berbew | f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455

Analysis

max time kernel
93s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2024 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe
Size

337KB
MD5

8a9e6d4e64909c9096b7003b4e2e344d
SHA1

2b690ba1c59fa12f88666d15812087f6e7ee38ae
SHA256

f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455
SHA512

31c6b6206734c21a1cb0bf970bd0919feece2d45c8b7e1bc5cd8b539910c0e8a541444d5e52d1c92c08b92fdc1fe1481c58e96935fbc3d032eb6b087e9f41778
SSDEEP

3072:OkBHm60oi+GnF6G7gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:XHmPoqF6G71+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeqhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnphnke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcppimfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcgopjba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmlcennd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leihep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndoked32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgfaol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopijpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopijpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfgfdikg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqfdac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebbom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgfaol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anjnae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepnqkai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpicgihh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldlehg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngonjqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpdklo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlqgkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgjhkjbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bncqgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Babmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnjejgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqijmq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deehkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpcioha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chlngg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhokmgpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdoclbla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfcmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Domldpcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjhcgll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndjajeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfolehep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acbmnmdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocmjlpfa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfgfdikg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bglepipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghdockp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpqihhbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgbodo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anedfffb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acbmnmdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afaijhcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjemgal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhjbii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngkjlpkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onqbdihj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aefbcogf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfakhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dffdcccb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplpmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlnpnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mplhdghc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bncqgd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
1484	Lpicgihh.exe
1032	Lbhocegl.exe
3428	Lplpmi32.exe
1104	Leihep32.exe
3972	Ldjhcgll.exe
2540	Lghdockp.exe
2772	Lpqihhbp.exe
3096	Ldlehg32.exe
3080	Mpcenhpn.exe
3020	Mepnfone.exe
1468	Mpebch32.exe
2992	Mmicll32.exe
3236	Mcfkec32.exe
4396	Mlnpnh32.exe
4952	Mchhjbii.exe
4500	Mlqlch32.exe
1016	Mplhdghc.exe
2800	Ndjajeni.exe
4448	Ngkjlpkj.exe
4844	Ndoked32.exe
3916	Nngonjqd.exe
1128	Ncdgfaol.exe
4276	Nlllof32.exe
404	Ofeqhl32.exe
3960	Odfqecdl.exe
1540	Ofgmml32.exe
1228	Odhmkcbi.exe
3124	Onqbdihj.exe
2632	Ocmjlpfa.exe
4912	Ojgbij32.exe
3984	Ocpgbodo.exe
1688	Pdoclbla.exe
2576	Pgnphnke.exe
2908	Pqfdac32.exe
2372	Pfcmij32.exe
4728	Pnjejgpo.exe
1740	Pcgmbnnf.exe
4456	Pjqeoh32.exe
4328	Pmoakd32.exe
4532	Pcijhnld.exe
4936	Pfgfdikg.exe
3504	Pmanaccd.exe
3112	Pckfnn32.exe
2124	Pfjcji32.exe
4408	Pnakkf32.exe
1460	Qdkcgqad.exe
3732	Qjhlpgpk.exe
3128	Qmfhlcoo.exe
4280	Qcppimfl.exe
2260	Qfolehep.exe
2660	Anedfffb.exe
4004	Acbmnmdi.exe
2120	Afaijhcm.exe
216	Amkagb32.exe
4968	Aebihpkl.exe
2164	Agpedkjp.exe
2628	Anjnae32.exe
3116	Aqijmq32.exe
3964	Acgfil32.exe
1292	Anmjfe32.exe
3360	Aefbcogf.exe
4904	Ajcklf32.exe
4620	Ambgha32.exe
1892	Aclpdklo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aclpdklo.exe	Ambgha32.exe
File created	C:\Windows\SysWOW64\Hmkpbinn.dll	Celeel32.exe
File created	C:\Windows\SysWOW64\Dhokmgpm.exe	Cepnqkai.exe
File created	C:\Windows\SysWOW64\Kngnfp32.dll	Dfakhc32.exe
File created	C:\Windows\SysWOW64\Mpebch32.exe	Mepnfone.exe
File created	C:\Windows\SysWOW64\Llegpbnp.dll	Mcfkec32.exe
File created	C:\Windows\SysWOW64\Leckmm32.dll	Pjqeoh32.exe
File created	C:\Windows\SysWOW64\Qcppimfl.exe	Qmfhlcoo.exe
File created	C:\Windows\SysWOW64\Egkjmb32.dll	f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe
File opened for modification	C:\Windows\SysWOW64\Lbhocegl.exe	Lpicgihh.exe
File created	C:\Windows\SysWOW64\Qieibhog.dll	Ocmjlpfa.exe
File opened for modification	C:\Windows\SysWOW64\Afjlqgkb.exe	Aclpdklo.exe
File created	C:\Windows\SysWOW64\Bappnpkh.exe	Afjlqgkb.exe
File created	C:\Windows\SysWOW64\Bglepipb.exe	Babmco32.exe
File created	C:\Windows\SysWOW64\Qhigml32.dll	Dmlcennd.exe
File created	C:\Windows\SysWOW64\Lbhocegl.exe	Lpicgihh.exe
File created	C:\Windows\SysWOW64\Mldkjlpl.dll	Ofeqhl32.exe
File opened for modification	C:\Windows\SysWOW64\Bebbom32.exe	Bnhjbcfl.exe
File opened for modification	C:\Windows\SysWOW64\Cnopcb32.exe	Cfhhbe32.exe
File created	C:\Windows\SysWOW64\Kkaejn32.dll	Chlngg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmpmpm32.exe	Domldpcd.exe
File created	C:\Windows\SysWOW64\Ldjhcgll.exe	Leihep32.exe
File opened for modification	C:\Windows\SysWOW64\Lghdockp.exe	Ldjhcgll.exe
File created	C:\Windows\SysWOW64\Eqjdll32.dll	Ncdgfaol.exe
File created	C:\Windows\SysWOW64\Ipgpnnah.dll	Pcgmbnnf.exe
File created	C:\Windows\SysWOW64\Jlfciocm.dll	Pfjcji32.exe
File opened for modification	C:\Windows\SysWOW64\Bappnpkh.exe	Afjlqgkb.exe
File opened for modification	C:\Windows\SysWOW64\Dhokmgpm.exe	Cepnqkai.exe
File opened for modification	C:\Windows\SysWOW64\Ncdgfaol.exe	Nngonjqd.exe
File opened for modification	C:\Windows\SysWOW64\Pcgmbnnf.exe	Pnjejgpo.exe
File opened for modification	C:\Windows\SysWOW64\Qmfhlcoo.exe	Qjhlpgpk.exe
File created	C:\Windows\SysWOW64\Cmpcioha.exe	Cffkleae.exe
File created	C:\Windows\SysWOW64\Iedoijdg.dll	Dmnpjmla.exe
File created	C:\Windows\SysWOW64\Lpqihhbp.exe	Lghdockp.exe
File opened for modification	C:\Windows\SysWOW64\Bccfej32.exe	Bmimhpoj.exe
File opened for modification	C:\Windows\SysWOW64\Cmpcioha.exe	Cffkleae.exe
File opened for modification	C:\Windows\SysWOW64\Pfgfdikg.exe	Pcijhnld.exe
File opened for modification	C:\Windows\SysWOW64\Pmanaccd.exe	Pfgfdikg.exe
File created	C:\Windows\SysWOW64\Apcmonfe.dll	Pfgfdikg.exe
File opened for modification	C:\Windows\SysWOW64\Afaijhcm.exe	Acbmnmdi.exe
File created	C:\Windows\SysWOW64\Imkppcem.dll	Agpedkjp.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjbcfl.exe	Bccfej32.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcji32.exe	Pckfnn32.exe
File created	C:\Windows\SysWOW64\Bmpjpg32.dll	Aqijmq32.exe
File created	C:\Windows\SysWOW64\Ecpakh32.dll	Anmjfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cepnqkai.exe	Chlngg32.exe
File created	C:\Windows\SysWOW64\Dnbdfk32.dll	Cepnqkai.exe
File created	C:\Windows\SysWOW64\Ddjemgal.exe	Dmpmpm32.exe
File created	C:\Windows\SysWOW64\Mmicll32.exe	Mpebch32.exe
File opened for modification	C:\Windows\SysWOW64\Mlnpnh32.exe	Mcfkec32.exe
File created	C:\Windows\SysWOW64\Gdgmla32.dll	Mlqlch32.exe
File created	C:\Windows\SysWOW64\Qghbgn32.dll	Aclpdklo.exe
File created	C:\Windows\SysWOW64\Epfkimfp.dll	Cmpcioha.exe
File opened for modification	C:\Windows\SysWOW64\Dfakhc32.exe	Dhokmgpm.exe
File opened for modification	C:\Windows\SysWOW64\Deckfkof.exe	Dmlcennd.exe
File created	C:\Windows\SysWOW64\Ejpimhhm.dll	Pmanaccd.exe
File opened for modification	C:\Windows\SysWOW64\Bjokgd32.exe	Bhqnki32.exe
File created	C:\Windows\SysWOW64\Caicdcpj.dll	Bhqnki32.exe
File created	C:\Windows\SysWOW64\Cdlhki32.exe	Cnopcb32.exe
File opened for modification	C:\Windows\SysWOW64\Danefkqe.exe	Dopijpab.exe
File created	C:\Windows\SysWOW64\Aebihpkl.exe	Amkagb32.exe
File opened for modification	C:\Windows\SysWOW64\Aebihpkl.exe	Amkagb32.exe
File created	C:\Windows\SysWOW64\Agpedkjp.exe	Aebihpkl.exe
File created	C:\Windows\SysWOW64\Anmjfe32.exe	Acgfil32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4776	2096	WerFault.exe	184

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhcgll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjhlpgpk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqijmq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfakhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmnpjmla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiaibap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgmml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amkagb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdlhki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmamdkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlllof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghdockp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlnpnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcgmbnnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckfnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdkcgqad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhqnki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deehkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhocegl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Domldpcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpdklo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Babmco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepnqkai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mepnfone.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bncqgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcgopjba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfjmkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmlcennd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agpedkjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgbodo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoakd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgjhkjbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccfej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegljmid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odhmkcbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngkjlpkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdoclbla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfcmij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlqgkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deckfkof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dffdcccb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpebch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqihhbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqfdac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnjejgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afaijhcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplpmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpcenhpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlqlch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnphnke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijhnld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgfdikg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmfhlcoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcppimfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chlngg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aebihpkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngonjqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anedfffb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npokka32.dll"	Cdlhki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodiig32.dll"	Dffdcccb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpoijjol.dll"	Odhmkcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffkleae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhfcmeh.dll"	Cegljmid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnopcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qghbgn32.dll"	Aclpdklo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epfkimfp.dll"	Cmpcioha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egkjmb32.dll"	f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpcenhpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbheqgmg.dll"	Qfolehep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqijmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbaibe32.dll"	Acbmnmdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bncqgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiaibap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lplpmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldjhcgll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onqbdihj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcgmbnnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oljcdici.dll"	Cnopcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnelogk.dll"	Ldlehg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocmjlpfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebbom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnphnke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdkcgqad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjhlpgpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjahhilp.dll"	Pckfnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlfciocm.dll"	Pfjcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfjmkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhigml32.dll"	Dmlcennd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbbokdl.dll"	Lbhocegl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohneobmn.dll"	Mlnpnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfcmij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjqeoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngkjlpkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfhad32.dll"	Bglepipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfdgnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmpmpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqfeclf.dll"	Cfhhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdkbie32.dll"	Dhokmgpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deehkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Domldpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkkiip32.dll"	Lpicgihh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mchhjbii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejpimhhm.dll"	Pmanaccd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojiefj32.dll"	Dopijpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Babmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bccfej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepnqkai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfakhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpqihhbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odfqecdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpdklo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onjjbpnl.dll"	Babmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqjdll32.dll"	Ncdgfaol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anedfffb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhqnki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhikp32.dll"	Deckfkof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnapigob.dll"	Cffkleae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnopcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmamdkm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 1484	4212	f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe	81
PID 4212 wrote to memory of 1484	4212	f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe	81
PID 4212 wrote to memory of 1484	4212	f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe	81
PID 1484 wrote to memory of 1032	1484	Lpicgihh.exe	82
PID 1484 wrote to memory of 1032	1484	Lpicgihh.exe	82
PID 1484 wrote to memory of 1032	1484	Lpicgihh.exe	82
PID 1032 wrote to memory of 3428	1032	Lbhocegl.exe	83
PID 1032 wrote to memory of 3428	1032	Lbhocegl.exe	83
PID 1032 wrote to memory of 3428	1032	Lbhocegl.exe	83
PID 3428 wrote to memory of 1104	3428	Lplpmi32.exe	84
PID 3428 wrote to memory of 1104	3428	Lplpmi32.exe	84
PID 3428 wrote to memory of 1104	3428	Lplpmi32.exe	84
PID 1104 wrote to memory of 3972	1104	Leihep32.exe	85
PID 1104 wrote to memory of 3972	1104	Leihep32.exe	85
PID 1104 wrote to memory of 3972	1104	Leihep32.exe	85
PID 3972 wrote to memory of 2540	3972	Ldjhcgll.exe	86
PID 3972 wrote to memory of 2540	3972	Ldjhcgll.exe	86
PID 3972 wrote to memory of 2540	3972	Ldjhcgll.exe	86
PID 2540 wrote to memory of 2772	2540	Lghdockp.exe	87
PID 2540 wrote to memory of 2772	2540	Lghdockp.exe	87
PID 2540 wrote to memory of 2772	2540	Lghdockp.exe	87
PID 2772 wrote to memory of 3096	2772	Lpqihhbp.exe	88
PID 2772 wrote to memory of 3096	2772	Lpqihhbp.exe	88
PID 2772 wrote to memory of 3096	2772	Lpqihhbp.exe	88
PID 3096 wrote to memory of 3080	3096	Ldlehg32.exe	89
PID 3096 wrote to memory of 3080	3096	Ldlehg32.exe	89
PID 3096 wrote to memory of 3080	3096	Ldlehg32.exe	89
PID 3080 wrote to memory of 3020	3080	Mpcenhpn.exe	90
PID 3080 wrote to memory of 3020	3080	Mpcenhpn.exe	90
PID 3080 wrote to memory of 3020	3080	Mpcenhpn.exe	90
PID 3020 wrote to memory of 1468	3020	Mepnfone.exe	91
PID 3020 wrote to memory of 1468	3020	Mepnfone.exe	91
PID 3020 wrote to memory of 1468	3020	Mepnfone.exe	91
PID 1468 wrote to memory of 2992	1468	Mpebch32.exe	92
PID 1468 wrote to memory of 2992	1468	Mpebch32.exe	92
PID 1468 wrote to memory of 2992	1468	Mpebch32.exe	92
PID 2992 wrote to memory of 3236	2992	Mmicll32.exe	93
PID 2992 wrote to memory of 3236	2992	Mmicll32.exe	93
PID 2992 wrote to memory of 3236	2992	Mmicll32.exe	93
PID 3236 wrote to memory of 4396	3236	Mcfkec32.exe	94
PID 3236 wrote to memory of 4396	3236	Mcfkec32.exe	94
PID 3236 wrote to memory of 4396	3236	Mcfkec32.exe	94
PID 4396 wrote to memory of 4952	4396	Mlnpnh32.exe	95
PID 4396 wrote to memory of 4952	4396	Mlnpnh32.exe	95
PID 4396 wrote to memory of 4952	4396	Mlnpnh32.exe	95
PID 4952 wrote to memory of 4500	4952	Mchhjbii.exe	96
PID 4952 wrote to memory of 4500	4952	Mchhjbii.exe	96
PID 4952 wrote to memory of 4500	4952	Mchhjbii.exe	96
PID 4500 wrote to memory of 1016	4500	Mlqlch32.exe	97
PID 4500 wrote to memory of 1016	4500	Mlqlch32.exe	97
PID 4500 wrote to memory of 1016	4500	Mlqlch32.exe	97
PID 1016 wrote to memory of 2800	1016	Mplhdghc.exe	98
PID 1016 wrote to memory of 2800	1016	Mplhdghc.exe	98
PID 1016 wrote to memory of 2800	1016	Mplhdghc.exe	98
PID 2800 wrote to memory of 4448	2800	Ndjajeni.exe	99
PID 2800 wrote to memory of 4448	2800	Ndjajeni.exe	99
PID 2800 wrote to memory of 4448	2800	Ndjajeni.exe	99
PID 4448 wrote to memory of 4844	4448	Ngkjlpkj.exe	100
PID 4448 wrote to memory of 4844	4448	Ngkjlpkj.exe	100
PID 4448 wrote to memory of 4844	4448	Ngkjlpkj.exe	100
PID 4844 wrote to memory of 3916	4844	Ndoked32.exe	101
PID 4844 wrote to memory of 3916	4844	Ndoked32.exe	101
PID 4844 wrote to memory of 3916	4844	Ndoked32.exe	101
PID 3916 wrote to memory of 1128	3916	Nngonjqd.exe	102

C:\Users\Admin\AppData\Local\Temp\f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe
"C:\Users\Admin\AppData\Local\Temp\f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Windows\SysWOW64\Lpicgihh.exe
  C:\Windows\system32\Lpicgihh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\Lbhocegl.exe
    C:\Windows\system32\Lbhocegl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\SysWOW64\Lplpmi32.exe
      C:\Windows\system32\Lplpmi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3428
    - - C:\Windows\SysWOW64\Leihep32.exe
        
        C:\Windows\system32\Leihep32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1104
      - C:\Windows\SysWOW64\Ldjhcgll.exe
        
        C:\Windows\system32\Ldjhcgll.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Lghdockp.exe
        
        C:\Windows\system32\Lghdockp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Lpqihhbp.exe
        
        C:\Windows\system32\Lpqihhbp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Ldlehg32.exe
        
        C:\Windows\system32\Ldlehg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Mpcenhpn.exe
        
        C:\Windows\system32\Mpcenhpn.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Mepnfone.exe
        
        C:\Windows\system32\Mepnfone.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Mpebch32.exe
        
        C:\Windows\system32\Mpebch32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Mmicll32.exe
        
        C:\Windows\system32\Mmicll32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Mcfkec32.exe
        
        C:\Windows\system32\Mcfkec32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Mlnpnh32.exe
        
        C:\Windows\system32\Mlnpnh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Mchhjbii.exe
        
        C:\Windows\system32\Mchhjbii.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Mlqlch32.exe
        
        C:\Windows\system32\Mlqlch32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Mplhdghc.exe
        
        C:\Windows\system32\Mplhdghc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Ndjajeni.exe
        
        C:\Windows\system32\Ndjajeni.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Ngkjlpkj.exe
        
        C:\Windows\system32\Ngkjlpkj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Ndoked32.exe
        
        C:\Windows\system32\Ndoked32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Nngonjqd.exe
        
        C:\Windows\system32\Nngonjqd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Ncdgfaol.exe
        
        C:\Windows\system32\Ncdgfaol.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Nlllof32.exe
        
        C:\Windows\system32\Nlllof32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\Ofeqhl32.exe
        
        C:\Windows\system32\Ofeqhl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:404
        
        C:\Windows\SysWOW64\Odfqecdl.exe
        
        C:\Windows\system32\Odfqecdl.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Ofgmml32.exe
        
        C:\Windows\system32\Ofgmml32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Odhmkcbi.exe
        
        C:\Windows\system32\Odhmkcbi.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Onqbdihj.exe
        
        C:\Windows\system32\Onqbdihj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Ocmjlpfa.exe
        
        C:\Windows\system32\Ocmjlpfa.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Ojgbij32.exe
        
        C:\Windows\system32\Ojgbij32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\Ocpgbodo.exe
        
        C:\Windows\system32\Ocpgbodo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\Pdoclbla.exe
        
        C:\Windows\system32\Pdoclbla.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\Pgnphnke.exe
        
        C:\Windows\system32\Pgnphnke.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Pqfdac32.exe
        
        C:\Windows\system32\Pqfdac32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\Pfcmij32.exe
        
        C:\Windows\system32\Pfcmij32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Pnjejgpo.exe
        
        C:\Windows\system32\Pnjejgpo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\Pcgmbnnf.exe
        
        C:\Windows\system32\Pcgmbnnf.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Pjqeoh32.exe
        
        C:\Windows\system32\Pjqeoh32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Pmoakd32.exe
        
        C:\Windows\system32\Pmoakd32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\Pcijhnld.exe
        
        C:\Windows\system32\Pcijhnld.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Pfgfdikg.exe
        
        C:\Windows\system32\Pfgfdikg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\Pmanaccd.exe
        
        C:\Windows\system32\Pmanaccd.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Pckfnn32.exe
        
        C:\Windows\system32\Pckfnn32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Pfjcji32.exe
        
        C:\Windows\system32\Pfjcji32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Pnakkf32.exe
        
        C:\Windows\system32\Pnakkf32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\Qdkcgqad.exe
        
        C:\Windows\system32\Qdkcgqad.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Qjhlpgpk.exe
        
        C:\Windows\system32\Qjhlpgpk.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Qmfhlcoo.exe
        
        C:\Windows\system32\Qmfhlcoo.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\Qcppimfl.exe
        
        C:\Windows\system32\Qcppimfl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Windows\SysWOW64\Qfolehep.exe
        
        C:\Windows\system32\Qfolehep.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Anedfffb.exe
        
        C:\Windows\system32\Anedfffb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Acbmnmdi.exe
        
        C:\Windows\system32\Acbmnmdi.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Afaijhcm.exe
        
        C:\Windows\system32\Afaijhcm.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\Amkagb32.exe
        
        C:\Windows\system32\Amkagb32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\Aebihpkl.exe
        
        C:\Windows\system32\Aebihpkl.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\Agpedkjp.exe
        
        C:\Windows\system32\Agpedkjp.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Anjnae32.exe
        
        C:\Windows\system32\Anjnae32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\Aqijmq32.exe
        
        C:\Windows\system32\Aqijmq32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Acgfil32.exe
        
        C:\Windows\system32\Acgfil32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\Anmjfe32.exe
        
        C:\Windows\system32\Anmjfe32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Aefbcogf.exe
        
        C:\Windows\system32\Aefbcogf.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3360
        
        C:\Windows\SysWOW64\Ajcklf32.exe
        
        C:\Windows\system32\Ajcklf32.exe
        63⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Ambgha32.exe
        
        C:\Windows\system32\Ambgha32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Aclpdklo.exe
        
        C:\Windows\system32\Aclpdklo.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Afjlqgkb.exe
        
        C:\Windows\system32\Afjlqgkb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Windows\SysWOW64\Bappnpkh.exe
        
        C:\Windows\system32\Bappnpkh.exe
        67⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\Bgjhkjbe.exe
        
        C:\Windows\system32\Bgjhkjbe.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Bncqgd32.exe
        
        C:\Windows\system32\Bncqgd32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Babmco32.exe
        
        C:\Windows\system32\Babmco32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Bglepipb.exe
        
        C:\Windows\system32\Bglepipb.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Bmimhpoj.exe
        
        C:\Windows\system32\Bmimhpoj.exe
        72⤵
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Bccfej32.exe
        
        C:\Windows\system32\Bccfej32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Bnhjbcfl.exe
        
        C:\Windows\system32\Bnhjbcfl.exe
        74⤵
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\Bebbom32.exe
        
        C:\Windows\system32\Bebbom32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Bhqnki32.exe
        
        C:\Windows\system32\Bhqnki32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Bjokgd32.exe
        
        C:\Windows\system32\Bjokgd32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:984
        
        C:\Windows\SysWOW64\Bcgopjba.exe
        
        C:\Windows\system32\Bcgopjba.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Windows\SysWOW64\Cffkleae.exe
        
        C:\Windows\system32\Cffkleae.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Cmpcioha.exe
        
        C:\Windows\system32\Cmpcioha.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Cegljmid.exe
        
        C:\Windows\system32\Cegljmid.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Cfhhbe32.exe
        
        C:\Windows\system32\Cfhhbe32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Cnopcb32.exe
        
        C:\Windows\system32\Cnopcb32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Cdlhki32.exe
        
        C:\Windows\system32\Cdlhki32.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Celeel32.exe
        
        C:\Windows\system32\Celeel32.exe
        85⤵
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\Cfmamdkm.exe
        
        C:\Windows\system32\Cfmamdkm.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Cabfjmkc.exe
        
        C:\Windows\system32\Cabfjmkc.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Chlngg32.exe
        
        C:\Windows\system32\Chlngg32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Windows\SysWOW64\Cepnqkai.exe
        
        C:\Windows\system32\Cepnqkai.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Dhokmgpm.exe
        
        C:\Windows\system32\Dhokmgpm.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Dfakhc32.exe
        
        C:\Windows\system32\Dfakhc32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Dmlcennd.exe
        
        C:\Windows\system32\Dmlcennd.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Deckfkof.exe
        
        C:\Windows\system32\Deckfkof.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Dfdgnc32.exe
        
        C:\Windows\system32\Dfdgnc32.exe
        94⤵
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Dmnpjmla.exe
        
        C:\Windows\system32\Dmnpjmla.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\Deehkk32.exe
        
        C:\Windows\system32\Deehkk32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Dffdcccb.exe
        
        C:\Windows\system32\Dffdcccb.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Domldpcd.exe
        
        C:\Windows\system32\Domldpcd.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Dmpmpm32.exe
        
        C:\Windows\system32\Dmpmpm32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Ddjemgal.exe
        
        C:\Windows\system32\Ddjemgal.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2972
        
        C:\Windows\SysWOW64\Dfiaibap.exe
        
        C:\Windows\system32\Dfiaibap.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Dopijpab.exe
        
        C:\Windows\system32\Dopijpab.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Danefkqe.exe
        
        C:\Windows\system32\Danefkqe.exe
        103⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 408
        104⤵
        Program crash
        
        PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2096 -ip 2096
1⤵
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acgfil32.exe

Filesize
337KB

MD5
62eb6c11829f3be07c53753f0c7658d0

SHA1
bb243bcd88a4cd5e57068d43333e1254f702e24b

SHA256
107462d8738eca320409cc368c31c3f906365dcb62ed9967a21da8c492be9733

SHA512
e4477106a99fd9835728a9c7de2b1313dd71721d07319f63a953c4f3be861e2d969274aabd0c5b5c3a4bbd6c4e8e384ae81c4497246b605e481204f62b0d0178

Download Submit
C:\Windows\SysWOW64\Aefbcogf.exe

Filesize
337KB

MD5
2834ae0d52deb5ba76e9bb1fb0c9e98d

SHA1
49f5f0db8d1364832f98fc60329afcd0765ef7b6

SHA256
6567b37bec3ffd2da56fe23bf9356b09ff14a494106ae108a1f7c82bc4c28a18

SHA512
847dc40c3a9c51332fbe542ffb45db70d13e258aa51467b5bb81b209a45b2d4c04372b941069103e3e71717b59f687614d7db6f471b1344bfaf2b343eb059bf9

Download Submit
C:\Windows\SysWOW64\Anedfffb.exe

Filesize
337KB

MD5
2f982fc5a7c31521f05c056d8a8ab5f2

SHA1
9f680f79d7fe02c2f1dae75f448b493812f5cf5a

SHA256
1bbbe231092a8d6c806d34669527a7e2c8d4ee0194122471e8a2a162ce4092e4

SHA512
243db22b94be027edc1bf7031dce4df86bdd33d9dcebc13e4ed220a665ab64849048757cc09b214eec68b827f70d75c08a326076cf6b06423d7f16560ce22cfb

Download Submit
C:\Windows\SysWOW64\Anjnae32.exe

Filesize
337KB

MD5
54a205cb85633d85aea053ccf8f8c5c8

SHA1
5c73f8d2d488c4fcb14d994d7006d56e592ec720

SHA256
34ce927386aea653bf31377feabebf4b27cff385535455e3dbdbed298d233a53

SHA512
c006a8ce11841494c17567ff49b8d5e50569259acf04f93000c4c3da9d4be234180caaa755d94eaad69957f65681bd033acb7cd8cc70e2c67ca678693efadff2

Download Submit
C:\Windows\SysWOW64\Bccfej32.exe

Filesize
337KB

MD5
5367eeff65f9532634019b1aafa9e731

SHA1
71984d0ff9463a33dfbc8b2f3cb8a240ad721075

SHA256
7defc85c2e9bcee01ba537eb3df6c4f13f6ae28f11215221b4a3636dca7e022b

SHA512
aa082d5bdc89e631c4647250794746e43fb9bf4f8778a7d2fe12394668bec7d2b8dfabe7859c1e7c89dece4d77cf1a83a6d804988e5a5ebb3ed2aee5e5645306

Download Submit
C:\Windows\SysWOW64\Bglepipb.exe

Filesize
337KB

MD5
8e94712ab39627f9a0831bf0ca1a6a62

SHA1
bbb4fb5358bbacacc2bbcdd8f772b9d5d7ae1c53

SHA256
6e99acd27805779a1f05514ae877dd89bdb7c669c56ba6ebfbb384b26d677886

SHA512
c738210f9ac697f326e8887bacd06c601faf64f6d55853862a5bea1f1f1162850828b858a13febb923604b5fda7255546ffde857b8e031b5fc19cda6ca1daf88

Download Submit
C:\Windows\SysWOW64\Cabfjmkc.exe

Filesize
337KB

MD5
294b42bd4204a48f352cc7be9ca4230a

SHA1
6d63e17d3c02a2e1b5ae0714d6863a49b2388229

SHA256
0b8a2b9bda220d690f17ed056e85a94d2c4d8601b273f7969377ef440274bd69

SHA512
482f77cfcb78557b5a93d0d1339b47fd09cf1ee7b086071dba61e9a83b79fccf58c96434bb8d8af1a77e51bfb2458c92322cec54888f9301b2b6d9e273f87c69

Download Submit
C:\Windows\SysWOW64\Danefkqe.exe

Filesize
337KB

MD5
ef4a562e54a6710d453cb0bd11690a5b

SHA1
ff4a9037f53c34e0c4164473164b7af0fa82e4ef

SHA256
1ae7cb9f93ec23ebdd414009a904727dcc8285a3315230782b799ae1e21825f1

SHA512
2dcda2d5907f5e2507437166766023aa63813a5eff3eff96b2fdb863aa72c7870373da9313106492b227c1a88e3ac4a0b760b5d786a190e67c514a060aa0505e

Download Submit
C:\Windows\SysWOW64\Ddjemgal.exe

Filesize
337KB

MD5
da432121642359507e9af9365061d364

SHA1
c8d7860853c3dc1d050f92016d6103352de0c329

SHA256
60512e970698e1518cc691922d468bbbb704849b772ad85b7b77ce07b318b9c9

SHA512
289737d9adb60a4f3c3e11fdf8973a68f1bbf4a0f1f60283fd8c924e042060ff177987290af6245b8c36cae35fbd7d93b3ff7738e0527766ca3c9c7510af73df

Download Submit
C:\Windows\SysWOW64\Dfdgnc32.exe

Filesize
337KB

MD5
7d1740f3c0b81f848fd52557096268f9

SHA1
0be65781893e49eb6a6edfbb3032506d5410227a

SHA256
1418fe6189850b9e59870cd4f7739db514c1d83bd446434a24d867de7fdb735f

SHA512
87848fed96ff87cb830e7c6448b87403d1a3612a7aeb875d53bbce168bf2321af847cd24d0820a392f53f045147b3985b5f6dc9a3dd58826aacfd905490fb7b6

Download Submit
C:\Windows\SysWOW64\Dmlcennd.exe

Filesize
337KB

MD5
db89957dfbcb0ac7ee4d98c3e0059347

SHA1
d3600a45328c7024b0004eb219be8b2cedb025ec

SHA256
51efa2d5ba09e64891606f8400e2ebbd8e0787e0632571aa5c85dc2a19773445

SHA512
f42c62f4a93655602116d78c5ae532c281b131b7bff0ede37b14ee72078390e44d04609afd9b366fe2ad27e825e2d569b8f82be7b500e54767ac5edcd4ab5e67

Download Submit
C:\Windows\SysWOW64\Lbhocegl.exe

Filesize
337KB

MD5
6a1a5096785f0e2c254c6e70ab14d4a7

SHA1
4a7f318771d85c391c15a84ffa2a137e1164d575

SHA256
90590c8996a5f5ee3f473421d393ff0df9339579a2031d1eec0f6651b2096548

SHA512
5af8927516bb0b21edc542fcd8de3c2ec49db03ef3e9c71add6a16befc30db092330d1a41e57e7aa2992809eae4ece5ce90f7de94d6b5c28b5d4ad65e7570a90

Download Submit
C:\Windows\SysWOW64\Ldjhcgll.exe

Filesize
337KB

MD5
eac7a808f22b6d6935812f699c837eb3

SHA1
31605aaf773034751383b88031ef8b4c318f05e3

SHA256
8036aaea600143dcedc3e41258dd2c41fc6228beff4d12992a6ece32117e79bf

SHA512
0f4570f906fbc3bba8bd158c002adb530405d58b732ed1e842abb98f9441e424743eae19f32c830947176fcfdf076be5f71a3b38b68c23a973fc3ff40026ea38

Download Submit
C:\Windows\SysWOW64\Ldlehg32.exe

Filesize
337KB

MD5
a7b9e5842db470cc06c6691b0ded220e

SHA1
8e7998185fbdf570e240be98a23cde14ebbed1ea

SHA256
7c069fd6cbe4b109fd44ca894ffbded89657e8b0fa7d137607d8123b0bb9a4c0

SHA512
276acc5e4abba6052387ff700c98a2cba8884dabb0793ff1b4b09c7ae3c681154379e7a18107cedd849b8212adcf0f8a1d6775a05ea9504ad0287c1dcf9d98ab

Download Submit
C:\Windows\SysWOW64\Leihep32.exe

Filesize
337KB

MD5
d1462f7bbbe840fd464478b1e556a9f2

SHA1
c25085012df4a4dbdf34af2010b8f0c6384849ee

SHA256
af4823ed55fb782f1303e198d95febbd9f58295c901ce85f66bb89a23f126d33

SHA512
63a5ed94186e9f678b9b664c8698764a316be73d49cc56a1efd2c6cdb6a73721dd3c49db20713ede21e738d93133e5b0dabc086c964ccde7000acc511ff5d080

Download Submit
C:\Windows\SysWOW64\Lghdockp.exe

Filesize
337KB

MD5
d8fae1308768c8469ad56bb64dc07c0f

SHA1
3d6339c26c433c440fcada12cfe7a1346c4c3e33

SHA256
cea4428249af9d7ebb133260bc4591b2771c82553c7f632dbce59d5d14515cd4

SHA512
e025ef4f179d2b65bc1e4c4bae538c5446e608bed4b1532dc248c557947b2c6945c2b8c909d5f178aa6c93496a8eb7e391a1b43db9d45055cbf092f9c0563a27

Download Submit
C:\Windows\SysWOW64\Lpicgihh.exe

Filesize
337KB

MD5
cd2b6cc669ba5aa9156a7b8dfdba7869

SHA1
2cc908c4565ee1d1ce897dfa49660cdbab21df21

SHA256
9fc6d24f281444a46a860125b72b94a76656f01b7d909339c4533114bf90ceb4

SHA512
1c6cb4ab2208d3c59b09b0217b61ba9e2aec5633f0923ba65710dfee8459b3371066359510d31e69037e3436a0fb349f08d86a5f824d24abc70ca6398c8f63ed

Download Submit
C:\Windows\SysWOW64\Lplpmi32.exe

Filesize
337KB

MD5
b686ccf7399837d38e3664168d339efe

SHA1
965e512e0315113f463a919f88f523839a389ac7

SHA256
acb7fb2a4556932e093cb5b6d34ee67707b31baee65c11f2be21867cfca761a0

SHA512
013e73e55a367a13b4a158e84c10277d36e01c8ee9a42b2d6cd1f3f18547b3ee3520f461b6ba011fd6f24ccd83adbcc69b928794fa899c72732c71b8e3eac845

Download Submit
C:\Windows\SysWOW64\Lpqihhbp.exe

Filesize
337KB

MD5
71976f5481722ee6e9a8ce31665049f9

SHA1
2074d16586a927b2b0cc10210eed73b6aba0f801

SHA256
ca858261a2b524194a8f966b8f00102020436ca27498fa0d3d56f35b704f2041

SHA512
b7e21fcc38674d0cb40d2482dae8fea1e419eade5506f9ffc4d3a2427511549066d77762a561d433d7afbe1aa12a06f7ae46531d7d82891f404bdc37541fb5b4

Download Submit
C:\Windows\SysWOW64\Mcfkec32.exe

Filesize
337KB

MD5
71e4f64c61fa771f3b5678d841596897

SHA1
186c49a6b7fde8966d1707263f52c7a88db1dff3

SHA256
7e390784159fd73d6736664145edb9eb00de7c8eaab0a1df6d71ecef414e2d51

SHA512
34e619ce046a854fec32f1a8b3f04124a00db2c414c8943dc49594bf63bce580c3e668df839c6aa278137dbc7a66328ff6a54c2198f4bd928a9b03d8bb028ea0

Download Submit
C:\Windows\SysWOW64\Mchhjbii.exe

Filesize
337KB

MD5
2eeafa49174f718e5c793c90ec63c305

SHA1
6b9e176cb45a0403dc939408e14d41b076268ae7

SHA256
1fc5e63b26d618d736aeb48e09da7dcc9365549ecf79e267782654161eefde2c

SHA512
12e117bf772f0cbdad20927eea114c9f4a47439f812ccb6c0f62969c0e3481070a88833ba0eaf380a5cbecb7a25cf6b2af8ce38893fb3b943095f35efa606d9d

Download Submit
C:\Windows\SysWOW64\Mepnfone.exe

Filesize
337KB

MD5
1855b721ee85197bf183889509c9a517

SHA1
7e2bf3a55a77f482036aec5806fd26eb3872e9c5

SHA256
aa55db984fc0ec60565f6f976cfab26a10b1930531c5cd5630c47fb5ae7da07d

SHA512
60ef132c2062fd4f59f78a96a3474186eaf917a988efd63e251e9750993e8e8934546017e5b2f63519b8d911632c53baa7e0f17aea8da7605be015b7c2450d09

Download Submit
C:\Windows\SysWOW64\Mlnpnh32.exe

Filesize
337KB

MD5
a6baf933dc65814954abf337d76d992b

SHA1
1059b14478a05e9d50ff2d7600bfdbff1d13bbb7

SHA256
09bb9f21e03046cf473f10fc1a08b0145023d462329fd08627845a8170053e9b

SHA512
7016d2f5a7007082fe2004877939ab1349dc52cdd2f77421c62747926d393e52f9df18b38a7e72203baec93b47ee8db5ddb5647d1a278c80b34b25daf953834f

Download Submit
C:\Windows\SysWOW64\Mlqlch32.exe

Filesize
337KB

MD5
83d9bd556ec51ee206871950c1170bd3

SHA1
07fa6cdbc5e02b495a8988f1ba392f359eed0a90

SHA256
18680408ae7d93413e4ea0170b118ddd5c12430343ae9dbf1894e876c96f44a6

SHA512
fe661ec25a59d4056222252fd3715039dcc802b578a30852e8d8323c5ba84153ca8f0168a9b573098aa19c71ae6205cc2ae7f4be43ecd271b400417e0722a577

Download Submit
C:\Windows\SysWOW64\Mmicll32.exe

Filesize
337KB

MD5
64ef44a7c518df68424f94ce7800ef96

SHA1
ab5d89fbe8b068a541a12b43fb190b73625f4050

SHA256
e17625901d5b395267ce3542d7f15bdaab08a1a306b86f53e0b20098814097fd

SHA512
03ef0cd40d7cc6ee446c093a33dd7d97a1882713410eb830f22817ee7ca7e9d49dc38ddc9aeb097cb5897d58c853b70a2549fc8d6c6a9c38ee8269f0a97606be

Download Submit
C:\Windows\SysWOW64\Mpcenhpn.exe

Filesize
337KB

MD5
c113a9a5251840988212ae9ce1c0d5b2

SHA1
ec3d96376eb796af63b5855c6f77e54c26a85888

SHA256
8c5ae0c044441abab47409a47c492661a2f4f4c86531950aa66a08bababd3c4b

SHA512
2ac490167f2a64a57fe702a79c276c8cb48aeb9de90960ae8a2eaca987ea5abe3dce98d0fd956db204206dc1d9cb80e4c919798b2a1fc6c23b1e77a5776a25d6

Download Submit
C:\Windows\SysWOW64\Mpebch32.exe

Filesize
337KB

MD5
d3169365dcc7aa8230c12720aa332ed0

SHA1
a6f47c28bc06a393bf4b3658b6e1d8a0b2cd0598

SHA256
a8a6d340b0571d25ef835246d2d88ea8ed66fd532a2b7cc40d20742582e6f29d

SHA512
39a718e3effb40bfdcf7b293588824af6a21f7593d7c9c6693891fb690fde212499ce68e11f4f67cabbf43f818975951d6d85eb6197e2e8aad4009de47807237

Download Submit
C:\Windows\SysWOW64\Mplhdghc.exe

Filesize
337KB

MD5
d84ff8076126e9b1801e469393a3a286

SHA1
009c584604caebefbb20ce482c2538a9824743b3

SHA256
7661f33b15d2f3460aba307ee7ae5722c7f3a2aedb09205540e77ca81506f50f

SHA512
bff0737cac6a3d97a07e35567ad71a6b9e5314ea7512689241e54f7da338faf799c76832dc28d4e9ce10e5596fab8d016c4937750d0f1494e11706d082c7a133

Download Submit
C:\Windows\SysWOW64\Ncdgfaol.exe

Filesize
337KB

MD5
8130f22094304687c174a9490db0aefc

SHA1
81c1ace84e289645f8217c4420307eb2e131d815

SHA256
51faa2bdabbc720fe72c710e606bfe66f8622a771254ebfc13ac84b60fee0b84

SHA512
26ad3c48b509d7e6b161b5042bcbba4e410448f522ec13b8e70f4aa5792529b558041b5e2d9ec8061d25aab540089ac412e499775b7f8f3d1238aee0c2ff4823

Download Submit
C:\Windows\SysWOW64\Ndjajeni.exe

Filesize
337KB

MD5
d44fbd0c75abeaa977da28a624a5c0f4

SHA1
4a7b6efc3ccc4a0b2536d8e2e869c7aa74995c76

SHA256
fc3043811c1045950d111d2204b0a43ce457e4e2baad00b9c2fa219d7d13edf4

SHA512
f3280b22d782cbb6d39ea42588d34010fd58b39d09736b9329b48dbf7d859cc02aa710e53aeead657f1feb435a1cfa94b2ad3f206479d9520a04f3af8aff4b03

Download Submit
C:\Windows\SysWOW64\Ndoked32.exe

Filesize
337KB

MD5
ea8b9f0278642f3a37464080592772ac

SHA1
1c33c8eccec1e23c2563b767b4fdac5f8e43454e

SHA256
51793cf1389987d0c171409e667dccc5b0ea73c7c7c6f8d77d9737654f1a4eea

SHA512
1e7310fc7b3600bc5f7068902ecb582e3a55e70fdb04574a1fa97eaecf6968c178ba2d7488ac10157d10d5b981383a240bc8aaf1386a0e14cb58959df8a53ce3

Download Submit
C:\Windows\SysWOW64\Ngkjlpkj.exe

Filesize
337KB

MD5
6306b99ac77a1e4ad528384a7aa027f1

SHA1
49a265fbe13cf5130518ff3ff36386cbffc7fcdf

SHA256
21a9db1ffa444fa39aa5daffa3cac52022a6d3c72cfe8fc3d627bfec3070824d

SHA512
8b396c1b3806c2ec0ce20bc0e0bc5fca599a2d33168124bf6e4ec1ca0c999a03f5e64f36c6fe2085ccad46e1d737518a87573959b6a280ba2f6f7b2dc9610a2c

Download Submit
C:\Windows\SysWOW64\Nlllof32.exe

Filesize
337KB

MD5
3a38992ee2aa9ed3d66737e24b156383

SHA1
695513298397e164d5db5672fd22f161d127270d

SHA256
985020c2dbea8f96fdb8a6e9c042b9f076cb5ee74c7c7a1e78273b61417ccf70

SHA512
a7fec249527d47472bb405036074b533883d1f6991e12b830eef294ef55062da203aa61a6c485fd4ecd7424d8a7d78623d650cdc3ce9d0f9b47c378ab3f545d0

Download Submit
C:\Windows\SysWOW64\Nngonjqd.exe

Filesize
337KB

MD5
c5c2d7bd006473d2805ff4062f983eaa

SHA1
f5e973ca5b47bb20ab09f596a121ee7326a1c96a

SHA256
5a76e703c8e9fca49774ad102190da56ebef22c74800409452f56032c8e27bf1

SHA512
a3134b00493e072373c9a793d1e19def533fa370aca576f8d75e8ef70fa88ce1be8db7ed4da39f87f98933adb5421b9366201a31a5ad156877a43646d2c13841

Download Submit
C:\Windows\SysWOW64\Ocmjlpfa.exe

Filesize
337KB

MD5
1269d85382f2962c6051f690c7ab3c8a

SHA1
a054825dd4fc23a0b0087f1cfe4da3fb3825d4e2

SHA256
51bd9c2a5aef25063479922f194ee7683340c3fe1b3288f459d83d32212ca437

SHA512
69e7a78b39705464c9071750443cda14e2b34caf0430190a4ccebbf0101581f5dbf097182307c91a2d923716d76b9ddb9de07c85ff3842e7629bb6c8572855f3

Download Submit
C:\Windows\SysWOW64\Ocpgbodo.exe

Filesize
337KB

MD5
67b5e3fce39b3b18536831edc47bbc76

SHA1
d8f0e9e69c4e313edd32b1aba878f4f3c548f9bc

SHA256
9466183d3cb89e4e1a293e00328e69c67132dbe465bdca229af3c71f51692aa1

SHA512
0bcc2ba53895d891882b2ade5a7fe5f3ea431830282a4d3195c2f4baeb075715d7b5c48f7a76388935c5f6017d7d3576fa4a89416ee97e50bb248f3654c446e1

Download Submit
C:\Windows\SysWOW64\Odfqecdl.exe

Filesize
337KB

MD5
8731a0bfd409b53f5b66af6f08ac8847

SHA1
6b703b768a4028abaa1a648428e4bc4d04dc8a12

SHA256
7770b84c1b4ab57e02321c4df500811d163f3b4a4341f750947de55e18b30942

SHA512
554e86db56c95788add71a2c4a28bc945399306b912c24e93fe8b1c2cd059914ea40e5b2ab6966942673bdec04214d5ea031f4567efc051943bc3665a4097ceb

Download Submit
C:\Windows\SysWOW64\Odhmkcbi.exe

Filesize
337KB

MD5
d112b9f3e40cd4db93f8c6ef896f573f

SHA1
cc4d9c83c923f10d3dbbf9aa354bf82b9effeee6

SHA256
49d2927eb802b9f1aa359e34a91f6affa63be37d9f97db49ed48f8a97ba23a1a

SHA512
5e67aea120777728c565f63922087871c2b45e54cb2c74c3094ee199938714ca93c13030c0cc5a6565e6ab7ecc6a1707eadc42fb2ae53b907fc12cb537dbf857

Download Submit
C:\Windows\SysWOW64\Ofeqhl32.exe

Filesize
337KB

MD5
0df04533b659069d73a26f0faba40e9c

SHA1
39fbd47a71bdbda9f066c2a012d5f10b7c9ce5c6

SHA256
c2700051ee06e31f411a83fbfb9848306ed03aead86b805ff4a6c61863d809c4

SHA512
39156c0055d89e9156858adec4c6fe93a049fb82ceeec17e270d217b7a6c60ef0b74d380e9606cb56b279e546ff1023faf88d1f6fe55fa032d96b77b8e96d7b4

Download Submit
C:\Windows\SysWOW64\Ofgmml32.exe

Filesize
337KB

MD5
7efe0052d8dce2ac2a1c134646790f4d

SHA1
48a684b1d1287bde35ab7ea81965d1faa1366e06

SHA256
7608a73342c46ba2cab1f5b1c9b11f4584d7f80656f9a21b0b58126f0cfe9dc8

SHA512
f587417ddeb08f6d8aeb5c2a9cc240a2e0fbd6dcd23c926225976d25642e2c6206ad5223d096ce1812c4cce2761d9e7db95a99a016c8db5053a8652e11456025

Download Submit
C:\Windows\SysWOW64\Ojgbij32.exe

Filesize
337KB

MD5
61b0eb862bf04f436e8d7d2df98c54c9

SHA1
962170d6523750c285222c058c31939d11df1718

SHA256
aa7bf81c3e605c0b55d0bb7071b089058c4100c6dd97ee622c5632fa48b84dcd

SHA512
3c6406b7a9b5f88c185b934d7c6cbb3b1da23fbe2e533859a10dd75a19f989166e2587ef7d6d2e14830bf8c7c710c767e85e7e941632556fa5761155892f88f8

Download Submit
C:\Windows\SysWOW64\Onqbdihj.exe

Filesize
337KB

MD5
959d5395125668545897c58c43baa10c

SHA1
237c425e06e068296b73073aa55435969532662b

SHA256
1259dc547d53697dcee644ee02455e71ceea92e79d4882738c0659bdf6fc51f1

SHA512
3a859c49345ce253b1b834047ba4c20fe64eb3c69f5dac6cf5a1a0678973f6ede20e61eee92cb8a78830876757d7291b0f7dfae44cfb3786e612d6e40ccc90d8

Download Submit
C:\Windows\SysWOW64\Pcgmbnnf.exe

Filesize
337KB

MD5
e9aac9ad20a99dd79eec25b6cd361263

SHA1
933ae882f4e80ebb136d188ad63c202656a70fc3

SHA256
844c86c6c573b9d9a3aec820c26b871f0cb503dd6a90a320fb210866ac1d7d1d

SHA512
26553e7652fc8edfd4adcf6818d05c06f30cc594711278faa9bf4187fa8494961f29bc36431360004f4c5efcbf5b9308fd4df2daecbee380cf5580c10fafc2d7

Download Submit
C:\Windows\SysWOW64\Pdoclbla.exe

Filesize
337KB

MD5
6e338dfd6d19c89032de06ca3d631ed7

SHA1
ea7258b2585ea65dd73a7685668671fedba779c0

SHA256
6b60e9bb4f1935ca1e0e0590028b7d7aa111d8961df691dddc662809d51b8c99

SHA512
0f7d308ab56ee6ca56bcea3e0c8ce5daf2f9cba853f7d92d4ccfa414f106838079cd5b7f219a779ffce9ede451babe5550e04be6b31322eb9b8e0eb86d769aea

Download Submit
C:\Windows\SysWOW64\Pmanaccd.exe

Filesize
337KB

MD5
cdf96ab5cdce195259e05d0d801b918c

SHA1
7178b99351b9a38d3576a4b4b3c7f2b2ade9e5c7

SHA256
3bb791cfb7dbadc240fddbcd21ffdaca11577dc6a99cab8e9aafb9e9cd3c9fb1

SHA512
90b3c427daaa2f964a8575e95daf34e452af55827e85250ce66ac7fc45804b07d493502361bb94f4bba6ea69b0f5a610103b1c5e291bbc1a652acec5ef1a4ca4

Download Submit
C:\Windows\SysWOW64\Pqfdac32.exe

Filesize
337KB

MD5
bf1a53ffdda62b1b1d9685b3110adc05

SHA1
af8140e372af691f7c1d24c448a3eddb58a0a95c

SHA256
7336cf17f0c44077056ed5c8fbea6ade0b22d0b87bde501c8aa812ead5646809

SHA512
e2eb66bc1efcf4c6eac86f0071124eaaf2ee6bde187304915372fcdc630eaa37fa663b95723e9864286412ecde0d7bb9076111debe40997c9234cf6907961f08

Download Submit
C:\Windows\SysWOW64\Qdkcgqad.exe

Filesize
337KB

MD5
5efdf93ae3c08d96ce7c0d5b915d6dd4

SHA1
87c99c1342123db7f7f6cee85617948c8916bdc7

SHA256
a6415a48a5a3f9363c456dd605cc9abf567688c6d865f90f2779ff85a627652b

SHA512
ad9f282bff76449ec85753924adc5d39b457a005d2d3ebf850ab9cf9ef25f9de146093160d41909d56843e3ffe4ba9a2ee697361ba25f2e3f5f6cd62e262eb6a

Download Submit
memory/216-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/336-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/984-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-714-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-704-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4212-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-729-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads