berbew | 9059af192797a64eddcdc70f9669f065fdf5db12b16d41806e3481f26ff0e920

Analysis

max time kernel
94s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9059af192797a64eddcdc70f9669f065fdf5db12b16d41806e3481f26ff0e920.exe
Size

92KB
MD5

c31c7eb36ab08fcf0e5b839a235f7aff
SHA1

eb672578a15fb09c7f76d79b34914677cb9a9890
SHA256

9059af192797a64eddcdc70f9669f065fdf5db12b16d41806e3481f26ff0e920
SHA512

9f3963555bdb123b6703b2f13749d6707c2a4db76127ea372cceaccce89bdf71701c2333408f27d866ff65bcb1acaceee8a5d12b3509211187bdbf8f0506710a
SSDEEP

1536:QYyMht0WkZODwK+tix3+YUWmNZAbCSkaFxrktpD6FyCO0N3imnunGP+y:QYyMwWkQ0damZzWEGyl0Vbe4+y

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2848	Ngpccdlj.exe
1956	Njnpppkn.exe
768	Nphhmj32.exe
1612	Ngbpidjh.exe
2988	Njqmepik.exe
4704	Npjebj32.exe
1616	Ncianepl.exe
4784	Njciko32.exe
3012	Nlaegk32.exe
3572	Nckndeni.exe
432	Nfjjppmm.exe
3640	Nnqbanmo.exe
3596	Olcbmj32.exe
4120	Odkjng32.exe
2240	Ogifjcdp.exe
4292	Oncofm32.exe
1672	Odmgcgbi.exe
2720	Ogkcpbam.exe
3912	Oneklm32.exe
3228	Odocigqg.exe
1700	Ofqpqo32.exe
532	Olkhmi32.exe
448	Ocdqjceo.exe
4912	Ofcmfodb.exe
772	Onjegled.exe
4336	Oddmdf32.exe
1808	Ogbipa32.exe
4304	Ojaelm32.exe
2512	Pmoahijl.exe
4792	Pcijeb32.exe
4428	Pjcbbmif.exe
412	Pnonbk32.exe
2060	Pdifoehl.exe
2004	Pggbkagp.exe
116	Pjeoglgc.exe
3940	Pnakhkol.exe
3188	Pdkcde32.exe
1328	Pgioqq32.exe
1068	Pjhlml32.exe
3184	Pncgmkmj.exe
2944	Pqbdjfln.exe
4728	Pgllfp32.exe
2384	Pnfdcjkg.exe
4840	Pqdqof32.exe
3956	Pcbmka32.exe
3076	Pgnilpah.exe
4504	Pjmehkqk.exe
3724	Qmkadgpo.exe
1040	Qdbiedpa.exe
4548	Qgqeappe.exe
372	Qjoankoi.exe
4384	Qmmnjfnl.exe
4532	Qddfkd32.exe
1528	Qffbbldm.exe
2276	Anmjcieo.exe
1688	Adgbpc32.exe
4444	Ageolo32.exe
1272	Ajckij32.exe
1676	Ambgef32.exe
2700	Aeiofcji.exe
2068	Afjlnk32.exe
3424	Ajfhnjhq.exe
4776	Amddjegd.exe
1864	Aeklkchg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	9059af192797a64eddcdc70f9669f065fdf5db12b16d41806e3481f26ff0e920.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Njciko32.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Njqmepik.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6308	6192	WerFault.exe	221

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9059af192797a64eddcdc70f9669f065fdf5db12b16d41806e3481f26ff0e920.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	9059af192797a64eddcdc70f9669f065fdf5db12b16d41806e3481f26ff0e920.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ambgef32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 2848	4836	9059af192797a64eddcdc70f9669f065fdf5db12b16d41806e3481f26ff0e920.exe	86
PID 4836 wrote to memory of 2848	4836	9059af192797a64eddcdc70f9669f065fdf5db12b16d41806e3481f26ff0e920.exe	86
PID 4836 wrote to memory of 2848	4836	9059af192797a64eddcdc70f9669f065fdf5db12b16d41806e3481f26ff0e920.exe	86
PID 2848 wrote to memory of 1956	2848	Ngpccdlj.exe	87
PID 2848 wrote to memory of 1956	2848	Ngpccdlj.exe	87
PID 2848 wrote to memory of 1956	2848	Ngpccdlj.exe	87
PID 1956 wrote to memory of 768	1956	Njnpppkn.exe	88
PID 1956 wrote to memory of 768	1956	Njnpppkn.exe	88
PID 1956 wrote to memory of 768	1956	Njnpppkn.exe	88
PID 768 wrote to memory of 1612	768	Nphhmj32.exe	89
PID 768 wrote to memory of 1612	768	Nphhmj32.exe	89
PID 768 wrote to memory of 1612	768	Nphhmj32.exe	89
PID 1612 wrote to memory of 2988	1612	Ngbpidjh.exe	90
PID 1612 wrote to memory of 2988	1612	Ngbpidjh.exe	90
PID 1612 wrote to memory of 2988	1612	Ngbpidjh.exe	90
PID 2988 wrote to memory of 4704	2988	Njqmepik.exe	91
PID 2988 wrote to memory of 4704	2988	Njqmepik.exe	91
PID 2988 wrote to memory of 4704	2988	Njqmepik.exe	91
PID 4704 wrote to memory of 1616	4704	Npjebj32.exe	92
PID 4704 wrote to memory of 1616	4704	Npjebj32.exe	92
PID 4704 wrote to memory of 1616	4704	Npjebj32.exe	92
PID 1616 wrote to memory of 4784	1616	Ncianepl.exe	93
PID 1616 wrote to memory of 4784	1616	Ncianepl.exe	93
PID 1616 wrote to memory of 4784	1616	Ncianepl.exe	93
PID 4784 wrote to memory of 3012	4784	Njciko32.exe	94
PID 4784 wrote to memory of 3012	4784	Njciko32.exe	94
PID 4784 wrote to memory of 3012	4784	Njciko32.exe	94
PID 3012 wrote to memory of 3572	3012	Nlaegk32.exe	95
PID 3012 wrote to memory of 3572	3012	Nlaegk32.exe	95
PID 3012 wrote to memory of 3572	3012	Nlaegk32.exe	95
PID 3572 wrote to memory of 432	3572	Nckndeni.exe	96
PID 3572 wrote to memory of 432	3572	Nckndeni.exe	96
PID 3572 wrote to memory of 432	3572	Nckndeni.exe	96
PID 432 wrote to memory of 3640	432	Nfjjppmm.exe	97
PID 432 wrote to memory of 3640	432	Nfjjppmm.exe	97
PID 432 wrote to memory of 3640	432	Nfjjppmm.exe	97
PID 3640 wrote to memory of 3596	3640	Nnqbanmo.exe	98
PID 3640 wrote to memory of 3596	3640	Nnqbanmo.exe	98
PID 3640 wrote to memory of 3596	3640	Nnqbanmo.exe	98
PID 3596 wrote to memory of 4120	3596	Olcbmj32.exe	99
PID 3596 wrote to memory of 4120	3596	Olcbmj32.exe	99
PID 3596 wrote to memory of 4120	3596	Olcbmj32.exe	99
PID 4120 wrote to memory of 2240	4120	Odkjng32.exe	101
PID 4120 wrote to memory of 2240	4120	Odkjng32.exe	101
PID 4120 wrote to memory of 2240	4120	Odkjng32.exe	101
PID 2240 wrote to memory of 4292	2240	Ogifjcdp.exe	102
PID 2240 wrote to memory of 4292	2240	Ogifjcdp.exe	102
PID 2240 wrote to memory of 4292	2240	Ogifjcdp.exe	102
PID 4292 wrote to memory of 1672	4292	Oncofm32.exe	103
PID 4292 wrote to memory of 1672	4292	Oncofm32.exe	103
PID 4292 wrote to memory of 1672	4292	Oncofm32.exe	103
PID 1672 wrote to memory of 2720	1672	Odmgcgbi.exe	104
PID 1672 wrote to memory of 2720	1672	Odmgcgbi.exe	104
PID 1672 wrote to memory of 2720	1672	Odmgcgbi.exe	104
PID 2720 wrote to memory of 3912	2720	Ogkcpbam.exe	106
PID 2720 wrote to memory of 3912	2720	Ogkcpbam.exe	106
PID 2720 wrote to memory of 3912	2720	Ogkcpbam.exe	106
PID 3912 wrote to memory of 3228	3912	Oneklm32.exe	107
PID 3912 wrote to memory of 3228	3912	Oneklm32.exe	107
PID 3912 wrote to memory of 3228	3912	Oneklm32.exe	107
PID 3228 wrote to memory of 1700	3228	Odocigqg.exe	108
PID 3228 wrote to memory of 1700	3228	Odocigqg.exe	108
PID 3228 wrote to memory of 1700	3228	Odocigqg.exe	108
PID 1700 wrote to memory of 532	1700	Ofqpqo32.exe	110

C:\Users\Admin\AppData\Local\Temp\9059af192797a64eddcdc70f9669f065fdf5db12b16d41806e3481f26ff0e920.exe
"C:\Users\Admin\AppData\Local\Temp\9059af192797a64eddcdc70f9669f065fdf5db12b16d41806e3481f26ff0e920.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\SysWOW64\Ngpccdlj.exe
  C:\Windows\system32\Ngpccdlj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\Njnpppkn.exe
    C:\Windows\system32\Njnpppkn.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\SysWOW64\Nphhmj32.exe
      C:\Windows\system32\Nphhmj32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4304
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        39⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        47⤵
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        49⤵
        Executes dropped EXE
        
        PID:3724
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        57⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        61⤵
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        68⤵
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        77⤵
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        78⤵
        Drops file in System32 directory
        
        PID:3472
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        81⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        82⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        84⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        85⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        87⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5972
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        108⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:6072
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        114⤵
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        116⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        118⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        120⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5540
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        125⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:6148
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        130⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6192 -s 408
        131⤵
        Program crash
        
        PID:6308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6192 -ip 6192
1⤵
PID:6276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
92KB

MD5
1f7e337f5a1d508ea1cb01e12e16d793

SHA1
d66f225b70c0f9b15fa8534e4d9367762eed46d9

SHA256
31b3caabca6d1408dfe67f7865109704faa7a134e9f6ff2b8fe8668d85dc9d47

SHA512
57d40c4e75dc323eed0dd7635a7134b7eb0524b104b4287f0586fb594aecd016978caca0569bc51598764ef5d313622a9cab2100b54612a917b1a058ad1e4cd0

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
92KB

MD5
0a09a89451097a954606b978738e4c77

SHA1
52955926e095bc4ce376e708232b59701a7eb22f

SHA256
ae377e75936fce90c7ce8a8fdbbcb68fd027cd74a3e243c1d813b17cc3d2aaf5

SHA512
ff5e043d4ffd8b75f5f6d93d17bd8b62bbd224a8767fe92736fb5f00b8c01db462355e95664e921b3889d13ff195383fcc20d685278d684d44c2d2daf21bb157

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
92KB

MD5
361a814654d6679d4519751bd5aaeec6

SHA1
eee0dfc916278919cf7b1a54a5bcad5c144e6f66

SHA256
dffcf59cddbb2b0bf64418f24ac42cc02c53c9632adfaf4367514bd6803b20ee

SHA512
606e59cc6b8cbc69009f4f3d6c5aaa8d27aee7d31d88ea2e9fe53ce3d063bb2ee565a3518e13eaa28d390aad547c2cf51fc0cb3ade8aaa2c1812019df955dbc6

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
92KB

MD5
02820665d675103e2a3b1ff08bfd7838

SHA1
af993479b4c6673716110ba24465399185837f56

SHA256
a49c45c1e7bd6ed08b0f6a2fbfe4760b59a08c15680bc3967db09e7d82c0bbbd

SHA512
233b19ca44b79e033326e4c3e4776ce6bc62c5fc7107864352f00ce9504e01edf68537664020d3aa9eb340250085493aad071873d98c97f9c8c71a4df7541e7f

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
92KB

MD5
ea8074aedaf77dee1a20b4bd2ee85864

SHA1
97b480bc42eead6c6df599f1041de7c5d8b281ae

SHA256
2027e699c27b3a161b2b3367dc2f208df30e953e560e5239c724047d0cd50b64

SHA512
f5bdf0bf90098231404a21c0a162fb1d205a2c39217d3d9752483121699a24e9f32c7c5ea00923e1da338d9872c0caec9056d601ffc8a09b6c4bf0c0baf25129

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
92KB

MD5
85fa23b99d16a3c9f3fdc092b561455f

SHA1
85b79ac6d48319223470ee2c99a1b57380d55932

SHA256
76653c9bd991134b0a8ae56344ba34e766477cf95f8edcfe70d23becb7b4dc46

SHA512
8465cb4549d252538d01eec843fa7fa8be01409dff0e3f9ccd6b395b0f507f617e25428121c2b93afd8395845404e99188e37cfd0685c9221127c79f9624a561

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
92KB

MD5
4f17965391ece98173ead0c12a9f93f0

SHA1
b602967c5c9453922b2609ade69b856ee4d11bc9

SHA256
80bcd051e1a6cf264bc4a0411c5169e2831c42e2ccb3378ecc3d201f64ab28ec

SHA512
efa471dbc32be6bb8332656a1ffba9873949d8ed3cfb43b0f8e9e1d6b2a09ea6229536384e09f6100aa5077c3bc04ef62ae98aaee5b60300a780356bf8027fac

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
92KB

MD5
2c8f047d6233c893614e54dcb1456534

SHA1
59570f5e631a56e8507f73622bea7f24192c8f46

SHA256
12de4f46a9815cbd5fdc5f1050406f0e3ae18f7d569d48c0651ff1e5d4ce265e

SHA512
3b8fe1cf03b9a3caa357441b781cf04611b5e817cb9eea5c11a31998722d7ae353c065d0be848aa509308821df567dcb4edfd02dd001cac3bb42a03969b50660

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
92KB

MD5
e5c31825ea620bc2b98d293fccc913f5

SHA1
b4a7272c4891698fc606deb6207c63700bacfbed

SHA256
9db9b7d742bd62d55268b7ca7f4bebd882cb52a201c1de98aa69ae60e7949e16

SHA512
e3d2459d8c2a5dcd3c39729ba96031f62f465d205a061611ecd704ce75d897df02df287efe00718544ed59fb7374da36b51724f55c63c3d836734edca5a53461

Download Submit
C:\Windows\SysWOW64\Gbdhjm32.dll

Filesize
7KB

MD5
78ed8112ad0b14b54d958348b6d862bf

SHA1
3dfb62633055a41dfb142cf493be10f26302384a

SHA256
722971e2ab612a6f58645c5751d65f8984f2da1238c284ffbe06351b3e1edd96

SHA512
2789a472e5437e315ce689da0bb835c9988aa669c8ace8b3b6ac511c8b36f2490d57b9cc521390d3ab674e07b0316bf92d74c0f59332e91914776d80661521b2

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
92KB

MD5
f43083f41999d6976f6971573ee84d16

SHA1
bd4988f4c6cb795661ea9e290e38a70a4977d2ce

SHA256
a1e6456073fa1daac1d2d18eb7bac28ad407bb77e3aed4c9edea3bde0dbbd900

SHA512
34a9c3de8b2d04c8b423330d16d9838c96a9b99c31e54b7b1f11395ac8c98852def4edc5522be8a144d5906c0ecb38ea5d1babd44a3a5feff27fb96f69d6cf48

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
92KB

MD5
efce04ddfc1acf339faefd338feadd44

SHA1
f4f5f78f4013e4ec7c988c0655d9dcd110229d14

SHA256
5498dae80cdb62747e6fed59a2c0c83eb443a5f066bf47e196a562d8ec6afba2

SHA512
18fe557fcdad83166c186f8a54128d3d648e13881b58ef452281e1f387fa4d1fe58588368828650b47d802d383f135af5ce17a67ce2d2e14818086b1a7d93948

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
92KB

MD5
393ad6595bbc332903028973707aeebd

SHA1
4915be94e5f02fc315f3baf92c796e6554830041

SHA256
71d140f770bec5ec42116671a65b59347954d670b834aa41c8f94a4eae3f2af8

SHA512
991f84771dbf16569e9d4017967c22b6250de7234517c1936c7d1f1f73f103cf0e5696e1db9e26ed5588454771fc332ba70490727bad403c562ab8fee009da3c

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
92KB

MD5
bbdca68d8935936deeeb6bfdcb847abe

SHA1
950fb3d060a3cd0f52b15673df36581e69822176

SHA256
e372b4c0416801950c4083b4aa8309d72b09e1eaee8226fba2cddcf02e2af47b

SHA512
7956f0c939267ee0bd02a7256313a0792aeed9d187070d3005b427a4838181ecc3d2888baa43c2d374e8801edf4f45678f827ff6795a38731d108ec5842e2b33

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
92KB

MD5
76f2837cfbecfef9fc0193499f957098

SHA1
e6e2716cc897d4c463aa667c58f07490a1b9a7f4

SHA256
343c40e773833f3214269fa824bac66f7be6eb860b656086a800cc9c30bf07d4

SHA512
e7a38bcf57ee81455539d7bcb0871d7c930a1df5c8944b33a660366eb2d7ace956eba53dfe3aaafda58ec65a4357f0d1853ee87b3e0345dba1726c85119d7658

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
92KB

MD5
d0bbf848dbfd3611838903a71d421f17

SHA1
1ce8494708be72b4ccf535c6dd95cf3893bdcdc0

SHA256
9d5e4b410a4b0d6f907df42c579a77c0ed15bc97dbe7814dcff8a89c48fe0159

SHA512
db48fb04a92aa70dfdf733eb40182c61f82bbef10027088ddb693174ef32263887688fdb1ef44ebfd4caa5088801191f6e4a769e83c1cf5bb20475a8ffaf471b

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
92KB

MD5
5222e4c0adcb0dbc8b23566f3041f928

SHA1
64f9b26744c7fdcecd64118fac0dacf5c7bf1da3

SHA256
5ba5d256f156e2bdb41529a549f3946b18be95383f2774b5e9f0682da8a30276

SHA512
b0cf15ef54a56bb677af888de2c416d782b46a92988efed6a9eb56639f9493807a5fe4994b820653bcb7e496d3fcd6b4f7205f86b1154a22ef29b43d491ff861

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
92KB

MD5
bc0ac9510444b5bee16b73fe2981ccd7

SHA1
cdab7934393ef3746e5f496f76cfb7b939759cd2

SHA256
b4c85c6367df5642b2519c1401e1a9a9cffb13464b10549b6ea700ac473d3713

SHA512
b65c26404469bccf62d563d281af15ea2df4fbac0d138f49f08b7be0e246881db6d74400a3fae2de7c96511fcd2e1b802e401ed3b89fe22038ab741144f0760c

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
92KB

MD5
e64c32e78fe29ac24310fa42f0d0f2ce

SHA1
d39973f6d835ad25f6840e5138faf42bd7b98433

SHA256
00378a52650dfc3b15e0c8d8c0166a7f75f043557e3153cad1e7add7bc859687

SHA512
f1fb0e39319c00fd111452aeb70d8a011d2add5ddb4a7d48144ecad409a5557978c11fa9deefab86b17cea1a3a41040e0600ec2d1ad6d63155d7d10c3b2ef2d5

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
92KB

MD5
09c2b6eb04f48197de9d0b8def38e9d9

SHA1
9a5ce0e5e286bab8ffdc454a6f93e6c0bcf56b7f

SHA256
e0caf49854e95888bd1b3faad1fe0490945780636f69e8aa1eebb808715b2613

SHA512
6667db789b4f69f7d7bc5593536b1e33a55cf70c91e242bd567aa6b53019dc27bb3a1e431d833bdf6fb65fd4bc42b76ff4019354000a51fd7846d182460f42fd

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
92KB

MD5
08823c3b6961d78a0974d76a928b765c

SHA1
de788170a3c3288b4565ad2cf94bf5f3b36d40f8

SHA256
ec9fe4227c0569e8e7035658a932cd6f9de64078710dae8898cb300f46350d29

SHA512
14dea137f395a5633847aa676e2e48f0c6076d1ed63aaf175fc71e4aeabc71752564af9b7a0c14f5dcaa18218eb4eaea9220c2bc2059ff834f71ae06222b8e6f

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
92KB

MD5
73fb9c631c3a02a448f2c533b92599a0

SHA1
9efbb11541a7e39c594c0638438a61fd15133221

SHA256
0523e7bce21c1a2703f911e341eb56fe231b26d9e88c79263f130bd311b913e2

SHA512
b2b0f3b908c71bb85a66ccd385e45562c1f32ad3696f61c7e365f4365544d1cbef025a19c5805550cb0ff53a88017f5f528c8b5ed94fbe99bd370319c3a04bbd

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
92KB

MD5
c4bb98adaeeb06b0713a4d6c571615f6

SHA1
23476b934b2a223f00724465bb1dcaaebc0a4fff

SHA256
9297e4c5a6125946bcc977cdf5aa5350356489873170abbb36f82349b6ac6a5e

SHA512
2c8ad38e30e1c3461cabc2238531f7ce84b614faf19514d89a96e3d643c789f77e66f6cc984fc65152371c75801a3a2f59f0ed853ed8f23beb9624dd8146e0f9

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
92KB

MD5
6c03b990a7df0d3045be6c4d8de78d5c

SHA1
c3839f35c047d07a2d7d9310bfc7aafcdb96561b

SHA256
0e8fd9413426848c9f97f261e9f92e1421e50ff2a4258cfb14a852f6b4dfc1a7

SHA512
16147cbd82e6e499e747d8fc667734dad9f750725a452dae591a6474a23658d0e10ca5b2f5195a1cfc1e4e7c1d8a10f70a101a9859371aa3beb98b32f287c705

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
92KB

MD5
223ec83697cb74474778b6fa88af3b94

SHA1
5d8d5fa2b87504b26038358259b960fbcb50a2eb

SHA256
01cdf3d3f72d9750cfca6fdf585cfa2f4b4634441302bd3b23c2e43670fd9fd6

SHA512
f79d47bb6c7fe7d6b4767c03ddf944f0539bf20095b9a031ce2ce4abd6ab48caf34eed19fb5818acdb0d5ead16082365fbcc739c34977fe6b0de031be1545c91

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
92KB

MD5
9229c1c4452a9453d9810f433d4dee5c

SHA1
41f8d91a77b023b614194a48fdcc6328d3c9cb12

SHA256
dd00936771946ed2b7535722e17c08bf77527d0f966c3d6eee4fd668653593fe

SHA512
b96cc18f4ed71ec539eb784ec2c3c2ef57bb8f874eeec7d7204d0d0ec552afdc25748fed91077089ca4ef941570db3a738174d19a59e9972bef70b76aae7fa21

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
92KB

MD5
84506e52a1aa4cdd66affe6a922c3625

SHA1
7d5552ed5311abcce83258d9deaf7f78c36afd88

SHA256
0a499428743114dd1c629feb6c82daeb91bdff12b48d39b0815f40a39613ab46

SHA512
114b490905e48d560c26e6e937603bceded484167f5ed52d9b161a893dea1d4089f6055eecaec0a0d17b1c210468cfcafef6ac97cbb5a1d163d1b4195003c866

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
92KB

MD5
426e9666c8cb839400e4622cff61065b

SHA1
7b7bf1c7d280c2f7ae7db4a6dfab84c755f5108d

SHA256
f10bcfea80c6701e7c83521745d4ed3af3de52f38af0329ef2392df92ecdcf0c

SHA512
8bf00c4b08dd40218d3218f261b92ccff8e8610ba0a771d1551610d8f0e0732c81e6007a24653a538e68becfae12526cdcd2bc9f65a438af5dde8771cd7f1b43

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
92KB

MD5
c12a17460236de7435d427cb3f260d08

SHA1
4af95af00018e83f8ff517827a13f0dd229eeb37

SHA256
5afa5483873bb1ecfe8c0fe256da2bd99ee45c98b98bbc197b8f697240338fea

SHA512
25725e705debb4adb486be9491594b85aba8ad1b1b91a08066f8cac9c515b24637d81b71ade83ffb6852743ffd0cd278c273ead06e85996587702ebf9831025b

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
92KB

MD5
5af6d9b13c89a2dcbfe0c790b3b77785

SHA1
5f3126f5f1809e3f58d38ecd695af909dad708cb

SHA256
cee86749eec0fc058e6c1c33f4fc24d1aa6f058e4363224e135a2573c7693102

SHA512
28d5b4db99728643de63f117d605fa72a286c0fc695e8dc7802f6039df1578ca0004c70fc225b6ae5a2b0be6c6681d00dff03428eea24b0b7fd2ef291ae5ddbc

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
92KB

MD5
1681370dc3cfc38998698cf62050ec0d

SHA1
8fcee5cbfd1de1e49176406050fb9c43ce7d3933

SHA256
21cec20bd545ae82ba9cdb86533743524a19d975cc2c06cd087af8dcb789973e

SHA512
1a7358ddea392ce564a28547f89e4a0d1fd625160267ab16cab4a9aefdf13061bb3dfd64ec3257cca82cbbedfefa7a6537f79a661e295b18b46af9ecbfb63cb2

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
92KB

MD5
4a492bfb614b41952db4b1ec6dadf69d

SHA1
556cc5376cc26764e6615e1a92a0f62b864fd487

SHA256
64a96d3758e1049ae1e9e115923c7fe016092be61fd505ba49221c300b7f7a0b

SHA512
54a71a8f3d37bb91f189be7f97b5d03f260f66c65971879700f77d334a01bf72825b9e2b0c3d325f9cfc670496152b909dd2d95301c39a3d12388100787c8899

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
92KB

MD5
91dec477e247f1e68e9996eaa927b6a8

SHA1
32c4719b24507505ee1003813556fe8f970a5a4d

SHA256
e436186df9de2eaac7c1a5daeea9d6f2fcc4f7cd1e02c9bef9dded93138fba8d

SHA512
917798276a112f02ee3d6f4297b46961ccc481c6f2579d5316c4b96a8ef183dafb3cc84130885a133abc565fd489f4878571e1201951d1da6697c13bff4d2bcd

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
92KB

MD5
abd5a44c78a606759c0c837ef623599f

SHA1
1fd810037c22c589bb15a773da9ce0e0136b1974

SHA256
310f58cd72f3197d4fd8274f105acd56f0cf77c132878390cf134af0be2fe5c2

SHA512
cc7cca01aa2115931921f9792d15104802b04f977951d62c8d8af99434460351651d5b175f167baadf067816273651f12ad790c267de2e7249ead801ed86c2cd

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
92KB

MD5
9e5951e3a4c13c66ec147a170d694957

SHA1
d0e0c95314032c0bd78486107e7ec95f295cf109

SHA256
be9b96d9442cb9d3d8e4f659a7b4e15a586581926e2709f102842079ea57fbbf

SHA512
0d3029c18c403d8e37469f9a99bf5d0abd58bd59c01d4f26ae719f0a314a25f81e1d9038a1ee49afdb70ef1327b172c911aef1dc519e130a2b1285da6f8993f4

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
92KB

MD5
6f4c7bd2eb7e94447c78ec7f2fc16a1f

SHA1
f7f87ddc6c9863824484c067610e297c2f7a383c

SHA256
9f1a49f377d1b160bc6038dc263bff8ad8c1bbf66557de8350dde1ca6df6420e

SHA512
e2af349e2d6533649f59234350e7e3c1020276d3a856ddbed7b138ea5ee8ec00c24a7c1965ff00cf70475cf9f51e65a981217eed0079b61f59af2ace0769e587

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
92KB

MD5
8757ddd6cd23b4c866d5cf3e72c6f017

SHA1
bed0e7c483351d009e899d0a447789eed13cd4f7

SHA256
69baca96c47a6ba04fbf2345fafc45c53cfa1294aa1593660a8b2f1564e1b36e

SHA512
e1a33235073eb56c7309e64351758f142da3a45b050e4985a0ed721c8fa4ac0ce4039651b5a413effe74d7f97c5e602f58647b719522255154f20f393f36feb1

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
92KB

MD5
7836450f5a014cccef911fda2c881742

SHA1
2becf4fa479da1b9f1948714e6298b213aa8669d

SHA256
ccdb46325798af098a7474a646805f8cbfc09dadfc5eec9302bf7280486e8446

SHA512
7a09c00c19ece866776c9c174056eaa5560ea95b749ee5690de54b65db2412ab4b7c76425d6a2952d85c5c8bcdffef3c7f875a1b10212160ce8f3a1fab494ea0

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
92KB

MD5
c5ae16d64d929244e1cf6e612226a41d

SHA1
3c483f43cbf7581baed46da3723503bc30d4b4a0

SHA256
674739be195c15da04d60273f056de1b62416b9489ba688066ad1be2d4a7da35

SHA512
60e93c207414100f1122090f2193d90fdc245501071987a5dd734705b9929d2f385a46405c625c98c3e0e03daca9e407ad01ddaea344350b14ae3aa0d9e1b01a

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
92KB

MD5
d6825681e63b28f3fd1fc69ae29a1398

SHA1
3a1552b0c5c6297c72f7c882edecded5569be43d

SHA256
6693318e013da97b713181d99e6997859ee554e9b41391b053cf95b69e7b26a6

SHA512
3738c39c299cf08ab795e047c12042e2d17f44ac74d5841ac16b029d822c3f79320e89864a59a482a104c7d9e23f1b026edf0403d6c8c63c80315d8cd4869bc5

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
92KB

MD5
c9b50a1810057e0f47975f3ab0b7e799

SHA1
6fb42aeacc1ea7625aef629659c81656ee05b2b5

SHA256
bcdf76e8d0f1456cbb1c65d609b81528613ad2944ab1618d47baa2b11fedd28f

SHA512
f36eaef240da9a1680e40ef309b1f1ff13eef5ec918e503b9192097e5bb8a43c33f524e57f9501d040027ea4cc6c7a79bd4fd95bd1abe769b6a7ed01918148c0

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
92KB

MD5
804392f57e41857e9acc182f6656f445

SHA1
470f05f438aeb2ef8ec1ee9b6f32933ed33d19b0

SHA256
2818dcf89d539c113ebe54f14cb87f500a40276e4f11903a75d4689f3efac59b

SHA512
9262bb32d9f16bba829b52594040f79e0fa7c5eac1f4b493b04688f5837ae3558c023949d9855c08e3fa426e01d019572f6f9b6b80e7c607cea84e0348b5ed77

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
92KB

MD5
c3117d54a0b9c452539df55238b9e8fb

SHA1
d0e3d96560cbea9bb02d827936ef0c5a35b2d387

SHA256
dbb1818ca6b100be1114d7ef55767a760ca50c9c561df38ae355a45cd78c9e6a

SHA512
961cb9b769d2083360673be46fcce472ca60494b526ccff2b2e31d74cae4fe65b8391b0f47e7251c7607a1ce41f9fffbef47449d6e83d1e3903fbc6611de2f5b

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
92KB

MD5
f90fdea673e8964b981b3322ca0718d9

SHA1
5f9e979d1b004b76f3d2277ecfed9717c4ac72c4

SHA256
b814f335bb042d467c991e362ef276c4dae7c1f13854c3d0adbc3599e5331f86

SHA512
e23542772e8c6a3c890bda50c49bd8d958fcb9a14eb8397a68b4f08f8a7c2dd0a4ccf5d65a0a6ae45647a514ecb9f2800ada6c931530634dcc5616943e53cc65

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
92KB

MD5
35f54e61807f5e78300a5c34d0cd39b5

SHA1
0575252ea74ec84d706907a652d99c3a06d17b97

SHA256
23e2bac8c8a04fbc56fee767263f29917d7627fd639c93f895e82d05402a2f87

SHA512
fc8b6a6d45bf33163ea9bbc7bebc586009e6fa8cb91b5fc6ea733800360fe04b4692a8912c2ec93d4902ff07f3614dd6802c5874077f361ff1fc806f1489f93a

Download Submit
memory/116-278-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/372-370-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/412-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/432-87-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/448-183-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/532-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/556-496-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/768-565-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/768-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/772-199-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1040-358-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1068-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1236-490-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1272-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1328-292-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1528-388-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1612-572-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1612-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1616-593-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1616-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1672-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1676-418-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1688-400-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1700-167-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1808-215-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1864-448-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1956-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1956-558-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2004-268-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2060-262-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2068-430-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2108-466-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2240-119-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2252-502-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2276-394-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2312-460-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2352-514-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2384-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2512-231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2700-424-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2720-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2848-555-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2848-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2944-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2988-579-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2988-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3012-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3076-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3184-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3188-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3228-159-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3424-436-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3472-526-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3556-478-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3572-79-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3596-104-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3600-454-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3640-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3724-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3824-484-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3900-520-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3912-151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3940-280-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3956-334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4120-111-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4196-472-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4292-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4304-223-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4336-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4384-376-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4428-252-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4444-406-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4504-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4532-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4548-364-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4704-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4704-586-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4728-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4752-508-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4776-442-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4784-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4792-240-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4836-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4836-544-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4840-328-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4912-191-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5136-532-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5176-538-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5236-545-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5288-556-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5328-559-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5392-566-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5440-573-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5484-580-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5528-587-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5576-594-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads