berbew | 3cd16ac6f35554f55fd2b44543bd5cb9079c20f0f2a760403451f5382e41e931

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cd16ac6f35554f55fd2b44543bd5cb9079c20f0f2a760403451f5382e41e931.exe
Size

93KB
MD5

f1f16e112108d308f3758098a1f7dd6f
SHA1

f1d6608c28a5f1adf187d3d3313e0b9990dc35ff
SHA256

3cd16ac6f35554f55fd2b44543bd5cb9079c20f0f2a760403451f5382e41e931
SHA512

d46cda5f373fc37377e8e3aae2e995f11595f6075334b8880db5ee5b351e67bbd3cda8b1c09b5a83a78eaeb20e0f3faa4d3d7be09caf0713a8fb61221c1dce78
SSDEEP

1536:zbrO2Pvly0eii6TMWnrhJAHR+qeO+sa5zwsRQdRkRLJzeLD9N0iQGRNQR8RyV+3i:zbr/PvychJsEsahvedSJdEN0s4WE+3

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmbmlmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjooilk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcdqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjfhae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mikjfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijhnld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bglepipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dagoel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplpmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkbpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Celeel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajlekg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bebbom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megdfnhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlciih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojgbij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acicol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amhdab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlllof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnlapgnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakfcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjfqhcei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Celeel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddhhggdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	3cd16ac6f35554f55fd2b44543bd5cb9079c20f0f2a760403451f5382e41e931.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmcqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndoked32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opjeee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odhmkcbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgmml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhqnki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhokmgpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcijhnld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cakpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmicll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpgoig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncdgfaol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbhocegl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgddka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofijckhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bglepipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcbdgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhagbfnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbhocegl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opjeee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pddmga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dalhqlbh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlapgnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofijckhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afhokgme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dailkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lplpmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhdghc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjfqhcei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfonbdij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djpcnbmn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlnpnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhokgme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfjmkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dagoel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgfaol.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
548	Lbhocegl.exe
1032	Lmmcqn32.exe
3608	Lplpmi32.exe
3448	Lffhjcmb.exe
1160	Llbpbjlj.exe
4008	Lpnlbi32.exe
2148	Lghdockp.exe
3852	Lmbmlmbl.exe
4772	Ldlehg32.exe
868	Memapppg.exe
4744	Mmdiamqj.exe
4564	Mdnang32.exe
4824	Mikjfn32.exe
1696	Mccooc32.exe
764	Mmicll32.exe
2120	Mpgoig32.exe
180	Medgan32.exe
3036	Mlnpnh32.exe
840	Mgddka32.exe
2612	Megdfnhm.exe
4888	Mnnlgkho.exe
1176	Mplhdghc.exe
3964	Ndhdde32.exe
1524	Nidmml32.exe
3612	Nlciih32.exe
3940	Ndjajeni.exe
2948	Nenjgm32.exe
1344	Ndoked32.exe
1912	Njlcmk32.exe
2740	Ncdgfaol.exe
4572	Nlllof32.exe
4784	Ofeqhl32.exe
2908	Opjeee32.exe
4120	Ofgmml32.exe
4880	Odhmkcbi.exe
2896	Ofijckhg.exe
380	Onqbdihj.exe
3348	Odjjqc32.exe
448	Ojgbij32.exe
3288	Ocpgbodo.exe
3532	Ojjooilk.exe
2244	Pcbdgo32.exe
3712	Pcdqmo32.exe
4216	Pjnijihf.exe
2700	Pddmga32.exe
4084	Pnlapgnl.exe
3260	Pcijhnld.exe
4576	Pfgfdikg.exe
4964	Pdhfbacf.exe
3704	Pfjcji32.exe
224	Qdkcgqad.exe
2800	Qgiodlqh.exe
3624	Qmfhlcoo.exe
2628	Qcppimfl.exe
2752	Amhdab32.exe
3916	Acbmnmdi.exe
4608	Ajlekg32.exe
1340	Aceidl32.exe
3472	Afcfph32.exe
4268	Ammnmbig.exe
4752	Aedfnoii.exe
3568	Afebeg32.exe
1988	Anmjfe32.exe
2528	Aakfcp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Odhmkcbi.exe	Ofgmml32.exe
File created	C:\Windows\SysWOW64\Qnjnjdho.dll	Odhmkcbi.exe
File created	C:\Windows\SysWOW64\Gpfoaa32.dll	Pcbdgo32.exe
File opened for modification	C:\Windows\SysWOW64\Ldlehg32.exe	Lmbmlmbl.exe
File created	C:\Windows\SysWOW64\Cqijbj32.dll	Megdfnhm.exe
File opened for modification	C:\Windows\SysWOW64\Nlllof32.exe	Ncdgfaol.exe
File opened for modification	C:\Windows\SysWOW64\Aceidl32.exe	Ajlekg32.exe
File created	C:\Windows\SysWOW64\Cndinalo.exe	Celeel32.exe
File created	C:\Windows\SysWOW64\Mplhdghc.exe	Mnnlgkho.exe
File created	C:\Windows\SysWOW64\Koiclk32.dll	Nenjgm32.exe
File opened for modification	C:\Windows\SysWOW64\Pcdqmo32.exe	Pcbdgo32.exe
File created	C:\Windows\SysWOW64\Ikmlfgcq.dll	Bhqnki32.exe
File opened for modification	C:\Windows\SysWOW64\Baicdncn.exe	Bnkfhcdj.exe
File created	C:\Windows\SysWOW64\Cnopcb32.exe	Cfhhbe32.exe
File opened for modification	C:\Windows\SysWOW64\Cfonbdij.exe	Cabfjmkc.exe
File opened for modification	C:\Windows\SysWOW64\Lmmcqn32.exe	Lbhocegl.exe
File opened for modification	C:\Windows\SysWOW64\Lghdockp.exe	Lpnlbi32.exe
File opened for modification	C:\Windows\SysWOW64\Aakfcp32.exe	Anmjfe32.exe
File created	C:\Windows\SysWOW64\Pcbnki32.dll	Pnlapgnl.exe
File created	C:\Windows\SysWOW64\Ddhhggdo.exe	Dailkl32.exe
File created	C:\Windows\SysWOW64\Nidmml32.exe	Ndhdde32.exe
File created	C:\Windows\SysWOW64\Nlciih32.exe	Nidmml32.exe
File opened for modification	C:\Windows\SysWOW64\Ojjooilk.exe	Ocpgbodo.exe
File opened for modification	C:\Windows\SysWOW64\Djpcnbmn.exe	Dhagbfnj.exe
File created	C:\Windows\SysWOW64\Kojdhh32.dll	Dailkl32.exe
File created	C:\Windows\SysWOW64\Amhdab32.exe	Qcppimfl.exe
File created	C:\Windows\SysWOW64\Jjflhj32.dll	Ambgha32.exe
File created	C:\Windows\SysWOW64\Geqfeclf.dll	Cfhhbe32.exe
File created	C:\Windows\SysWOW64\Dfehoi32.dll	Ndoked32.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgbodo.exe	Ojgbij32.exe
File created	C:\Windows\SysWOW64\Ljepon32.dll	Nlllof32.exe
File created	C:\Windows\SysWOW64\Fiaeni32.dll	Pddmga32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjfe32.exe	Afebeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bccfej32.exe	Bjjalepf.exe
File created	C:\Windows\SysWOW64\Kakaefma.dll	Baicdncn.exe
File created	C:\Windows\SysWOW64\Cbndlo32.dll	Llbpbjlj.exe
File created	C:\Windows\SysWOW64\Lghdockp.exe	Lpnlbi32.exe
File created	C:\Windows\SysWOW64\Qnkkpfdh.dll	Mikjfn32.exe
File created	C:\Windows\SysWOW64\Jbhfcmeh.dll	Cegljmid.exe
File opened for modification	C:\Windows\SysWOW64\Cepnqkai.exe	Cfonbdij.exe
File created	C:\Windows\SysWOW64\Ddjemgal.exe	Dalhqlbh.exe
File created	C:\Windows\SysWOW64\Cfonbdij.exe	Cabfjmkc.exe
File created	C:\Windows\SysWOW64\Hccphg32.dll	Dkbpda32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiaibap.exe	Ddjemgal.exe
File created	C:\Windows\SysWOW64\Danefkqe.exe	Dopijpab.exe
File opened for modification	C:\Windows\SysWOW64\Ndjajeni.exe	Nlciih32.exe
File created	C:\Windows\SysWOW64\Mpbhgidg.dll	Agglej32.exe
File opened for modification	C:\Windows\SysWOW64\Canlon32.exe	Cnopcb32.exe
File opened for modification	C:\Windows\SysWOW64\Bfmhff32.exe	Bappnpkh.exe
File opened for modification	C:\Windows\SysWOW64\Dkbpda32.exe	Ddhhggdo.exe
File created	C:\Windows\SysWOW64\Lkbkkm32.dll	Ofgmml32.exe
File created	C:\Windows\SysWOW64\Jpoijjol.dll	Ofijckhg.exe
File opened for modification	C:\Windows\SysWOW64\Acicol32.exe	Aakfcp32.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbij32.exe	Odjjqc32.exe
File created	C:\Windows\SysWOW64\Bfmhff32.exe	Bappnpkh.exe
File created	C:\Windows\SysWOW64\Nlllof32.exe	Ncdgfaol.exe
File created	C:\Windows\SysWOW64\Pjnijihf.exe	Pcdqmo32.exe
File created	C:\Windows\SysWOW64\Hoblolle.dll	Pjnijihf.exe
File created	C:\Windows\SysWOW64\Qgiodlqh.exe	Qdkcgqad.exe
File created	C:\Windows\SysWOW64\Bglepipb.exe	Bmfqcqql.exe
File created	C:\Windows\SysWOW64\Mhjlkk32.dll	Lffhjcmb.exe
File created	C:\Windows\SysWOW64\Kfhplg32.dll	Ldlehg32.exe
File created	C:\Windows\SysWOW64\Mmdiamqj.exe	Memapppg.exe
File created	C:\Windows\SysWOW64\Bjjalepf.exe	Bglepipb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4492	2388	WerFault.exe	188

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhokgme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhokmgpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djpcnbmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nenjgm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjfqhcei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepnqkai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cd16ac6f35554f55fd2b44543bd5cb9079c20f0f2a760403451f5382e41e931.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acbmnmdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdnang32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlnpnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danefkqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndoked32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjnijihf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajlekg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afcfph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfmhff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmcqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhdghc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chhdlhfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfjmkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dailkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnnlgkho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onqbdihj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdhfbacf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgfdikg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmfhlcoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Memapppg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmicll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opjeee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlapgnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcppimfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mccooc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afebeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhdde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdkcgqad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgiodlqh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjjalepf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dagoel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbpbjlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghdockp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjjqc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pddmga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijhnld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmfqcqql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmdiamqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgmml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acicol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Canlon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeqhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkfhcdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odhmkcbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfhae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmcnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhjcmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhhggdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdfnhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccfej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammnmbig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhqnki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Celeel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplpmi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifpeb32.dll"	Ddhhggdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lbhocegl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lffhjcmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdnang32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mccooc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cndinalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dailkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Memapppg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhijdp32.dll"	Qmfhlcoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajlekg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhokmgpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpfoaa32.dll"	Pcbdgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajlekg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Canlon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mlnpnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmfhlcoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgkooe32.dll"	Bjjalepf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhqnki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfhhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfgfdikg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjekkmnh.dll"	Anmjfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cegljmid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egckpjdo.dll"	Cabfjmkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nolegb32.dll"	Lbhocegl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mikjfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndoked32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjnijihf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acicol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bccfej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hccphg32.dll"	Dkbpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dalhqlbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbndlo32.dll"	Llbpbjlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Opjeee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnjnjdho.dll"	Odhmkcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afhokgme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cffkleae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Celeel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfhplg32.dll"	Ldlehg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aakfcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojjooilk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcbdgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aedfnoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfclkak.dll"	Dagoel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mppakdik.dll"	Ammnmbig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acicol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbhlhm32.dll"	Canlon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojiefj32.dll"	Dopijpab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lghdockp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofeqhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afcfph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ammnmbig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgleib32.dll"	Cnmcnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddjemgal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddhhggdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjmilige.dll"	Ndhdde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofgmml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aedfnoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjflhj32.dll"	Ambgha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjjalepf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chhdlhfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nlllof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjnijihf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomfcogj.dll"	Bfmhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofeqhl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 416 wrote to memory of 548	416	3cd16ac6f35554f55fd2b44543bd5cb9079c20f0f2a760403451f5382e41e931.exe	81
PID 416 wrote to memory of 548	416	3cd16ac6f35554f55fd2b44543bd5cb9079c20f0f2a760403451f5382e41e931.exe	81
PID 416 wrote to memory of 548	416	3cd16ac6f35554f55fd2b44543bd5cb9079c20f0f2a760403451f5382e41e931.exe	81
PID 548 wrote to memory of 1032	548	Lbhocegl.exe	82
PID 548 wrote to memory of 1032	548	Lbhocegl.exe	82
PID 548 wrote to memory of 1032	548	Lbhocegl.exe	82
PID 1032 wrote to memory of 3608	1032	Lmmcqn32.exe	83
PID 1032 wrote to memory of 3608	1032	Lmmcqn32.exe	83
PID 1032 wrote to memory of 3608	1032	Lmmcqn32.exe	83
PID 3608 wrote to memory of 3448	3608	Lplpmi32.exe	84
PID 3608 wrote to memory of 3448	3608	Lplpmi32.exe	84
PID 3608 wrote to memory of 3448	3608	Lplpmi32.exe	84
PID 3448 wrote to memory of 1160	3448	Lffhjcmb.exe	85
PID 3448 wrote to memory of 1160	3448	Lffhjcmb.exe	85
PID 3448 wrote to memory of 1160	3448	Lffhjcmb.exe	85
PID 1160 wrote to memory of 4008	1160	Llbpbjlj.exe	86
PID 1160 wrote to memory of 4008	1160	Llbpbjlj.exe	86
PID 1160 wrote to memory of 4008	1160	Llbpbjlj.exe	86
PID 4008 wrote to memory of 2148	4008	Lpnlbi32.exe	87
PID 4008 wrote to memory of 2148	4008	Lpnlbi32.exe	87
PID 4008 wrote to memory of 2148	4008	Lpnlbi32.exe	87
PID 2148 wrote to memory of 3852	2148	Lghdockp.exe	88
PID 2148 wrote to memory of 3852	2148	Lghdockp.exe	88
PID 2148 wrote to memory of 3852	2148	Lghdockp.exe	88
PID 3852 wrote to memory of 4772	3852	Lmbmlmbl.exe	89
PID 3852 wrote to memory of 4772	3852	Lmbmlmbl.exe	89
PID 3852 wrote to memory of 4772	3852	Lmbmlmbl.exe	89
PID 4772 wrote to memory of 868	4772	Ldlehg32.exe	90
PID 4772 wrote to memory of 868	4772	Ldlehg32.exe	90
PID 4772 wrote to memory of 868	4772	Ldlehg32.exe	90
PID 868 wrote to memory of 4744	868	Memapppg.exe	91
PID 868 wrote to memory of 4744	868	Memapppg.exe	91
PID 868 wrote to memory of 4744	868	Memapppg.exe	91
PID 4744 wrote to memory of 4564	4744	Mmdiamqj.exe	92
PID 4744 wrote to memory of 4564	4744	Mmdiamqj.exe	92
PID 4744 wrote to memory of 4564	4744	Mmdiamqj.exe	92
PID 4564 wrote to memory of 4824	4564	Mdnang32.exe	93
PID 4564 wrote to memory of 4824	4564	Mdnang32.exe	93
PID 4564 wrote to memory of 4824	4564	Mdnang32.exe	93
PID 4824 wrote to memory of 1696	4824	Mikjfn32.exe	94
PID 4824 wrote to memory of 1696	4824	Mikjfn32.exe	94
PID 4824 wrote to memory of 1696	4824	Mikjfn32.exe	94
PID 1696 wrote to memory of 764	1696	Mccooc32.exe	95
PID 1696 wrote to memory of 764	1696	Mccooc32.exe	95
PID 1696 wrote to memory of 764	1696	Mccooc32.exe	95
PID 764 wrote to memory of 2120	764	Mmicll32.exe	96
PID 764 wrote to memory of 2120	764	Mmicll32.exe	96
PID 764 wrote to memory of 2120	764	Mmicll32.exe	96
PID 2120 wrote to memory of 180	2120	Mpgoig32.exe	97
PID 2120 wrote to memory of 180	2120	Mpgoig32.exe	97
PID 2120 wrote to memory of 180	2120	Mpgoig32.exe	97
PID 180 wrote to memory of 3036	180	Medgan32.exe	98
PID 180 wrote to memory of 3036	180	Medgan32.exe	98
PID 180 wrote to memory of 3036	180	Medgan32.exe	98
PID 3036 wrote to memory of 840	3036	Mlnpnh32.exe	99
PID 3036 wrote to memory of 840	3036	Mlnpnh32.exe	99
PID 3036 wrote to memory of 840	3036	Mlnpnh32.exe	99
PID 840 wrote to memory of 2612	840	Mgddka32.exe	100
PID 840 wrote to memory of 2612	840	Mgddka32.exe	100
PID 840 wrote to memory of 2612	840	Mgddka32.exe	100
PID 2612 wrote to memory of 4888	2612	Megdfnhm.exe	101
PID 2612 wrote to memory of 4888	2612	Megdfnhm.exe	101
PID 2612 wrote to memory of 4888	2612	Megdfnhm.exe	101
PID 4888 wrote to memory of 1176	4888	Mnnlgkho.exe	102

C:\Users\Admin\AppData\Local\Temp\3cd16ac6f35554f55fd2b44543bd5cb9079c20f0f2a760403451f5382e41e931.exe
"C:\Users\Admin\AppData\Local\Temp\3cd16ac6f35554f55fd2b44543bd5cb9079c20f0f2a760403451f5382e41e931.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:416
- C:\Windows\SysWOW64\Lbhocegl.exe
  C:\Windows\system32\Lbhocegl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\SysWOW64\Lmmcqn32.exe
    C:\Windows\system32\Lmmcqn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\SysWOW64\Lplpmi32.exe
      C:\Windows\system32\Lplpmi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3608
    - - C:\Windows\SysWOW64\Lffhjcmb.exe
        
        C:\Windows\system32\Lffhjcmb.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
      - C:\Windows\SysWOW64\Llbpbjlj.exe
        
        C:\Windows\system32\Llbpbjlj.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Lpnlbi32.exe
        
        C:\Windows\system32\Lpnlbi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Lghdockp.exe
        
        C:\Windows\system32\Lghdockp.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Lmbmlmbl.exe
        
        C:\Windows\system32\Lmbmlmbl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Ldlehg32.exe
        
        C:\Windows\system32\Ldlehg32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Memapppg.exe
        
        C:\Windows\system32\Memapppg.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Mmdiamqj.exe
        
        C:\Windows\system32\Mmdiamqj.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Mdnang32.exe
        
        C:\Windows\system32\Mdnang32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Mikjfn32.exe
        
        C:\Windows\system32\Mikjfn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Mccooc32.exe
        
        C:\Windows\system32\Mccooc32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Mmicll32.exe
        
        C:\Windows\system32\Mmicll32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Mpgoig32.exe
        
        C:\Windows\system32\Mpgoig32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Medgan32.exe
        
        C:\Windows\system32\Medgan32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:180
        
        C:\Windows\SysWOW64\Mlnpnh32.exe
        
        C:\Windows\system32\Mlnpnh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Mgddka32.exe
        
        C:\Windows\system32\Mgddka32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Megdfnhm.exe
        
        C:\Windows\system32\Megdfnhm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Mnnlgkho.exe
        
        C:\Windows\system32\Mnnlgkho.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Mplhdghc.exe
        
        C:\Windows\system32\Mplhdghc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\Ndhdde32.exe
        
        C:\Windows\system32\Ndhdde32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Nidmml32.exe
        
        C:\Windows\system32\Nidmml32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1524
        
        C:\Windows\SysWOW64\Nlciih32.exe
        
        C:\Windows\system32\Nlciih32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Ndjajeni.exe
        
        C:\Windows\system32\Ndjajeni.exe
        27⤵
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\SysWOW64\Nenjgm32.exe
        
        C:\Windows\system32\Nenjgm32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\Ndoked32.exe
        
        C:\Windows\system32\Ndoked32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Njlcmk32.exe
        
        C:\Windows\system32\Njlcmk32.exe
        30⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Ncdgfaol.exe
        
        C:\Windows\system32\Ncdgfaol.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Nlllof32.exe
        
        C:\Windows\system32\Nlllof32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Ofeqhl32.exe
        
        C:\Windows\system32\Ofeqhl32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Opjeee32.exe
        
        C:\Windows\system32\Opjeee32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Ofgmml32.exe
        
        C:\Windows\system32\Ofgmml32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Odhmkcbi.exe
        
        C:\Windows\system32\Odhmkcbi.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Ofijckhg.exe
        
        C:\Windows\system32\Ofijckhg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\Onqbdihj.exe
        
        C:\Windows\system32\Onqbdihj.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\SysWOW64\Odjjqc32.exe
        
        C:\Windows\system32\Odjjqc32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\Ojgbij32.exe
        
        C:\Windows\system32\Ojgbij32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\Ocpgbodo.exe
        
        C:\Windows\system32\Ocpgbodo.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3288
        
        C:\Windows\SysWOW64\Ojjooilk.exe
        
        C:\Windows\system32\Ojjooilk.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Pcbdgo32.exe
        
        C:\Windows\system32\Pcbdgo32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Pcdqmo32.exe
        
        C:\Windows\system32\Pcdqmo32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3712
        
        C:\Windows\SysWOW64\Pjnijihf.exe
        
        C:\Windows\system32\Pjnijihf.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Pddmga32.exe
        
        C:\Windows\system32\Pddmga32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\Pnlapgnl.exe
        
        C:\Windows\system32\Pnlapgnl.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\Pcijhnld.exe
        
        C:\Windows\system32\Pcijhnld.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Windows\SysWOW64\Pfgfdikg.exe
        
        C:\Windows\system32\Pfgfdikg.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Pdhfbacf.exe
        
        C:\Windows\system32\Pdhfbacf.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\Pfjcji32.exe
        
        C:\Windows\system32\Pfjcji32.exe
        51⤵
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\Qdkcgqad.exe
        
        C:\Windows\system32\Qdkcgqad.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\Qgiodlqh.exe
        
        C:\Windows\system32\Qgiodlqh.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\Qmfhlcoo.exe
        
        C:\Windows\system32\Qmfhlcoo.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Qcppimfl.exe
        
        C:\Windows\system32\Qcppimfl.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Amhdab32.exe
        
        C:\Windows\system32\Amhdab32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\Acbmnmdi.exe
        
        C:\Windows\system32\Acbmnmdi.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\Ajlekg32.exe
        
        C:\Windows\system32\Ajlekg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Aceidl32.exe
        
        C:\Windows\system32\Aceidl32.exe
        59⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\SysWOW64\Afcfph32.exe
        
        C:\Windows\system32\Afcfph32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Ammnmbig.exe
        
        C:\Windows\system32\Ammnmbig.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Aedfnoii.exe
        
        C:\Windows\system32\Aedfnoii.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Afebeg32.exe
        
        C:\Windows\system32\Afebeg32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\Anmjfe32.exe
        
        C:\Windows\system32\Anmjfe32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Aakfcp32.exe
        
        C:\Windows\system32\Aakfcp32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Acicol32.exe
        
        C:\Windows\system32\Acicol32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Afhokgme.exe
        
        C:\Windows\system32\Afhokgme.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Ambgha32.exe
        
        C:\Windows\system32\Ambgha32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Agglej32.exe
        
        C:\Windows\system32\Agglej32.exe
        69⤵
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\Bjfhae32.exe
        
        C:\Windows\system32\Bjfhae32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\Bappnpkh.exe
        
        C:\Windows\system32\Bappnpkh.exe
        71⤵
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Bfmhff32.exe
        
        C:\Windows\system32\Bfmhff32.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Bmfqcqql.exe
        
        C:\Windows\system32\Bmfqcqql.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\Bglepipb.exe
        
        C:\Windows\system32\Bglepipb.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1440
        
        C:\Windows\SysWOW64\Bjjalepf.exe
        
        C:\Windows\system32\Bjjalepf.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Bccfej32.exe
        
        C:\Windows\system32\Bccfej32.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Bebbom32.exe
        
        C:\Windows\system32\Bebbom32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5092
        
        C:\Windows\SysWOW64\Bhqnki32.exe
        
        C:\Windows\system32\Bhqnki32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Bnkfhcdj.exe
        
        C:\Windows\system32\Bnkfhcdj.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\Baicdncn.exe
        
        C:\Windows\system32\Baicdncn.exe
        80⤵
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\Cffkleae.exe
        
        C:\Windows\system32\Cffkleae.exe
        81⤵
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Cnmcnb32.exe
        
        C:\Windows\system32\Cnmcnb32.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Cakpjn32.exe
        
        C:\Windows\system32\Cakpjn32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5072
        
        C:\Windows\SysWOW64\Cegljmid.exe
        
        C:\Windows\system32\Cegljmid.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Cfhhbe32.exe
        
        C:\Windows\system32\Cfhhbe32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Cnopcb32.exe
        
        C:\Windows\system32\Cnopcb32.exe
        86⤵
        Drops file in System32 directory
        
        PID:3524
        
        C:\Windows\SysWOW64\Canlon32.exe
        
        C:\Windows\system32\Canlon32.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Chhdlhfe.exe
        
        C:\Windows\system32\Chhdlhfe.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Cjfqhcei.exe
        
        C:\Windows\system32\Cjfqhcei.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Celeel32.exe
        
        C:\Windows\system32\Celeel32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Cndinalo.exe
        
        C:\Windows\system32\Cndinalo.exe
        91⤵
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Cabfjmkc.exe
        
        C:\Windows\system32\Cabfjmkc.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Cfonbdij.exe
        
        C:\Windows\system32\Cfonbdij.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:404
        
        C:\Windows\SysWOW64\Cepnqkai.exe
        
        C:\Windows\system32\Cepnqkai.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Dhokmgpm.exe
        
        C:\Windows\system32\Dhokmgpm.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Djmgiboq.exe
        
        C:\Windows\system32\Djmgiboq.exe
        96⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\Dagoel32.exe
        
        C:\Windows\system32\Dagoel32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Dhagbfnj.exe
        
        C:\Windows\system32\Dhagbfnj.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\Djpcnbmn.exe
        
        C:\Windows\system32\Djpcnbmn.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\Dailkl32.exe
        
        C:\Windows\system32\Dailkl32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Ddhhggdo.exe
        
        C:\Windows\system32\Ddhhggdo.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Dkbpda32.exe
        
        C:\Windows\system32\Dkbpda32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Dalhqlbh.exe
        
        C:\Windows\system32\Dalhqlbh.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Ddjemgal.exe
        
        C:\Windows\system32\Ddjemgal.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Dfiaibap.exe
        
        C:\Windows\system32\Dfiaibap.exe
        105⤵
        
        PID:892
        
        C:\Windows\SysWOW64\Dopijpab.exe
        
        C:\Windows\system32\Dopijpab.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Danefkqe.exe
        
        C:\Windows\system32\Danefkqe.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 236
        108⤵
        Program crash
        
        PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2388 -ip 2388
1⤵
PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aceidl32.exe

Filesize
93KB

MD5
17b6a8b811c796776c5c44e0517cc6f0

SHA1
c4d99537cee140223a3905625d345e7bb2c70d0c

SHA256
6f08cc2f83defe5c92cd1dc67e4d2ebc1f5c1bb616b30ea6e15c62d3e3c59401

SHA512
8a27f2a7721472bcccfc3be5293736ca31815e89b0b05410be1509d23599833b31ce393f07644346bdac179a27ff7dc4fa2b4923c9b4ade94f6a20ee2c4756c4

Download Submit
C:\Windows\SysWOW64\Acicol32.exe

Filesize
93KB

MD5
a5509f6dff3ff74b4591d0d660398dd7

SHA1
4af4727ab0c0a8efb5abf82b2d5f575e5eabdf77

SHA256
c3a77be8abe80bf1b702c5bbcb3b4f708cdf4a0ebe4fdb81e85ed480cffdfa6c

SHA512
cf40c0de5f4ed0453ae07d4b357005d8e232684a663cb78a06c8161d0cf2526765c41ff808a951a46427ad244b48ac53290be6b2848e13c45ad0bd1162a5dc5f

Download Submit
C:\Windows\SysWOW64\Afebeg32.exe

Filesize
93KB

MD5
5faa6dedd117d87678c784652f4bbb25

SHA1
e02e6d52d020d0730e5ab616baa9cc8126431676

SHA256
9ee8b80b73795b3d1c5f99494645566f8a5aecaa5274b58cf66d34b130a2be30

SHA512
387897cb9982268d696e1ebc11aa711b90d722e7ad90bf8dae4b5914df3b4876a5b9cf26090b3bcefce9092f23b0a9ad84ff6d33014f930fdbdb39af0bd44f58

Download Submit
C:\Windows\SysWOW64\Ammnmbig.exe

Filesize
93KB

MD5
8dc57eddb92318ff8a80fc29a7572f81

SHA1
d5e6934b22504b62d097ca42f96bbb510f36d916

SHA256
ea78442cd8e957fa19a36fcbabacc940f5656694651e823c6c8980a5b366be61

SHA512
f5af69cf81d1ed2c3b6ce662698a0a4680ae693bb1e46e0a7bcd4323a686353ba30932d29bc1ea10480ff60951537cb7f8247c63ee0d66d1a018cc362e3b9d62

Download Submit
C:\Windows\SysWOW64\Bnkfhcdj.exe

Filesize
93KB

MD5
03d46d6303023cb688bb2b7e43120539

SHA1
537bcbc16a65f05c6e8fdfd6644a6039adbe550e

SHA256
0cc2bcd880f33e682f908514c0d222a7b73830a33f1bec06f8d6edb8e211eef2

SHA512
0bb33bdf52c7d64a9051b967a7db6dc7a4a8d02372694587b23a4681800507caf94675dffddb0d219b682544fa46a7544b5f47939c1026c47023b62dc992c6d3

Download Submit
C:\Windows\SysWOW64\Cegljmid.exe

Filesize
93KB

MD5
df6f5d10d47419e27411447ef175b9ea

SHA1
b4fab66c0df2f269623f55cc6a43cb73ded3de8d

SHA256
453fd65e3c58f7798c5aa2b41a3451df00f8bfcf07ec85590a8bbc3be344fe5d

SHA512
313966af6e7914010c734337c4299645a7cdde5d29c2311a72c16c8a091acc6af910456904a2d17751cfa0e5b95b14ea80f2de1945e0887b1b52ff6f35dc6014

Download Submit
C:\Windows\SysWOW64\Cepnqkai.exe

Filesize
93KB

MD5
da9534a2ecbc8f0cde10b36322fa812a

SHA1
8e334ffa3447b1a17ff7b5beb8f3c9fd6aa0a977

SHA256
ed4070d65f85fed5b70673bb26949b17535ec3586dbe13b0fb9a36e4605d9d24

SHA512
0e91384db86efce29c97988007fcc0dcdabe4db9a6e6b3088214953769c1d11936bd0994655552cf9f9667ecee45996194867f6b7ba8b112661f1d29a4e54e2f

Download Submit
C:\Windows\SysWOW64\Cndinalo.exe

Filesize
93KB

MD5
0f2f3b624f79e695b8130cb061619ab9

SHA1
b70769e2e84ce74ee5717a92dbe970928f682fd9

SHA256
f1a0e6397bb9fe9505018209198756f4c4a775e387e5bc8526ccf9c25f1dfdae

SHA512
2ac1575218110f74a90138601859c3b047682073cf8421440b0c9d0d1cc0aae92fe59a360d9d1c01d61d2844fffb465c1560fc4163bbb8fe0176d7a6f63493fc

Download Submit
C:\Windows\SysWOW64\Ddjemgal.exe

Filesize
93KB

MD5
a8a68d0f2c6f301af6271abcc9a2bb68

SHA1
1af270865e659d7c39256df0382672673abc123e

SHA256
5949575842db66660a883fb6d1cfa7e85a3cf7557986ca0cdc2ed06006598e48

SHA512
63174924c1223ec61a55cc9073cc98d76bb6236e9cc17c6b27492ef872611c6d086d3b8dead6fc9b0fe042f39a527ab3da3808c4192ba851d7180d3a789bc681

Download Submit
C:\Windows\SysWOW64\Djmgiboq.exe

Filesize
93KB

MD5
bdc173ad92f9f056467a68ba5790d23c

SHA1
f8578165634b2313e5b7f6d299a7e1cd1f0b5816

SHA256
af114389202e1210e9ed756d5f346d0655835ee94a41b53a473c3a23dc4bcad8

SHA512
ed700bd04fdd228bd79f7fb862fd89683d2f2660b01ae440db0f3818f775ab65bb15087885902312baa2efc9787cf86dcd1a080b36e3e7144870cf72dcf55c7e

Download Submit
C:\Windows\SysWOW64\Lbhocegl.exe

Filesize
93KB

MD5
26deed50fb89ebe2dc4a59c846968f15

SHA1
17f15677626d55a4d5ed2d1814288db1de8c7b01

SHA256
37925302ac8c2b0d8f4eba7c88d32030871b71051b7f017dc5770eefe8fac4b0

SHA512
b294a29cceae3d06e25a439793750b81df4c8e4a82b6348011e6b64c47661cac6cb9fdfaece4c612edafd56b3074c40082f8f88e16bbcc8406da10c921f408a3

Download Submit
C:\Windows\SysWOW64\Ldlehg32.exe

Filesize
93KB

MD5
ee989189a588204e3b4e555abdc8bab2

SHA1
b6328ae21f2d3d870549728fdcd860b97a41c977

SHA256
7802c22d3128ee2a420218504b5c6feec012f753fd23e7d5c9a0dbcadd62dac8

SHA512
fe8f6eda4f06342f9b1f0ebe25e9bf8a5b4a250d9c0f3628376d5e942bae3d2759056f55099873db4df183f57bba9f222ccfbda0900c2af23befe84528fe0f39

Download Submit
C:\Windows\SysWOW64\Lffhjcmb.exe

Filesize
93KB

MD5
2e9bcf0bb0d9a7b8edabf363e9a52aec

SHA1
5a102bccca7191db8434b72463945fd214bb9658

SHA256
bcffcc532e47ff469896140f068c07edad5c9d68e82ee8045cb0fb1efbaa437d

SHA512
d972dbaa8db42b4ada300d5ec1f43c37e710548adb976ea251de86c5ef5e9b5b5ee8bcb3cadb1ee389373fc15e6b6fa2b4718b0d3147756fd2810180ac7c744a

Download Submit
C:\Windows\SysWOW64\Lghdockp.exe

Filesize
93KB

MD5
574cc459ee2174d9060b1eec8f48a25f

SHA1
8bd0968501d86712c79c38f54162cfdf9a278c5e

SHA256
236f54b27220825d026f377e65fbeab8541c9ef86ecf2d49f54a5f5c4b9d5d70

SHA512
16723e1a19529eb46a0535a506fea68b88b30c38d925dc114015ca6160e81cdf1b2a113ce50011ad45780e06e12d61b174ca20055162fb40ee35d83b98d5c536

Download Submit
C:\Windows\SysWOW64\Llbpbjlj.exe

Filesize
93KB

MD5
a400f276c971c2a8591d0f7186dbdcc9

SHA1
7d289bde0f180c5d803613e8c9a4d060b05c98b0

SHA256
ede8b05013506d412f0040a9993847217877e6b24eeca814898bbbc77b343926

SHA512
9f0509b05926b7f7d415e4157241039cc647989de3675e98506fb81a23a7e0e3e85767d2c945800d7c8d803026c985d8ed95928a0e9ba3a02483e98da4d0f86e

Download Submit
C:\Windows\SysWOW64\Lmbmlmbl.exe

Filesize
93KB

MD5
4485722fd711a553683cecbb6697b529

SHA1
0240348819a69e5f9ac29949647a8146179ea594

SHA256
84c864c02a3ad0b39bded474f5e48bfa50398124e8a70e8e1a92a8a5db286e73

SHA512
3b4e03d18e76a00acc3861e4dd7dfb90de749a6e875bed4794ba547d7200146221b1508221c8b17bcf902c44c9bf5ead0dc2c73dd6ec73715350ce2fb0e4b030

Download Submit
C:\Windows\SysWOW64\Lmmcqn32.exe

Filesize
93KB

MD5
13a3661eb828a889af821e07a6972816

SHA1
21619ce7daa36bea4b0f1de37f5696846fe852ff

SHA256
3898e8edac55e284757c9642a31199ee9f92d42c0249c2f07a887b0f03a9932e

SHA512
8dd541a8e49fab1708cc617c71d5023868964bff3edbf8287844387ff2f3a3baad7a0ad2f778f82a62e401ec543f82210d3a840e311834670afb5414a16e5436

Download Submit
C:\Windows\SysWOW64\Lmmcqn32.exe

Filesize
93KB

MD5
08a90e0d774cd3d492d603b090a36699

SHA1
2add402025f275d008063514418a8ec724a4776c

SHA256
434d0d39dd5b3e599186fdff3f148cb677f18b32d7592f8d76d3d27b6da90f8d

SHA512
bfc2c10b438ad8acf70f7a29a655f25ef6f4916d22fccbd81a9e2e443ee39e058fb9c532fee08411d0a4f8fc1c7787dfe81e65ba19fd4531465bd7a3f52715dc

Download Submit
C:\Windows\SysWOW64\Lplpmi32.exe

Filesize
93KB

MD5
5a5e4fc653a2bd78fedd8aff9930f935

SHA1
14f11b985e887184ace87986475ab9874f7ef673

SHA256
ffc5de3b45be0ee55317a958534a1acf263512f3bfaab3c88f0c205ddab69021

SHA512
02e6e8de298c7ba4475aa60d431e2426632082f94552db1143440dd61d4408e86672f22bd50ef91503ef6447ae978492faf7de02920674bcb5eedb9d11810ef3

Download Submit
C:\Windows\SysWOW64\Lpnlbi32.exe

Filesize
93KB

MD5
19008f3bb43ded99d93f069337cba0d2

SHA1
01826bcf43228b350082b6c65d98824bdc1353b5

SHA256
ee8cf1210e872c343bddfda51085bf217fac35748cc89761ed925a3c670cb737

SHA512
a4ecd52714585117298ab2bc1f62c3975444e1d59a7ab64ef0b40cc1cd13f922ac09a1c70661e1dac9ee32790b564953f9ea9872c4ec53f1f0b4e142fc24f2f0

Download Submit
C:\Windows\SysWOW64\Mccooc32.exe

Filesize
93KB

MD5
1c7735d4b336367903908ac104caca14

SHA1
ee4dd2d2a7c16b64571cf8ce27f6ff339196e96a

SHA256
9b81aad6c2a85bcd0615f95d90ea4ae144807be82aac94c3da8d6a9b4d00ed85

SHA512
ad2d1bdd483178e2a4344f74a1dbb17d9e16d8d9040abec50114a1bfab25dc3106373776e589e07d0e40aeb4fa62c04095f9539fde3c70551dcf7d66aef7d2c0

Download Submit
C:\Windows\SysWOW64\Mdnang32.exe

Filesize
93KB

MD5
5b6d776e517b54e1c060852275fa05ac

SHA1
3b83c1480822b8656368f9f049c71db44bf9aa8d

SHA256
d953b2f236a6f28973159077d60f95a92e0cbabbec6d3fec22fc972729837d65

SHA512
1abc85524059147681568c9c1960a0e114cdc05a55a780dcf5642b04a26ed3b54ae10be63f62d8b43e5e53c750487e2371e113c59de0a228e47e0da5ac0d7dd9

Download Submit
C:\Windows\SysWOW64\Medgan32.exe

Filesize
93KB

MD5
4f2081aaac7c1a87883b22e4038b2294

SHA1
520356e61031505bec80e5316accf92856a95f69

SHA256
905d496850567a8bcba95afa81165ed14967df018f28286dd1a4b0e21711977b

SHA512
e15995dcec8e7c8a95ff74d1e37e305d1b50640ade984ed0d1f575141dca7db96aa2a185b09fa49786cae75bcbd1793c95bc211f198dca312604523eb675c983

Download Submit
C:\Windows\SysWOW64\Megdfnhm.exe

Filesize
93KB

MD5
c967d5f9b8973c09ce3321f5afaeaa5a

SHA1
fdf00fcdaaac89a61f7f07ae053f1179dd5a266d

SHA256
2f6cfb7883857cb5b611c08972c52491120219822927af35c7749e7ffccf7f0a

SHA512
be86e3267115e091c8c09a3bb52be0a18c5e26a4545405669b0d5313c8c57b668e087d7052104597fbd09c200c15cfdd9f91ae5407895f3c8c5df9875ab757ce

Download Submit
C:\Windows\SysWOW64\Memapppg.exe

Filesize
93KB

MD5
c7cb1751471b4cccc603e8b8d3f37f3c

SHA1
ac2119c302cdb0ef75af55b663ed28b76fefd72f

SHA256
630b183a1fbec5533ada74e93b12d602907f3a60de439b60bba384c58c5bdfb3

SHA512
c412078b7867441e3818547b73ee7a66fac4c8b0498fef8a14203ffc5b872e6b42a7a1976e2feb11c694682743b43a2d22426c8a127dc7a0b4b6390426c240f3

Download Submit
C:\Windows\SysWOW64\Mgddka32.exe

Filesize
93KB

MD5
d8b984483716dffd1c787be0b25d8d0e

SHA1
1c10057dcb64a0cd26f5dd69b41d579cc8a06735

SHA256
0d2695b6519362a46228dec04236c2e62edb6367913c9e0d3b6899c55561ec71

SHA512
b0b0eec01b1ff9870b80247fbf1b496bb68aa1d0153409021610e77ff7450c4bbee2f89e401542c9022a668e5a3749f1e287665d668715bf80f924854b610b12

Download Submit
C:\Windows\SysWOW64\Mhjlkk32.dll

Filesize
7KB

MD5
056f96ac4e00c3a28a192b2192f6de24

SHA1
5a8305302fc70332431980004d16366016a0c43b

SHA256
30c1d504f30be7837a8b6009f8ede91d2a150806b0044473e8f163c2fea1d8f1

SHA512
2eecfa76e59eded1f3ee7e6d8d27eacf75b32f4180e1c7db5b9fe2c71a30012f5ca8c1615e13e09d12a3fbe5f8fd6bd631a7d91318696d2077b6caf7e4ac347f

Download Submit
C:\Windows\SysWOW64\Mikjfn32.exe

Filesize
93KB

MD5
8b845fbdaad420538f10781ec2261999

SHA1
8015203cd4fd9d868f8fa33886d587fa6f7316f2

SHA256
fa4abfdbdd277bca68c1266d31519c2e42fe713588fa18292a265a50cff82277

SHA512
7687f922215e8fc371c86c6058ecf5edba44c0d3b612b41b977e91b694a23603843c0b27a8a6e8cdd37a07fac7761ce88c73fa6dc3ace9b36583a1c8bf177c5d

Download Submit
C:\Windows\SysWOW64\Mlnpnh32.exe

Filesize
93KB

MD5
f8f7b9109138703c51404c789d8bf55c

SHA1
c6966518f725e3075058fb640fd2d8f83fdd44dc

SHA256
2ea10f4a29a989c5658c6026064a2cd051014db0a610bbd33b511ff607a02ef3

SHA512
53b70a0553173bd24afcf4029a2acb4dab0510556890ea53cab667b3f6e8a8065ca14cbf854613a4dcf9825d8ba614cec40fede467a32be1aed9ae83bd064ecf

Download Submit
C:\Windows\SysWOW64\Mmdiamqj.exe

Filesize
93KB

MD5
413188c8745837fc808f6a8fe9ea42f0

SHA1
fb1e8f18558b251518cef32fd7b8f59b3ac3bf47

SHA256
4da7d598e35fe1094c9df0c91ba8e342171b54f8cfdb087ac540134e30e6d403

SHA512
172e9e8ef5fc879a921e4651a16c53055428122c2b1a4811f5a9db2170a058cd38fcccc4175de7500bf43e6649d43461baedd3468a1acbd463eb37ea7d5d9ea5

Download Submit
C:\Windows\SysWOW64\Mmicll32.exe

Filesize
93KB

MD5
3beaf6d6b08934245f0f64fc08a53248

SHA1
3c9cfed421f6c92e86d88e6140c1871746a2b969

SHA256
a23c260e5738e908df899154f8a8f6863717ca12747de219fc6e9b4aeadba332

SHA512
21331d75519de5d96003e66c3be4dd25481c4300dbfb6b5e447005463e03d7fe0b81104adfdfab691b1b2944916d8306e2fcf981da8aceb9266a5f068a953a72

Download Submit
C:\Windows\SysWOW64\Mnnlgkho.exe

Filesize
93KB

MD5
4710e677429332baff561c0518b10135

SHA1
db6f3e7bcd2c25ff0f2ba75d43f0e86efd62f3a9

SHA256
ad73ccfd6a8bd3353d2e5c08d82c679e3f2c8fc5749e9a62a20fe07c8468a970

SHA512
478a5e6df372b13cdf8a3edf715dc544fc557f3b80261808ef4c6a4480165efaf592a84beec88a91bc18a86b8fed00947b2c8196c04be5cca84825fdc6471944

Download Submit
C:\Windows\SysWOW64\Mpgoig32.exe

Filesize
93KB

MD5
f2cb37d94e2920ba4d9a8f89e37e2c2d

SHA1
3049d1ebd85a1a1caf8a65ae9f3a43f15e39b089

SHA256
712aea37cebe1056fd83e9d8623d13a5fd56830ab3215e858890b6cf1c3ef0b9

SHA512
0ebf3c60a749757b00a8068a41c91cc09a9231d685d70a72604573c7248718a1ccc9448bdb9b82caed39b069a146c07087bc70f89dbdf912466e9e7df4763c67

Download Submit
C:\Windows\SysWOW64\Mplhdghc.exe

Filesize
93KB

MD5
88032eb80316b6fbd03e2313c2cc2ab2

SHA1
6c72dd34b0d6ff8572ef75b5ff2984142cafc39d

SHA256
08927630a58e32a24f431d003d81916558a96ee14e30bb561c35525cbf8d008a

SHA512
776cf1dd52582337690e2563077bf3743baef441984326e4fe63f72f874432f8c5cf859f4dfbaa78c5326a4c8ee124603c45ffac52f33550749007fb671129f9

Download Submit
C:\Windows\SysWOW64\Ncdgfaol.exe

Filesize
93KB

MD5
4b8dbf90ff406baafab7cc82e44e1307

SHA1
6dba977021cfc5c02541c09bafc6a68c2264f7ee

SHA256
da9a34ab73be621a20ad5ff3f0a8f60f9062a25059d3b80d0058abab9b8e5a08

SHA512
8eb9bdc5dea11fa9d9138a835c94808184e1f08ee3a3fc9870a7ed3e7fca3ffce229825e3a134d68a8097d3282727e3045b47b19685cb553447bdb6db77630e0

Download Submit
C:\Windows\SysWOW64\Ndhdde32.exe

Filesize
93KB

MD5
dab56be7aac0f27a253cff810fd64809

SHA1
7291594b44cab778d979410ed8b59092ffba44bc

SHA256
5de4b86e5a183f33d10ecd386bdffb99dd21da4dc7ca9934ef3473249ce513ae

SHA512
4181a9706487f563ed6e0fb68ec1d9ad18c03df0bed10d2e9a9b2b1e5bb3a5e53de2991371699f7635110f35d4ca2d7ec8fdf42690efc6a6e724c2f24ad85c12

Download Submit
C:\Windows\SysWOW64\Ndjajeni.exe

Filesize
93KB

MD5
e9d66b03a3ef674903379bd744e10ac6

SHA1
704e4e476de33513d8f9a2f391d4387f81a7d51a

SHA256
b75321677ad8d3abd53a463b892a9c57cbf6287b7712fdcd5d9a0aa6914fced3

SHA512
7d5ca129c0e56f9c06bebd1b3e76634e9da5cf113a207e56d85acd8829d20aa3b27668d29d37c495d2660d569c7756313c3eb126f8d0607cf736c38bb3df83c7

Download Submit
C:\Windows\SysWOW64\Ndoked32.exe

Filesize
93KB

MD5
43c18bbe12a94ec6b7d16ff2e65bd49b

SHA1
ffa5373f7e6617bc600a9d316e0571c56a5fbb72

SHA256
be09fb198f6682e2dba93c70c1869c6fde32153d9ea97851603858076ac71fd6

SHA512
51beb6320f591141c3fb5e427a205eb4ecdfe5adcb8ea38f2d4d276780a7daf17b329f407c472c39ce1699b5f56fbbd8b267c2c215077961f75f62ea2a272a5a

Download Submit
C:\Windows\SysWOW64\Nenjgm32.exe

Filesize
93KB

MD5
7aca0627a6235aa9dddf9593931c66b3

SHA1
bbe814304df01cd7c77b5c38bd46a4ce7457098c

SHA256
4428bb52a3b7b94375728ec23abde0ea1b8c9d5ce026370a477341bc3fc0edcd

SHA512
ce88484cb0eecbb8074f78e5af578eaadad8414ee30cac0b7514ccd666e65795f6ca5e5b67dfb2461716534e9d63967c3e0ec56cc86d4766f79042e5d92e7450

Download Submit
C:\Windows\SysWOW64\Nidmml32.exe

Filesize
93KB

MD5
2a1b4d76b717b702425e0191dcc3dcf3

SHA1
663d62b3fd5eb405672aeb98d4cb9ea2af6001f9

SHA256
a7eb04e9169ab9e7960205c856aa648f7ec23e2803098c8d4a82f3c09db077aa

SHA512
c95a045baef933c6035d9928605aa53b41c813a28e88d1931fb2b42996dc77f88219d8e8de083afc879ff55c2ada7568f7b500b1bff4c40dd30ce82ae3201a0c

Download Submit
C:\Windows\SysWOW64\Njlcmk32.exe

Filesize
93KB

MD5
11a7234ec4ccf1d83f211257f8e3fe95

SHA1
db92783b526a3f028a25eed55f236dfdd8835334

SHA256
35c18db442fc8d5a6b12ee6ffe99018f226d5efde03d1edd05b1cc25dc242e6e

SHA512
50a28865da337134429cf1c37f50b0b198a1abfeba2d8810fe13e300bdfc6577e0637cb87e1ef0ae1c440e1d7982b10f7b3b5382456f0039e8e76c3a5c69b432

Download Submit
C:\Windows\SysWOW64\Nlciih32.exe

Filesize
93KB

MD5
4daffd873b1c170589b3c07cf0a4592c

SHA1
9f85284e20de4ab781b00a27db92017b8b9b8614

SHA256
3389775358ce2e7251c312979f826a1f7423ece295901d8059a1f4932d6737f0

SHA512
4ed92cd404e08b2e5ac7a7918f70aa97459c93cef59988ab9d318f6584db45f5e5e05ad5f3a0e130173490e11936f60ea66f0b92231da89058181922cc08d5b2

Download Submit
C:\Windows\SysWOW64\Nlllof32.exe

Filesize
93KB

MD5
9bbed82de600a53dfb137771c539feca

SHA1
126ffd1998fd7ab27868b1667106770f747bc02c

SHA256
7dad10fee00f107ac2c8257ff863abc346cd8a2ad1e3ac5128454d9ef02f5118

SHA512
314a3e3277736d504baedefdc11d9759d756c742632a893954f6e5cc82216f88c24cae1b4dfbcc85bb514df1343e445e0bcf58441e9b5cef21d239f7f6d8ec2f

Download Submit
C:\Windows\SysWOW64\Odhmkcbi.exe

Filesize
93KB

MD5
ac967864f580b27f61913c35fe373c73

SHA1
66676d222ff340eb860d066d2075dd859e2f5309

SHA256
5b7ebc86ea26f0bac6bb1dae5475b9063c223c2653024403b7a37644014634bb

SHA512
8216c233aabb9e2b5d66df6f0472c373993548777336b23ef2e1364ac2d8f913eb5854ae8bbebe54272ec5f42a53d851761d417962b12f71ae91ea8f2556bbef

Download Submit
C:\Windows\SysWOW64\Ofeqhl32.exe

Filesize
93KB

MD5
0ee953c0eef258111efce9f4682ab05c

SHA1
1490891c4c4b1cfaa33fc30948cac9af824f6d72

SHA256
9a012429da7318f1c246cb9a1d1dabd58f17587920cdaee5b0b6f5388c9afe9e

SHA512
d1359a9e63c0336e850aa3afa9e464659dbe0f975fedf3a933289b72bcb69c3245b3e71d44c63fbde51c6720040a3db7498583a2345a23ce00c794d607bdbf9a

Download Submit
C:\Windows\SysWOW64\Ojgbij32.exe

Filesize
93KB

MD5
d7d9eb7de1ccec8222db882506c3d09a

SHA1
2c680f396fd8c0ed20035b29624a9ab60bc97792

SHA256
5c6e88bca382d2f8789b80135ac4d7480f50a5c14ffd4e88e0e81729033a6270

SHA512
ccd396d939189045279d524db8fa14ed532cdab3d12be32a2a5da79ab9e8b9748a0df7e645977cfd8b865ee77d2f9d9833afa215430e456b38e43208665d0b2a

Download Submit
C:\Windows\SysWOW64\Opjeee32.exe

Filesize
93KB

MD5
1fc769c3729d8c4a9f3a1734f5561fc0

SHA1
6a8317badb71ac41a5cab2e2422173294e499a49

SHA256
ae50166ac9992073b22d6cd37324f363cd3e10123e95dbd058013f9e0731dafd

SHA512
b99e331dad243a615f22b011051c9fa87763e52ce62f131c352cc9a57401214c028b151dbb896e061c7a30ec85ef6cbfc576c5358312ab0266c2a350393a98e9

Download Submit
C:\Windows\SysWOW64\Pcijhnld.exe

Filesize
93KB

MD5
54560d180be156458f6a23191e28e499

SHA1
dc79a77b8fda90079c26776b5a9a5a36c29e2aa0

SHA256
e95ce6bf9d93b2d98660a32a15db42fb99c191eb4e806fea0cb931f08d33b477

SHA512
c0adecb86eac129d2484b29f3514f5272c39ac469684f3ffb99e713b8cdc9715164a588377f418033b6e0176e0a22a73a6b12e82dfb9ff46292f16bd2b462447

Download Submit
C:\Windows\SysWOW64\Pjnijihf.exe

Filesize
64KB

MD5
34c4f95d63e68bba0c41993d7315a44d

SHA1
bf9106b8d00e0201fd9724e0f2bb5d45a6663c21

SHA256
face544e89750b2c73ae473812736c9547e230cae9e25c73dd269d972ade83c7

SHA512
5f178acf9923ee12370d0c11aa1bfe96fcc831dc4736e6425c69eed6dfec84f016b540e76b185fe3d3b314fc5ba9e9ba06ec25f5f7986c721e4b667f59f4e982

Download Submit
C:\Windows\SysWOW64\Qmfhlcoo.exe

Filesize
93KB

MD5
d61ffabe165c2d72a33d6996350f872c

SHA1
182e3dfbd89b88677fdccd01d0502226add25800

SHA256
d6ef066e0710b75ea6ff7d8b4baed6d80f70161e34d6d16db2d66e9a54e33f95

SHA512
2dc7dabceb0fc97e2becee0df4b9d36b08c8d782eb6ef825a15ba086b34b8938d300b85e42c73cbfb38a5a1a8f30411ab12ece797249d70baf03efdd7399c1f8

Download Submit
memory/180-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/180-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/224-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/380-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/380-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/416-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/416-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/448-392-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/448-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/548-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/548-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/764-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/764-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/840-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/840-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/868-174-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/868-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1032-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1032-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1160-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1160-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1176-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1524-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1696-211-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1696-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1912-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1912-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2120-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2120-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2148-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2148-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2244-344-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2244-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-428-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-434-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2740-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2740-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2908-350-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2908-283-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2948-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2948-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3036-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3036-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3260-379-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3288-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3288-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3348-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3348-385-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3448-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3448-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3532-337-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3532-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3608-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3608-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3612-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-421-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3704-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3712-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3712-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3852-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3852-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3940-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3940-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3964-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3964-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4008-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4008-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4216-427-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4216-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4572-267-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4572-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4576-386-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4744-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4744-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4772-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4772-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4888-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4964-393-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads