berbew | 35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506.exe
Size

320KB
MD5

2aa9e362182557ec92c6993efadf0160
SHA1

027d0cc77cf29eb52700aa3e7865faa6744ed2d8
SHA256

35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506
SHA512

3e8ab73e41f05bba7c075b12928d19ecec0c8c0ab7646be7917430a8fc5b5309648b20d7b0403e8f5842d6d39993fffdfd39bca2918c1be244532f889979f0aa
SSDEEP

6144:ps4ngnHMtOhqagi3pv5GyZ6YugQdjGG1wsKm06D4:pnnEbhx37GyXu1jGG1ws54

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dofnnkfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Igpdnlgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ladpagin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhikae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgfkchmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Heonpf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnlnaim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Heedqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljgkom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aankkqfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqhclqnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdihmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhhfgcgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llbnnq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfebdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncnlnaim.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlmphp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knoaeimg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ladpagin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iijfoh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhklha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhnemdbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmacej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqepgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqepgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknebaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlejl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddeae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndiomdde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpjklo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Knoaeimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknebaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nknnnoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nknnnoph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnimpcke.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Heonpf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbjjekhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndiomdde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdfjnkne.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmibmlo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iijfoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbcgeilh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbedkhie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpngmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmhqokcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddeae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncjbba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apclnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ankedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdihmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlaeab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfopdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhnemdbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omqjgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dofnnkfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egkehllh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llbnnq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkhdnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfebdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eomdoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcmpcjcf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbfmm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfopdk32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 59 IoCs

pid	Process
1760	Oqepgk32.exe
2800	Omqjgl32.exe
2784	Pkhdnh32.exe
2864	Pnimpcke.exe
2680	Qgfkchmp.exe
2224	Apclnj32.exe
2380	Ankedf32.exe
2596	Aankkqfl.exe
2948	Bmelpa32.exe
988	Binikb32.exe
868	Bdfjnkne.exe
1912	Chmibmlo.exe
2176	Cpjklo32.exe
2444	Dcmpcjcf.exe
1944	Dofnnkfg.exe
996	Enngdgim.exe
840	Eomdoj32.exe
2612	Egkehllh.exe
2552	Ecbfmm32.exe
1356	Fqhclqnc.exe
2184	Gdihmo32.exe
612	Heonpf32.exe
1744	Hbboiknb.exe
844	Hlmphp32.exe
1480	Heedqe32.exe
2316	Iaobkf32.exe
2340	Iijfoh32.exe
2872	Igpdnlgd.exe
2432	Icgdcm32.exe
3040	Jlaeab32.exe
2652	Jhhfgcgj.exe
2400	Jbcgeilh.exe
2364	Jgppmpjp.exe
2580	Jbedkhie.exe
2592	Knoaeimg.exe
2972	Kcngcp32.exe
2384	Kikokf32.exe
2372	Kfopdk32.exe
516	Lknebaba.exe
2160	Lbjjekhl.exe
2300	Llbnnq32.exe
1320	Ljgkom32.exe
1652	Lhklha32.exe
1456	Ladpagin.exe
568	Mjlejl32.exe
1164	Mmmnkglp.exe
3068	Mfebdm32.exe
1864	Mpngmb32.exe
2308	Mhikae32.exe
1588	Mbopon32.exe
2480	Nmhqokcq.exe
2932	Nhnemdbf.exe
3016	Nddeae32.exe
2660	Nknnnoph.exe
3012	Ncjbba32.exe
2600	Ndiomdde.exe
2748	Nmacej32.exe
2368	Ncnlnaim.exe
584	Opblgehg.exe

Loads dropped DLL 64 IoCs

pid	Process
2128	35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506.exe
2128	35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506.exe
1760	Oqepgk32.exe
1760	Oqepgk32.exe
2800	Omqjgl32.exe
2800	Omqjgl32.exe
2784	Pkhdnh32.exe
2784	Pkhdnh32.exe
2864	Pnimpcke.exe
2864	Pnimpcke.exe
2680	Qgfkchmp.exe
2680	Qgfkchmp.exe
2224	Apclnj32.exe
2224	Apclnj32.exe
2380	Ankedf32.exe
2380	Ankedf32.exe
2596	Aankkqfl.exe
2596	Aankkqfl.exe
2948	Bmelpa32.exe
2948	Bmelpa32.exe
988	Binikb32.exe
988	Binikb32.exe
868	Bdfjnkne.exe
868	Bdfjnkne.exe
1912	Chmibmlo.exe
1912	Chmibmlo.exe
2176	Cpjklo32.exe
2176	Cpjklo32.exe
2444	Dcmpcjcf.exe
2444	Dcmpcjcf.exe
1944	Dofnnkfg.exe
1944	Dofnnkfg.exe
996	Enngdgim.exe
996	Enngdgim.exe
840	Eomdoj32.exe
840	Eomdoj32.exe
2612	Egkehllh.exe
2612	Egkehllh.exe
2552	Ecbfmm32.exe
2552	Ecbfmm32.exe
1356	Fqhclqnc.exe
1356	Fqhclqnc.exe
2184	Gdihmo32.exe
2184	Gdihmo32.exe
612	Heonpf32.exe
612	Heonpf32.exe
1744	Hbboiknb.exe
1744	Hbboiknb.exe
844	Hlmphp32.exe
844	Hlmphp32.exe
1480	Heedqe32.exe
1480	Heedqe32.exe
2316	Iaobkf32.exe
2316	Iaobkf32.exe
2340	Iijfoh32.exe
2340	Iijfoh32.exe
2872	Igpdnlgd.exe
2872	Igpdnlgd.exe
2432	Icgdcm32.exe
2432	Icgdcm32.exe
3040	Jlaeab32.exe
3040	Jlaeab32.exe
2652	Jhhfgcgj.exe
2652	Jhhfgcgj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bhhjdb32.dll	Aankkqfl.exe
File opened for modification	C:\Windows\SysWOW64\Hbboiknb.exe	Heonpf32.exe
File created	C:\Windows\SysWOW64\Jbcgeilh.exe	Jhhfgcgj.exe
File created	C:\Windows\SysWOW64\Gaegla32.dll	Ndiomdde.exe
File created	C:\Windows\SysWOW64\Aankkqfl.exe	Ankedf32.exe
File opened for modification	C:\Windows\SysWOW64\Mbopon32.exe	Mhikae32.exe
File opened for modification	C:\Windows\SysWOW64\Nhnemdbf.exe	Nmhqokcq.exe
File created	C:\Windows\SysWOW64\Ncnlnaim.exe	Nmacej32.exe
File created	C:\Windows\SysWOW64\Mmmnkglp.exe	Mjlejl32.exe
File opened for modification	C:\Windows\SysWOW64\Chmibmlo.exe	Bdfjnkne.exe
File opened for modification	C:\Windows\SysWOW64\Jbedkhie.exe	Jgppmpjp.exe
File created	C:\Windows\SysWOW64\Mfebdm32.exe	Mmmnkglp.exe
File created	C:\Windows\SysWOW64\Pbaljk32.dll	Nhnemdbf.exe
File created	C:\Windows\SysWOW64\Kpfdhgca.dll	Bmelpa32.exe
File opened for modification	C:\Windows\SysWOW64\Jbcgeilh.exe	Jhhfgcgj.exe
File created	C:\Windows\SysWOW64\Cjchollj.dll	Lknebaba.exe
File created	C:\Windows\SysWOW64\Nmhqokcq.exe	Mbopon32.exe
File created	C:\Windows\SysWOW64\Nknnnoph.exe	Nddeae32.exe
File created	C:\Windows\SysWOW64\Agiidifg.dll	Iaobkf32.exe
File opened for modification	C:\Windows\SysWOW64\Omqjgl32.exe	Oqepgk32.exe
File opened for modification	C:\Windows\SysWOW64\Ankedf32.exe	Apclnj32.exe
File created	C:\Windows\SysWOW64\Egkehllh.exe	Eomdoj32.exe
File created	C:\Windows\SysWOW64\Goplnb32.dll	Fqhclqnc.exe
File created	C:\Windows\SysWOW64\Lbjjekhl.exe	Lknebaba.exe
File created	C:\Windows\SysWOW64\Njhhcpnk.dll	35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506.exe
File opened for modification	C:\Windows\SysWOW64\Icgdcm32.exe	Igpdnlgd.exe
File opened for modification	C:\Windows\SysWOW64\Kikokf32.exe	Kcngcp32.exe
File created	C:\Windows\SysWOW64\Mhikae32.exe	Mpngmb32.exe
File created	C:\Windows\SysWOW64\Gdihmo32.exe	Fqhclqnc.exe
File created	C:\Windows\SysWOW64\Kcmbjn32.dll	Gdihmo32.exe
File opened for modification	C:\Windows\SysWOW64\Heedqe32.exe	Hlmphp32.exe
File opened for modification	C:\Windows\SysWOW64\Mfebdm32.exe	Mmmnkglp.exe
File opened for modification	C:\Windows\SysWOW64\Fqhclqnc.exe	Ecbfmm32.exe
File created	C:\Windows\SysWOW64\Cckcjpkg.dll	Heedqe32.exe
File created	C:\Windows\SysWOW64\Jgppmpjp.exe	Jbcgeilh.exe
File opened for modification	C:\Windows\SysWOW64\Llbnnq32.exe	Lbjjekhl.exe
File created	C:\Windows\SysWOW64\Mpgoaiep.dll	Bdfjnkne.exe
File created	C:\Windows\SysWOW64\Fahpaj32.dll	Chmibmlo.exe
File created	C:\Windows\SysWOW64\Hqfmpi32.dll	Ecbfmm32.exe
File created	C:\Windows\SysWOW64\Hbboiknb.exe	Heonpf32.exe
File created	C:\Windows\SysWOW64\Fcdafj32.dll	Jlaeab32.exe
File created	C:\Windows\SysWOW64\Lhklha32.exe	Ljgkom32.exe
File created	C:\Windows\SysWOW64\Pgcacc32.dll	Mmmnkglp.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Ncnlnaim.exe
File opened for modification	C:\Windows\SysWOW64\Qgfkchmp.exe	Pnimpcke.exe
File created	C:\Windows\SysWOW64\Llaqkn32.dll	Ankedf32.exe
File created	C:\Windows\SysWOW64\Ladpagin.exe	Lhklha32.exe
File created	C:\Windows\SysWOW64\Gibcam32.dll	Mhikae32.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Ncnlnaim.exe
File opened for modification	C:\Windows\SysWOW64\Aankkqfl.exe	Ankedf32.exe
File opened for modification	C:\Windows\SysWOW64\Apclnj32.exe	Qgfkchmp.exe
File opened for modification	C:\Windows\SysWOW64\Dofnnkfg.exe	Dcmpcjcf.exe
File opened for modification	C:\Windows\SysWOW64\Mpngmb32.exe	Mfebdm32.exe
File opened for modification	C:\Windows\SysWOW64\Ndiomdde.exe	Ncjbba32.exe
File opened for modification	C:\Windows\SysWOW64\Pkhdnh32.exe	Omqjgl32.exe
File created	C:\Windows\SysWOW64\Binikb32.exe	Bmelpa32.exe
File created	C:\Windows\SysWOW64\Qoemceeo.dll	Enngdgim.exe
File created	C:\Windows\SysWOW64\Olbkimdk.dll	Llbnnq32.exe
File created	C:\Windows\SysWOW64\Opdnpmio.dll	Oqepgk32.exe
File opened for modification	C:\Windows\SysWOW64\Dcmpcjcf.exe	Cpjklo32.exe
File opened for modification	C:\Windows\SysWOW64\Eomdoj32.exe	Enngdgim.exe
File created	C:\Windows\SysWOW64\Igpdnlgd.exe	Iijfoh32.exe
File created	C:\Windows\SysWOW64\Icgdcm32.exe	Igpdnlgd.exe
File opened for modification	C:\Windows\SysWOW64\Lhklha32.exe	Ljgkom32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2040	584	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Binikb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqhclqnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljgkom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmelpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlmphp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlaeab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egkehllh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbboiknb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfebdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndiomdde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omqjgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iijfoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbedkhie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjjekhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nddeae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcngcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjbba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcmpcjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikokf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjlejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpjklo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iaobkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfopdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ankedf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aankkqfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dofnnkfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ladpagin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmhqokcq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfjnkne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enngdgim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecbfmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igpdnlgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhhfgcgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbnnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmmnkglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhnemdbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkhdnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnimpcke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgfkchmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgppmpjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knoaeimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhklha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhikae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmacej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apclnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eomdoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lknebaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpngmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heonpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqepgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmibmlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icgdcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nknnnoph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnlnaim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdihmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heedqe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbcgeilh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbopon32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opdnpmio.dll"	Oqepgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Heonpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbcgeilh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbopon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhchihim.dll"	Heonpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlaeab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjchollj.dll"	Lknebaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmacej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacehe32.dll"	Jhhfgcgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adlqbf32.dll"	Lbjjekhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndiomdde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncnlnaim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ladpagin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ankedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmelpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilgcb32.dll"	Dofnnkfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Igpdnlgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgefap32.dll"	Jbcgeilh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keokbali.dll"	Kikokf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmmnkglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mfebdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njljfe32.dll"	Mbopon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihggkhle.dll"	Nknnnoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqfmpi32.dll"	Ecbfmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icgdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpgidb32.dll"	Ladpagin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfndae32.dll"	Mjlejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnhge32.dll"	Nddeae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nddeae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dofnnkfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlmphp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aankkqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekcqo32.dll"	Ljgkom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gibcam32.dll"	Mhikae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncnlnaim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgfkchmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcmbjn32.dll"	Gdihmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icgdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhhfgcgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbjjekhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljgkom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncjbba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnjdl32.dll"	Lhklha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpgoaiep.dll"	Bdfjnkne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dofnnkfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpfncf32.dll"	Eomdoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbokdb32.dll"	Egkehllh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecbfmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jgppmpjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcngcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjlejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnimpcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ankedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpfdhgca.dll"	Bmelpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghghie32.dll"	Cpjklo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enngdgim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmadmn32.dll"	Knoaeimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjlejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqepgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnimpcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fahpaj32.dll"	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqhclqnc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1760	2128	35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506.exe	30
PID 2128 wrote to memory of 1760	2128	35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506.exe	30
PID 2128 wrote to memory of 1760	2128	35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506.exe	30
PID 2128 wrote to memory of 1760	2128	35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506.exe	30
PID 1760 wrote to memory of 2800	1760	Oqepgk32.exe	31
PID 1760 wrote to memory of 2800	1760	Oqepgk32.exe	31
PID 1760 wrote to memory of 2800	1760	Oqepgk32.exe	31
PID 1760 wrote to memory of 2800	1760	Oqepgk32.exe	31
PID 2800 wrote to memory of 2784	2800	Omqjgl32.exe	32
PID 2800 wrote to memory of 2784	2800	Omqjgl32.exe	32
PID 2800 wrote to memory of 2784	2800	Omqjgl32.exe	32
PID 2800 wrote to memory of 2784	2800	Omqjgl32.exe	32
PID 2784 wrote to memory of 2864	2784	Pkhdnh32.exe	33
PID 2784 wrote to memory of 2864	2784	Pkhdnh32.exe	33
PID 2784 wrote to memory of 2864	2784	Pkhdnh32.exe	33
PID 2784 wrote to memory of 2864	2784	Pkhdnh32.exe	33
PID 2864 wrote to memory of 2680	2864	Pnimpcke.exe	34
PID 2864 wrote to memory of 2680	2864	Pnimpcke.exe	34
PID 2864 wrote to memory of 2680	2864	Pnimpcke.exe	34
PID 2864 wrote to memory of 2680	2864	Pnimpcke.exe	34
PID 2680 wrote to memory of 2224	2680	Qgfkchmp.exe	35
PID 2680 wrote to memory of 2224	2680	Qgfkchmp.exe	35
PID 2680 wrote to memory of 2224	2680	Qgfkchmp.exe	35
PID 2680 wrote to memory of 2224	2680	Qgfkchmp.exe	35
PID 2224 wrote to memory of 2380	2224	Apclnj32.exe	36
PID 2224 wrote to memory of 2380	2224	Apclnj32.exe	36
PID 2224 wrote to memory of 2380	2224	Apclnj32.exe	36
PID 2224 wrote to memory of 2380	2224	Apclnj32.exe	36
PID 2380 wrote to memory of 2596	2380	Ankedf32.exe	37
PID 2380 wrote to memory of 2596	2380	Ankedf32.exe	37
PID 2380 wrote to memory of 2596	2380	Ankedf32.exe	37
PID 2380 wrote to memory of 2596	2380	Ankedf32.exe	37
PID 2596 wrote to memory of 2948	2596	Aankkqfl.exe	38
PID 2596 wrote to memory of 2948	2596	Aankkqfl.exe	38
PID 2596 wrote to memory of 2948	2596	Aankkqfl.exe	38
PID 2596 wrote to memory of 2948	2596	Aankkqfl.exe	38
PID 2948 wrote to memory of 988	2948	Bmelpa32.exe	39
PID 2948 wrote to memory of 988	2948	Bmelpa32.exe	39
PID 2948 wrote to memory of 988	2948	Bmelpa32.exe	39
PID 2948 wrote to memory of 988	2948	Bmelpa32.exe	39
PID 988 wrote to memory of 868	988	Binikb32.exe	40
PID 988 wrote to memory of 868	988	Binikb32.exe	40
PID 988 wrote to memory of 868	988	Binikb32.exe	40
PID 988 wrote to memory of 868	988	Binikb32.exe	40
PID 868 wrote to memory of 1912	868	Bdfjnkne.exe	41
PID 868 wrote to memory of 1912	868	Bdfjnkne.exe	41
PID 868 wrote to memory of 1912	868	Bdfjnkne.exe	41
PID 868 wrote to memory of 1912	868	Bdfjnkne.exe	41
PID 1912 wrote to memory of 2176	1912	Chmibmlo.exe	42
PID 1912 wrote to memory of 2176	1912	Chmibmlo.exe	42
PID 1912 wrote to memory of 2176	1912	Chmibmlo.exe	42
PID 1912 wrote to memory of 2176	1912	Chmibmlo.exe	42
PID 2176 wrote to memory of 2444	2176	Cpjklo32.exe	43
PID 2176 wrote to memory of 2444	2176	Cpjklo32.exe	43
PID 2176 wrote to memory of 2444	2176	Cpjklo32.exe	43
PID 2176 wrote to memory of 2444	2176	Cpjklo32.exe	43
PID 2444 wrote to memory of 1944	2444	Dcmpcjcf.exe	44
PID 2444 wrote to memory of 1944	2444	Dcmpcjcf.exe	44
PID 2444 wrote to memory of 1944	2444	Dcmpcjcf.exe	44
PID 2444 wrote to memory of 1944	2444	Dcmpcjcf.exe	44
PID 1944 wrote to memory of 996	1944	Dofnnkfg.exe	45
PID 1944 wrote to memory of 996	1944	Dofnnkfg.exe	45
PID 1944 wrote to memory of 996	1944	Dofnnkfg.exe	45
PID 1944 wrote to memory of 996	1944	Dofnnkfg.exe	45

C:\Users\Admin\AppData\Local\Temp\35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506.exe
"C:\Users\Admin\AppData\Local\Temp\35582964e88cbd644d9652ef98a525a3506416d94c10828a0cc4d16da7a79506.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\Oqepgk32.exe
  C:\Windows\system32\Oqepgk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\Omqjgl32.exe
    C:\Windows\system32\Omqjgl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\Pkhdnh32.exe
      C:\Windows\system32\Pkhdnh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\SysWOW64\Pnimpcke.exe
        
        C:\Windows\system32\Pnimpcke.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\SysWOW64\Qgfkchmp.exe
        
        C:\Windows\system32\Qgfkchmp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Apclnj32.exe
        
        C:\Windows\system32\Apclnj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Ankedf32.exe
        
        C:\Windows\system32\Ankedf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Aankkqfl.exe
        
        C:\Windows\system32\Aankkqfl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Bmelpa32.exe
        
        C:\Windows\system32\Bmelpa32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Binikb32.exe
        
        C:\Windows\system32\Binikb32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\SysWOW64\Bdfjnkne.exe
        
        C:\Windows\system32\Bdfjnkne.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Chmibmlo.exe
        
        C:\Windows\system32\Chmibmlo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Cpjklo32.exe
        
        C:\Windows\system32\Cpjklo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Dcmpcjcf.exe
        
        C:\Windows\system32\Dcmpcjcf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Dofnnkfg.exe
        
        C:\Windows\system32\Dofnnkfg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Enngdgim.exe
        
        C:\Windows\system32\Enngdgim.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Eomdoj32.exe
        
        C:\Windows\system32\Eomdoj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Egkehllh.exe
        
        C:\Windows\system32\Egkehllh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Ecbfmm32.exe
        
        C:\Windows\system32\Ecbfmm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Fqhclqnc.exe
        
        C:\Windows\system32\Fqhclqnc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Gdihmo32.exe
        
        C:\Windows\system32\Gdihmo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Heonpf32.exe
        
        C:\Windows\system32\Heonpf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:612
        
        C:\Windows\SysWOW64\Hbboiknb.exe
        
        C:\Windows\system32\Hbboiknb.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\Hlmphp32.exe
        
        C:\Windows\system32\Hlmphp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Heedqe32.exe
        
        C:\Windows\system32\Heedqe32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Iaobkf32.exe
        
        C:\Windows\system32\Iaobkf32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Iijfoh32.exe
        
        C:\Windows\system32\Iijfoh32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Igpdnlgd.exe
        
        C:\Windows\system32\Igpdnlgd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Icgdcm32.exe
        
        C:\Windows\system32\Icgdcm32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Jlaeab32.exe
        
        C:\Windows\system32\Jlaeab32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Jhhfgcgj.exe
        
        C:\Windows\system32\Jhhfgcgj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Jbcgeilh.exe
        
        C:\Windows\system32\Jbcgeilh.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Jgppmpjp.exe
        
        C:\Windows\system32\Jgppmpjp.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Jbedkhie.exe
        
        C:\Windows\system32\Jbedkhie.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\Knoaeimg.exe
        
        C:\Windows\system32\Knoaeimg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Kcngcp32.exe
        
        C:\Windows\system32\Kcngcp32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Kikokf32.exe
        
        C:\Windows\system32\Kikokf32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Kfopdk32.exe
        
        C:\Windows\system32\Kfopdk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Lknebaba.exe
        
        C:\Windows\system32\Lknebaba.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Lbjjekhl.exe
        
        C:\Windows\system32\Lbjjekhl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Llbnnq32.exe
        
        C:\Windows\system32\Llbnnq32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\Ljgkom32.exe
        
        C:\Windows\system32\Ljgkom32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Lhklha32.exe
        
        C:\Windows\system32\Lhklha32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Ladpagin.exe
        
        C:\Windows\system32\Ladpagin.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Mjlejl32.exe
        
        C:\Windows\system32\Mjlejl32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\Mmmnkglp.exe
        
        C:\Windows\system32\Mmmnkglp.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Mfebdm32.exe
        
        C:\Windows\system32\Mfebdm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Mpngmb32.exe
        
        C:\Windows\system32\Mpngmb32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Mhikae32.exe
        
        C:\Windows\system32\Mhikae32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Mbopon32.exe
        
        C:\Windows\system32\Mbopon32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Nmhqokcq.exe
        
        C:\Windows\system32\Nmhqokcq.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\Nhnemdbf.exe
        
        C:\Windows\system32\Nhnemdbf.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\Nddeae32.exe
        
        C:\Windows\system32\Nddeae32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Nknnnoph.exe
        
        C:\Windows\system32\Nknnnoph.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Ncjbba32.exe
        
        C:\Windows\system32\Ncjbba32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Ndiomdde.exe
        
        C:\Windows\system32\Ndiomdde.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Nmacej32.exe
        
        C:\Windows\system32\Nmacej32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Ncnlnaim.exe
        
        C:\Windows\system32\Ncnlnaim.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 140
        61⤵
        Program crash
        
        PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aiffeloi.dll

Filesize
7KB

MD5
e86c0d2fe2bd69f6084dd299e4355393

SHA1
43c3e51ceecea6502ee8f67ad0138c87deb1cb9c

SHA256
8bee5f4884109ad0049046729f96d64d886745968984c83c500ae27a0590d625

SHA512
84d0f9ed7fbf4423ee4f6a2b3273f10051699abdf93e02c020a3237c020c9ff6675ac0dd04c1fb1817dce48eb9c53273704fb167b786a4e7b4a76f5933f653f1

Download Submit
C:\Windows\SysWOW64\Bdfjnkne.exe

Filesize
320KB

MD5
fbfad5cff321d9141f59ef096e838a77

SHA1
c0317611ba54b6370234bd3019961a011cbf36a3

SHA256
5882debb2e3a417c0f9e173536cc3d1d10c29116b42e838c13074f801a8c3a1e

SHA512
78339fe0a1d05d3a1db6c087ff8800b0758c09d4a678c527363014e7ba67d61c214462cf9eae1ae90e4e60a59b01f1f521ca9d07a1b4d9445335bb50e7d92565

Download Submit
C:\Windows\SysWOW64\Bmelpa32.exe

Filesize
320KB

MD5
383fc82d211b17b7aa390fb871d7642e

SHA1
516522d0bc8363a717baa1374eb3e2414f77178a

SHA256
785e1c30e6d4d12e1087f7ddfb6fbb9836b8c77a6b4287ccc0455cef68d68bf8

SHA512
49d57f13e746c69a4d1887199bf7de4b899028746da5a5341a74e1edb73f085a4687ab04d3d26a7f977ba330a355c698bbc9e3a1adef763b87e3c1999dbbf603

Download Submit
C:\Windows\SysWOW64\Ecbfmm32.exe

Filesize
320KB

MD5
91edb5ebd70a46557d358c7710bbfbdf

SHA1
93979249f37843198d2d905f0a111edf26aa5100

SHA256
082ad63642b01133aebfd4696259e65e64b1e1bba204c32871b4bef0943bc61d

SHA512
505fb8b8460a10f326424a65591b24154d563fff64997839dc070e4f8126309b6c36d71dbc4f74e886bf82ba29fbcdc24fb4ad52d6ac885d9584994e33242a2e

Download Submit
C:\Windows\SysWOW64\Egkehllh.exe

Filesize
320KB

MD5
f5fa92bb43ac1926c4b3d4f353f8b91c

SHA1
08eeb0411c48fb68fb50422f6c5a5e6d018bb511

SHA256
e73ef23e8a2ed22c0c94bc3f5f4d1a33e20d6c80b0facfbcff980540362a454d

SHA512
767ddd91f0d1d4eabca5b4770d3da7756edd0e34ff1cceee96d821def313daf7d68461821f565cb11b7c8d09af4ac1d1ad21b30737059322c769fd815a119824

Download Submit
C:\Windows\SysWOW64\Eomdoj32.exe

Filesize
320KB

MD5
dadd4518712092c282dab13f61f664cf

SHA1
118bdef722e1f7d902e5a6b60b2eae37e8f56629

SHA256
1da232e617ca9810532002c7405808eb33eaf120906373916139189215ca87f1

SHA512
3a3fcd7937208866cdb42f89a778041465cbf8c5b7494b2102cd1f4fab4fbffe82e9659c3ff91321959d69db08a8a5a49e96f0779110764f33d11dcb730a7d37

Download Submit
C:\Windows\SysWOW64\Fqhclqnc.exe

Filesize
320KB

MD5
0517f910acacbf233b50ddda274aec92

SHA1
bfcd5adbe65843d603cf1c99fd6ae4c91a33e569

SHA256
4b1b167061dda7a099babd99aad7f2783c69714ec9dc9ed40ec42f08f18eeec3

SHA512
5568310b34471a80f45b01f5cd5b467f8a3b65b7d09cb8be9757e5496a887885b45380057a2b3257144c848888b78784860566af88f3deece1b96738da594137

Download Submit
C:\Windows\SysWOW64\Gdihmo32.exe

Filesize
320KB

MD5
2b50354ac4ef6bcd2242756180986360

SHA1
19919977574968ebe7a896d97d216ccef02e2644

SHA256
2d43e935d7f6359f9f934548a5bb1bd3b107ee2d7061ba7e2aca14c40065d468

SHA512
f87f1ef96a58837f03ff652814885cb47935f0e553d5e063bf289174561ced554b475d35deab33d29a1819edef7b7006996b9be5dfc0c5865b92194c7e3dff11

Download Submit
C:\Windows\SysWOW64\Hbboiknb.exe

Filesize
320KB

MD5
34b7c1da6b0aca27229eb52c317071a1

SHA1
45215f0780e0c7cdd52331b706ce59516762ffa1

SHA256
280419f393ad8a39903512ae1f45816065f97d3239d16f0039867f0d70633a34

SHA512
fafbd699df24649f61195c63f5d10aac839fddda84a725a685e915b7e6defa4d122627bb8f47516bf6105dfbcfb3129e8ca909dd68e01c9a415715e68b652d1b

Download Submit
C:\Windows\SysWOW64\Heedqe32.exe

Filesize
320KB

MD5
f9f4d0bda63186174baa0a8035351614

SHA1
c018c787c09ce873a05af9c09546d844a1398fef

SHA256
acffd911d9bf2a0d5e593d81dcd1364ce1696f0b0e232b8997a877409460152b

SHA512
4e7804b9fd7b316cf16c0f876e9dd956d7d3d989f5ebd29c62e2ac1c057b227a278cd8bde5cb810285ba06dc799a2a6998d985f466adffe36f5af72369627ad7

Download Submit
C:\Windows\SysWOW64\Heonpf32.exe

Filesize
320KB

MD5
1cc5fa85219dc1c09e62f1e05b9cbd4b

SHA1
49d5e1aa8e75dcd24302fdc2d83fa6c5fc1abac3

SHA256
7e0cbb8bf12615d85db1dd8d39c5eaea08cfd68b5a185de70ef8e6b53727c45d

SHA512
527a03e2913033a8fd754dfbc2e449edab9809cbebed7f07f5f2d5262a4db7081472ad1d13619ff5bda9765328e8b2b11ca2d301a66fc6f0ac0f2d278dd1794b

Download Submit
C:\Windows\SysWOW64\Hlmphp32.exe

Filesize
320KB

MD5
949c1c750f852278429b8c44071be6cf

SHA1
0b5958b3ee38a23b9882ed5999b23d619d02ca04

SHA256
bfce712314469e5ad1c78eb5e67ad5451b39042ff074bd812b71bf68e80b8feb

SHA512
879a8161363642d9adff26ce4647e714363c05371427e71101a9599ac3d7dded20bf423dd474b4442b64a03a057ab68e7dd58381b8a8ccf2dc0f4228c200538f

Download Submit
C:\Windows\SysWOW64\Iaobkf32.exe

Filesize
320KB

MD5
6952615294f2241e83edee3627ce1c33

SHA1
9c53f716e744aee74d968ae9c2e5ac9ef4e79708

SHA256
f8c40e66f9db9cedfd3be68cb5cc077faf8ee15a2b7145fbd61821efc179e5fb

SHA512
97a87443f3e2f03cac979036ecddc1f37d3c34eb17af21cabcfd6b57401adeded02881e40d6636f71e1354fd71826079097ea5d8f22d634fbdab00470a6ec10d

Download Submit
C:\Windows\SysWOW64\Icgdcm32.exe

Filesize
320KB

MD5
a88d23f1224056595498e28e9d91dbe9

SHA1
4042d7de847a1550cd85b6583d526bc25567a141

SHA256
8d8c9bb75ad7e6c1d2345ca8033025be573439d601c80b0f158f056cbc9421ad

SHA512
414d1f2dfcc0e8c0e5b0d908437e4fd470f8f15052cb8df6bcf3c5dba26f2c73ae81e6bcd28c7b11fdad20029f24895b4d99bba87fe93de3df2c9bc1040fd4fd

Download Submit
C:\Windows\SysWOW64\Igpdnlgd.exe

Filesize
320KB

MD5
153b4f8ad99798e9ab15da892a81807f

SHA1
796be0e8fdcb231d8eb900811e5be4aac67fa08e

SHA256
35863444c3866a49e01553a6adfd1694fa92a6e497f0206e3062b5f73b0a9d8d

SHA512
8f0fc49fba00e0431984da6b1c1144a0c5b6d071af4aabd7cb5591e77f8b0cb99d83770188f811bbf9cfb099574eaa84c1431bafa7f1516d6d8f595c2f559be0

Download Submit
C:\Windows\SysWOW64\Iijfoh32.exe

Filesize
320KB

MD5
96aa23cbac340585b999edf2cb2d4982

SHA1
76e0effcc75a371fe1d1e3ec418a7b306feb46bf

SHA256
4afc8615b019e40a5a1f78131dc727111183202c6fe0caea2f2145cc2165e5f1

SHA512
abba0b844cca5d06d671056cb63464dd18bf154c340030615a1a7bece33b3e84610d5849ca69e8ad4b8f738a643142659f34d608d6d80063b20e586772ad6afc

Download Submit
C:\Windows\SysWOW64\Jbcgeilh.exe

Filesize
320KB

MD5
03d2ddae57b6953120b76580fb3ba141

SHA1
75f53a4946d00d76764ff16e36208113d5656d31

SHA256
c94b85745566ce905da664490bffec48eceaa2ca34f670f637a3804f5973c4a4

SHA512
badca663593b271b61843508f4a6b53959fae744af283bc2c0018f916a2aa7fa8cc50e1dd4342728c6b98e6155055f6f699e58fffb58ec7ff7bd4868ddb3cd89

Download Submit
C:\Windows\SysWOW64\Jbedkhie.exe

Filesize
320KB

MD5
71c55b768ae3c55a1ffc83305c1f5d80

SHA1
2c0158aaeb58e7fb84c9fbef352556500c8c643f

SHA256
0669e74428ed6118b37dfe19c6c208ef492ef136f3c1bc70dbb9cf6fd8b3ed9e

SHA512
026ca4413cae1b69bfdba9454ebde601b3de1fb8987153e1530323c8c8b58dbca44caecca936c8706aee0a14cf87d7435a7b6ec7dfc31eecb786a9b8c0fda085

Download Submit
C:\Windows\SysWOW64\Jgppmpjp.exe

Filesize
320KB

MD5
cb70ebdb1ecd0961680925ae7229c32e

SHA1
9c7e704cd8eed430bace70935af47151c919ca61

SHA256
74348ed3e464dea537b2b77e89d175a5d2726b25c89e386aea9da928c6c7a1e0

SHA512
19ec4633f4be81c317074a2afb9ff9cb2fea227c14d8a2d662b521f19b0a4639faa406640c95e5e6900e670ef56ebce5c0449e10e6ed183a54e0ac6d7fa2f6cf

Download Submit
C:\Windows\SysWOW64\Jhhfgcgj.exe

Filesize
320KB

MD5
5a719cd2e328967561f161d53c2686e5

SHA1
be91f01093a8abc076e013b913547cc80d8d0e0d

SHA256
6d321f75d72e3b3c08a5a0f47ee837bd14403171b17ee8eb0fb1ce78747479b4

SHA512
eb8db77d2dd55e380f60f7b4919509683d927a2e9c4fc28a431382e44d164739490a62e494a5de69b808e5d60342f539e2c3babb94e645f76de5b990b3f3f82a

Download Submit
C:\Windows\SysWOW64\Jlaeab32.exe

Filesize
320KB

MD5
046d6214f88255f5b6d492b0c1cbe235

SHA1
8cfe9ee940cd4c442a026f85b5d76e424690763a

SHA256
035c8a002a840946288b7847c9e156c124c62942ec7be1db3f46ff65393ce22c

SHA512
c99ba229374dff2432ca18f6708c85b0d963097eba3fdcfe2d3d515780e21f4750531295d4685b7b4d2bdfb506e19d06421f1a9a190d924b9747036619d6f73c

Download Submit
C:\Windows\SysWOW64\Kcngcp32.exe

Filesize
320KB

MD5
93544e10d0d96c74d230b6b2aca88fd2

SHA1
b9644c3bacbceb067d301e70dea8d959b52d7571

SHA256
7f54c27f1554c543d325db84efd7b47efbea4844f7d449c7095b3cf67202f536

SHA512
58786ce7c78b183e1ba99fa074513c34b91c5f35f23dfa4551b2e62ed0135cd84f5f064028311e4a1b8a067d9466fd66e0a4d42a574565122c0cdda2fbe7b04c

Download Submit
C:\Windows\SysWOW64\Kfopdk32.exe

Filesize
320KB

MD5
4061882d60fcbfd44d198e435a125d16

SHA1
1014a8755bfcce26c3cfb8c2219a2429199ce7f3

SHA256
ed94a140a4aa7fe70f3000292aa01735a11a07dfb210d39040cbdc1be37b1050

SHA512
356f24af8dd4bbc178ce793b854b5e9a79b0102d2caa20d6e57d5f566a10c77b21483cd1604bf0ebe3134c841c28a0fc5402ff4109c65e5169a40f792d701282

Download Submit
C:\Windows\SysWOW64\Kikokf32.exe

Filesize
320KB

MD5
c8a07ef4064190e7ee4f69cab43d4494

SHA1
71d4ff61ad0b7d96ffdfc036d8efb52b1e549135

SHA256
be19c27bd98cf3a692abdc5d4840c8b4d62c1545d211d0c413dfe28536ccea6f

SHA512
c9d07396e563b2dd05169f9dfe0c3ed542eeda25ff956a03477cb157fd1bde81472eee0d68b428e4e57ff6ed6263b2f08924e3f45634e58c752e8c6df289bb0e

Download Submit
C:\Windows\SysWOW64\Knoaeimg.exe

Filesize
320KB

MD5
88eb6c51c9841d987364690c9b357c05

SHA1
9d0fc78e276277acfe6612541e0766178106257c

SHA256
0793b057c4d447f6f53aaee227ed85f99e76206c3b8e624f0d5cd0480abab50d

SHA512
61e1a2d3003eaa10e52f35305d418100d283f0f8cce78023ea5115b38b7737c9248ff3888ac1988c095ba108a291ccb8b98d3575ba805e651222333c42683f04

Download Submit
C:\Windows\SysWOW64\Ladpagin.exe

Filesize
320KB

MD5
9c098510c7d8ef6fe3a7b4fd4797cdd7

SHA1
8ec1cc4a3b8168217aa5cd62bb6984be9c34240f

SHA256
39abb303ba3e0a8f949646bbddfe1a9ef1aeb65de285050f239960ce4d7b8c81

SHA512
b1f021f014d8ecb107afe762e5bd7cd889d8a9b795655e7da1e28ae0401a84647f72373eb579b8a0de90e16146f51daf7585b91e3c7c43584b2d9c4d53943c07

Download Submit
C:\Windows\SysWOW64\Lbjjekhl.exe

Filesize
320KB

MD5
730bc6901730358b993351e0507f221c

SHA1
e432cf59abffd1d58d5f6dd388facd9100f0b92d

SHA256
807e3cc4242be9df5bb5fb7c628a65566893b3d1a1e359bda32498ff65bb3eab

SHA512
776fc984971af2a8115a9989aadfa12ff7fd03ae31112d3812863101b99a74e8b85b49410d060513be560a5366656e65c5383408637beed675233329975c821d

Download Submit
C:\Windows\SysWOW64\Lhklha32.exe

Filesize
320KB

MD5
ca78e0c37ffb6561c010c61eafd34dd9

SHA1
c91a1134614afbbfc8bed39e661acf2286120a12

SHA256
c6872c9569bf071b514cec8856816bdc6c68ea0ef13db92e5c96894da4a7ae15

SHA512
2b306e035c4b5c5cb60e80f2ae35cfef93d930807479b8761dd163c56b39941d2a1cb2b2448fc9fdae62b90d3c144ee80d7520d06575cab239695b050bba6250

Download Submit
C:\Windows\SysWOW64\Ljgkom32.exe

Filesize
320KB

MD5
41b462ef7ce62cfc47457667bb9dc95d

SHA1
a0b81196b213645ea19893a927c78e5534390a77

SHA256
5a250b8085fb13a89483ea85ccb210f270c44bdc725916f4b714538dfd12aac6

SHA512
c1e7bae7ea84b6ec75b692869f460a5a6e575ce12d65e71ce48d8ba204449782be6c99d7728de2fd7971097e418e24216cb2cb17d55cf53c1d98e6fca1098343

Download Submit
C:\Windows\SysWOW64\Lknebaba.exe

Filesize
320KB

MD5
287731bf63a7a0882c68e98de0371f55

SHA1
c53b70f8b26f9711cde1d6e5886396c0a87becef

SHA256
78754124179ae3a46cd94722a78e8ca0d65c3ecee9c8ed25dcaccfcec63573e4

SHA512
1b1282eddfb0f6d709a750d44080ceec3ce08a52f6059eea21e5edfee9eef7d56400596dd7358419b8867741347ad396683f6876396dadec063ff93e35b6db55

Download Submit
C:\Windows\SysWOW64\Llbnnq32.exe

Filesize
320KB

MD5
eadfc6880a368ecb037a6b7ad6147866

SHA1
3133ab18ba3f43ab51186c33db1b8b30231cfbd2

SHA256
e67857d5ca323d88482164d68a6f8a408c16672c94768618323091af922ff9a5

SHA512
a6d3c6858c083893e52139efcf477a172c1eea3bd3f245431b158fdb1a6af8b2d2bd037ce6b241c30dfb334918dc88eafd4e89a856999a3307907f1850b7d7f5

Download Submit
C:\Windows\SysWOW64\Mbopon32.exe

Filesize
320KB

MD5
eac540ebf9f357bb2a7f75fa06344c7e

SHA1
6be0d5f1e70184769223e8a08743fd22faaa8c3b

SHA256
09b1cdc1703d9ceaa229a085bbb14b74fa3b4fc221341f72109501fe4a0bb21c

SHA512
88c3a8d7a224a427ee230eaf9b616f48ce4d6c42db7264f2bca9e0adfbbe7e70a074fdcb0133b55fef83276a1340b9e92a9480513decc1eec564c1733dc0098f

Download Submit
C:\Windows\SysWOW64\Mfebdm32.exe

Filesize
320KB

MD5
7652df44a68fbd2945737d5bc1e08cea

SHA1
50946fbf5341605eb7c25b0cba5ecaa852709be7

SHA256
f41e7645ee2151b4b6d107cb7ec7a1539cef4800a75b7ffb56fd0f33e894e463

SHA512
7ffe2414086b29040912690109445ce1f5eaae5e1da4c6f14a94046c4022724c3ac792741152e3d52c22e425467f5df98a3b56972735dba20b4ec42e11050c1d

Download Submit
C:\Windows\SysWOW64\Mhikae32.exe

Filesize
320KB

MD5
ed6b32c1890bb977cbe8cbf59ba91cfd

SHA1
ac5d8bdfc23db4062990055a8cfd732f3fe0545c

SHA256
5155c688a16fdf4a479cf78d4ea3990e699ecd12e26210f5a5cbc680a994987c

SHA512
68eea2a3c8d3e1ab700b548dc17eaddad29b9a48eeeb574014a4475a989df44ebf3444b56b56d4870dfcd7cb1a7b21fa86b8f125f73d9ad834c23f94bc0da148

Download Submit
C:\Windows\SysWOW64\Mjlejl32.exe

Filesize
320KB

MD5
485b5c8a3a6b14982c53bca2a0a4d197

SHA1
81ed03f42f316794a4ba821237bc8bbf2bbcf65a

SHA256
2d7cf58ef12058b60b2508328f47817cdc5f76b8df08fdff87ddfdae3fc6000b

SHA512
8efa72c62b319cfc305212379be124bda415255ad732539112e1e10a759b5a01c288d5ebd6c4f7f425463fdb84761dec52a01efd3b3c8101f6047155c1140b5d

Download Submit
C:\Windows\SysWOW64\Mmmnkglp.exe

Filesize
320KB

MD5
ac1fa06a59087720426defb98ffbf3ff

SHA1
5c3fc9436941fae70107bfb8bf1d40d71011fd46

SHA256
68fb8982d73c0e7ff7f8fff81cee80d4c8ef46abee16404bdc91594ae7da438d

SHA512
6eedbbce6cf33ec66dfb8849466e510d00fa7f939141c21d7a4596dbee38634ca84d42f3921f247868dd47e3512f6242b1510f63b9ba550ec4d4485ab4841622

Download Submit
C:\Windows\SysWOW64\Mpngmb32.exe

Filesize
320KB

MD5
694ef138e82b3a292f86ae832ac92f4c

SHA1
5683aa507c84261c8fad239379664fa63b1c60a6

SHA256
0b2417e66caf29d8c3934a17731f8436293156095ae5c6c4ee08f063d5892b99

SHA512
de5f865506fd0f6f06e71b87638bb5d8f98561ce4d9964aa5df36dec1bca7e2a3d1b0c771ebf612c36dda5e67b1ea5a3c38658c2826a48a9639f058163522695

Download Submit
C:\Windows\SysWOW64\Ncjbba32.exe

Filesize
320KB

MD5
488b2868b57684b507767121ea3b370c

SHA1
cb777b4b1b0947f7f293f80a568e3dc73c179171

SHA256
2f33474b15cb337930a50b71fe895206055fc4a5bcf6fa8de4eced856d08f2f3

SHA512
3b244406639d259d487d6b9c55b97349aa9b2a54b007f312a5fa7add01d452efe81f4be1da21b32c789087eee4da5a7486bfa66b3a6e1e9bf64dcf71cd58f089

Download Submit
C:\Windows\SysWOW64\Ncnlnaim.exe

Filesize
320KB

MD5
482e71f3a915abd97e56a2d5cdcfb3c9

SHA1
a24a61e54019a2f5e41493cc58fed7e04d384655

SHA256
5c0f78b610bb1ce59323df2b1470778f852ff119c6c7fc187a5e81ad94c0e440

SHA512
fc2c00f9078ab756b97e7f4e3316757215457fc85409e5a4c6f055f2a58c173ff3c3b5297ea4ceb4cee1f51744bcf396961c7d0baecc93fee72f8d7449d63af8

Download Submit
C:\Windows\SysWOW64\Nddeae32.exe

Filesize
320KB

MD5
d260cc60236d9d469aa9a5e4aa77269a

SHA1
358f9ff0e8ff9e10b3cf46f36a903e268482cd38

SHA256
c5331ba64e812e47d475cdb2b42d7f4f6f1f7fe864a41a5200217d2fb258f0f2

SHA512
9a2404e728449d765be3efff593f4d3564068b363d44402e9e3618c20635dfc10f5945d4e57efe64391a368eb598e11ea8df4eafe0ce2aa7cd2c0f408a0d927a

Download Submit
C:\Windows\SysWOW64\Ndiomdde.exe

Filesize
320KB

MD5
9035326cb47e5ce06d628c5a28224ceb

SHA1
ebed6091aa2ac11727228c4be7bc00f921321965

SHA256
14fc2ee4734a5075a61b5250fe9873673da2e5e8cc3174838262af33fcf80c69

SHA512
07bdd646d222c56ab70fdffae6a139027aa6942d4135edfc8457d3fdc4faa550699dfd89be11b03a03e0ddd84ad99c973fc96b8679fb792b2105c115c4509a94

Download Submit
C:\Windows\SysWOW64\Nhnemdbf.exe

Filesize
320KB

MD5
e9465c23aa3b922836b98bfe90b03a9b

SHA1
81321275298c891de6c026711bec5fc99aae47fa

SHA256
8a2230690049ca70a01341365e1439e1da168f3ee9b8c50e80be9a50d7e11fe5

SHA512
7eff106eaefba4738e80048fc21f3e95cf43567d1fdaeba9e7eec3d99a0b2c57f95b0d45aae9521657bc992673096ce4ca431bdcd318498aa7cc0cad9fcaff1d

Download Submit
C:\Windows\SysWOW64\Nknnnoph.exe

Filesize
320KB

MD5
ef8e1f396e8613b2ecd541ef2aea8bfe

SHA1
eec82e51f3cea659dafce6e760151c6aeeb7ccbe

SHA256
a211213ac4a1e93ded67f3cad5ffde9059ab5cd2802035e11a3ce583782b5b83

SHA512
70adabc31f0b969789d6243829a5706a77205715da91f3ea3d61fa4099ab252cb1fdbc9aa825f84406129af6a305b9dac9da8bc61694fb34094d4d23f047513e

Download Submit
C:\Windows\SysWOW64\Nmacej32.exe

Filesize
320KB

MD5
4a3117fcf11afe7ea003c7d125657dd8

SHA1
33e41a5500ec96c87b840f1fc090456e59f25252

SHA256
7161fa68b9119385077242732c38190c75aa33d8bff733a8c104f02ea9f4f548

SHA512
04ccb1f5f08a04651b67594ae76d1c0df2b0bc7cc908de3d8ab504f4d31a107c80ae348ac586de5dd3efebf2305c330a6e5e4d93bf046ab5bb96bb2cd0d959eb

Download Submit
C:\Windows\SysWOW64\Nmhqokcq.exe

Filesize
320KB

MD5
4d6d6f967796dbe372bf7cde70dbfc67

SHA1
83039656fee7c6eb95d92152b3d7b728e3e62311

SHA256
adbadca67b5e011c4b5cb1aae510831db78ca395042ae6d178145f04390dffa0

SHA512
00018050210f9618fbaf7733e107007dee31fc169770be05cab634fd519f0450d62a96fd3d44644585ce5dd21f497a71126fe9d159d3beb4e3b5ecebd90e2172

Download Submit
C:\Windows\SysWOW64\Opblgehg.exe

Filesize
320KB

MD5
ac4a010dc61df35c3f22f1c7cb598b6e

SHA1
919cbeec9cf0bc7c8502bfd393d59e74c33930bc

SHA256
60d464173642d128c39adea145e4874d7ff4f0c3913421e29e6a27f27c8ffbdc

SHA512
83c07828869bcecbbc36d235981e4d2172d32ecc588c22ed2a620f616521929bc96643eb987907b87169e528b6922274e3d8baf8228c1179e798008b84b7c59f

Download Submit
C:\Windows\SysWOW64\Oqepgk32.exe

Filesize
320KB

MD5
cc931d3abd6c2ae7d663c2d720dd82ee

SHA1
e0e6ce99c93b9f824394593ba13396968ec42207

SHA256
419595b4d0e978c35081632d9e96cb55dada4092ff0b32d98915a508d156ba1b

SHA512
ecda175b36b571d93e9e7d29134d4d723e6cdc8c85e42fc5f15d764b99e245ac1b17d9776070ca25848aa1a90c6374a8b4a3f26fafbe03bbec00baae98d0f7ee

Download Submit
C:\Windows\SysWOW64\Pnimpcke.exe

Filesize
320KB

MD5
4a8b0bd41a4f9f52d9aa46e3a1b235c6

SHA1
99bc55137da0a78c9b0800c7bfbeb4dbc582896c

SHA256
2579877db3599599d99329577b2010ad26deab84006eedff0c85f4f4b55aca3a

SHA512
fd03cfb55ea798cf57b6a773a8f152d3bf4e25ce1b22833601fea55a5d2c3fc0b9f9ed49e69f590ced32431a731138e9f88dac698b6ff9f7b0af6fbc832deb40

Download Submit
\Windows\SysWOW64\Aankkqfl.exe

Filesize
320KB

MD5
34a1ac3dc34e82a248f92a9ac15046e1

SHA1
0fcb593d7c934d338bdfe5776312fb1172974996

SHA256
5c03f7185253c5dd48ef9b42316ab4243446cd2b62a5ef8ad8fb14a703f5a34e

SHA512
7aef5a4b0eabc14061a8e51e0bcd746194790db05bb34be2d141e1870d911ed896422572c692a097c92663fd659e597f88be3fc706f97b1e2c4a3b17fa9497f9

Download Submit
\Windows\SysWOW64\Ankedf32.exe

Filesize
320KB

MD5
e7743a29ab8698d9765baf21ce0e9adc

SHA1
387a6bbd91549f603b9d7ba3c6441a22dc65113c

SHA256
69dd29db1c219841096037b60f1e1889376a19343ff662a86f0c7bff49d29895

SHA512
8259d83a3d21b55e144b7a81851a2b293f9c486156bc2aaab8748107a886ef10075bea2345c8ec9d237b1e0206b2eb27baebac62fcd22324514940d3d4378aac

Download Submit
\Windows\SysWOW64\Apclnj32.exe

Filesize
320KB

MD5
bc02436c49e4e23113bb0a07682d0950

SHA1
5b5a25f9d12095f016d1de8f1e1cd70929bd232d

SHA256
5f4f78ac0ba4e1da62a67f376655fc3b6dd41dd7248da1cc3e84ff4a210344cb

SHA512
fab7982b6bb01f6c3455823e6016bd4b6ee71a42927a87f8eb699b0b8c38ad201625ae10f38df7cc601df4952d409321316e0783441882911959686dc336ce12

Download Submit
\Windows\SysWOW64\Binikb32.exe

Filesize
320KB

MD5
52d691d4200b863e09914c5288a56a0d

SHA1
389dedc021753fca4faa073aeac7496fe5a77637

SHA256
018658f9d58f622b8019dd387fe1fbad644eb2395e4298f9db1084cff76cb7e9

SHA512
7acd9b79368907c0e3114dc0c622031deb6f2808bf9495c4e3988673014b4231a14d2a172baec50e8f2d4c942dc640a0484351a36750e79d8a56a75a457bb125

Download Submit
\Windows\SysWOW64\Chmibmlo.exe

Filesize
320KB

MD5
2dc9b0d684b9cc71c9b63eeb3f268044

SHA1
785ea453115faef38fd06bccc9d1989c7afcae45

SHA256
56aea6943467665ea77915cfc8455eb49efaadbc418d261c02d5329e7be31339

SHA512
aa5b6a1a2043bb7c5dca731e6a59b3029b628ae1073b6c02d031569401987101a55868d3eb28b3e641cbc3961afd10e46f87ebfdcba8aaab15e1a4c3813fcf43

Download Submit
\Windows\SysWOW64\Cpjklo32.exe

Filesize
320KB

MD5
86675919e129dfbf3a33093e19b3ae2a

SHA1
b7a9447db996307478070d107f78cc9f2317c0bd

SHA256
1d97ced7c7bb1bf235296f54b351c1567c89021dad2572f794a1e13affe0ba00

SHA512
9ade3e687001ba10cd4736c6972186f29e01ab8719024dcb5a967dc132f42cb0bce66b80018f826db6ad0748b58bae917161f00671dd5a67413ce55fd341b71a

Download Submit
\Windows\SysWOW64\Dcmpcjcf.exe

Filesize
320KB

MD5
73cf43d69f9d71afe3293d837e52bc85

SHA1
f37642b8c9fb67239dfcaf4e869380b5bc426d9c

SHA256
1199123144b3024784852882a06086cc6bdc4d0a075edc7a9339cfaeac1e1b6c

SHA512
51791b1c0e9fdc8d42a013652807f2a3dd77e167f7a53c9d19b14c3b8b8750d90c500dad6d7ddd07debbaabd35cf88eebd322f27971e444b874797e57359d1e8

Download Submit
\Windows\SysWOW64\Dofnnkfg.exe

Filesize
320KB

MD5
c1bf522aa6b06dab4e600caf78971422

SHA1
67652a91341264e9c514105538b0b7a76c9f361d

SHA256
786fe509e94533075b7472a9b816f2014092330e3a895ae96b96e39c005d3640

SHA512
1fc8233673b5084128b757f4c1c78931d08e574bf941ad43524c66edfcfdd768271dc7b0f716baa2cad89c0ac9473aa53dd1fba2f88ba6e67684834673cab192

Download Submit
\Windows\SysWOW64\Enngdgim.exe

Filesize
320KB

MD5
0cd69841eb9bfc5e74aadbb26c2a4612

SHA1
a78bfa185f0bc58d2d24f0003a6393666ca6bec0

SHA256
3bb6019a77f2dcec2c05492b216b8caacbaf44c5f3a90142a9231fd18c8f9f4f

SHA512
49e7bf83f5858c1212f48b4f885b4f8e80cf23c3b67c3aebd53d101edaf655e0ec0346e37c80340e05e21f18f2a4e20546cc408ce1fbc5bb4853e435f6fe66a0

Download Submit
\Windows\SysWOW64\Omqjgl32.exe

Filesize
320KB

MD5
dd2f8d619505df634ab34aebe8f9a8a6

SHA1
5fe4fcd8966e4c82f2909b70ca3e0dd61704f291

SHA256
81bd06ecf115ca23659d716a15893b856bfb321f3707572eb95aaf0c6a2c9ecb

SHA512
408fc2f83a7ee5e9dd8f5a31d3fa0c54912e79ce77d8d815f829e8aa36012b6d722d0d5e4fbdf85168753a47e6c1a925ece44f6b979ee9b336d4e82af8f20a97

Download Submit
\Windows\SysWOW64\Pkhdnh32.exe

Filesize
320KB

MD5
ace8f147b9f25cfdaa644a31256240e4

SHA1
8f07fc2537f0170359123feadd85c2b4370dccd9

SHA256
fa7ae571110afe3579fb31b1e26e307e17b6fdf8b184b778fdd30ccc6021c3ce

SHA512
3e14797d900b690f5edd42b9c1840ccb2468088c9560d36a5fae34e97868dc4fbcff3a63935faf1551be9543f20e7f473918e33dd83586b8583d2e4f034b1de8

Download Submit
\Windows\SysWOW64\Qgfkchmp.exe

Filesize
320KB

MD5
107c842972a5248e8508c50e62f92ef7

SHA1
ec94fa428d231cb7ab041279f533fd2fb36d8d6b

SHA256
03af535b72a3d8d4fecc44c75ba48285e330287668fc8529b7fce7bf7342d2bb

SHA512
029674908911b94dccb531b6718c6ce01c642851348349fd026ffa90d4a770cc5ea107c017d3fede1c6aab5f7c27ec4c9605ae005a254c8e7de5ae9cb5d2c91d

Download Submit
memory/612-292-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/612-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/612-291-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/840-243-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/840-241-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/840-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/844-313-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/844-314-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/844-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/988-153-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/988-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/996-232-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/996-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1320-785-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1356-271-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1480-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1480-321-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/1480-325-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/1744-302-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1744-303-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1744-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-382-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1760-21-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1760-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-179-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1912-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-224-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/1944-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-375-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2128-374-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2128-12-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2128-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-13-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2128-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-789-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-189-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2184-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-281-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2224-96-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/2224-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-336-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2316-332-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2316-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-347-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2340-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-343-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2364-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-416-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2372-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-802-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2372-471-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2380-106-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2380-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2384-459-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2384-460-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2384-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-404-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2400-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-368-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2432-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-206-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2552-259-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2552-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-438-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2592-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-124-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/2596-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-77-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2680-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-55-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/2800-394-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2800-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-36-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2864-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-68-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2864-417-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2872-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-358-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2872-357-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2948-138-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/2948-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-448-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2972-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-383-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads