berbew | 5b9893349f82cd6699bcdf8a33989607e0c6727addf666c27c3bd403bbeebfa8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b9893349f82cd6699bcdf8a33989607e0c6727addf666c27c3bd403bbeebfa8.exe
Size

96KB
MD5

597980fccaf2cce430706e888be8fd75
SHA1

b65547430ea8aada12b387fc1bfdad9d44465f04
SHA256

5b9893349f82cd6699bcdf8a33989607e0c6727addf666c27c3bd403bbeebfa8
SHA512

75f7a768f5cbc5475c9a481d448f86fa7a029b216df6a9a739eb081b32916b6f5112fccd8c63eb6fda77976bee2601e8258c9c313b140b0f1d96be549ce0bf1b
SSDEEP

1536:NARR2+caDDNtJlrfHPgu+Xb7Eq2L47RZObZUUWaegPYA:N0/TDDNjl3AU34ClUUWae

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cf6-806.dat	family_bruteratel

Executes dropped EXE 64 IoCs

pid	Process
2912	Lenamdem.exe
4996	Llgjjnlj.exe
3796	Ldoaklml.exe
3928	Lgmngglp.exe
2636	Lmgfda32.exe
1256	Ldanqkki.exe
1580	Lebkhc32.exe
928	Lphoelqn.exe
3532	Mbfkbhpa.exe
2116	Mipcob32.exe
1584	Mlopkm32.exe
2584	Mchhggno.exe
4060	Mibpda32.exe
1960	Mlampmdo.exe
3376	Mckemg32.exe
508	Mlcifmbl.exe
4924	Mcmabg32.exe
452	Migjoaaf.exe
2884	Mlefklpj.exe
4532	Mgkjhe32.exe
3912	Mlhbal32.exe
4964	Ndokbi32.exe
3724	Nepgjaeg.exe
4284	Nngokoej.exe
4832	Ncdgcf32.exe
5104	Nnjlpo32.exe
3440	Ncfdie32.exe
4184	Neeqea32.exe
3920	Nnlhfn32.exe
2236	Nfgmjqop.exe
1788	Nnneknob.exe
2132	Nckndeni.exe
4664	Njefqo32.exe
1040	Olcbmj32.exe
4616	Ocnjidkf.exe
3428	Ojgbfocc.exe
4248	Olfobjbg.exe
2704	Opakbi32.exe
1992	Ocpgod32.exe
3808	Ofnckp32.exe
2960	Olhlhjpd.exe
760	Odocigqg.exe
4288	Ognpebpj.exe
2648	Ojllan32.exe
3444	Oqfdnhfk.exe
3316	Ofcmfodb.exe
2904	Olmeci32.exe
4088	Oddmdf32.exe
4276	Pnlaml32.exe
2420	Pqknig32.exe
3392	Pgefeajb.exe
3000	Pnonbk32.exe
1536	Pqmjog32.exe
2580	Pjeoglgc.exe
4980	Pqpgdfnp.exe
408	Pgioqq32.exe
1896	Pncgmkmj.exe
2340	Pcppfaka.exe
3952	Pjjhbl32.exe
4192	Pqdqof32.exe
920	Pgnilpah.exe
3220	Qnhahj32.exe
4728	Qqfmde32.exe
4932	Qfcfml32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mckemg32.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Nhgfglco.dll	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Bagcnd32.dll	Mbfkbhpa.exe
File opened for modification	C:\Windows\SysWOW64\Mckemg32.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Lffnijnj.dll	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Lmgfda32.exe	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Hlfofiig.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Llgjjnlj.exe	Lenamdem.exe
File created	C:\Windows\SysWOW64\Lgmngglp.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Nepgjaeg.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Pnlaml32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5384	5996	WerFault.exe	214

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplmmdoj.dll"	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhkicbi.dll"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5b9893349f82cd6699bcdf8a33989607e0c6727addf666c27c3bd403bbeebfa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgfglco.dll"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjeieojj.dll"	Ldanqkki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5b9893349f82cd6699bcdf8a33989607e0c6727addf666c27c3bd403bbeebfa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2912	2280	5b9893349f82cd6699bcdf8a33989607e0c6727addf666c27c3bd403bbeebfa8.exe	83
PID 2280 wrote to memory of 2912	2280	5b9893349f82cd6699bcdf8a33989607e0c6727addf666c27c3bd403bbeebfa8.exe	83
PID 2280 wrote to memory of 2912	2280	5b9893349f82cd6699bcdf8a33989607e0c6727addf666c27c3bd403bbeebfa8.exe	83
PID 2912 wrote to memory of 4996	2912	Lenamdem.exe	84
PID 2912 wrote to memory of 4996	2912	Lenamdem.exe	84
PID 2912 wrote to memory of 4996	2912	Lenamdem.exe	84
PID 4996 wrote to memory of 3796	4996	Llgjjnlj.exe	85
PID 4996 wrote to memory of 3796	4996	Llgjjnlj.exe	85
PID 4996 wrote to memory of 3796	4996	Llgjjnlj.exe	85
PID 3796 wrote to memory of 3928	3796	Ldoaklml.exe	86
PID 3796 wrote to memory of 3928	3796	Ldoaklml.exe	86
PID 3796 wrote to memory of 3928	3796	Ldoaklml.exe	86
PID 3928 wrote to memory of 2636	3928	Lgmngglp.exe	87
PID 3928 wrote to memory of 2636	3928	Lgmngglp.exe	87
PID 3928 wrote to memory of 2636	3928	Lgmngglp.exe	87
PID 2636 wrote to memory of 1256	2636	Lmgfda32.exe	88
PID 2636 wrote to memory of 1256	2636	Lmgfda32.exe	88
PID 2636 wrote to memory of 1256	2636	Lmgfda32.exe	88
PID 1256 wrote to memory of 1580	1256	Ldanqkki.exe	89
PID 1256 wrote to memory of 1580	1256	Ldanqkki.exe	89
PID 1256 wrote to memory of 1580	1256	Ldanqkki.exe	89
PID 1580 wrote to memory of 928	1580	Lebkhc32.exe	90
PID 1580 wrote to memory of 928	1580	Lebkhc32.exe	90
PID 1580 wrote to memory of 928	1580	Lebkhc32.exe	90
PID 928 wrote to memory of 3532	928	Lphoelqn.exe	91
PID 928 wrote to memory of 3532	928	Lphoelqn.exe	91
PID 928 wrote to memory of 3532	928	Lphoelqn.exe	91
PID 3532 wrote to memory of 2116	3532	Mbfkbhpa.exe	93
PID 3532 wrote to memory of 2116	3532	Mbfkbhpa.exe	93
PID 3532 wrote to memory of 2116	3532	Mbfkbhpa.exe	93
PID 2116 wrote to memory of 1584	2116	Mipcob32.exe	94
PID 2116 wrote to memory of 1584	2116	Mipcob32.exe	94
PID 2116 wrote to memory of 1584	2116	Mipcob32.exe	94
PID 1584 wrote to memory of 2584	1584	Mlopkm32.exe	95
PID 1584 wrote to memory of 2584	1584	Mlopkm32.exe	95
PID 1584 wrote to memory of 2584	1584	Mlopkm32.exe	95
PID 2584 wrote to memory of 4060	2584	Mchhggno.exe	96
PID 2584 wrote to memory of 4060	2584	Mchhggno.exe	96
PID 2584 wrote to memory of 4060	2584	Mchhggno.exe	96
PID 4060 wrote to memory of 1960	4060	Mibpda32.exe	97
PID 4060 wrote to memory of 1960	4060	Mibpda32.exe	97
PID 4060 wrote to memory of 1960	4060	Mibpda32.exe	97
PID 1960 wrote to memory of 3376	1960	Mlampmdo.exe	98
PID 1960 wrote to memory of 3376	1960	Mlampmdo.exe	98
PID 1960 wrote to memory of 3376	1960	Mlampmdo.exe	98
PID 3376 wrote to memory of 508	3376	Mckemg32.exe	100
PID 3376 wrote to memory of 508	3376	Mckemg32.exe	100
PID 3376 wrote to memory of 508	3376	Mckemg32.exe	100
PID 508 wrote to memory of 4924	508	Mlcifmbl.exe	101
PID 508 wrote to memory of 4924	508	Mlcifmbl.exe	101
PID 508 wrote to memory of 4924	508	Mlcifmbl.exe	101
PID 4924 wrote to memory of 452	4924	Mcmabg32.exe	102
PID 4924 wrote to memory of 452	4924	Mcmabg32.exe	102
PID 4924 wrote to memory of 452	4924	Mcmabg32.exe	102
PID 452 wrote to memory of 2884	452	Migjoaaf.exe	103
PID 452 wrote to memory of 2884	452	Migjoaaf.exe	103
PID 452 wrote to memory of 2884	452	Migjoaaf.exe	103
PID 2884 wrote to memory of 4532	2884	Mlefklpj.exe	104
PID 2884 wrote to memory of 4532	2884	Mlefklpj.exe	104
PID 2884 wrote to memory of 4532	2884	Mlefklpj.exe	104
PID 4532 wrote to memory of 3912	4532	Mgkjhe32.exe	105
PID 4532 wrote to memory of 3912	4532	Mgkjhe32.exe	105
PID 4532 wrote to memory of 3912	4532	Mgkjhe32.exe	105
PID 3912 wrote to memory of 4964	3912	Mlhbal32.exe	106

C:\Users\Admin\AppData\Local\Temp\5b9893349f82cd6699bcdf8a33989607e0c6727addf666c27c3bd403bbeebfa8.exe
"C:\Users\Admin\AppData\Local\Temp\5b9893349f82cd6699bcdf8a33989607e0c6727addf666c27c3bd403bbeebfa8.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\Lenamdem.exe
  C:\Windows\system32\Lenamdem.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\Llgjjnlj.exe
    C:\Windows\system32\Llgjjnlj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Windows\SysWOW64\Ldoaklml.exe
      C:\Windows\system32\Ldoaklml.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3796
    - - C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3928
      - C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:508
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        25⤵
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        26⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3848
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        34⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4248
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        43⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        45⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2648
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3316
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        49⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3392
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2500
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        72⤵
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:264
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        82⤵
        Drops file in System32 directory
        
        PID:220
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        90⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        99⤵
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        107⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        112⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        113⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        114⤵
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        115⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        121⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        123⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5996 -s 212
        127⤵
        Program crash
        
        PID:5384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5996 -ip 5996
1⤵
PID:5252

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:6056

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:6012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
96KB

MD5
ec4fe6c44dff704bf2a9984936976c97

SHA1
389b8d4bba550a0b3d239ce4f7c69bbbf8e3d800

SHA256
1fbb26dc42aee8a9bed0bbf77f00d7b0932f20b08cf7d8957af97b80072512eb

SHA512
8eb2bf370e06b12cb482d6954806ec149d2ac702153537f87d6a0928246e26bf510d8a7486611f1f946c0e10a4d2c3444e383be78312f264274a0302c00b2121

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
96KB

MD5
d12e3162e17600aabe206fa2e3672399

SHA1
9c194c08e7795610859bd413cc4ff62b973a26c8

SHA256
664146260a22395e847fa9be563f84f8aace5b4390d3eca8b58bae67bb3b12f8

SHA512
25d80935a537764a69ccf93cdada80fafea6caa326ee510f85e644c9d381bb47a88f622a0a085b657f3a5a140ceb502bb614838bed7db436a9ce4a66575edbe8

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
c90eabab5ba4fd2a6f16eaa95224ddb3

SHA1
3f5429fa3f60b1d52be5fb35a066d171677ee33c

SHA256
844168ccc87d2b4e913e80d6d40b80a8daab1dfe8cd8d82f6280f0359c40f2dd

SHA512
539a1c584ce11d69baf6703a79ce9d1f57ac240703ec9708f14d49e23dd141f4770299e55119faf5ca950ad815e84011dd02ef58e1f3523bd0040e17adb301d4

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
96KB

MD5
febf44fcffa3c327a1eaf9578a9b5364

SHA1
42409be61c3ef89341694a0f1ab0621f865dfeba

SHA256
cb39f91df47f6504b152b6d001aaa5bc88b61d099b83c708c1e694e33bb4b752

SHA512
8e10b8c90df083579588ff219990e648c5b381969e9d497e8ccee4431eb88c5117beb95457bb511643a40437e81cb8b6b17c889d63954393f722f32e2d78f4ff

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
96KB

MD5
b132e69700a9ca3a41d0a643fa69336c

SHA1
e078cd8de288f65b6eb923637bb925b221a8e5b4

SHA256
88c540799065e94526bc859d7110c0023ed4df9ac1389b2f1b68fcc8495e5342

SHA512
fb0c0b6df24725b9c475e9e1db9ad4ec3239cefa7924779ab4183a36ec8287d2a3f2d472f6c95eb4c15cf681c0f0e642f277367c5aab8b3a1cf11726bf0fe5ff

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
96KB

MD5
02ea12731ebb1d74b00c62991ce6982a

SHA1
e5d79cb077cebd87e7578e9dbc084e92480ea386

SHA256
ae3cb68ce74c30484f5767d9dd1e1b196607927fc5177cd2d111c0b687329fc0

SHA512
a49593726adcfbd75720e23d74397ab6b4e0b123f75773a121571d1adf8754013d0ae101b2150caa717ac81f7a1fba5b77b5878be1718ba3648a26e8b6fc92ee

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
96KB

MD5
d72e7db4be6b1bc3e9a3fb4e4b1c53c5

SHA1
2653a05824ab8772244f1a3bec717777f77510bc

SHA256
b435f50b98c52897b7637ce9427ff70050f046bf0f01b23ced92c4ac332349e7

SHA512
da3287d5aa6f4271dfe3cdc720d75f20834de7c349ef4b7de8f25e6bbc524041eb4c67eae6ad50aa189a1edbf4f576077780a82488ce1d40d56b96b588458eb7

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
96KB

MD5
303e6911caa0c0a3fc12032e20528db5

SHA1
00414fc307690c05c2fd82203384735c4c781473

SHA256
3210f0f1efad7f7228380da1495fea257ae2e607ffc1e03cd25885c9036738bb

SHA512
10e35c8961341539e470eab0406e3d76c5eed4e728fe0a334e89856bc28ccbbcdf12a2288253e137780633ba5b3d46d9259d837061f0e52dab6cfc4868ccf8e9

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
96KB

MD5
21b0f5440a193a04bee4372ced1f8cf2

SHA1
f3eaa8fa2cb5ac255916e7f6aa1d8d381d7beb90

SHA256
d5127e78d86e6f22ccb3afc11605ed1da33adf3b06f3f2ce41ad10d48b2f1ece

SHA512
5158372b04a20d51731aa17315f5198c49d8a280c10331da9d6da0a0203628942da1fc8c3a9e67f2992674cdb632ce3f94de381b1bf231d3834c2e26726bcb0c

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
96KB

MD5
cf160baf95b26d8fed3e87686fabb6c0

SHA1
2512b18b8e58e5b27e77fb80072b0b5c054705a6

SHA256
f7d9abfa0f3b426ca3a41569780593a4f614b0e5472bf8216d826d8de16f8a3d

SHA512
b8fe84b4b507c0d799b1a87793206ce09bb0b5f396d003c2552a47fc6aae46781e0ccd2195885f38211054ff196574b8c5ca4d6713c2cc3dd313886ee42054e0

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
96KB

MD5
b28abb88beaf3fd67a9de1de4b642e47

SHA1
b50ff96b696ab67fa3eb41ab0bb3004862cf1c55

SHA256
9510bab901818fa1a818ce138aaac994adca8a0314cb406d1faaefdbd811f071

SHA512
d0780fe2d0760f37a4420fa1bb1d6507e4d6a6ce870261a44de52a58f02a3b2bc638efa5ef7ba2074363b61a993402d1ca4f1c373dafceced8dc1b6553ff4940

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
96KB

MD5
1e01026a353a606222e019f849201aa4

SHA1
22fa33d4cb82d84e308e053d1aa026aea1879071

SHA256
86b572ac106f9e29cd454c38f27c2d64e55517a8b6a2fe3f8a250e3ada6c3d70

SHA512
f5997054023e43550c392b78a6412c8d81b82a32a3a85eb336e9dc6acdda749ddbbfcd474e1af511d4b83a913cfc516a58ab585cd4ece2b802773f4bcbe32656

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
96KB

MD5
231fa35783b29da85379879689793d9d

SHA1
6beba4494c54aafc9b5f214b73b29a4ccdb25ec9

SHA256
2be86b4c90ddaec9c3c87262535342e9a548e6162efd2aeba5c2dae8378ad482

SHA512
246a2c979a9d5c6def1090b0be4035e72f67376d5c4dcfc481a7550d212eff3a2c7926873b068764a2c996fb38194c4773bd67703f488f79be3f51fd6c2392e2

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
96KB

MD5
afe225574055b545a6afbc52d8fa7d1b

SHA1
0dd334f1a55f8a580957833d7957e72686a01e8d

SHA256
da1e9e3145d155a2b4f6882f70ec8a36c77ace2f369c581f1e4b9160d650955d

SHA512
33b1b61a6c4cb97ffb9eeaa73ca78bb87804b5c0c9454d8d9d13303d7c5466d8209e5d0ed99e4866a8b3a0cf62645d13a9da7e32e05d0dd48e9b71cec613af5f

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
96KB

MD5
b38be72714c1fa2cc0cd633e874d33ad

SHA1
18db4a4f6a0a44e083e4b96400ae12cc21930600

SHA256
64aca742408cf10b41fedfce382afc078ec6b7531456118066ec12eef10b6017

SHA512
28dc6b0b73d04a7321c89929b3b431769916a4f148846c22748bf5ef1abaafe524d20c4f84b8a11b30e640c3f3966b9ffb5b9e2e306fe1428f7b87d7ad1fe7ef

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
96KB

MD5
09b1f79a3cb3b20e3c0b57ffae39360e

SHA1
73fcb84e473f26311f12c68fd4bc981578402c62

SHA256
fbb4815582defb2249890c23be817a92df518ab3436aab9f18fd7d9fcbebe526

SHA512
ae4b2f2d736409cf653097eb6a06811c3fd44153619734475d9ad4bb636d71529384b15f72e5164c767d507d97ca8dc25d553f484b1c16e2b58bfd5f48023ffe

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
96KB

MD5
32a83a3d978f805a6f0e0af8fe44c28d

SHA1
541769fa1d0a40267ed2e9704cb5edf4b0910844

SHA256
fa6d2d437dd1a493868d0c093df38e2bfd4bd5417acf7116ff31f8219ef98a11

SHA512
1fd5a6b28445141d1e157b6f3f6a8036fa9b4e6cb8141cf00b7d81f55bc9b64cb52ee7de24cfa902a9b3cebd92343617cd5387b031995f16b013603450d838bd

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
96KB

MD5
da76ee8800c5f66ea107606ede282a37

SHA1
bebc55c55ae4adc6a4c22098d7242de3a0cd08d6

SHA256
790fe1ed7e1be00a861821971547270e069380cf2661891449b70a399330708b

SHA512
53b8210a318d6ff35d7f40369b6ee10e260ff140abd8943022014fead65ffcf552b8b450d5bfbad7b2a87d826e8da38f14a1c4abf5579ea1353bd9b427687696

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
96KB

MD5
2f3563e5b78926340f47f6ea2548144f

SHA1
cabbf3b0a486bf872f19834c7d2959012a72eb38

SHA256
a970329c5d5872661e3a14399c3d8a5bf1b9f0c80f0e7999039826fe72bb62ac

SHA512
d73544b490175e181e79d8872c0283dbc92bffe6ec521c276106665f441f202a59efe1d178ba80cc8fd9e3296d360068c073d5ad34734ca76a727d340d5379b5

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
96KB

MD5
48884dfa13f4e554f33a3c0c6ebf3351

SHA1
a35d428d7ac2a8eb2f867ef0dc8894ccc9a26a4e

SHA256
96acf162d611dd4b2c25f8279e059f3d6a162b39765d7441121cdc132c40089f

SHA512
ad20190326e2e1dd94dace6ad99c416c51692f6d3688808610b89d719a7fb335fb56ae159a3f83cf44eb232d4bd8a4a21522766fc5dc7189222aef1e5f48ac7f

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
96KB

MD5
757db88de7b8cf59b9b4fe1267f0d506

SHA1
35d3ba1066399ee661e3c82a1b26369e819ca53d

SHA256
e541e65c79492ca6671448327a36fa9bbd97043946cdd44ac0d7433529a6742f

SHA512
d4233abb4f2a0693073641d2c44a0e9653d7529fe31a2a01738d4e9d9cfd595f3699a981c011fd246199425178e35148c8075e015b9e0890f700bbb05d72bb35

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
96KB

MD5
23f2780f7ef7ff9360d1eeede80a163a

SHA1
dc5ec7301c952c03d51a331000aa01c0abaa1c3f

SHA256
d837b76d3432a35a11a73ae0af0213552e0c99efd24b5269cf3961c91e7e1b22

SHA512
d0e4091aac5cf59704924bc6406d0247004be889563756bfe3e481d05a8794749adfc0e6ddf335ab9b38a52367d3da0db0d41d4aa45917ef4fc62817d4bf21a7

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
96KB

MD5
390c677c729a10516974d0a4bef2834c

SHA1
da9805bf8741776e6445ba5b8f00a2a05a174307

SHA256
e3ef1b81107f097185743489a826eaeab3b5cb056c7e2c3f6a486d5eb0b0a835

SHA512
f2735a382c31fb1058cbe80ce71cb4297e83093eb2b227146a4ea7ad76168886130955a062b98574ea02337a90dc46b6d570634677e2241e1c214172152a75a8

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
96KB

MD5
3e06fdd61ca015932a218efb69ef599a

SHA1
83bfa1f0670f3d74f8af3f2290162eaaf6aa619c

SHA256
5f60c3dd903615cb3f9a45f93df733c4eb208e43764a7a95e268de5ca2d99aaf

SHA512
25bdb13ebfe40fd32fa800355d0bccb2bd37b653f89afa1b46d8daf46fe787757486d22ccff2c1c2bb1aad99a43d42b35c678d1ef0acd05226ef34e5f7713c23

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
96KB

MD5
48b0b7c9c6a1cfae4c88a528c50a7978

SHA1
8291cacbe1acf7e7232887d269f49ebc245cf28c

SHA256
320de96a31bd27a463a8e5ba4275a2cca409afcf1d7466aff88fc61f26883cbb

SHA512
39f8a86ee62751607d569ad9824359892d71eb9b1f4f5cbc95f64ca3c13a34f3f67979934c6110becfcedb236cfae12a1917ee1b76db84f301aa33c3cc9165bb

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
96KB

MD5
f60c7ffcd6f9ad58cb60aa4d2c9679d5

SHA1
5ffd6fac32295045f8fc47608738e2eec0122fa6

SHA256
b75d1c5df3d424d10f19c86dc10c9d0be6aa3f9f1b3d1e80a9812e55b046484b

SHA512
5de3fd66d4bc6f50486d6a7997f945bd9796a409c15040094400b22d90334958ac7a42b9884260e2d8f3e9eea869b14af3c59c6ae9108ba1d0545e6d2d59d2f2

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
96KB

MD5
8b468059c8b62a6c72d957712d4e094d

SHA1
639c12fb1887380bae27985e55f9942097b31399

SHA256
0c1a1541d0d8ad9159d4061e0618e9a55930bd6130e5d46529f59fa94509394d

SHA512
44776cf9b0e8fa8a8f50acf026c0ace50b14bdb2f2deb80da76a86806a639264486d4e7ea3bfe7e0581a67185ac23b21a3b1c20a5054273a72b8d362bf42fb0e

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
96KB

MD5
a04addfc8c68035e8f7a361962e2084b

SHA1
dbd8f4e6f4d61952fc7ab9fe850794feeeb4e25b

SHA256
286bca4ebd2a9345a2d572daa4da59c8ec0a3fb2857a363138e4259af23b4133

SHA512
72c27d6332c3a50534c7bb1e76730a59360a3e7d90df2f002540ba8c0871619957d9970a545ac83cce7323ffe35184d6634c0d3ba239274c2ee06e881321389a

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
96KB

MD5
9437ff48d1da3839f94ce97dc7f2963e

SHA1
af019ecacaec7aac1cce0a61836f410d3170c073

SHA256
a8ce2af1fdd2617f43557159a76e173884898386a3149136106eb1c2704d25bd

SHA512
1c8aa7584209bb7eba991320ad6e9a97b0ed05fa2a385ba9c3e18ac388fb8f2cac4e2e5568c1ca18de508f9d97522d714f7976410df4eb5017afa0f1eef3e96c

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
96KB

MD5
951cf1c7f004f962f7e5d090495cb51b

SHA1
875e4571f413de6d7b5e662dc07d587cb96d58a0

SHA256
b8ef776ec049046a17c39b68af4eb81b62793e87249be0de426c6e252578515a

SHA512
49c0b80b83d2fc9567914be71d079cd50571ff9b1b5088019808bd8a16dfb0be06978b52d3c52a3559ae06da20b563e4bb8695e8e37068a91962e7ce75997896

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
96KB

MD5
6a90f8c4f392cb35163b51be437792af

SHA1
373c93af98dd9911717186cd4431a5390907ea51

SHA256
a6964ae3df87249ada5a060f16062fe7c6d3d3fdc28d4800b18973fd913fbd2b

SHA512
b05aacd83c07738e2b4ada707559bcb125acf99fb6bbee15a4968e2b164ff27339fe24bf7a4d3c35c985e8d325b1f1d4f9913de28f567ed0a5fabb816bded905

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
96KB

MD5
746385d5b52ee49e2a506175c3108fcb

SHA1
05af1760f64e98707b9b5416b9fbf13ac0c5eaa3

SHA256
121b80bb52309697398daddafbc886dc78c743d788e6a95be0f68f357024e09e

SHA512
9738cfe113addb1166d948a5158ff9601816a8336e72aa700ef758f1cf5003f1e7f71b55e50fc079fac9182752790043f8e438db0d3c20df8ae9791ea9e7ce44

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
96KB

MD5
c2ce6faa99e4ac730998a35508ca4c3a

SHA1
4957454c692057296a521b22cd5243c0a55b77ff

SHA256
cb0210aaaec4c7478a4c55d61c19b24d8538b4d30e5e16849af5d95632b7dfae

SHA512
4028adbf0936509fcc664715589de46b055072e0fc3be001963226b45dfa5fd782d2e8bc4548ab50c8e5c2680610034aaaa6bf89a83499ec4e6f45d20eda0e04

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
96KB

MD5
11b213965d0aa7b47274a0bcfca22098

SHA1
de98efec3519d83cfc08ad33b0a343bfc6411646

SHA256
e5976ed06a4221aa87481e20c78d101360c94d9ecca43b7c8d54840c108e5d26

SHA512
864d9e66e20826f083fb27175c81e2029479283697b4e67792c41019582d25ce2122effef31e9f8a1f67989fe3c397b2171d967fcbac1264b9571e890c962199

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
96KB

MD5
ac82af42bd5606500b4ad4e6b31fb80f

SHA1
0f9799c0fb74ded313fced6c10a8785e2b4acbae

SHA256
2615d9206edb49a43f1ab7105ac2317aba070a38b5b66d7c679d90610793383d

SHA512
4028e21babc6d86d75b095010e57e92e0b0b0f347955e5fb2308a037d2ab97314eaa94f09d4623196fc84e7c32d8cad491acce9a52489eb9f6d3da0b572cef60

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
96KB

MD5
1416d1d726efa2ec92a45f99da1d968d

SHA1
f0cf7731ae679423ed3ed63ce183d56b0d414dce

SHA256
2ec210f368bbc620bdc7668a5f7a206690a06ade307daa525328deed93c60673

SHA512
c04cf92820f32a41cda4c439c8c54283fedb3a981bb32396b0d1149744111ddeff787b8ea294dda90b51a1b6f2f10e793fc8eab17e7e4dccfdcc4c39b4e9308f

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
96KB

MD5
2d411b173de7c5910ea23213fa51a28b

SHA1
0c44aff407c73a2cff74e17c266b28ff5238c69b

SHA256
4787100ee7b19ac73f01996b155c52e563d27ff53109e1c2d6d4ec06c4d311b4

SHA512
a8f0ebdea2ef420e9f953f139857360e218dccc98ea2bac37e6a155bd168f50b4e784bd8baa093d21995e096c0e03af2d1885e9b10e0af3827eeff87cbde40cf

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
96KB

MD5
375716f5701c47e3d10b0ab10267aa46

SHA1
2e44322558b6634ff4fe046c3c952c2e9300b3eb

SHA256
4082ca8b5c90bff3417e39f7c44d8a5c01bdd22894ec547ade95ec013507bdb8

SHA512
873ce5ce0f74d7ede83a5f9d55a7259052c573bb7f4c08d98ccb3ba56ef50baa64894e63e79587ed9e55f79c0ef891d44e5e3ab3603ae7db01ab10b54506c713

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
96KB

MD5
92780dcdbc8e1ac8347bd0c0f121efce

SHA1
5ebfbb97f7b2605f9b2593298c62c8c1f0e84b65

SHA256
04ce1a584bb700c02cd481788c2e57b4d307e43c79042c93bbd469ece0e8a7ed

SHA512
9ffe5136e55edb0436d88ce7d0a51bf55292328dbdbca237213dc0708c2525d386ac58ba224aa5aff6271af6726ffbc635d5316bec069f30dbed53333407e713

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
96KB

MD5
f93f5ce8d728132c4801989cab4cc7d3

SHA1
25949821f78c56bc8165f713fbca42d6b29019d9

SHA256
61bae57e183edbc790cda78e7b2599d4ea38aad8d72dc21c3b8cce6e7c56baf5

SHA512
b584eacd4892103e80182d6caa657dc0d779b8c7729ba70f23920a8d1cf2e363095b5b23da14d5c04f666bb9ac4c5c8b1ccf154aba1a084b08d0545b4015a474

Download Submit
memory/220-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/264-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/508-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2280-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3224-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3808-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-940-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4648-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5128-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5268-887-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5796-900-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6020-871-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6132-890-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads