berbew | e4caa63a48108576bd2f5231f06bf6846fc186b559b9e2488e6eb779f9438e76

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4caa63a48108576bd2f5231f06bf6846fc186b559b9e2488e6eb779f9438e76N.exe
Size

55KB
MD5

af818f69e16d6bed763da5534058a090
SHA1

1d64aa7db8486292bc55bd363c9155f974943484
SHA256

e4caa63a48108576bd2f5231f06bf6846fc186b559b9e2488e6eb779f9438e76
SHA512

c068300a1eb24ceec71c08e86fb8c26e9e528dd2335cb726d93b8864a9734d7e6658375a5485e0fb345859658d524532123df56b6167a20add58a5f2370b210c
SSDEEP

1536:PGAJKVS8zxmBGCVDqbJtdvdsdd9dQdsk8dshdqdudfd3i5OQyR2LmH:PJ6VSDEJtt2D9OOk8ihckFhpqmH

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opmakd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onqbdihj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckepbgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjlldiji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddekah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkegd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miiman32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onqbdihj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onekoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajcklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpcenhpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adplbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhckqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqdqbaee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Babmco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopijpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e4caa63a48108576bd2f5231f06bf6846fc186b559b9e2488e6eb779f9438e76N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llemgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mepnfone.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajcklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoakd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmppfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mllchico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlefngkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflfhkee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmlcennd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgokpbeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcppimfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjhdgeai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmdmdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjhdgeai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmdmdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nconka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odjjqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmfhlcoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agpedkjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npoeif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljoig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcgmbnnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dokpoq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopijpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbmhod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgdfim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgiodlqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhokmgpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbmhod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Capiemme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mljfbiea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfeiojnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgjhkjbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afebeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbploeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aedfnoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhckqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqfmhacc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjfe32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
548	Libgpooi.exe
1548	Llpcljnl.exe
1264	Lffhjcmb.exe
3288	Lmppfm32.exe
1160	Lbmhod32.exe
2652	Lekekp32.exe
884	Llemgj32.exe
3544	Ldlehg32.exe
4216	Miiman32.exe
984	Mpcenhpn.exe
4744	Mcabjcoa.exe
4012	Mepnfone.exe
1276	Mljfbiea.exe
1284	Mgokpbeh.exe
4964	Mllchico.exe
3980	Mipcambi.exe
244	Mchhjbii.exe
3424	Mlqlch32.exe
700	Nckepbgf.exe
1792	Nidmml32.exe
3864	Npoeif32.exe
4700	Ncmaeb32.exe
1128	Nghmfqmm.exe
3632	Nlefngkd.exe
1524	Nconka32.exe
1560	Nnebhj32.exe
1340	Ncakqaqo.exe
3472	Ngmgap32.exe
2892	Nljoig32.exe
5088	Njnpck32.exe
2956	Ogbploeb.exe
2240	Oloidfcj.exe
472	Ociaap32.exe
1860	Ojbinjbc.exe
2528	Opmakd32.exe
4628	Ockngp32.exe
4880	Onqbdihj.exe
1828	Odjjqc32.exe
3056	Oflfhkee.exe
2852	Oqakfdek.exe
1032	Ogkcbn32.exe
3428	Onekoh32.exe
972	Pqcgkc32.exe
4008	Pjlldiji.exe
928	Pqfdac32.exe
4760	Pcdqmo32.exe
3128	Pnjejgpo.exe
3784	Pcgmbnnf.exe
3260	Pfeiojnj.exe
3236	Pmoakd32.exe
2636	Pgdfim32.exe
872	Pmanaccd.exe
2120	Pckfnn32.exe
380	Pfjcji32.exe
3036	Qqoggb32.exe
2452	Qgiodlqh.exe
4852	Qflpoi32.exe
5080	Qmfhlcoo.exe
4276	Qdmpmp32.exe
2848	Qcppimfl.exe
4076	Aqdqbaee.exe
1512	Adplbp32.exe
4516	Afaijhcm.exe
2632	Aqfmhacc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qgiodlqh.exe	Qqoggb32.exe
File opened for modification	C:\Windows\SysWOW64\Babmco32.exe	Bjhdgeai.exe
File created	C:\Windows\SysWOW64\Pbhfao32.dll	Deehkk32.exe
File created	C:\Windows\SysWOW64\Mcapno32.dll	Npoeif32.exe
File created	C:\Windows\SysWOW64\Onekoh32.exe	Ogkcbn32.exe
File opened for modification	C:\Windows\SysWOW64\Pmoakd32.exe	Pfeiojnj.exe
File opened for modification	C:\Windows\SysWOW64\Afaijhcm.exe	Adplbp32.exe
File created	C:\Windows\SysWOW64\Qghbgn32.dll	Agglej32.exe
File created	C:\Windows\SysWOW64\Afjlqgkb.exe	Agglej32.exe
File created	C:\Windows\SysWOW64\Allndpio.dll	Ccjlfi32.exe
File created	C:\Windows\SysWOW64\Dnbdfk32.dll	Chlngg32.exe
File created	C:\Windows\SysWOW64\Oinlcn32.dll	e4caa63a48108576bd2f5231f06bf6846fc186b559b9e2488e6eb779f9438e76N.exe
File created	C:\Windows\SysWOW64\Ockngp32.exe	Opmakd32.exe
File created	C:\Windows\SysWOW64\Leckmm32.dll	Pfeiojnj.exe
File created	C:\Windows\SysWOW64\Ngmgap32.exe	Ncakqaqo.exe
File created	C:\Windows\SysWOW64\Opmakd32.exe	Ojbinjbc.exe
File opened for modification	C:\Windows\SysWOW64\Anmjfe32.exe	Afebeg32.exe
File created	C:\Windows\SysWOW64\Ccjlfi32.exe	Cakpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjjn32.exe	Cfmamdkm.exe
File created	C:\Windows\SysWOW64\Cllnlemd.dll	Libgpooi.exe
File created	C:\Windows\SysWOW64\Nidmml32.exe	Nckepbgf.exe
File opened for modification	C:\Windows\SysWOW64\Nidmml32.exe	Nckepbgf.exe
File created	C:\Windows\SysWOW64\Ambgha32.exe	Ajcklf32.exe
File created	C:\Windows\SysWOW64\Njfhad32.dll	Bjjalepf.exe
File created	C:\Windows\SysWOW64\Bjmnbd32.exe	Bepeinol.exe
File opened for modification	C:\Windows\SysWOW64\Ccjlfi32.exe	Cakpjn32.exe
File created	C:\Windows\SysWOW64\Capiemme.exe	Cmdmdo32.exe
File created	C:\Windows\SysWOW64\Llemgj32.exe	Lekekp32.exe
File created	C:\Windows\SysWOW64\Ppmopd32.dll	Mgokpbeh.exe
File opened for modification	C:\Windows\SysWOW64\Onqbdihj.exe	Ockngp32.exe
File created	C:\Windows\SysWOW64\Hdkbie32.dll	Dhokmgpm.exe
File created	C:\Windows\SysWOW64\Dfdgnc32.exe	Ddekah32.exe
File created	C:\Windows\SysWOW64\Pnjanm32.dll	Aefbcogf.exe
File opened for modification	C:\Windows\SysWOW64\Cmbpoofo.exe	Cjddbcgk.exe
File created	C:\Windows\SysWOW64\Cfkegd32.exe	Cdlhki32.exe
File opened for modification	C:\Windows\SysWOW64\Odjjqc32.exe	Onqbdihj.exe
File created	C:\Windows\SysWOW64\Pqcgkc32.exe	Onekoh32.exe
File opened for modification	C:\Windows\SysWOW64\Pfeiojnj.exe	Pcgmbnnf.exe
File opened for modification	C:\Windows\SysWOW64\Qqoggb32.exe	Pfjcji32.exe
File created	C:\Windows\SysWOW64\Bmimhpoj.exe	Bjjalepf.exe
File created	C:\Windows\SysWOW64\Jonepa32.dll	Lffhjcmb.exe
File created	C:\Windows\SysWOW64\Hqmfgcnl.dll	Lbmhod32.exe
File created	C:\Windows\SysWOW64\Npoeif32.exe	Nidmml32.exe
File created	C:\Windows\SysWOW64\Dffdcccb.exe	Deehkk32.exe
File opened for modification	C:\Windows\SysWOW64\Danefkqe.exe	Dopijpab.exe
File created	C:\Windows\SysWOW64\Mepnfone.exe	Mcabjcoa.exe
File created	C:\Windows\SysWOW64\Faqbkf32.dll	Ajcklf32.exe
File opened for modification	C:\Windows\SysWOW64\Bjhdgeai.exe	Bgjhkjbe.exe
File created	C:\Windows\SysWOW64\Bhckqh32.exe	Bmngcp32.exe
File created	C:\Windows\SysWOW64\Mlqlch32.exe	Mchhjbii.exe
File created	C:\Windows\SysWOW64\Hadimk32.dll	Njnpck32.exe
File created	C:\Windows\SysWOW64\Agglej32.exe	Ambgha32.exe
File created	C:\Windows\SysWOW64\Miiman32.exe	Ldlehg32.exe
File created	C:\Windows\SysWOW64\Cegooa32.dll	Aqfmhacc.exe
File created	C:\Windows\SysWOW64\Bmngcp32.exe	Bhqnki32.exe
File created	C:\Windows\SysWOW64\Fdkhpc32.dll	Bmngcp32.exe
File created	C:\Windows\SysWOW64\Dgqmpg32.dll	Afaijhcm.exe
File created	C:\Windows\SysWOW64\Ecpakh32.dll	Anmjfe32.exe
File opened for modification	C:\Windows\SysWOW64\Bhqnki32.exe	Bjmnbd32.exe
File opened for modification	C:\Windows\SysWOW64\Pqfdac32.exe	Pjlldiji.exe
File opened for modification	C:\Windows\SysWOW64\Pckfnn32.exe	Pmanaccd.exe
File created	C:\Windows\SysWOW64\Ekeinhcn.dll	Pfjcji32.exe
File opened for modification	C:\Windows\SysWOW64\Qmfhlcoo.exe	Qflpoi32.exe
File created	C:\Windows\SysWOW64\Aqdqbaee.exe	Qcppimfl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4872	3044	WerFault.exe	194

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjddbcgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfqmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhjcmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllchico.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qflpoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agpedkjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkegd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldlehg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcabjcoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflfhkee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4caa63a48108576bd2f5231f06bf6846fc186b559b9e2488e6eb779f9438e76N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlqgkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfeiojnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mepnfone.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhckqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjagmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opmakd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onqbdihj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afebeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Babmco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojbinjbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqakfdek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcppimfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgjhkjbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfdgnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajcklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmdmdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dokpoq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpcljnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoakd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjjalepf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqdqbaee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqfmhacc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnebhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdlhki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhokmgpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbpoofo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfakhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmanaccd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cakpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqfdac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libgpooi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oloidfcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjlldiji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nidmml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmimhpoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnjejgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aefbcogf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljoig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmfhlcoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmamdkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlefngkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjjqc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckfnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdmpmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemgj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekeinhcn.dll"	Pfjcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Babmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llgdel32.dll"	Qmfhlcoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmdmdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dokpoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Domldpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopijpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejpimhhm.dll"	Pmanaccd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pckfnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lekekp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjanm32.dll"	Aefbcogf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnjejgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjagmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadimk32.dll"	Njnpck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqakfdek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pojjom32.dll"	Mcabjcoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnebhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbploeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igbmja32.dll"	Pqcgkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlceeo32.dll"	Pnjejgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Libgpooi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmodnlac.dll"	Lmppfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aefbcogf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njnpck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jomlnhpk.dll"	Aqdqbaee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcgfbo32.dll"	Bglepipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lffhjcmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlefngkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npoeif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allndpio.dll"	Ccjlfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfakhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngnfp32.dll"	Dfakhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ociaap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opmakd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhijdp32.dll"	Qdmpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajoaqfjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afebeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcgfebgh.dll"	Ncakqaqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pckfnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncmaeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oelfff32.dll"	Oqakfdek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijcoe32.dll"	Llpcljnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlfhmp32.dll"	Mlqlch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ledagi32.dll"	Ojbinjbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhfgganp.dll"	Onekoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Babmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohneobmn.dll"	Mipcambi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nljoig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nidmml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nconka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlilanbh.dll"	Nnebhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dffdcccb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcabjcoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckepbgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oncoihfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcppimfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aefbcogf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peodfhjp.dll"	Afjlqgkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhokmgpm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 548	1728	e4caa63a48108576bd2f5231f06bf6846fc186b559b9e2488e6eb779f9438e76N.exe	81
PID 1728 wrote to memory of 548	1728	e4caa63a48108576bd2f5231f06bf6846fc186b559b9e2488e6eb779f9438e76N.exe	81
PID 1728 wrote to memory of 548	1728	e4caa63a48108576bd2f5231f06bf6846fc186b559b9e2488e6eb779f9438e76N.exe	81
PID 548 wrote to memory of 1548	548	Libgpooi.exe	82
PID 548 wrote to memory of 1548	548	Libgpooi.exe	82
PID 548 wrote to memory of 1548	548	Libgpooi.exe	82
PID 1548 wrote to memory of 1264	1548	Llpcljnl.exe	83
PID 1548 wrote to memory of 1264	1548	Llpcljnl.exe	83
PID 1548 wrote to memory of 1264	1548	Llpcljnl.exe	83
PID 1264 wrote to memory of 3288	1264	Lffhjcmb.exe	84
PID 1264 wrote to memory of 3288	1264	Lffhjcmb.exe	84
PID 1264 wrote to memory of 3288	1264	Lffhjcmb.exe	84
PID 3288 wrote to memory of 1160	3288	Lmppfm32.exe	85
PID 3288 wrote to memory of 1160	3288	Lmppfm32.exe	85
PID 3288 wrote to memory of 1160	3288	Lmppfm32.exe	85
PID 1160 wrote to memory of 2652	1160	Lbmhod32.exe	86
PID 1160 wrote to memory of 2652	1160	Lbmhod32.exe	86
PID 1160 wrote to memory of 2652	1160	Lbmhod32.exe	86
PID 2652 wrote to memory of 884	2652	Lekekp32.exe	87
PID 2652 wrote to memory of 884	2652	Lekekp32.exe	87
PID 2652 wrote to memory of 884	2652	Lekekp32.exe	87
PID 884 wrote to memory of 3544	884	Llemgj32.exe	88
PID 884 wrote to memory of 3544	884	Llemgj32.exe	88
PID 884 wrote to memory of 3544	884	Llemgj32.exe	88
PID 3544 wrote to memory of 4216	3544	Ldlehg32.exe	89
PID 3544 wrote to memory of 4216	3544	Ldlehg32.exe	89
PID 3544 wrote to memory of 4216	3544	Ldlehg32.exe	89
PID 4216 wrote to memory of 984	4216	Miiman32.exe	90
PID 4216 wrote to memory of 984	4216	Miiman32.exe	90
PID 4216 wrote to memory of 984	4216	Miiman32.exe	90
PID 984 wrote to memory of 4744	984	Mpcenhpn.exe	91
PID 984 wrote to memory of 4744	984	Mpcenhpn.exe	91
PID 984 wrote to memory of 4744	984	Mpcenhpn.exe	91
PID 4744 wrote to memory of 4012	4744	Mcabjcoa.exe	92
PID 4744 wrote to memory of 4012	4744	Mcabjcoa.exe	92
PID 4744 wrote to memory of 4012	4744	Mcabjcoa.exe	92
PID 4012 wrote to memory of 1276	4012	Mepnfone.exe	93
PID 4012 wrote to memory of 1276	4012	Mepnfone.exe	93
PID 4012 wrote to memory of 1276	4012	Mepnfone.exe	93
PID 1276 wrote to memory of 1284	1276	Mljfbiea.exe	94
PID 1276 wrote to memory of 1284	1276	Mljfbiea.exe	94
PID 1276 wrote to memory of 1284	1276	Mljfbiea.exe	94
PID 1284 wrote to memory of 4964	1284	Mgokpbeh.exe	95
PID 1284 wrote to memory of 4964	1284	Mgokpbeh.exe	95
PID 1284 wrote to memory of 4964	1284	Mgokpbeh.exe	95
PID 4964 wrote to memory of 3980	4964	Mllchico.exe	96
PID 4964 wrote to memory of 3980	4964	Mllchico.exe	96
PID 4964 wrote to memory of 3980	4964	Mllchico.exe	96
PID 3980 wrote to memory of 244	3980	Mipcambi.exe	97
PID 3980 wrote to memory of 244	3980	Mipcambi.exe	97
PID 3980 wrote to memory of 244	3980	Mipcambi.exe	97
PID 244 wrote to memory of 3424	244	Mchhjbii.exe	98
PID 244 wrote to memory of 3424	244	Mchhjbii.exe	98
PID 244 wrote to memory of 3424	244	Mchhjbii.exe	98
PID 3424 wrote to memory of 700	3424	Mlqlch32.exe	99
PID 3424 wrote to memory of 700	3424	Mlqlch32.exe	99
PID 3424 wrote to memory of 700	3424	Mlqlch32.exe	99
PID 700 wrote to memory of 1792	700	Nckepbgf.exe	100
PID 700 wrote to memory of 1792	700	Nckepbgf.exe	100
PID 700 wrote to memory of 1792	700	Nckepbgf.exe	100
PID 1792 wrote to memory of 3864	1792	Nidmml32.exe	101
PID 1792 wrote to memory of 3864	1792	Nidmml32.exe	101
PID 1792 wrote to memory of 3864	1792	Nidmml32.exe	101
PID 3864 wrote to memory of 4700	3864	Npoeif32.exe	102

C:\Users\Admin\AppData\Local\Temp\e4caa63a48108576bd2f5231f06bf6846fc186b559b9e2488e6eb779f9438e76N.exe
"C:\Users\Admin\AppData\Local\Temp\e4caa63a48108576bd2f5231f06bf6846fc186b559b9e2488e6eb779f9438e76N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\Libgpooi.exe
  C:\Windows\system32\Libgpooi.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\SysWOW64\Llpcljnl.exe
    C:\Windows\system32\Llpcljnl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\SysWOW64\Lffhjcmb.exe
      C:\Windows\system32\Lffhjcmb.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1264
    - - C:\Windows\SysWOW64\Lmppfm32.exe
        
        C:\Windows\system32\Lmppfm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288
      - C:\Windows\SysWOW64\Lbmhod32.exe
        
        C:\Windows\system32\Lbmhod32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Lekekp32.exe
        
        C:\Windows\system32\Lekekp32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Llemgj32.exe
        
        C:\Windows\system32\Llemgj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Ldlehg32.exe
        
        C:\Windows\system32\Ldlehg32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Miiman32.exe
        
        C:\Windows\system32\Miiman32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Mpcenhpn.exe
        
        C:\Windows\system32\Mpcenhpn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\SysWOW64\Mcabjcoa.exe
        
        C:\Windows\system32\Mcabjcoa.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Mepnfone.exe
        
        C:\Windows\system32\Mepnfone.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Mljfbiea.exe
        
        C:\Windows\system32\Mljfbiea.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Mgokpbeh.exe
        
        C:\Windows\system32\Mgokpbeh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Mllchico.exe
        
        C:\Windows\system32\Mllchico.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Mipcambi.exe
        
        C:\Windows\system32\Mipcambi.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Mchhjbii.exe
        
        C:\Windows\system32\Mchhjbii.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:244
        
        C:\Windows\SysWOW64\Mlqlch32.exe
        
        C:\Windows\system32\Mlqlch32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Nckepbgf.exe
        
        C:\Windows\system32\Nckepbgf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\SysWOW64\Nidmml32.exe
        
        C:\Windows\system32\Nidmml32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Npoeif32.exe
        
        C:\Windows\system32\Npoeif32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Ncmaeb32.exe
        
        C:\Windows\system32\Ncmaeb32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Nghmfqmm.exe
        
        C:\Windows\system32\Nghmfqmm.exe
        24⤵
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\Nlefngkd.exe
        
        C:\Windows\system32\Nlefngkd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Nconka32.exe
        
        C:\Windows\system32\Nconka32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Nnebhj32.exe
        
        C:\Windows\system32\Nnebhj32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Ncakqaqo.exe
        
        C:\Windows\system32\Ncakqaqo.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Ngmgap32.exe
        
        C:\Windows\system32\Ngmgap32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\Nljoig32.exe
        
        C:\Windows\system32\Nljoig32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Njnpck32.exe
        
        C:\Windows\system32\Njnpck32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Ogbploeb.exe
        
        C:\Windows\system32\Ogbploeb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Oloidfcj.exe
        
        C:\Windows\system32\Oloidfcj.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\Ociaap32.exe
        
        C:\Windows\system32\Ociaap32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:472
        
        C:\Windows\SysWOW64\Ojbinjbc.exe
        
        C:\Windows\system32\Ojbinjbc.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Opmakd32.exe
        
        C:\Windows\system32\Opmakd32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Ockngp32.exe
        
        C:\Windows\system32\Ockngp32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\Onqbdihj.exe
        
        C:\Windows\system32\Onqbdihj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Odjjqc32.exe
        
        C:\Windows\system32\Odjjqc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\Oflfhkee.exe
        
        C:\Windows\system32\Oflfhkee.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Oncoihfg.exe
        
        C:\Windows\system32\Oncoihfg.exe
        41⤵
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Oqakfdek.exe
        
        C:\Windows\system32\Oqakfdek.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Ogkcbn32.exe
        
        C:\Windows\system32\Ogkcbn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Onekoh32.exe
        
        C:\Windows\system32\Onekoh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Pqcgkc32.exe
        
        C:\Windows\system32\Pqcgkc32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Pjlldiji.exe
        
        C:\Windows\system32\Pjlldiji.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\Pqfdac32.exe
        
        C:\Windows\system32\Pqfdac32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\Pcdqmo32.exe
        
        C:\Windows\system32\Pcdqmo32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\Pnjejgpo.exe
        
        C:\Windows\system32\Pnjejgpo.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Pcgmbnnf.exe
        
        C:\Windows\system32\Pcgmbnnf.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3784
        
        C:\Windows\SysWOW64\Pfeiojnj.exe
        
        C:\Windows\system32\Pfeiojnj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Windows\SysWOW64\Pmoakd32.exe
        
        C:\Windows\system32\Pmoakd32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\Pgdfim32.exe
        
        C:\Windows\system32\Pgdfim32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\SysWOW64\Pmanaccd.exe
        
        C:\Windows\system32\Pmanaccd.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Pckfnn32.exe
        
        C:\Windows\system32\Pckfnn32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Pfjcji32.exe
        
        C:\Windows\system32\Pfjcji32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Qqoggb32.exe
        
        C:\Windows\system32\Qqoggb32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\Qgiodlqh.exe
        
        C:\Windows\system32\Qgiodlqh.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\Qflpoi32.exe
        
        C:\Windows\system32\Qflpoi32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\Qmfhlcoo.exe
        
        C:\Windows\system32\Qmfhlcoo.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Qdmpmp32.exe
        
        C:\Windows\system32\Qdmpmp32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Qcppimfl.exe
        
        C:\Windows\system32\Qcppimfl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Aqdqbaee.exe
        
        C:\Windows\system32\Aqdqbaee.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Adplbp32.exe
        
        C:\Windows\system32\Adplbp32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\Afaijhcm.exe
        
        C:\Windows\system32\Afaijhcm.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\Aqfmhacc.exe
        
        C:\Windows\system32\Aqfmhacc.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\Agpedkjp.exe
        
        C:\Windows\system32\Agpedkjp.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\Ajoaqfjc.exe
        
        C:\Windows\system32\Ajoaqfjc.exe
        68⤵
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Aedfnoii.exe
        
        C:\Windows\system32\Aedfnoii.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1456
        
        C:\Windows\SysWOW64\Afebeg32.exe
        
        C:\Windows\system32\Afebeg32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Anmjfe32.exe
        
        C:\Windows\system32\Anmjfe32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\Aefbcogf.exe
        
        C:\Windows\system32\Aefbcogf.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Ajcklf32.exe
        
        C:\Windows\system32\Ajcklf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\Ambgha32.exe
        
        C:\Windows\system32\Ambgha32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Windows\SysWOW64\Agglej32.exe
        
        C:\Windows\system32\Agglej32.exe
        75⤵
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Afjlqgkb.exe
        
        C:\Windows\system32\Afjlqgkb.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Bmddma32.exe
        
        C:\Windows\system32\Bmddma32.exe
        77⤵
        
        PID:736
        
        C:\Windows\SysWOW64\Bgjhkjbe.exe
        
        C:\Windows\system32\Bgjhkjbe.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Bjhdgeai.exe
        
        C:\Windows\system32\Bjhdgeai.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Babmco32.exe
        
        C:\Windows\system32\Babmco32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Bglepipb.exe
        
        C:\Windows\system32\Bglepipb.exe
        81⤵
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Bjjalepf.exe
        
        C:\Windows\system32\Bjjalepf.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\Bmimhpoj.exe
        
        C:\Windows\system32\Bmimhpoj.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Windows\SysWOW64\Bepeinol.exe
        
        C:\Windows\system32\Bepeinol.exe
        84⤵
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\SysWOW64\Bjmnbd32.exe
        
        C:\Windows\system32\Bjmnbd32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\Bhqnki32.exe
        
        C:\Windows\system32\Bhqnki32.exe
        86⤵
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\Bmngcp32.exe
        
        C:\Windows\system32\Bmngcp32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Bhckqh32.exe
        
        C:\Windows\system32\Bhckqh32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        C:\Windows\SysWOW64\Cjagmd32.exe
        
        C:\Windows\system32\Cjagmd32.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Cakpjn32.exe
        
        C:\Windows\system32\Cakpjn32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3848
        
        C:\Windows\SysWOW64\Ccjlfi32.exe
        
        C:\Windows\system32\Ccjlfi32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Cjddbcgk.exe
        
        C:\Windows\system32\Cjddbcgk.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\Cmbpoofo.exe
        
        C:\Windows\system32\Cmbpoofo.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:4716
        
        C:\Windows\SysWOW64\Cdlhki32.exe
        
        C:\Windows\system32\Cdlhki32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\Cfkegd32.exe
        
        C:\Windows\system32\Cfkegd32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\Cmdmdo32.exe
        
        C:\Windows\system32\Cmdmdo32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Capiemme.exe
        
        C:\Windows\system32\Capiemme.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4996
        
        C:\Windows\SysWOW64\Cfmamdkm.exe
        
        C:\Windows\system32\Cfmamdkm.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\Cmgjjn32.exe
        
        C:\Windows\system32\Cmgjjn32.exe
        99⤵
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Chlngg32.exe
        
        C:\Windows\system32\Chlngg32.exe
        100⤵
        Drops file in System32 directory
        
        PID:1280
        
        C:\Windows\SysWOW64\Dhokmgpm.exe
        
        C:\Windows\system32\Dhokmgpm.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Dfakhc32.exe
        
        C:\Windows\system32\Dfakhc32.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Dmlcennd.exe
        
        C:\Windows\system32\Dmlcennd.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4040
        
        C:\Windows\SysWOW64\Ddekah32.exe
        
        C:\Windows\system32\Ddekah32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\Dfdgnc32.exe
        
        C:\Windows\system32\Dfdgnc32.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\Dokpoq32.exe
        
        C:\Windows\system32\Dokpoq32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Deehkk32.exe
        
        C:\Windows\system32\Deehkk32.exe
        107⤵
        Drops file in System32 directory
        
        PID:632
        
        C:\Windows\SysWOW64\Dffdcccb.exe
        
        C:\Windows\system32\Dffdcccb.exe
        108⤵
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Domldpcd.exe
        
        C:\Windows\system32\Domldpcd.exe
        109⤵
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Ddjemgal.exe
        
        C:\Windows\system32\Ddjemgal.exe
        110⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\Dhfqmf32.exe
        
        C:\Windows\system32\Dhfqmf32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\Dopijpab.exe
        
        C:\Windows\system32\Dopijpab.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Danefkqe.exe
        
        C:\Windows\system32\Danefkqe.exe
        113⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 400
        114⤵
        Program crash
        
        PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3044 -ip 3044
1⤵
PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afebeg32.exe

Filesize
55KB

MD5
be0efe401a429366d4572f7c112d08a7

SHA1
ad4080f109aa5f1fb2e70ae35fedf923d27826db

SHA256
a2729ddf55dc838e474a5a2a6e415b19e652cdf899d0a535581d74ff8c14aa5e

SHA512
3fc700857a70b82ad5cc963827c75b74a1d9c3fba0313a415aebf822f866d4be0e454d796f3d1562179c5dccbe1d830705435ed296de062a7a0e9ae5424be36c

Download Submit
C:\Windows\SysWOW64\Aqdqbaee.exe

Filesize
55KB

MD5
11db1592ba0ec933ceddcfe76ec354d3

SHA1
07ec7652701f4cd5ac2419f5483a2b4dd8dea730

SHA256
b7cdcecd671c0bf47c6e004789b522629dccad966f9370de17a49aa31c90add9

SHA512
c5ee76614e52432dd9e3836f3a22f46c90a3d4ea5e06f5b6a12bfc4a77f2de7792cac7148871b1d55de3630f0451431570c5bc363817eda034e8f794a5888c51

Download Submit
C:\Windows\SysWOW64\Aqfmhacc.exe

Filesize
55KB

MD5
5b30755f89c2ec48731e3f2fe9a3fc81

SHA1
de5e5d0a4676f1b5bf645fdbf4b417e81760741d

SHA256
82d64996c56b7dd01106060253e8c952e40705fe40bd97915fa71e0dfde5a70b

SHA512
63eaeb3da6041977a38b26cabe38120e76b19a351647e84c85d3827d9660bdb22b6ebf20f112ea17038223a246a8861913ab4af69b9cd9053e0cac1e374079c8

Download Submit
C:\Windows\SysWOW64\Bgjhkjbe.exe

Filesize
55KB

MD5
b360f20a32e2dbb3589d9ac413b695a1

SHA1
8850ee3cdf19823eca1a18ea92f5e23d1793a757

SHA256
d5f2274917f9955fd4c63e109fffeb50b1c55cbe0c2d4d9dadeabbbd5e9b2eb2

SHA512
63da9dff305588da6643f36f1bd2f6fe48100145ffdfb527f98614ee9c6a00c66a2db86cbaf4959e0d8888e772303c7ef71559a878052bbe4fa5ca142f38a196

Download Submit
C:\Windows\SysWOW64\Bhqnki32.exe

Filesize
55KB

MD5
2951e77346e63cf62d5072064476eed0

SHA1
586af9e9a16a43d6775570817dced206fd702f2f

SHA256
a26b9988d6a19e036ca809f4a8ffe4222f8c9984462e007c7fcec38290d09a81

SHA512
a56dd32251e02f16e1de0aa021eb9a54c786704f3bcaff430791947654c43ab823a4f1665afd930dbad84790c234614872eaa83fcf04a5b7080a754299ef1dd6

Download Submit
C:\Windows\SysWOW64\Cakpjn32.exe

Filesize
55KB

MD5
13e6a4528828043fb2d95c09c80c53c1

SHA1
ad64d0e42245a0e497e96174e402279591db50f5

SHA256
6d81ce41136c8fec5020f92c855f7e8970b77e25cb565e178dd5703e6ed73257

SHA512
c4df7917e9677a72adbd3ba3ca9cf507aac18e0dd6b3b80671feffb7d1967c4469cbd3e2874fde2ae2f3933771986e82c6c31de1e653519c5a33cfd98b8a9f4c

Download Submit
C:\Windows\SysWOW64\Cfmamdkm.exe

Filesize
55KB

MD5
e3c0ebf8e7755eb023d8af5ec4f88a08

SHA1
9c71dac22b6a312710f59fffbedcae50c1c57891

SHA256
5e773611c2e2c891b0c89e5525d24b6f34cb370aa38e64a9be5a79eda46e6922

SHA512
1fd0776894eb7c5a8fe6ad8d985ee6a1527fba70c7e59f82843a9156c75cbe5ba033ba3479a7dbddd9c7952fd03deec665a60f2136062cbdaa1540c8efd16bae

Download Submit
C:\Windows\SysWOW64\Chlngg32.exe

Filesize
55KB

MD5
945fd69bfb3a05b6ee782a90d3464f31

SHA1
d2f718af92c2e64dde401fa17fec93fc36d7f8d3

SHA256
a075b605dfb9dcd99711a177455d126a23fdf9c8281e1ca392ced10fcf9db5c1

SHA512
a6eb3f00e808c116c8f2c1b42a6b7838e7d044538a9cbac50b889ca21de3169dc5dfc05a86d0b2dce28b6b112b0cac991b184ec5fd0e8e6601460344980ea791

Download Submit
C:\Windows\SysWOW64\Deehkk32.exe

Filesize
55KB

MD5
b95c8e7df9c41934c3a946a7097f7688

SHA1
7515c72bfd857211f6bbb5aa5446988d9a1fb564

SHA256
2d70c50a5e130d5a2a218e9304b99e9ce4ea2795cad42a79cbe82418ebb3f5bc

SHA512
6a35f811f867996f11d3edda39c916b62a1986f5a649ce19ed33a65941c22fdf7078d6e821ac9960f8e1d044361771dd42aba43b49435f1f54cabbd7c9d5719b

Download Submit
C:\Windows\SysWOW64\Dmlcennd.exe

Filesize
55KB

MD5
b09e38a984bc69dc62058354988b52df

SHA1
31b870a068402ead559bc7b44e79d64d25cc9539

SHA256
65a8dca3f1d6763f5a0e28a8ca659868bedf279875f062a8c84926252d31696a

SHA512
9c08a6dfac0b45eff22d4901a4143cdfbcaeb573bd01412a318bbb57be361bed1d790c78cd4d828293ce52406c521d932b19c29596942d3d31ac6a67fa96ee00

Download Submit
C:\Windows\SysWOW64\Lbmhod32.exe

Filesize
55KB

MD5
f0fd6fa58d9a4469ec9d411bc9919204

SHA1
7001a39e229fe31c493f65e9efde8eadf580bca6

SHA256
75feab7c2e9832e4c09995188a24c4a8219ad1a42620d5daf5a12c3cd48df11c

SHA512
d6753972fd09efe169243649d48531422880e1bb3ebccf92d2a39138549101a5d9f92f636f2413e1fdaa36d14eca626961787760a0c222d7e2ddf17150a8a940

Download Submit
C:\Windows\SysWOW64\Ldlehg32.exe

Filesize
55KB

MD5
e4b266b306a623e66f1bd14688b99192

SHA1
e286abf85d8346cd6fff3e3d5ec8c72b2115430d

SHA256
7626d84137ecb507efcb6446819103c6934052c31bdafd39265122a3532de493

SHA512
e805ec0314e2bec31671ddcd4b4d71bf443c2bb15a954456e05f891a579935c6ef1282cff8e1869dc9e885edc39b3d260ea151dffa60754621948848a425c281

Download Submit
C:\Windows\SysWOW64\Lekekp32.exe

Filesize
55KB

MD5
c7e700c9f3fae55a7261eafccb3b825e

SHA1
c94ac938176f256356c3c7910326650511df4b74

SHA256
5344a2b78ddc39a267faf532cc3778bbe7a74b943fb43782ac917b8d9c7ed15c

SHA512
a2d4012d02c178696afefe52078f37e5ad5ee79f19a49715bbdb93928d397bffe29b919110aaa7ecdc12a0182c830ba1eeb0cb8756cf307d0f48a7c3209bf931

Download Submit
C:\Windows\SysWOW64\Lffhjcmb.exe

Filesize
55KB

MD5
26f3102cba141e9c17803e8fa4d32f25

SHA1
ae1b6f6d7635562fe3735b49694fa627eef42f3b

SHA256
f2b6a4f906b8cd2ddc2f2423b1ba7bc619c01c2512d4d69c6d8e0c7dc220dea9

SHA512
75e025e9a0f8ce587f9f7174ba84f2af62e3214c0d54c59411f183f5015701cefdbeb7dbecfe044189229b394be38d103887774ca6754eedcc55a0918917c2df

Download Submit
C:\Windows\SysWOW64\Libgpooi.exe

Filesize
55KB

MD5
5e61272604c897ee2bb76579ad98a027

SHA1
cdd60a4d104cfa8f7c383d225cca02c6091ba3cc

SHA256
f1f76291c7e424c94598702b0d709550f0c8b7904bd12791e3852701445012d5

SHA512
87522bc9ad2543751430f32d3f00aafc7b82a7f0888ea865a4ce863e7962a0132f7aaed4e725e42c3abb5a5c43b3ffc5ce1a1163153f9399a2c607f4e5e1f4ac

Download Submit
C:\Windows\SysWOW64\Llemgj32.exe

Filesize
55KB

MD5
7518197c691f8bc8960b26334bce8201

SHA1
20a320109271f49b0af16a60c1dc88c9795e1e2d

SHA256
2bef23bab6571c49419fc8773ab6ccb56347cbb44501375ec0e3c577d568703e

SHA512
b044f36404b03c79e1010220371304ebc55734cf6d6d1b407541238afe5f21021ca53887a3ee4b5ee156fbe3afa52ecaa4f6fe807f8508caa59090c93d08f046

Download Submit
C:\Windows\SysWOW64\Llpcljnl.exe

Filesize
55KB

MD5
ab5808ddce999868dbf152d2ca63b080

SHA1
20d069604fcacfa55c1b3d9292bbad3b1d0b8c72

SHA256
47f6ec759d360a78d2bee8147f494338de9717b59c30a90932d64a15ff7b98d7

SHA512
98affa105ec3f1766b3bf3d03e5d3b92d33c4032c4be22a617e0233b6da264ed725542b2ae5708228bccb912ec2c978dfe466a984f2b5d39b632e7aa0e8fbb72

Download Submit
C:\Windows\SysWOW64\Lmppfm32.exe

Filesize
55KB

MD5
9f72cf4b4eaa4c5dd6da0f72af6931fe

SHA1
2d97405b886bb83d68d19eea8426286b84e0d649

SHA256
0ae1f803085a08dd9a3aaa12f75a94c2c89f00a9708f519c912d9d738098b5c4

SHA512
b5099eca1797d5ccc51f2f087503098d7ae47bef63ce9f6f52b048d5d699267e015e4255822bbfb00d446d3aac17ad496dfffb5d9552d0e08e9fc4b66175752d

Download Submit
C:\Windows\SysWOW64\Mcabjcoa.exe

Filesize
55KB

MD5
e44612eed99d387da981b8b58e29ff83

SHA1
560d1c13137a0b69a41e11b878dcb33537c35825

SHA256
359a1975f54b6dee1b5ef2d4efc0aaeda7d0975dee1520c51e0ab44b8904af68

SHA512
a8263d90c65f9b67e3a397cece40dbc9825776e885c775b8a5a6f1868265d0285e8faa2a5f68ee7091d1e4142e570d3502dc254c589c426b6d392607bc9ff12b

Download Submit
C:\Windows\SysWOW64\Mchhjbii.exe

Filesize
55KB

MD5
67d884794ef85536f0149cca4d6060bb

SHA1
f435264659c34ef2183752921824a006ffee76a3

SHA256
f87f62beb05f51fd8321b006353c687734023cc61fd55dde4163d73382e3fbf3

SHA512
eaabe822aa9c43640ce2a3c136dc4eb08a5127d2d42eb9ca67c5b4fdb988bd0024ed2cdf324c7656f71f9a0852b9b29780c6bba069b4c7a4dcdfa365932ee463

Download Submit
C:\Windows\SysWOW64\Mepnfone.exe

Filesize
55KB

MD5
02db4cd7a0275ee728833101fdbbf765

SHA1
73610c9992e1cfc4008530109e9f5e7cdb8e0737

SHA256
783d958d8a965b85c4593aed10c77fca9fd58b8e313ceeb9329eff6315d3788e

SHA512
32093f6aee0d1dbb7c07f9b92ea6567670d6ef9c9eab931cfe28192b10b4f9dada408309616a59c6a90470c2afa722426652c4fb9d5cf1f1cc44430d1b4aaf90

Download Submit
C:\Windows\SysWOW64\Mgokpbeh.exe

Filesize
55KB

MD5
d5962415836a38906f2460dd3305179f

SHA1
7f2d49b5d0f7564f56f81d182a3b8603ad00ad2b

SHA256
39fb1ee9a17bedba2d07714f6ed94e1da95ff78601d2a6faf8da107324e7590c

SHA512
e4b81006ef9ee17353ed592fd97f57d44427416808e1419dc60033cb7c531e59cc7185c9f555de95d57fae3928e6646684e0f7e14b6eeb40a37de2c407f36bcc

Download Submit
C:\Windows\SysWOW64\Miiman32.exe

Filesize
55KB

MD5
8e6000ed3f930b165499a479b8d1a0b6

SHA1
c14a01d72ec81c51e1f4999d086ba0d76f91fe0c

SHA256
425af8704b43b09e7dec8ec68d208130ec7649b44475edb36409ea9e9bbd295f

SHA512
f067afc8528175be745539854be3c1ab4f1f088498fc802f7b44a53eec7698ee10618618e7174d5b9e57ccab6ea9a16b239242a24e82baa774e2253e517d8f71

Download Submit
C:\Windows\SysWOW64\Mipcambi.exe

Filesize
55KB

MD5
2cf044dce364a154ae582996625c7479

SHA1
e49e46df8d3e6f56af349a2f21fe011d75af5c99

SHA256
fc433ae546a725c603d5da088045bbecf480a3f2ee36d1c95d8663c5dfb48d05

SHA512
b3d9f484c61f340983a99fa2c57d6e85c4ed2edde0bc264528539bed879fb25e527fb346e61db12fce6261f1f4d538bc0f3b74b419879bdf2dbffe5ce7ee9ae1

Download Submit
C:\Windows\SysWOW64\Mljfbiea.exe

Filesize
55KB

MD5
cc8319803816beb54ec64746c8efcea2

SHA1
fb493680a3563f482828ac4b9df883425858d8af

SHA256
8c91c1a674a5b40f17c831be7d9667d2d95d8e44a0cb37d9ba6e157f4fb26db9

SHA512
ecf4bd6cfc0d392893102321f4ea8b9c2912b88c2ec12794e430596751e4ada05d6eef2c06e457584328287422ef448384bd2403e0da76bf93ae40595e07acfd

Download Submit
C:\Windows\SysWOW64\Mllchico.exe

Filesize
55KB

MD5
76548636976acc32d4188cb1e50dfd29

SHA1
dff16bc6088377ab64e4a26cc3f8c4297384bb76

SHA256
5b4d223fd37c0fe57b748e9efe62c873a39b511d76c82ec98e9c589b2da9a7a2

SHA512
da0379911c3295ff6e34e7040443a31cadf190a094935a09de1d3dd51dbcebce4c5d912860728a95d1274479cac046ab75210ab1d831b0c676ffcca5f770653b

Download Submit
C:\Windows\SysWOW64\Mlqlch32.exe

Filesize
55KB

MD5
f4cc49cc770bbf2ace111267f80ce003

SHA1
96e9d1cba74b6e8d75e0dc433eede4a694564c3d

SHA256
108e0b44430de773ecc39a01f9df76576b4b4b6df2c0f2e790d375a63e2f126b

SHA512
392b122639c3875e387ec8a9b912d479c34dc3c45b58dab79a024732e957b8f9fc3983472dd7b5626ad1d52ccc20c1df0fcf6d1d3584496073b24d995fdf7b0a

Download Submit
C:\Windows\SysWOW64\Mpcenhpn.exe

Filesize
55KB

MD5
b9e443e368864152c58051bd85834974

SHA1
1884d5b9661bc835dea0d0ed79594ab04d1fec3c

SHA256
bc91bff81042c34e3a60c801abe245d371fa7de925f86ac4dd4080b15ec10515

SHA512
3800b11846bd10ea9a56ef1e609e08ccc5623023320482cad58e8715066df6f1c476e3183244ffe61f2edd87a2f8bfb5d37582ef2547a46103deda16f206ea92

Download Submit
C:\Windows\SysWOW64\Ncakqaqo.exe

Filesize
55KB

MD5
ba41230f0a684b8619bd86155246da05

SHA1
ee1c923554eac7962ee4ce6fc1cf63d33dd54fae

SHA256
7587a9fe97b2cf854f6653fe9414a542829b815827756e1ef2c267ba284b457f

SHA512
1cd39114661188bbe5cfaa26a598b9becaa56aa4c84823cea2cf77ae5a58c4dafa5f845c4e0f9738b04feb4eacdd1db71dba6c96d78a2ed6cf19c6f6f60699b0

Download Submit
C:\Windows\SysWOW64\Nckepbgf.exe

Filesize
55KB

MD5
efe307da8c42d5494ab1253615b80f9c

SHA1
44e98c74f95838a4a91f7cf2e182069eab0406e5

SHA256
42ed595e1c262726acc82b066d0b629c85cec7ab700d642af8cad305e0135a18

SHA512
32b07081865897336493ab3af57b52dc2fb3f7ad1ca5971cd2e94d4866287c3c4f6bea2de0ee755b0efc8600dee700a212bffecf8b5e2c48dcb6872ddf017afd

Download Submit
C:\Windows\SysWOW64\Ncmaeb32.exe

Filesize
55KB

MD5
4187ddde2166ce5a585fcda10ef924dd

SHA1
6d06dd9beedb04c35af7bf284b91b079ea144c1e

SHA256
8450b68e1ca6ef26be02cf906d1a869a2c011133e08569bd402f6a8a920539ba

SHA512
40b035cf86cb2f8ba9efa206c9286679b3c3d6fd9b12fe3f4e255c2338e26248f1dbe2d03f64d6a700d2f50e38c40022e9bcc863799d69e3d10dc3c50f61feea

Download Submit
C:\Windows\SysWOW64\Nconka32.exe

Filesize
55KB

MD5
edeff6548f66d5f1919f6e8a9dc42470

SHA1
d11813729af059c92983661f9b1dc48beec5e88a

SHA256
5f58d2fced862c3710fc4d22ea1265e0834c637d0d2b2c7aa384ce15064e1322

SHA512
1671389ab1756ba902781740bcd084693d17db6cd5f7818f318eb85015943994779ce86597391cb5b6f3f767867a9ffdaa138e9be89679f72c690ed154e542e1

Download Submit
C:\Windows\SysWOW64\Nghmfqmm.exe

Filesize
55KB

MD5
20387f39fa9777dc0c18923cd0219132

SHA1
5ea0b6c3a6f79756a7ebb5c796c530d8696b6a80

SHA256
788c3b7ee1deb4fd0c90c5d03fb8a814c4f0df2f9a656c0181c1ce6e119409f4

SHA512
2dfce7de669a7d62874c89916e6f92e22e3e8f61c01b966ad51622a0b1ce161c0a24a10bd320b239957daba937abc8a4249c4460681ae23e5db95448d9261b4f

Download Submit
C:\Windows\SysWOW64\Ngmgap32.exe

Filesize
55KB

MD5
4b007c36891b52a57fa00862330f7633

SHA1
ed3ec58c82f4447c03e22e192cdb18a6dd1bf49c

SHA256
384a50e2355f7f7231d954518c48be4af2b7ce08b1335c8e08cdc62078a1e132

SHA512
b5c799e71dcf07ef27522cced21a01e2604974323ad1007ee1f993ddccf7a8b1174dd7b0ab3f0ccfdeb606766e67b96bd967333811477dfdddb50be2b42dd74a

Download Submit
C:\Windows\SysWOW64\Nidmml32.exe

Filesize
55KB

MD5
aa54eeda7bb6f0491c36f02b8924f53a

SHA1
1a0c10788e6bf339f789b7b4e4c9ad2c397cb5d4

SHA256
6e4b31c5eb2f22115e90f6ebd1fa89852d146426a269e7db3b67a970e28c8412

SHA512
14e6552c3a7d41f56e91d7ada2ba1c607c90526e8c1eab4a16c9a8cd40634b831cfa57736fee4ba100b5ee9eb8fa636af59f6947add675a84b718b652b4acca6

Download Submit
C:\Windows\SysWOW64\Njnpck32.exe

Filesize
55KB

MD5
a1a1c36a0f47b72ba18cccb5c243388b

SHA1
64bfc543096d238ec853f8ec0b7d9af176c17edd

SHA256
e3d53c2fb0ca9b140f9f24509fb77024cd5b33e52293483d6a3c6d8bc3959617

SHA512
76f5d2485d6703ff16be9f98d41209bff5129615347f1cc76af1fc6ba4e6899c236fe06b90b83a59b878e1237a3365eb9ff8440658721de44f8039bfc3234e98

Download Submit
C:\Windows\SysWOW64\Nlefngkd.exe

Filesize
55KB

MD5
b0d64af0b6ff0b7d1525290c4dff5dde

SHA1
525ef3ffaf502d9f98bf3c3663afb2704f3fbb1b

SHA256
fb3ae5e4198b482757c72be65bc33703b52cc9420081605039bc5c3bf8cd92b2

SHA512
cdfb74c9dad4616ec528d0925da0bbdc24d6b756ff883259355a9f675434ffa04eedab365cf24e834355c3708fb7d33d8e9ef6e0949b2cc58bf9f24a2b9613a8

Download Submit
C:\Windows\SysWOW64\Nljoig32.exe

Filesize
55KB

MD5
57aeaa302b5ed891a2c426feb7577f6c

SHA1
2bdd6f69d4ec359c7373dd996a93fc65409f80d7

SHA256
1aef375f15a683936bd88ac73c43d49a5777b208c6dcc4a219216e175c31a3ee

SHA512
e2ec6626f7c68c8604f34e2ec8c558abd7584d580f8ef3843b5e91cedea398e8177c6080c21817311cb35b801a7587cdd328f491e48fb9a4ce783f287a745b3e

Download Submit
C:\Windows\SysWOW64\Nnebhj32.exe

Filesize
55KB

MD5
2dd2e2d575bf7f024168115c4819c5eb

SHA1
0a2b13e9299a9495fd9b4179edebd0a3b4296a01

SHA256
65887863a096f2e0861e4d12b2cce82c63b84eed970e112dd0757ce72ab288a0

SHA512
402e172cc40e62955b69184d19f44348526073cb6112ced893470528cf23b93b835b70a97fa3f9fdd77d3ffbaf63e64ab0b135a96a17b9b5cb65803e0c4f970b

Download Submit
C:\Windows\SysWOW64\Npoeif32.exe

Filesize
55KB

MD5
3a63ce0e20eb5f95399bb4e46a4a7cc0

SHA1
e80e5d88de3df9389204eee0d5d365289188e5ab

SHA256
c816d6db73ac364cf490a76fba72d6951699d67e1bc4c1962c322d17633929f0

SHA512
3c6e6c0a3a33c226eb0264c6715c8e203a146183041b85be15c9a5a57b41c575ff9ff9d23db7dcf2b32357144029ed5e0bdb1b1cc738f0c664a04c6476337f6f

Download Submit
C:\Windows\SysWOW64\Ociaap32.exe

Filesize
55KB

MD5
e367e576dfd7c53c63fe3c501ac938f4

SHA1
91672f734aac69805fb7c54f61c4ac1bf812b6ff

SHA256
69fb1fe3b66a784946a6e7222c9609c7dbe61bbfd253f0e0aebc25fd15ecf8c5

SHA512
ffa162823f0c698dd5756d4f021fbee21c7e9f9e9c1c1db19a127e94c7ca752218a9fe4ba0aa994d2266ced5d4c0681c9532f2d82bab57ace4703c6dc8a29685

Download Submit
C:\Windows\SysWOW64\Odjjqc32.exe

Filesize
55KB

MD5
5255bc857935fd3909439bcbb9af7691

SHA1
941b6698768c40f3d2143bb6b2fa38610aab1922

SHA256
213c65f70728869d3081aff8273ab2b03fd5020f757a2f92a4d594714699451e

SHA512
a57c0aa88b86f377d7da5f4144ec841475e3d7c63ee0655b6dad4a06c5665d32c828d370ad1fc72a52ecd6054bf164b086b1a67f0f0f0f5b572851d0c12402f4

Download Submit
C:\Windows\SysWOW64\Ogbploeb.exe

Filesize
55KB

MD5
41473ac8d18d966baa3df4dce6ec137b

SHA1
043dc2c63f21db9043a675728848d194544014dd

SHA256
79854d00f1560bc2cf999c6ffc40fa240fe0e5bc2bc484f8f0ee77cf7a50360e

SHA512
ad59cc0b3b00f7a9028f1fd10a9472958f3d86ba75d0ecd4c8137e6eb8a06f18545c6dc486cd06256aed170a3ecb3a2d4a81a2a31816af93698e123591ebf8b9

Download Submit
C:\Windows\SysWOW64\Oloidfcj.exe

Filesize
55KB

MD5
f6c9dccb9bbc5a10c254901829f72427

SHA1
9149a952b639b9d603c3b8e528ccc40c7148ae05

SHA256
b5341710e6c8602c4e116fcee0e692fabefa4be456c3bf4c8f097b8883d0c772

SHA512
0a82c62c80dcd11271038405da0207cadbf21abdd9df5c06996c70835710f5247123357c707870c99552152e8766c3632941eca5a2b9078f3a55054b13a3cc9c

Download Submit
C:\Windows\SysWOW64\Pgdfim32.exe

Filesize
55KB

MD5
a390412666f23e437d455129d1be73b0

SHA1
78498ce686056a42f49cd37947e517055b7f45fb

SHA256
52d78190931ed5cb57e2be284300f9333140a0c3848be00897155b769372dd98

SHA512
ee734003a0914ac03fcb0410039f22f0c16d698e7af2224b97d9888e4ad549d91d79d5516a3a4a0984160cd9914364f9db33fb670b81245612c17eaf9bdcf071

Download Submit
C:\Windows\SysWOW64\Pnjejgpo.exe

Filesize
55KB

MD5
6437ccad4aa6c9116bb7d46770992f90

SHA1
bfb813904ca00e25e586e222d93c2f607c02bc81

SHA256
e7175e82ab253943c71de1c83103a161514ff2afa41eac5ffcc62c7377b37ef5

SHA512
837945c569c85c02d478c6daae33acb1dd2986cb4cf9e1f8d5878a483851c3be968b54ac9ff611e991022190bda244e321714d62a605ac82ed2bddf13d8a2871

Download Submit
C:\Windows\SysWOW64\Qqoggb32.exe

Filesize
55KB

MD5
0f158e9d1f9046e99a02b9cc72523209

SHA1
f5b6e679773161b1dca4c1fd3d6f1a28d3f3eca6

SHA256
60cd2f96624c07272ac0bd9066551b391eb2ed2ee7759cd56181d9b9ea8494a7

SHA512
37ebcdaca90244e2bb60dd847433d809b54970ddd2e941710bb7834c952a387226dfc048c92fe6cf5dbcee3365721949b2744abe108c23b02c49d56a56cd2766

Download Submit
memory/244-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/348-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/472-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-773-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/700-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/892-767-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/984-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-802-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1728-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-768-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-870-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-785-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-774-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads