berbew | 79941b40741798f433958faa1f83087fb30416d357ed354e2ff198707edb5811

Analysis

max time kernel
98s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2024, 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79941b40741798f433958faa1f83087fb30416d357ed354e2ff198707edb5811N.exe
Size

337KB
MD5

e6e599759268fa75c7a41fcf978f1810
SHA1

f36378f7432c8d800d7baed5b51f521a5ec31a0c
SHA256

79941b40741798f433958faa1f83087fb30416d357ed354e2ff198707edb5811
SHA512

df3bb9efaf0dd4544e233805e06b039da42f1db9e1c2190088649fcf60c151b0fd5f14036b5aae7bbffc735f6361898990d137883d058ce9c30221b6f847c93b
SSDEEP

3072:v60S4XfsgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:rpfs1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	79941b40741798f433958faa1f83087fb30416d357ed354e2ff198707edb5811N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdina32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
2916	Ldleel32.exe
3428	Lfkaag32.exe
4896	Lmdina32.exe
4944	Lpcfkm32.exe
1932	Lbabgh32.exe
1856	Lpebpm32.exe
3152	Lebkhc32.exe
788	Lllcen32.exe
5104	Mbfkbhpa.exe
2964	Mpjlklok.exe
1636	Mchhggno.exe
2660	Mplhql32.exe
1468	Meiaib32.exe
4592	Mlcifmbl.exe
620	Mcmabg32.exe
1576	Melnob32.exe
632	Mdmnlj32.exe
3884	Miifeq32.exe
2080	Npcoakfp.exe
4596	Ncbknfed.exe
2600	Nljofl32.exe
3668	Ncdgcf32.exe
1116	Nebdoa32.exe
2744	Nphhmj32.exe
3828	Neeqea32.exe
1072	Nloiakho.exe
4512	Npjebj32.exe
4980	Ncianepl.exe
3716	Nfgmjqop.exe
4756	Nnneknob.exe
4000	Nlaegk32.exe
3736	Ndhmhh32.exe
2372	Nggjdc32.exe
1928	Ogifjcdp.exe
1644	Olfobjbg.exe
4032	Ocpgod32.exe
2284	Ofnckp32.exe
5116	Olhlhjpd.exe
396	Odocigqg.exe
4472	Ofqpqo32.exe
3004	Onhhamgg.exe
3036	Odapnf32.exe
4100	Ocdqjceo.exe
1376	Olmeci32.exe
4452	Ocgmpccl.exe
2956	Pnlaml32.exe
3552	Pqknig32.exe
3576	Pcijeb32.exe
1352	Pgefeajb.exe
2988	Pnonbk32.exe
2932	Pqmjog32.exe
4752	Pclgkb32.exe
4796	Pggbkagp.exe
4012	Pjeoglgc.exe
668	Pqpgdfnp.exe
2092	Pcncpbmd.exe
3544	Pjhlml32.exe
1796	Pncgmkmj.exe
1920	Pdmpje32.exe
1580	Pgllfp32.exe
4400	Pfolbmje.exe
1728	Pnfdcjkg.exe
3180	Pqdqof32.exe
3032	Pdpmpdbd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Melnob32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Miifeq32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	Miifeq32.exe
File opened for modification	C:\Windows\SysWOW64\Mpjlklok.exe	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Mchhggno.exe	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Bbjiol32.dll	Mchhggno.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Lllcen32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Jgefkimp.dll	Melnob32.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Melnob32.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Lmdina32.exe	Lfkaag32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Lfkaag32.exe	Ldleel32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Aomaga32.dll	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6628	6520	WerFault.exe	230

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 2916	4216	79941b40741798f433958faa1f83087fb30416d357ed354e2ff198707edb5811N.exe	84
PID 4216 wrote to memory of 2916	4216	79941b40741798f433958faa1f83087fb30416d357ed354e2ff198707edb5811N.exe	84
PID 4216 wrote to memory of 2916	4216	79941b40741798f433958faa1f83087fb30416d357ed354e2ff198707edb5811N.exe	84
PID 2916 wrote to memory of 3428	2916	Ldleel32.exe	85
PID 2916 wrote to memory of 3428	2916	Ldleel32.exe	85
PID 2916 wrote to memory of 3428	2916	Ldleel32.exe	85
PID 3428 wrote to memory of 4896	3428	Lfkaag32.exe	86
PID 3428 wrote to memory of 4896	3428	Lfkaag32.exe	86
PID 3428 wrote to memory of 4896	3428	Lfkaag32.exe	86
PID 4896 wrote to memory of 4944	4896	Lmdina32.exe	87
PID 4896 wrote to memory of 4944	4896	Lmdina32.exe	87
PID 4896 wrote to memory of 4944	4896	Lmdina32.exe	87
PID 4944 wrote to memory of 1932	4944	Lpcfkm32.exe	88
PID 4944 wrote to memory of 1932	4944	Lpcfkm32.exe	88
PID 4944 wrote to memory of 1932	4944	Lpcfkm32.exe	88
PID 1932 wrote to memory of 1856	1932	Lbabgh32.exe	89
PID 1932 wrote to memory of 1856	1932	Lbabgh32.exe	89
PID 1932 wrote to memory of 1856	1932	Lbabgh32.exe	89
PID 1856 wrote to memory of 3152	1856	Lpebpm32.exe	90
PID 1856 wrote to memory of 3152	1856	Lpebpm32.exe	90
PID 1856 wrote to memory of 3152	1856	Lpebpm32.exe	90
PID 3152 wrote to memory of 788	3152	Lebkhc32.exe	91
PID 3152 wrote to memory of 788	3152	Lebkhc32.exe	91
PID 3152 wrote to memory of 788	3152	Lebkhc32.exe	91
PID 788 wrote to memory of 5104	788	Lllcen32.exe	92
PID 788 wrote to memory of 5104	788	Lllcen32.exe	92
PID 788 wrote to memory of 5104	788	Lllcen32.exe	92
PID 5104 wrote to memory of 2964	5104	Mbfkbhpa.exe	94
PID 5104 wrote to memory of 2964	5104	Mbfkbhpa.exe	94
PID 5104 wrote to memory of 2964	5104	Mbfkbhpa.exe	94
PID 2964 wrote to memory of 1636	2964	Mpjlklok.exe	95
PID 2964 wrote to memory of 1636	2964	Mpjlklok.exe	95
PID 2964 wrote to memory of 1636	2964	Mpjlklok.exe	95
PID 1636 wrote to memory of 2660	1636	Mchhggno.exe	97
PID 1636 wrote to memory of 2660	1636	Mchhggno.exe	97
PID 1636 wrote to memory of 2660	1636	Mchhggno.exe	97
PID 2660 wrote to memory of 1468	2660	Mplhql32.exe	98
PID 2660 wrote to memory of 1468	2660	Mplhql32.exe	98
PID 2660 wrote to memory of 1468	2660	Mplhql32.exe	98
PID 1468 wrote to memory of 4592	1468	Meiaib32.exe	99
PID 1468 wrote to memory of 4592	1468	Meiaib32.exe	99
PID 1468 wrote to memory of 4592	1468	Meiaib32.exe	99
PID 4592 wrote to memory of 620	4592	Mlcifmbl.exe	101
PID 4592 wrote to memory of 620	4592	Mlcifmbl.exe	101
PID 4592 wrote to memory of 620	4592	Mlcifmbl.exe	101
PID 620 wrote to memory of 1576	620	Mcmabg32.exe	102
PID 620 wrote to memory of 1576	620	Mcmabg32.exe	102
PID 620 wrote to memory of 1576	620	Mcmabg32.exe	102
PID 1576 wrote to memory of 632	1576	Melnob32.exe	103
PID 1576 wrote to memory of 632	1576	Melnob32.exe	103
PID 1576 wrote to memory of 632	1576	Melnob32.exe	103
PID 632 wrote to memory of 3884	632	Mdmnlj32.exe	104
PID 632 wrote to memory of 3884	632	Mdmnlj32.exe	104
PID 632 wrote to memory of 3884	632	Mdmnlj32.exe	104
PID 3884 wrote to memory of 2080	3884	Miifeq32.exe	105
PID 3884 wrote to memory of 2080	3884	Miifeq32.exe	105
PID 3884 wrote to memory of 2080	3884	Miifeq32.exe	105
PID 2080 wrote to memory of 4596	2080	Npcoakfp.exe	106
PID 2080 wrote to memory of 4596	2080	Npcoakfp.exe	106
PID 2080 wrote to memory of 4596	2080	Npcoakfp.exe	106
PID 4596 wrote to memory of 2600	4596	Ncbknfed.exe	107
PID 4596 wrote to memory of 2600	4596	Ncbknfed.exe	107
PID 4596 wrote to memory of 2600	4596	Ncbknfed.exe	107
PID 2600 wrote to memory of 3668	2600	Nljofl32.exe	108

C:\Users\Admin\AppData\Local\Temp\79941b40741798f433958faa1f83087fb30416d357ed354e2ff198707edb5811N.exe
"C:\Users\Admin\AppData\Local\Temp\79941b40741798f433958faa1f83087fb30416d357ed354e2ff198707edb5811N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\SysWOW64\Ldleel32.exe
  C:\Windows\system32\Ldleel32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\Lfkaag32.exe
    C:\Windows\system32\Lfkaag32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3428
  - - C:\Windows\SysWOW64\Lmdina32.exe
      C:\Windows\system32\Lmdina32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
      - C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        24⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        27⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        37⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        43⤵
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        45⤵
        Executes dropped EXE
        
        PID:1376
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3576
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        52⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        55⤵
        Executes dropped EXE
        
        PID:4012
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        57⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3032
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        67⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        71⤵
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4580
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        76⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        77⤵
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        78⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        79⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        82⤵
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        88⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        96⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        98⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        103⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        104⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        105⤵
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        109⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        110⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5984
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6044
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        117⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        119⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        124⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5500
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        126⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        129⤵
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        133⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        134⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6224
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        135⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6332
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        137⤵
        Drops file in System32 directory
        
        PID:6384
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:6424
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6476
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:6520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 396
        141⤵
        Program crash
        
        PID:6628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6520 -ip 6520
1⤵
PID:6604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anadoi32.exe

Filesize
337KB

MD5
25fc2f4fd5fb885549569546fd304a1d

SHA1
e862e5bd05ad3b71a9f466796cfb41da041a7d5a

SHA256
b92b0a42f2c4534fbec77325fe2bd7f478b7cd32c9e1bd4475e62685f25c39c8

SHA512
aa5d358b7ba73bfd68d4df2426b1bfa0f1cfa0068158a749a08039c40b03ff7b2bde342791ce25d557eac8563a73ff4f0ebb4885d0ae5c6221e9afda28f8906f

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
337KB

MD5
0235582a77112f119763b8ae540651b8

SHA1
db7002123441d948eb08907f44b5e18bf5a79dc9

SHA256
0d0ee1f889e7a163d02ff224cc62195a09c6df8589c2d87aee7e1724e718985c

SHA512
30b566e46276380c4b25a151ec80ac762c1bdbe298e728e055c1851fc0ad594e6280f4b114f1a229addb9a45f21ca8a9aaa9a9424a61acc7e5fa4e7ebbc369f0

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
337KB

MD5
49c496377e652f50c6fe361c0cc62e7e

SHA1
5e7f238ab3f272374340df653adae3636af9c22c

SHA256
47b60a980bad236483b413a8dde2427bf6ff30d91c1a3aff53a61ee636479965

SHA512
0e8846e1dff028b6d5d6ee9b745ab549bec18c0fa147b80573479612827ffb9bb87669c164ac16eef7fd280a0b75c9d2b8bf62e93d6ba0cf9efa15867fe6859d

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
337KB

MD5
1ab43b50cbea2f677bdc655a06d17d0d

SHA1
8618b1856d258e302c83dbb3d4fe8086133908f5

SHA256
ab83e367d03a6aa7ebfc48233348266f9176534aabeb226b7b857605d97ccc3f

SHA512
f2c41065d6f21cb9956bbe2223637e947e1defaa4ffa03ee4f3cea21777f1a2fc1a7b3300c126883b79f5450aec2c7f42333c08ac1b05fc9a0d969dd21d47f3c

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
337KB

MD5
fe4ac678e44ee0b9ac62b6c973cbaa1e

SHA1
d21b1039b3dd80e46904e0a1662b66acf22cc2f8

SHA256
1ac849ec4c26bd15945800a93f1b3f5d4ec739aa00da27e6f42b4b4b1cec6409

SHA512
25922397f263cca94b22aed0848417334f8b34ccd6058a362a2f40b7207bc0a84deb14e90ff9a5fbc42f07a79b37d3dd065e5dc1b8cd306ce8f44762db999cbf

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
337KB

MD5
81b366ec18689826acdd074d9ea7bfdf

SHA1
5752f1158f6c5a45c446692ba2473e95080917ee

SHA256
63ba38b5b85d413bda36a66e0da19ef3f0808cabe7a9ab1b0d1f1b816e10d03c

SHA512
9ca2f08f51e35d211a3b4166aec5d6d75e413c71ff8e5a55f08f66630f91b1aaff38bfd46d7f56393df06f5d93f75f2cfd8f0d664f07c6457c302f30456ca84d

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
337KB

MD5
f1dc4f6cd448e20220d616d3c02b64aa

SHA1
c60fe318500571fe14c495c4ee2583f411a7ed7f

SHA256
428b9af4bad03cce961fd42e1d4879037a7cc14e17d407bad2271a6e7b0ad43e

SHA512
4101b9362fe76736e887a30a5735e55c3e977ba53fc522cd31cd01101b77b6e9c7e83a44878c434e305e530ea6c6b29ea3eedeaf09992b1b021a0b87cdfc6b16

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
337KB

MD5
91b1eb63998a41501fa1ea134f0ca309

SHA1
b0980f8742d6bce3c6243192337b99beaee75f24

SHA256
11517848bcc39b94fe86073cfd08519d2334a14e194bb3b7138b312f4dcb1be9

SHA512
49b8e4a34a55af220c62c1cee1cd1126f9a09e2a70e19786336ed7df2b7a17d6f9d497acc50a8d6c3a65123e1240857e0dd3f204d1d10619724d6898afbf3d31

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
337KB

MD5
faa0f446b8bb238331f5fa3670fd0e7e

SHA1
3ecf3a8b68f358c9d7698ae5479a3557865a7b2a

SHA256
5f53e814086c2fa2e60cb1a3eae1ed97eeeb07e27fb01cc3847730f821b2098c

SHA512
62cb04bafea0e633ffba2bac2b86d2ea4c6b08c7a3f8b98c1a31d7aa83a0112d72ccdb2bba842f29321e55148904ed04f859ad7a9ece391f91d84e24db1f2afe

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
337KB

MD5
636bfcfc54758ce2cb51813f2f853a1f

SHA1
3845c4156c0954a8b36038e53723ea0f6ca6ecdf

SHA256
dc0d8a6a536c0c47443e9c0ad13d32b84e5eb05577faa2f29517151a9b05aff2

SHA512
3dbbcf1e2549b374cf2e2c38416b99c180fc2558fa4d8c172a2e54bfdd4c0a1b126a01d27d06e360a604633138237b0bde97366beece0eedc8f5b505f990121c

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
337KB

MD5
2747c417a1d4295867b9ad17939e0c4f

SHA1
b3fdac73295b6aaaed5c771d4099456d69e89b0e

SHA256
e87133d78169e95197f4b53d772b375b3961d52d4929449f8b4295d1030dfc12

SHA512
393f6422687615b6cf73bf7f48224c7cb0c8816a7fab37d1a9ee4d7912319edeae6fa4ec99e1cb5cfabc662d0dd36e5814af73afe6fb6a49a344d1564dbe8251

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
337KB

MD5
36860fb3285408732524b6e3772df85b

SHA1
6ee06fe0fc12ea2ba7cf5da50ed8c771c16443a4

SHA256
067e285b78c354d0b31bc0cadc303e0a651620845bed000b95fd7b67e5a04819

SHA512
4d3c99b7f85914202023d9575b18ab935c312668b273ab7bee311d2b3b5ea716cc3aeb810206352899f9f30579c96cf73804c67184afecea18153bc0e53f68b8

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
337KB

MD5
6037953d9fe49aa0b8026780a3938b7f

SHA1
02b85ca16e479c1eace29ca4a52fc14bcb0db788

SHA256
f6db4401024e1735f38478623e910dfa2094614fb3aaed51ec8a620b7ee79b9e

SHA512
df5c5426a502b0d252c139b1f4bee1e446663373827d78f9378f97f24e1cd3d3fa77e2a4106f21e799b601e549834db2402eb6b4ea94d13c10b84270fc6dde0c

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
337KB

MD5
53cc63ab91be1e013057f23dd2d43508

SHA1
8cf6f0b944bd401f21161fd94d05b387b57e1564

SHA256
5ae9c47b16e39926b55b6631ad3cabf8f8aad2e6a8ba739138c74912aecd9ed8

SHA512
d07b15cb7a799fdd0f482aed293ddece2321c4ddcb75deb9cb7a59e86c2e2ddc14e172759aed2631a54051f7a91f39b2b1e8c79a2dca5f1c7d161da0cdc53edb

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
337KB

MD5
025deab6f619d57e22ed1cc332c4f5c6

SHA1
c805dbafbdd13a4fcc53f259c6519fcc466db8ad

SHA256
21efd2de72c6cbf2b703b12c984c2d1e4719a4b29b3ed9e2db191dad5b76118e

SHA512
8beeed0d0a3b1de57cf36f83444aa6a7f19c8162f077151b41032db1c63c896e0a5916c22696407bcdc3c4f055a8df76ab525a2b79d9f650dd549343f09bb118

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
337KB

MD5
e4db578d6fd078eb89c18c21c0b3de10

SHA1
8321677fce8fae387bedc03c23dabb424cd9efa7

SHA256
fefc7ad2e88caf407943a96fc45b18404aaf09170e081151500c1c74be458c05

SHA512
37a4e7580f97c5dc7fcd783cd602c98da5e10b8565df09fb5caea1fe64cf56c849e1dd1d1e5c4f2b96b0724f63b699c46fe6ce67610f762c6c248ed42835d900

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
337KB

MD5
519f16e2a1305a7a39f7eb13747f016b

SHA1
276ceb96bd67337b2039e617175e1ece42c4b898

SHA256
9ed6a817d3e46443a210a5dcc431b68ccc2065538ec9eca8d7a6de020c7948d7

SHA512
3ac12e95ab55ab4d8879aa48471270a4637c904777266eb99b1690ebecc00998a0493f4654456f21f9fd44544d2820a7296cba54223c92b665ac497a65e2a8ad

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
337KB

MD5
23304a5ceb49d99154df4d43e54b64b4

SHA1
4decaa1e25e5b0c5f4f17c5a96becfbcf90182b6

SHA256
856421dceab21c9cb6187dd75707895f2a34d8c7e05b6355d5c764fb258d9819

SHA512
df2413a8fa7af78f671d1b4734b8a4c0df094893782464d9597c5686888d10d2859851dfd5d11ea46c75867c9da24cd07b660b4b7e0457f3a18b64796bcb0018

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
337KB

MD5
07eba1729e9db47e61d6c45d4f3e29c9

SHA1
ebe381baedb650900f6057830b133e9e663cea86

SHA256
937d86ecc8982ccc706ab714fdbd068c59ebde24a11329634dd367dd244122ac

SHA512
954f50c49defac3e74f13cd3b90c08b37f8079c6b8cdc60003db3a6ee93450fa06da179e2fb6a6c5e556ab3b25f3e339a4ff4c0eb080348d75701b49b19acdc8

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
337KB

MD5
30621a57a498bcbe35b6e0c2afa76054

SHA1
c93b1426a841c402149dde25aa04716d515277f4

SHA256
b931562164e88a758421592839a1fd00c705d88d1d220db994d8982429ebd5ef

SHA512
0ce97851ffe3de71f88bc899e6f1b8707d16d40844c00f0e7b9cbee87ec1cff113ee269fc98fb1a07e2d8d4498dcbce01e08cce16f44aaa99b9f19f04b62469c

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
337KB

MD5
5067714075c9b73a856d407c086dfff2

SHA1
ccc9299e8e75d8b590e838e055d82cc697683f7d

SHA256
11dac2d585fa48f581bf90c335e2d163270945e53477f7f84f7805eb99e5dadf

SHA512
2b548e9aed5851ae59a2907e94589d1de0c8d5051c24d1a6d8827e62fafb2cda66c65585727b7b5525c2714b1eedc238943907355036affc22f6bcc13aafbb29

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
337KB

MD5
b31498f1171240f5131dd6ba7b5b501b

SHA1
a7bafa99e9a57f0664b97155b164c8dd79928bce

SHA256
1443648de0becaf422909f51b948e76275e6f0a8c9b9014c233598709c0bbea2

SHA512
82023b5f84cf334f5ba867a72a2ea8eb35363c48c4a22d16dd195b03f9467e282e4938781137459c277df899785442cc672a19ff558ad2a984db9c583f2d0468

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
337KB

MD5
9f6ac73ebce82d2cbc4ecfc57f2aae43

SHA1
62ca56f356b3ce829d2183c29447b17ee0a2ed73

SHA256
47b6b4fd1ad5316bcb35365e292a42a9d74794538efa76d7c75bcbe8916bbf06

SHA512
252756cfc6e6b059ae883df7ffa86b78041ad48012bbaef40341b23bc41bda00fe83df3dc486a03fc20e4182e1e2df50a440371f5fcf87a6f8b54847816e37a0

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
337KB

MD5
71f8168c0a80dd635655cea2f8fb4bb9

SHA1
bbcb2bffe2b2df3dd6c42bcc73630162c23606e6

SHA256
f392f622a693bd6f1a199c2c77a484b2cc17f34a0d2ac2eb015f48135eeffe8c

SHA512
3d774c3c29b33bda7841d2c201b27b97ec1e2ff739fd3f38c6340021d580d71d3f586b5536d38cab54e8b942dfe1487e54b6ca7d3e12a39e9465aacf6abb91c9

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
337KB

MD5
17e89ab430de0c167a747f580e0c92e3

SHA1
da9852b9678100443faad24389f289e6201bf3cc

SHA256
55799dd4c8b63f0f82829b5c9cff7f799ea5ac6dcc826435378ceb30c5f50818

SHA512
ebe7490c3c807d7871b2beb19f5a54ebdb29c2c6f1b1ec8efd8b95e97559e53e59659d004e3fa9801c9321668ae601d2d95c7d8016f751d917931245f5696ee2

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
337KB

MD5
24f3836256ccc7779cebe1633f433c1c

SHA1
33e0012e7936d27d1d067cc8d31227f06111d603

SHA256
97e89f5322104040a1d30205f4e402e9a3c51b414572191e029a0684034ce409

SHA512
e49a85d49964dea404e3959ab5928f6fe9b7f3e00a0dc59205d00724cbd92647945d38ce0ba98024b8ee78bd1294aad96155907779b1a183e6b227235444660d

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
337KB

MD5
10efdcbb8d62162e6fb7dc290d8f466e

SHA1
de3a330bd0b91130621ed86c8d7ebe8b4faa0da0

SHA256
8e40ac187908525a72c9f54efd73f63bd374ff509983275da655982c23180b9c

SHA512
8d05c92bf008afbbae859471ccef69bde2e2194c4ad8f9e2d77d3c5d1ccaf0a3b36c2455e20c7d925aad479427150fb1fdae9eecbc8840505779078a1ce04d0c

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
337KB

MD5
c2e80fa9d271a062a3962c60b7a1bd4c

SHA1
8277f015381792bc93a37843b21608e4fba63bdb

SHA256
50280df207ada877dfb19abb30b068ef2fa82fc5f1af1fe4b216d1f4b0a5ebaf

SHA512
0f0a1f0a586babad8e704dc44e9f9cad411e78ffb75b3ec45e3b6a94b71e21ee6a967f05962d63858afed79bd5338d0e145bf001807ad8a6d4c69254a14411a1

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
337KB

MD5
f09780ac3d6cc624b320133d58e03f3e

SHA1
266ba08cb78032f85a16db69cd303a1ce0066159

SHA256
7fbaa31db26f1b5d9e1a939a63a5be1fa85dcaf1945ca8c6ea61262fef1557d2

SHA512
18fcd4a1f0ba63082e4982467b10dc681629352574c77720cda8d62204a96a6a13ee47820143dc8cd3b2f17a0a5b63913f704492ed524656e1ffd59f694da793

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
337KB

MD5
f907c93d10d7d4755936c03f972cf219

SHA1
2422826578be69879836cb341f7f0278d7b4af71

SHA256
437ff0dde97293689578ca163f847f64b0796148f3849a26cc1da43a95a500c2

SHA512
39acc0a2fd4a72f3d1b16634c2f1faba65d5911d2bd495c534b56fbaa60f795f0df9c1690ccfd45314b89e3aa27d22e21f9feba5558fbda0b7d9b3a0900deb70

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
337KB

MD5
c4b497869ccad5eada3e18f2efaa9e4b

SHA1
90d6891d1375035c37c61f4c8a683294e13d74e7

SHA256
54c3a503a6259d733cb31d3658850f4c0079bc3c86157d403343713f1e7c637d

SHA512
999cfb44e076db99cefc76592be3285b88096221b9e8d8ca4a1b9af4464d2d07b3119c66a2de6c8418953419e5d28dbac0ec53415da1bf70899b387131e63b8c

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
337KB

MD5
b4ed383aa3f5d39660ca52510eb71a54

SHA1
6a9df112fc0b72b00ca10a9b91e89a6fa6a62c15

SHA256
ce8e98c4d687e05614b599845c009c9751e50547f6225d4947d5b3372f3ee811

SHA512
558e6a7894e4863b1f391fa331f6c4d1c24975863afd67f48efb0bfabbf5da53a60cd1d1f02e5d234005bd5e292431f00fbc9e1df5f187cf7640b517efa9db56

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
337KB

MD5
b188445f9879bdbdaa00bc4fbcfcfa9a

SHA1
f03a6a57915e3035d5394dbb7133510da2673c43

SHA256
bad11919b9263da2bbaee293cd115a1f30ae4fbcebf88436b7ed094877d8d010

SHA512
b115b2382a38e418fba77e52f1a6e465beb8e3fa8d8a8e3bfc7d09a681df0f78b238ba788338166f8502c0e8ed24b0c8c728f295027a7f7c5cfac0381b4bf3a8

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
337KB

MD5
8ffd259ff1b1d2890a5c8a4021dfd3f7

SHA1
1b290175987df42c308dadc768bd4e2c85e5b731

SHA256
9821fbc457ec6bc83f4f4a9fe53ed26abbf31c1d1e1f36e0d098b11260902f6e

SHA512
040a9d219218128ae365814e481fe6c33101c70badf5e20983d87c9e1723dffffd7f0cdd9f6330bcf3be28e9ec4f173293e33300531aebbc7a685de3a93c798d

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
337KB

MD5
3d40bdf05cc4033fc79fbe6b5ebb2652

SHA1
e46eb08b197f56227cabddc932ee1f5ae715233e

SHA256
10065785ddddb58866faa788558efdb41c89754a572155d11c90c1050d6dda59

SHA512
edbc9320a8a398f67f54f620021d7aab11be8159c0848a281b07ac856616afb6cd1720d19403bd2dad9fc6520eb59bf667e5d7fe6f12fc1f23895984a8de86a3

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
337KB

MD5
375dfda8ff6c77622da2bb9059e00a0b

SHA1
407d35206e4708e2da1ef527da658b3d571dcd80

SHA256
37e772fdf6a1ffc450106b9f71c8040355f2f2e29eb61388a2f207624fc40ee8

SHA512
c13b62a100490a55be65b96302ebd732573fe8faf6b29307ba17d66826aacbb404f43f8bf7f4053ebb032aea48e86b4a484eba432bc64026b66113da7ec292f6

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
337KB

MD5
4e3eab7e4c2c95a57d37496c4ceabdaa

SHA1
5e4a8e370fa5ad2b26d893a880b626975cb060e3

SHA256
e523bd3c8e4da8ea440956096a593846078b5a9df75f70d629b47fdae4050f66

SHA512
56eeb81ab3cc9453f8d753c825cc6e14f2618ccb68fbeab39ea5a9e34e2f8ccca97e04a62ae02b2e7647466038f50164b5cf64c2d718b6df48ce157257d763f3

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
337KB

MD5
70a218ac11c9ed798b511197c198ee84

SHA1
3cbf6b5c849f2b2c5825a656adebc3afddf3bcd0

SHA256
0d1c6f20eafbb829abaaddccbc5d65455a9060cf9c97bf96e51e5f44cf70f037

SHA512
12ef0f50bb38af0b75d5a555a1543b4c599dd995595fc166473acce4ba5654f2d72a3fd2c23d54e31c16d19b105e89d27be863c7baebadf198cca06cfa074493

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
337KB

MD5
11b39c5f80606b5095b70f8175180ee4

SHA1
df28613fc13f0d8fbe57d20b7c7e63e1f931ee2c

SHA256
11f038b725c6c1d017c87a6c3f86e38ba0df50a83bbff75d90af514bb3df3ef7

SHA512
043828e63dba3142b6ded418963c32f81946a7d33e78d80ea13f4932cad0bd53e465bac622490e9159bfecb571229c196f6c1debfb5fd929e9d1e031cd1ec091

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
337KB

MD5
5745bac4d18a1fe391f1172c18fb5d89

SHA1
20f27dfe3d979d8e157c4c976507d7ebd708b9af

SHA256
42e95a23008d19e1737993a79d4a453becce40fb93e2e0821a34548518690a01

SHA512
6f4eab7d9ec10f7ab6e9ed8b3932ec164f11deb502e9f0ca3ffcfc1e9f85f328826a27de38be78457bafbb500c79d9d3a6a120402d2dbdc16e9aa3ae4c280d5f

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
337KB

MD5
11183d7c2b6723abe1ed5c7be01af701

SHA1
61afd05061d5b20213089bcd4e14b8d318e3673b

SHA256
899174e08877da31b41fc16c108dc4aac31b9c19b4eaf7c31f05bf2fab83821a

SHA512
21ed93357fc66a8be2f6a18690adbca9bbac81c6bab5f5698b4611a97ef878face4fca4e138f170b56075a7df4ce6a8cca0bfac6a75894e6ccbd514268b745ac

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
337KB

MD5
3e457f3938619678bdf1369e337e5469

SHA1
637638049dd8a7d657a35f7beaa710e4a1afa128

SHA256
06e7532ccbd48ee64f8c1783f3bdfaaed8c6b3bec06a2e3a0b80c3c6bf3044a3

SHA512
5b1f6915a2f7c00049e83337aba0d929345f747633653bf154474c077ebc486329db49e86457c9363402c5281949779d18dcca073863a2b1b2d27e36f274be3e

Download Submit
memory/396-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/668-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/788-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-1028-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-597-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3736-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4216-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5140-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5180-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5220-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5264-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5308-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5356-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5400-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5440-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5484-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5484-1052-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5528-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5568-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5832-1010-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads