50eb8a54d10a0f5d4438451570a5aa7d37259730ae4bfc30e4d8e857d6325887da9dcedb6882fc320d5a46fe42c6f31ab518c1ca47fbc3a645f910

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
96KB

MD5
c121883231ec2838a160d8ec5504c270

SHA1
698c2d3df4e38d217ad8bb0cc0c0e0cb1339adf4

SHA256
3adc986ccb1da5c60f7a15635d1c17c410541617b2cf74878b5c18643b4c9200

SHA512
96924b6db53acf42fafd6abd21d1646116b48569120ba71cf0a6f8125a0c5363eb2f603bee4b1802691189dd3835cf2b8db9ee49c9b5f6d1662d5b5fa9161b6f

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
96KB

MD5
edbe39b13ef7f2aa4b52c91b095c2fef

SHA1
118a80eae40d0d69b617de5539cc59854722fb49

SHA256
eb798dd0c7a9e06107eed2e6ff9257425bff7a53ad2ada21fa0c81e1f53d3d55

SHA512
7837a3bdf70eb4b054c532630b15e8754351a4ed4ef2d9519fff0bab60ebca82747f4989fcfd8207989903aa3843ca31fdbff1a3bc683e9c27997c683c320414

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
96KB

MD5
6e041ba67ad25d3ea0432536364b54a1

SHA1
d96a9f8cd76eef9ace20f26a4ac637640a1fcd60

SHA256
e53612402875d9350d8becdd0b9fc24752d6e2931d0a46eaf0953f77e6e151b3

SHA512
8d67fe81ea53450c6a817152668649e1d7b2da56ae3f457b67c8aa12908b13aa1b8ac414b84a19f25559d19531ad300743a7fa4e225b736f29e406089eee2399

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
96KB

MD5
e1305e73fbf07f657bd7dc24d3125352

SHA1
c9e4aa933a5af9b1c95b579d9aaec0810c9c4bdb

SHA256
0c5631bda0fb8b19af4c505e41f62cb8b017e4078896570331922810567e80d4

SHA512
ff97c8e9a2ec3cf35332a7eb89f39d8936742e2f77511b0a031419029875f804a8f4579b00b806e1b42472d85cca20f18a59b90888cb7cd17885bd24f10a5bbd

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
96KB

MD5
a07d1dc478a92064811959ed7d53581e

SHA1
bd0afff0140ca27d9fa5e3576a2fb3472177c78d

SHA256
78e35feff016697d1292e86ae4d0c4aba76c1953fa1f0e0e05ae796ed729c809

SHA512
62fcdff41e8d8ea755e5e83ed2ea1945ef829307c3fad385c474543dc208495c08f8b1f4305fec0c97581c77663a21de96632816956d22152d812ee29b29b7f5

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
96KB

MD5
8c8e2435a0d6d4979056dae9ad4dbce1

SHA1
d3ea97eb260330d41a7dad6e7cd68660dd2c1db9

SHA256
f7bec09578973292bbf34e581aa1460356354af211402cc9c69909238c56fd69

SHA512
798e65ca08ab9459bb1bdafe0086279ced12ca87a7d5483e827d6b551cd44a16001119643aa131939c0804a63998859cb98c28444cefd218b12a4ac305599744

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
96KB

MD5
9f628629ed10d8da8be781b2e229a6cc

SHA1
9d55c393ea1691a3c8607a80eff5fe53398038d5

SHA256
0b1258017ddcda01fb27c1fbf13b31d1b4754f3edd0cf93ce5558f0b36e15499

SHA512
aff660ed44a4c51e7c7299d2d3a4be276110461d1323dc06bca83358321d50bca136037c0f8cc5a8dac899a68b2ee93bdad53d893c878b95b9765c1c428d5bf5

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
96KB

MD5
b34eb463ade4583391ee4b99515fefb3

SHA1
12daa65389a9f105f03d6c35d7bdabaa7687720c

SHA256
8cce99a362c27558086c079b8adb17a66e50473787fd3858ba8060746c3498eb

SHA512
f44331d23c25f293ae826ff387b8fc244a94b5eb971db7e51a7a59347ae02bf4c2b6cca8dcbf235dc72610696fb81abadddb3b6b3b8fb3bf0bce4c8e52fbfd7b

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
96KB

MD5
87a3b9640f8388294e717045169d8b6f

SHA1
2a318fe2b7a1c3cbe75e801780e9ff3ad83affa1

SHA256
a3f4f4b2e8429e2645900416a887b458cd2bc299cae00903ada90ee5d0bbccbd

SHA512
b0b8a2bb99a91469b7e5b25ff5fc5654ab5218caa7891ca46231890ce5d2469ac09c9f67b22acbc228723a42df1d320ff68db6ca501108eabab05b93a5551908

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
96KB

MD5
0babf1a58918125dfb8a8e2b06c115aa

SHA1
553c8c85997575e13994ad45e6d1d5252fcbec99

SHA256
60e308c7f41daf87b01815701f5819cf724e50c24cd67cb23a56242f705856eb

SHA512
f97fcbde996fadc250b6a64d825260b4d7fad379a12b056d8321f6b842ad07cd4652c3500ea9d71870982709403bb8ef5a4de5b0a17368a26aa1b2969bc01f14

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
96KB

MD5
c64dc2ca82601387dbbc1d38f50f0f57

SHA1
8d188049a46bde3f822fe956c9e3a2496a20b4a0

SHA256
2fc0aca44e30de25f419e7b11b725053dbad218731f3e2111e6bb58cf67c3172

SHA512
a3d713d6ef94197a310b25bc47ab398156efd2e7cc6ad340a97907f1b92cc8291efd650d71d91dc7d2d73d4deeaa8b087188f2cdaea200313932c4662ed6bd4a

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
96KB

MD5
a75cb72ddede43bf71aceaeb03c980f0

SHA1
5be822f7a48eec78f854b143e82d14fab6055f29

SHA256
9750f1cec39ca8a67e797440a124f4b544b2c6f1a46fd1747e0ad7eebcfe17d5

SHA512
e75c8681dc8ed438f5875b347d118eb5460227519b831a80fd34d85564ba872e527453d453d01e151d5967abc40cff6ee81c1e731e40dc7337e1931af16dc2ed

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
96KB

MD5
ed128ad8922e01be344db8a599dad2f6

SHA1
8d9ac9a6bfad7e43e72228454675e0de192ec839

SHA256
89cf629cd5e3967bed9680edcbddc59032cf082602c8e11bc5d899de3e7147e1

SHA512
863eff03e972c87b534d094ffdf2b94b0213182b1427de7562a322f24aeebb6bbf7219b6ed69c79148ff7f35fc8d62c0b61ca6dfc2fae5175ddd6fa2e9bef767

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
96KB

MD5
eaeb4b4a8ea289779cbfb9bb1067c194

SHA1
bb88f4f957b066f80bd3de161a5d0808278590ca

SHA256
ed13932af216aa60cd9fcb61d343c0f7db9571d2f3cd3f43b31117a1c1dccf72

SHA512
2a81c4debc5f06d376add8ba6ae40925d21681f37b489ea3d33da4d8b8b0ce8f322817f022ed35325cf9d698a1221863f1e320eb5c08e730e979a7ce11b1769c

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
96KB

MD5
bd11844982028dbed2d82706ffadf612

SHA1
2dcd9fc0cc104f469a3be176cd69c48edfbf049a

SHA256
5f7006bd5ef8b4570f43abfc6bbca7cbbf0f8044a556ba81a66c7d0ca14ee687

SHA512
e7500e67a4dcb1476f161ae1df11c378d748e0e9239109a24c7f5d365499b5a48e19680b4730ee061c1b995bfe5879fd010ddbd444c54aa63b0c6d88a6da5c18

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
96KB

MD5
7018be2998384ac43122ba5db73ab996

SHA1
df9fb3efcf0ed116f2eaf2631e317a71f80fa3f1

SHA256
6b57a9ee5c673e993c8e965cc2cfe60bc2eafa8d739583f281515934f2be3fc4

SHA512
ffb775d021fbfe46d82516ad39104e40440ba2ae3148be51db73b9b9ae5d2cde82a34198ab30a936c6af1d0bcb8509690fb03fa97e9a04aecea4bff186f7b445

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
96KB

MD5
201acb8ff8dfe724e35f1e4e44527235

SHA1
9620acd9df011273aee348c6de226173ac291a8b

SHA256
f9bea25754a93c0934bae7e4952dcb167d74a8a10af49173feaa72bae97c5e1d

SHA512
b33e4113a96ea4aba1c9af6f74256e63075bd8c1d3e7482f2553d8ba8f4993c198b6776da1f7505e0424be1885e70990e57d73865455f64b9853df1aa7f9a5ea

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
96KB

MD5
b03a093a94ff62928afa1f440cdd6792

SHA1
6b61f3138b293cb0d587979eb59aa5435674df8f

SHA256
a5c272e77f2a55a4628fab9bca6bb7b29a74641518525498cb76fab46afda0c3

SHA512
2326f12e11f2eeace312d914a1b799ebe68c0469774cb594acb4069f6a6e1be1c3ec72d011381a2ade9f56b1e257b87254552b24a247077e1603c48ad59bf6af

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
96KB

MD5
a6523f7872443402470a5e3391d196d4

SHA1
e70c4904baf50ece7aea3a5e25ccb52b6cb931c9

SHA256
da828f487b77349bb01f8095066774eeb44c9daf28c618697205fc9c9c299dc1

SHA512
2b018c4442796552929c9284f56e23fced8fe24579cdb542eb612d009721222478e44454b9ccdf15240136d3dc2fa9e72a5107371dfcd8ae9ad2d26eba8d2a26

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
96KB

MD5
a848037e7fa0ac648db40c9326a82af9

SHA1
b16120bfa333542081540b3aa8e4a9cdda536cb6

SHA256
63b771ff8519461e25e5252e7bef322cc22fef599dff1ea09a8229ddcc08abda

SHA512
c083c6c71de755f28ab41af34eaad35d5098ece10f9ba52ac7fbf7e94f8295768f1d4a044029b74dfb2300d2a6fbc3d8cb26844da3364f45c41fc1650b28be0c

Download Submit
memory/60-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-786-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3744-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3808-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4156-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/5088-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads