berbew | fe3cdc286f807153e0937327ebb1fd52937bcce1db5a4215acd48a6958f6b6b1

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe3cdc286f807153e0937327ebb1fd52937bcce1db5a4215acd48a6958f6b6b1.exe
Size

93KB
MD5

c84135ecf5def50b86081d12d915a384
SHA1

fefa9e767d0baa1b4ab17610431da59251ab20de
SHA256

fe3cdc286f807153e0937327ebb1fd52937bcce1db5a4215acd48a6958f6b6b1
SHA512

8eb48c3980cd8a27c19cefab5704d3ac5624fe279013d3b8ad9ed2507fda116cc8831f67b0d4e834b4d442fcdccaff16303f6915ac60baa9532638e96457f2e3
SSDEEP

1536:F7H68Et+udq97VY6aXhO97j77llld095t1DaYfMZRWuLsV+17:1H610uUcOm95tgYfc0DV+17

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojbinjbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgplnmib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aebihpkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmdmdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbploeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcfkec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Megdfnhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pddmga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffkleae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deehkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Libgpooi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Canlon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlapgnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odfqecdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmcnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlqlch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebkjdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdlhki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddekah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acgfil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcgmbnnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfoelf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhokmgpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Degdaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbjlid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omhlkeko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnilcjnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aefbcogf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djpcnbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkdmia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpcenhpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmpmpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgokpbeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgddka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aefbcogf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjhmnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjlldiji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfgfdikg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjjalepf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmnpjmla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhcdhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngfqqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onneoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhhbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dagoel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leihep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llbpbjlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqonpdgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acgfil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjddbcgk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplpmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnjejgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afaijhcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnadadld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djmgiboq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocmjlpfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfolehep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjbcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpcenhpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omhlkeko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qflpoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nenjgm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
1888	Lmkfknid.exe
1548	Ldeohh32.exe
2364	Lfckdcoe.exe
4492	Libgpooi.exe
632	Lplpmi32.exe
4100	Lbjlid32.exe
2124	Leihep32.exe
872	Llbpbjlj.exe
3732	Lpnlbi32.exe
3128	Lbmhod32.exe
4744	Lekekp32.exe
4012	Lpqihhbp.exe
1276	Memapppg.exe
1284	Mpcenhpn.exe
4964	Mljfbiea.exe
3980	Mgokpbeh.exe
220	Mllchico.exe
3152	Mcfkec32.exe
4900	Mmkpbl32.exe
1792	Mpjlngje.exe
4412	Mgddka32.exe
384	Megdfnhm.exe
4876	Mlqlch32.exe
1896	Ndhdde32.exe
1840	Ngfqqa32.exe
3956	Nidmml32.exe
1340	Neknam32.exe
4372	Njgjbllq.exe
3124	Ndlnoelf.exe
5088	Nenjgm32.exe
5056	Ndoked32.exe
2240	Npekjeph.exe
1000	Ngpcgp32.exe
1860	Nnilcjnb.exe
2528	Ophhpene.exe
5020	Ogbploeb.exe
3460	Ofeqhl32.exe
4932	Onlhii32.exe
3856	Odfqecdl.exe
4316	Ojbinjbc.exe
1972	Onneoi32.exe
1616	Ockngp32.exe
3448	Ofijckhg.exe
2972	Onqbdihj.exe
3768	Oqonpdgn.exe
4364	Ocmjlpfa.exe
4772	Oncoihfg.exe
984	Odmgfb32.exe
1368	Ojjooilk.exe
5100	Omhlkeko.exe
3512	Pdoclbla.exe
764	Pfqpcj32.exe
2012	Pjlldiji.exe
228	Pdapabjo.exe
4544	Pgplnmib.exe
5104	Pnjejgpo.exe
3624	Pddmga32.exe
4700	Pcgmbnnf.exe
1176	Pnlapgnl.exe
3592	Pcijhnld.exe
3548	Pfgfdikg.exe
2736	Pmanaccd.exe
3472	Pckfnn32.exe
1344	Pfjcji32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jkmnhqfc.dll	Ambgha32.exe
File opened for modification	C:\Windows\SysWOW64\Bnadadld.exe	Aclpdklo.exe
File created	C:\Windows\SysWOW64\Bagfooep.exe	Bnhjbcfl.exe
File opened for modification	C:\Windows\SysWOW64\Lpqihhbp.exe	Lekekp32.exe
File opened for modification	C:\Windows\SysWOW64\Mcfkec32.exe	Mllchico.exe
File created	C:\Windows\SysWOW64\Mmkpbl32.exe	Mcfkec32.exe
File created	C:\Windows\SysWOW64\Pdoclbla.exe	Omhlkeko.exe
File opened for modification	C:\Windows\SysWOW64\Ajlekg32.exe	Afaijhcm.exe
File created	C:\Windows\SysWOW64\Ajojjcgc.dll	Dfiaibap.exe
File created	C:\Windows\SysWOW64\Jmoifpfo.dll	Dkdmia32.exe
File created	C:\Windows\SysWOW64\Bmimhpoj.exe	Bjjalepf.exe
File opened for modification	C:\Windows\SysWOW64\Bagfooep.exe	Bnhjbcfl.exe
File opened for modification	C:\Windows\SysWOW64\Bmngcp32.exe	Bjokgd32.exe
File created	C:\Windows\SysWOW64\Memapppg.exe	Lpqihhbp.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcji32.exe	Pckfnn32.exe
File created	C:\Windows\SysWOW64\Ammnmbig.exe	Ajoaqfjc.exe
File created	C:\Windows\SysWOW64\Feiolnip.dll	Acgfil32.exe
File opened for modification	C:\Windows\SysWOW64\Aefbcogf.exe	Anmjfe32.exe
File opened for modification	C:\Windows\SysWOW64\Canlon32.exe	Cjddbcgk.exe
File created	C:\Windows\SysWOW64\Lfckdcoe.exe	Ldeohh32.exe
File created	C:\Windows\SysWOW64\Lpqihhbp.exe	Lekekp32.exe
File opened for modification	C:\Windows\SysWOW64\Nidmml32.exe	Ngfqqa32.exe
File created	C:\Windows\SysWOW64\Heapfm32.dll	Npekjeph.exe
File created	C:\Windows\SysWOW64\Bfcogecg.exe	Bcebkjdd.exe
File opened for modification	C:\Windows\SysWOW64\Pdapabjo.exe	Pjlldiji.exe
File created	C:\Windows\SysWOW64\Leihep32.exe	Lbjlid32.exe
File created	C:\Windows\SysWOW64\Ghnelogk.dll	Memapppg.exe
File created	C:\Windows\SysWOW64\Fpcaanlm.dll	Mcfkec32.exe
File created	C:\Windows\SysWOW64\Mbjkckla.dll	Nidmml32.exe
File opened for modification	C:\Windows\SysWOW64\Ophhpene.exe	Nnilcjnb.exe
File opened for modification	C:\Windows\SysWOW64\Bfmhff32.exe	Beklnn32.exe
File created	C:\Windows\SysWOW64\Ghdcnkid.dll	Bagfooep.exe
File created	C:\Windows\SysWOW64\Lpnlbi32.exe	Llbpbjlj.exe
File opened for modification	C:\Windows\SysWOW64\Npekjeph.exe	Ndoked32.exe
File created	C:\Windows\SysWOW64\Gafgdm32.dll	Ngpcgp32.exe
File created	C:\Windows\SysWOW64\Ockngp32.exe	Onneoi32.exe
File created	C:\Windows\SysWOW64\Faqbkf32.dll	Afhokgme.exe
File created	C:\Windows\SysWOW64\Mlibenih.dll	Cdlhki32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfjmkc.exe	Cjhmnc32.exe
File created	C:\Windows\SysWOW64\Colpjg32.dll	Ddekah32.exe
File created	C:\Windows\SysWOW64\Mpcenhpn.exe	Memapppg.exe
File opened for modification	C:\Windows\SysWOW64\Ogbploeb.exe	Ophhpene.exe
File created	C:\Windows\SysWOW64\Mgkooe32.dll	Bmimhpoj.exe
File created	C:\Windows\SysWOW64\Caicdcpj.dll	Bfcogecg.exe
File created	C:\Windows\SysWOW64\Cjfqhcei.exe	Cdlhki32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiaibap.exe	Ddjemgal.exe
File created	C:\Windows\SysWOW64\Nimbke32.dll	Onneoi32.exe
File created	C:\Windows\SysWOW64\Lbjlid32.exe	Lplpmi32.exe
File created	C:\Windows\SysWOW64\Ojbinjbc.exe	Odfqecdl.exe
File created	C:\Windows\SysWOW64\Leibaqof.dll	Bjokgd32.exe
File created	C:\Windows\SysWOW64\Cfonbdij.exe	Cenakl32.exe
File opened for modification	C:\Windows\SysWOW64\Dmpmpm32.exe	Dffdcccb.exe
File created	C:\Windows\SysWOW64\Diikmo32.dll	Mllchico.exe
File opened for modification	C:\Windows\SysWOW64\Pmanaccd.exe	Pfgfdikg.exe
File created	C:\Windows\SysWOW64\Qdkcgqad.exe	Qmdkfcaa.exe
File created	C:\Windows\SysWOW64\Qflpoi32.exe	Qdkcgqad.exe
File opened for modification	C:\Windows\SysWOW64\Chjaag32.exe	Celeel32.exe
File opened for modification	C:\Windows\SysWOW64\Oqonpdgn.exe	Onqbdihj.exe
File created	C:\Windows\SysWOW64\Bhijdp32.dll	Qmfhlcoo.exe
File opened for modification	C:\Windows\SysWOW64\Anmjfe32.exe	Acgfil32.exe
File created	C:\Windows\SysWOW64\Bnhjbcfl.exe	Bfabaf32.exe
File created	C:\Windows\SysWOW64\Pafndn32.dll	Cjfqhcei.exe
File opened for modification	C:\Windows\SysWOW64\Cjfqhcei.exe	Cdlhki32.exe
File created	C:\Windows\SysWOW64\Fcoigo32.dll	Celeel32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6072	5900	WerFault.exe	215

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfckdcoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpcenhpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcfkec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nenjgm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npekjeph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgfdikg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldeohh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcppimfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajoaqfjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acgfil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhdde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afaijhcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhokgme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmfqcqql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhokmgpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmkfknid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adplbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aebihpkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agpedkjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfcogecg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfoelf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dagoel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgplnmib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfolehep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmdmdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllchico.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nidmml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neknam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccfej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Degdaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onlhii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegljmid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfjmkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekekp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmkpbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pddmga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmanaccd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libgpooi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffkleae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djmgiboq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjfqhcei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mljfbiea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlngje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odfqecdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjooilk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckfnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfmhff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Celeel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbpbjlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndoked32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnilcjnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danefkqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjjalepf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmimhpoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmnpjmla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhcdhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjhmnc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbjlid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfolehep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjddbcgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdlhki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmkfknid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnichmjj.dll"	Megdfnhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpcgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onlhii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnjnjdho.dll"	Ockngp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhokgme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jimngd32.dll"	Aclpdklo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldeohh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Libgpooi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ophhpene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oncoihfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loaofnji.dll"	Ojjooilk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlceeo32.dll"	Pddmga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdkcgqad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faqbkf32.dll"	Afhokgme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmkfknid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjemgal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdank32.dll"	Mlqlch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ockngp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcgmbnnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deehkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhjlkk32.dll"	Leihep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpqihhbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mllchico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjlldiji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pddmga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhijdp32.dll"	Qmfhlcoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajlekg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gphdlf32.dll"	Beklnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbmhod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfhhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpoamahl.dll"	Djmgiboq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djpcnbmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmfqcqql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nimbke32.dll"	Onneoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beklnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allndpio.dll"	Cfhhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmdmdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Degdaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjlngje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmopd32.dll"	Mgokpbeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngfqqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gafgdm32.dll"	Ngpcgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ophhpene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbploeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjooilk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdkcgqad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lekekp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmpmpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeqhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojbinjbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejlqadpo.dll"	Bcqipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmcnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlibenih.dll"	Cdlhki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lplpmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckaqiakm.dll"	Odmgfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjddbcgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elnehbkp.dll"	Dmpmpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbjlid32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 1888	4088	fe3cdc286f807153e0937327ebb1fd52937bcce1db5a4215acd48a6958f6b6b1.exe	81
PID 4088 wrote to memory of 1888	4088	fe3cdc286f807153e0937327ebb1fd52937bcce1db5a4215acd48a6958f6b6b1.exe	81
PID 4088 wrote to memory of 1888	4088	fe3cdc286f807153e0937327ebb1fd52937bcce1db5a4215acd48a6958f6b6b1.exe	81
PID 1888 wrote to memory of 1548	1888	Lmkfknid.exe	82
PID 1888 wrote to memory of 1548	1888	Lmkfknid.exe	82
PID 1888 wrote to memory of 1548	1888	Lmkfknid.exe	82
PID 1548 wrote to memory of 2364	1548	Ldeohh32.exe	83
PID 1548 wrote to memory of 2364	1548	Ldeohh32.exe	83
PID 1548 wrote to memory of 2364	1548	Ldeohh32.exe	83
PID 2364 wrote to memory of 4492	2364	Lfckdcoe.exe	84
PID 2364 wrote to memory of 4492	2364	Lfckdcoe.exe	84
PID 2364 wrote to memory of 4492	2364	Lfckdcoe.exe	84
PID 4492 wrote to memory of 632	4492	Libgpooi.exe	85
PID 4492 wrote to memory of 632	4492	Libgpooi.exe	85
PID 4492 wrote to memory of 632	4492	Libgpooi.exe	85
PID 632 wrote to memory of 4100	632	Lplpmi32.exe	86
PID 632 wrote to memory of 4100	632	Lplpmi32.exe	86
PID 632 wrote to memory of 4100	632	Lplpmi32.exe	86
PID 4100 wrote to memory of 2124	4100	Lbjlid32.exe	87
PID 4100 wrote to memory of 2124	4100	Lbjlid32.exe	87
PID 4100 wrote to memory of 2124	4100	Lbjlid32.exe	87
PID 2124 wrote to memory of 872	2124	Leihep32.exe	88
PID 2124 wrote to memory of 872	2124	Leihep32.exe	88
PID 2124 wrote to memory of 872	2124	Leihep32.exe	88
PID 872 wrote to memory of 3732	872	Llbpbjlj.exe	89
PID 872 wrote to memory of 3732	872	Llbpbjlj.exe	89
PID 872 wrote to memory of 3732	872	Llbpbjlj.exe	89
PID 3732 wrote to memory of 3128	3732	Lpnlbi32.exe	90
PID 3732 wrote to memory of 3128	3732	Lpnlbi32.exe	90
PID 3732 wrote to memory of 3128	3732	Lpnlbi32.exe	90
PID 3128 wrote to memory of 4744	3128	Lbmhod32.exe	91
PID 3128 wrote to memory of 4744	3128	Lbmhod32.exe	91
PID 3128 wrote to memory of 4744	3128	Lbmhod32.exe	91
PID 4744 wrote to memory of 4012	4744	Lekekp32.exe	92
PID 4744 wrote to memory of 4012	4744	Lekekp32.exe	92
PID 4744 wrote to memory of 4012	4744	Lekekp32.exe	92
PID 4012 wrote to memory of 1276	4012	Lpqihhbp.exe	93
PID 4012 wrote to memory of 1276	4012	Lpqihhbp.exe	93
PID 4012 wrote to memory of 1276	4012	Lpqihhbp.exe	93
PID 1276 wrote to memory of 1284	1276	Memapppg.exe	94
PID 1276 wrote to memory of 1284	1276	Memapppg.exe	94
PID 1276 wrote to memory of 1284	1276	Memapppg.exe	94
PID 1284 wrote to memory of 4964	1284	Mpcenhpn.exe	95
PID 1284 wrote to memory of 4964	1284	Mpcenhpn.exe	95
PID 1284 wrote to memory of 4964	1284	Mpcenhpn.exe	95
PID 4964 wrote to memory of 3980	4964	Mljfbiea.exe	96
PID 4964 wrote to memory of 3980	4964	Mljfbiea.exe	96
PID 4964 wrote to memory of 3980	4964	Mljfbiea.exe	96
PID 3980 wrote to memory of 220	3980	Mgokpbeh.exe	97
PID 3980 wrote to memory of 220	3980	Mgokpbeh.exe	97
PID 3980 wrote to memory of 220	3980	Mgokpbeh.exe	97
PID 220 wrote to memory of 3152	220	Mllchico.exe	98
PID 220 wrote to memory of 3152	220	Mllchico.exe	98
PID 220 wrote to memory of 3152	220	Mllchico.exe	98
PID 3152 wrote to memory of 4900	3152	Mcfkec32.exe	99
PID 3152 wrote to memory of 4900	3152	Mcfkec32.exe	99
PID 3152 wrote to memory of 4900	3152	Mcfkec32.exe	99
PID 4900 wrote to memory of 1792	4900	Mmkpbl32.exe	100
PID 4900 wrote to memory of 1792	4900	Mmkpbl32.exe	100
PID 4900 wrote to memory of 1792	4900	Mmkpbl32.exe	100
PID 1792 wrote to memory of 4412	1792	Mpjlngje.exe	101
PID 1792 wrote to memory of 4412	1792	Mpjlngje.exe	101
PID 1792 wrote to memory of 4412	1792	Mpjlngje.exe	101
PID 4412 wrote to memory of 384	4412	Mgddka32.exe	102

C:\Users\Admin\AppData\Local\Temp\fe3cdc286f807153e0937327ebb1fd52937bcce1db5a4215acd48a6958f6b6b1.exe
"C:\Users\Admin\AppData\Local\Temp\fe3cdc286f807153e0937327ebb1fd52937bcce1db5a4215acd48a6958f6b6b1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\SysWOW64\Lmkfknid.exe
  C:\Windows\system32\Lmkfknid.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\Ldeohh32.exe
    C:\Windows\system32\Ldeohh32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\SysWOW64\Lfckdcoe.exe
      C:\Windows\system32\Lfckdcoe.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2364
    - - C:\Windows\SysWOW64\Libgpooi.exe
        
        C:\Windows\system32\Libgpooi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
      - C:\Windows\SysWOW64\Lplpmi32.exe
        
        C:\Windows\system32\Lplpmi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Lbjlid32.exe
        
        C:\Windows\system32\Lbjlid32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Leihep32.exe
        
        C:\Windows\system32\Leihep32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Llbpbjlj.exe
        
        C:\Windows\system32\Llbpbjlj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Lpnlbi32.exe
        
        C:\Windows\system32\Lpnlbi32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Lbmhod32.exe
        
        C:\Windows\system32\Lbmhod32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Lekekp32.exe
        
        C:\Windows\system32\Lekekp32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Lpqihhbp.exe
        
        C:\Windows\system32\Lpqihhbp.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Memapppg.exe
        
        C:\Windows\system32\Memapppg.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Mpcenhpn.exe
        
        C:\Windows\system32\Mpcenhpn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Mljfbiea.exe
        
        C:\Windows\system32\Mljfbiea.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Mgokpbeh.exe
        
        C:\Windows\system32\Mgokpbeh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Mllchico.exe
        
        C:\Windows\system32\Mllchico.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Mcfkec32.exe
        
        C:\Windows\system32\Mcfkec32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Mmkpbl32.exe
        
        C:\Windows\system32\Mmkpbl32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Mpjlngje.exe
        
        C:\Windows\system32\Mpjlngje.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Mgddka32.exe
        
        C:\Windows\system32\Mgddka32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Megdfnhm.exe
        
        C:\Windows\system32\Megdfnhm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Mlqlch32.exe
        
        C:\Windows\system32\Mlqlch32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Ndhdde32.exe
        
        C:\Windows\system32\Ndhdde32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\Ngfqqa32.exe
        
        C:\Windows\system32\Ngfqqa32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Nidmml32.exe
        
        C:\Windows\system32\Nidmml32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Neknam32.exe
        
        C:\Windows\system32\Neknam32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\Njgjbllq.exe
        
        C:\Windows\system32\Njgjbllq.exe
        29⤵
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Ndlnoelf.exe
        
        C:\Windows\system32\Ndlnoelf.exe
        30⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\Nenjgm32.exe
        
        C:\Windows\system32\Nenjgm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\Ndoked32.exe
        
        C:\Windows\system32\Ndoked32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\Npekjeph.exe
        
        C:\Windows\system32\Npekjeph.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\Ngpcgp32.exe
        
        C:\Windows\system32\Ngpcgp32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Nnilcjnb.exe
        
        C:\Windows\system32\Nnilcjnb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\Ophhpene.exe
        
        C:\Windows\system32\Ophhpene.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Ogbploeb.exe
        
        C:\Windows\system32\Ogbploeb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Ofeqhl32.exe
        
        C:\Windows\system32\Ofeqhl32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Onlhii32.exe
        
        C:\Windows\system32\Onlhii32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Odfqecdl.exe
        
        C:\Windows\system32\Odfqecdl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Windows\SysWOW64\Ojbinjbc.exe
        
        C:\Windows\system32\Ojbinjbc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Onneoi32.exe
        
        C:\Windows\system32\Onneoi32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Ockngp32.exe
        
        C:\Windows\system32\Ockngp32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Ofijckhg.exe
        
        C:\Windows\system32\Ofijckhg.exe
        44⤵
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Onqbdihj.exe
        
        C:\Windows\system32\Onqbdihj.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\Oqonpdgn.exe
        
        C:\Windows\system32\Oqonpdgn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3768
        
        C:\Windows\SysWOW64\Ocmjlpfa.exe
        
        C:\Windows\system32\Ocmjlpfa.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Oncoihfg.exe
        
        C:\Windows\system32\Oncoihfg.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Odmgfb32.exe
        
        C:\Windows\system32\Odmgfb32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Ojjooilk.exe
        
        C:\Windows\system32\Ojjooilk.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Omhlkeko.exe
        
        C:\Windows\system32\Omhlkeko.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Pdoclbla.exe
        
        C:\Windows\system32\Pdoclbla.exe
        52⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\Pfqpcj32.exe
        
        C:\Windows\system32\Pfqpcj32.exe
        53⤵
        Executes dropped EXE
        
        PID:764
        
        C:\Windows\SysWOW64\Pjlldiji.exe
        
        C:\Windows\system32\Pjlldiji.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Pdapabjo.exe
        
        C:\Windows\system32\Pdapabjo.exe
        55⤵
        Executes dropped EXE
        
        PID:228
        
        C:\Windows\SysWOW64\Pgplnmib.exe
        
        C:\Windows\system32\Pgplnmib.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\Pnjejgpo.exe
        
        C:\Windows\system32\Pnjejgpo.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Pddmga32.exe
        
        C:\Windows\system32\Pddmga32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Pcgmbnnf.exe
        
        C:\Windows\system32\Pcgmbnnf.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Pnlapgnl.exe
        
        C:\Windows\system32\Pnlapgnl.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\Pcijhnld.exe
        
        C:\Windows\system32\Pcijhnld.exe
        61⤵
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\Pfgfdikg.exe
        
        C:\Windows\system32\Pfgfdikg.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\SysWOW64\Pmanaccd.exe
        
        C:\Windows\system32\Pmanaccd.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\Pckfnn32.exe
        
        C:\Windows\system32\Pckfnn32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\Pfjcji32.exe
        
        C:\Windows\system32\Pfjcji32.exe
        65⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\Windows\SysWOW64\Qmdkfcaa.exe
        
        C:\Windows\system32\Qmdkfcaa.exe
        66⤵
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\Qdkcgqad.exe
        
        C:\Windows\system32\Qdkcgqad.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Qflpoi32.exe
        
        C:\Windows\system32\Qflpoi32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4756
        
        C:\Windows\SysWOW64\Qmfhlcoo.exe
        
        C:\Windows\system32\Qmfhlcoo.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Qcppimfl.exe
        
        C:\Windows\system32\Qcppimfl.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Qfolehep.exe
        
        C:\Windows\system32\Qfolehep.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Amhdab32.exe
        
        C:\Windows\system32\Amhdab32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\Adplbp32.exe
        
        C:\Windows\system32\Adplbp32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\Afaijhcm.exe
        
        C:\Windows\system32\Afaijhcm.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\Ajlekg32.exe
        
        C:\Windows\system32\Ajlekg32.exe
        75⤵
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Aebihpkl.exe
        
        C:\Windows\system32\Aebihpkl.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Windows\SysWOW64\Agpedkjp.exe
        
        C:\Windows\system32\Agpedkjp.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\Ajoaqfjc.exe
        
        C:\Windows\system32\Ajoaqfjc.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\Ammnmbig.exe
        
        C:\Windows\system32\Ammnmbig.exe
        79⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\Acgfil32.exe
        
        C:\Windows\system32\Acgfil32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Anmjfe32.exe
        
        C:\Windows\system32\Anmjfe32.exe
        81⤵
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\Aefbcogf.exe
        
        C:\Windows\system32\Aefbcogf.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3324
        
        C:\Windows\SysWOW64\Afhokgme.exe
        
        C:\Windows\system32\Afhokgme.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Ambgha32.exe
        
        C:\Windows\system32\Ambgha32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Aclpdklo.exe
        
        C:\Windows\system32\Aclpdklo.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Bnadadld.exe
        
        C:\Windows\system32\Bnadadld.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:456
        
        C:\Windows\SysWOW64\Beklnn32.exe
        
        C:\Windows\system32\Beklnn32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Bfmhff32.exe
        
        C:\Windows\system32\Bfmhff32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\Bmfqcqql.exe
        
        C:\Windows\system32\Bmfqcqql.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Bcqipk32.exe
        
        C:\Windows\system32\Bcqipk32.exe
        90⤵
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Bfoelf32.exe
        
        C:\Windows\system32\Bfoelf32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Windows\SysWOW64\Bjjalepf.exe
        
        C:\Windows\system32\Bjjalepf.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\Bmimhpoj.exe
        
        C:\Windows\system32\Bmimhpoj.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Windows\SysWOW64\Bccfej32.exe
        
        C:\Windows\system32\Bccfej32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\Bfabaf32.exe
        
        C:\Windows\system32\Bfabaf32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:180
        
        C:\Windows\SysWOW64\Bnhjbcfl.exe
        
        C:\Windows\system32\Bnhjbcfl.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\Bagfooep.exe
        
        C:\Windows\system32\Bagfooep.exe
        97⤵
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\Bcebkjdd.exe
        
        C:\Windows\system32\Bcebkjdd.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\Bfcogecg.exe
        
        C:\Windows\system32\Bfcogecg.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\Bjokgd32.exe
        
        C:\Windows\system32\Bjokgd32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Bmngcp32.exe
        
        C:\Windows\system32\Bmngcp32.exe
        101⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\Cffkleae.exe
        
        C:\Windows\system32\Cffkleae.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\Cnmcnb32.exe
        
        C:\Windows\system32\Cnmcnb32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Cegljmid.exe
        
        C:\Windows\system32\Cegljmid.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\Cfhhbe32.exe
        
        C:\Windows\system32\Cfhhbe32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Cjddbcgk.exe
        
        C:\Windows\system32\Cjddbcgk.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Canlon32.exe
        
        C:\Windows\system32\Canlon32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2984
        
        C:\Windows\SysWOW64\Cdlhki32.exe
        
        C:\Windows\system32\Cdlhki32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Cjfqhcei.exe
        
        C:\Windows\system32\Cjfqhcei.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\Cmdmdo32.exe
        
        C:\Windows\system32\Cmdmdo32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Celeel32.exe
        
        C:\Windows\system32\Celeel32.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\Chjaag32.exe
        
        C:\Windows\system32\Chjaag32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1128
        
        C:\Windows\SysWOW64\Cjhmnc32.exe
        
        C:\Windows\system32\Cjhmnc32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Cabfjmkc.exe
        
        C:\Windows\system32\Cabfjmkc.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\Cenakl32.exe
        
        C:\Windows\system32\Cenakl32.exe
        115⤵
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Cfonbdij.exe
        
        C:\Windows\system32\Cfonbdij.exe
        116⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\Cepnqkai.exe
        
        C:\Windows\system32\Cepnqkai.exe
        117⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Dhokmgpm.exe
        
        C:\Windows\system32\Dhokmgpm.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\Djmgiboq.exe
        
        C:\Windows\system32\Djmgiboq.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Dagoel32.exe
        
        C:\Windows\system32\Dagoel32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Ddekah32.exe
        
        C:\Windows\system32\Ddekah32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Djpcnbmn.exe
        
        C:\Windows\system32\Djpcnbmn.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Dmnpjmla.exe
        
        C:\Windows\system32\Dmnpjmla.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Deehkk32.exe
        
        C:\Windows\system32\Deehkk32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Dhcdhf32.exe
        
        C:\Windows\system32\Dhcdhf32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Dffdcccb.exe
        
        C:\Windows\system32\Dffdcccb.exe
        126⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Dmpmpm32.exe
        
        C:\Windows\system32\Dmpmpm32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Degdaj32.exe
        
        C:\Windows\system32\Degdaj32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Ddjemgal.exe
        
        C:\Windows\system32\Ddjemgal.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Dfiaibap.exe
        
        C:\Windows\system32\Dfiaibap.exe
        130⤵
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Dkdmia32.exe
        
        C:\Windows\system32\Dkdmia32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Dmbiem32.exe
        
        C:\Windows\system32\Dmbiem32.exe
        132⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Danefkqe.exe
        
        C:\Windows\system32\Danefkqe.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 400
        134⤵
        Program crash
        
        PID:6072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5900 -ip 5900
1⤵
PID:5972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpdklo.exe

Filesize
93KB

MD5
ef37199a865766c186a477d24b41ff9c

SHA1
ef42d136ab7108507f582b455c924a59ace07f85

SHA256
54aeafadd9a478456f8efc6734d663eb5451c484df2675fecd8edd2f81bbb7c4

SHA512
77dd3fc53025cf26950579688608f066781635feddd4773fca6b55d1dffb5e54c2b122ca013326c11b9d78ed540f862b7a33e55bf03681e599c2a35d53bba3bc

Download Submit
C:\Windows\SysWOW64\Afaijhcm.exe

Filesize
93KB

MD5
c2a85cf7cb331663e9efeac007e97369

SHA1
73c4fff4966dd0513e571eb653ebe72337c09930

SHA256
6d33d0e140c62863520352a4e618157508581dab305e0005f2ab16d934a084ce

SHA512
9955ca43f3a8dab9a9faf1044f29b94225028e8b48a5d86e8bb845bed85fcc5d444b84849d410d334ed45097e7eab5ea19dbf6dd21c546f3575d4d86382b6785

Download Submit
C:\Windows\SysWOW64\Ajoaqfjc.exe

Filesize
93KB

MD5
179b660c196354a874a5e02d1660a128

SHA1
fc320aaae19c43193964c5b7735ae33731f93573

SHA256
9d51b3ffbd23b38f6f21965fa03571b84bee014828faeff79ed4a8d1dd121b0b

SHA512
2b3199323094fac549efb998d4f3eb003bd13171cca5fbef2e6564b3502bb83e86cda38572a08f43318f722478ad0effb658b433c4f0c27d5978dc2f644c160a

Download Submit
C:\Windows\SysWOW64\Anmjfe32.exe

Filesize
64KB

MD5
3bda8ba24b78b07142cbed2803ebddfa

SHA1
b83501f80858c01c4365c8da715c9d8fa7be5e0c

SHA256
fc185f9708fb9bbb7eb16a177a02d8b8465dd288fb06bf7f4baaa4bafb96ebd8

SHA512
585f15ac9feb7ca94b352de00769c558b5f39d9fc1fc85721d83a713e78fe4c1d7213ea55d252e49b0939cd56812ef3eb1f24e6439d624e86917d2797e4817f9

Download Submit
C:\Windows\SysWOW64\Beklnn32.exe

Filesize
93KB

MD5
963402a5dbdb085f1148ceabe3d30dbc

SHA1
8b2946dd201437fa8215265b12610f349d18f6bf

SHA256
cbb572d6b26cdfd4649e3725186f0520718fc73da8fa35f1653cc135d8b1f7f0

SHA512
adf79a3256bce22a5a80e8d4e459fb51cb94ac127e75d547c420d6b4f47ec6da3531d800520022737c504810c7be2bd24f2ebdd30c9c014da1c9e7fe95913b3e

Download Submit
C:\Windows\SysWOW64\Bfoelf32.exe

Filesize
93KB

MD5
aa8e1261b47a397708b464262c1e32b2

SHA1
a6f8e7303789dcea31598456b49f967d0ac5b1fe

SHA256
612f8591ba78349614998b86983e3e0aab33e9e0f524bcfd1a14570fa6b43576

SHA512
c5b012be156042d51de5d0cf10e3e3b4086a27e961e4f66b93f6492b85dadc601c99ce62f380c66d3dcf6a10f08f4f4d1f30bf053b05e0c25e6838c7c07d3d6c

Download Submit
C:\Windows\SysWOW64\Cdlhki32.exe

Filesize
93KB

MD5
84ead7e932b48189e68090cc92082bdd

SHA1
d2109db772ed16ba86b88b7238ea618ebb7235dd

SHA256
21ebeae57f931bb9cbbfebc9dcf5975dd3f3dfb3e56e4f465d240878c278b312

SHA512
f9d270bf2cd31a73f602ea7573b651376e3875af21574d0fdaf67f6d4b57ff41075f33d80bc0b508bbef1dfc56b093353e97b5942eeaadadf43011739c8596e9

Download Submit
C:\Windows\SysWOW64\Cepnqkai.exe

Filesize
93KB

MD5
e39d42c0f831d71899f61968c4481230

SHA1
41c5c2b2a73139d244c5804caa27b8fa0ff489f4

SHA256
22b303a777174eea93d50bfbf3ffc87ff2e79788d07544b6f42d18b99132e1b1

SHA512
07252b71eb82d61d48ed5343ce28389e1162aa9dbdeeef07126422791415084328b0185e811fd206a82e01dd79a4298948d0d67634ee8aa23b9757b0306988e1

Download Submit
C:\Windows\SysWOW64\Chjaag32.exe

Filesize
93KB

MD5
3ac602c7b65458c6ed2512f77967ecbc

SHA1
d4c99468acb40e3665e66fe0edfff14d3f3d6398

SHA256
faed50c68ca6316a5c26260cb945901a4b27a9e04a2cbb60c48784a3c470e95f

SHA512
ea75e32d3fe34c644d38915ccbf3d333539cdb316fa66e87744623aa5dce993ebe9541c01dc15caa398cd33d9790a25e7a83a188b127f8cd7435c819dd6dfc62

Download Submit
C:\Windows\SysWOW64\Cjfqhcei.exe

Filesize
93KB

MD5
5f6e186c1c658b8ba2945ec15052ac9d

SHA1
51cc64752f2c5c4aa56ffe767f807d254b53feca

SHA256
fea877a3699012d2af115f018ada0052a4427b6760f72968af142a48b89a99cc

SHA512
e39d9bb601796959a20341b024c163d9e5726712eb3d409c76efb67429090898e9ea78b86e1260245b2683bdf1a17ff1a09f6ff9aa5b9b473dd76715f9cc65bc

Download Submit
C:\Windows\SysWOW64\Cjhmnc32.exe

Filesize
93KB

MD5
6a9d2a4e16ecba2971b36072cdc614ca

SHA1
58269d4532147b18486821155f08fc1006a93b36

SHA256
23856ee5032b32b9e25b46a40fdadc52d49f703240debca6f374d9ddabf63dcb

SHA512
9f1debcc3e35669b2e0335eddfd8b67c156a7ada4752adadae6e83d179c8483260d40266bcabf3cf5ff93b6da7a30534f96670d932d0d90bd481c67fbfe57858

Download Submit
C:\Windows\SysWOW64\Cnmcnb32.exe

Filesize
93KB

MD5
75c1b4372d0703c94c23e944138c7412

SHA1
735e4501bb6262993475f03ec6b49e0e38d2b608

SHA256
7d7b3bfb942f9488a6a96568a66d6ed9d61dafd517b009e0745d702bc425d015

SHA512
653c9cf4fe02175a8f5ea60a15770efda3f76feb9679213b75c61b5eae2dc97ff7fe3ccc6355bfa45dac09a0a49872b573c58a1176499350e08b6b82f7e31c26

Download Submit
C:\Windows\SysWOW64\Ddekah32.exe

Filesize
93KB

MD5
b6ab691d29589908c8030b18224257d5

SHA1
db06d81962d7dbfc99ff1760076b7a9ff26c9573

SHA256
f93dd7a3ba3ffa3d69a54774c1f1d359368c6e3251d914522d123755461907b9

SHA512
e68911f97c7298baf5ab1dc7342493c9efaf676b57fbe23b1027abdcaf63249064e66fd54c7949aa2ba2ba2501f234ea708e8f8f71399934f044b56aa87e88ab

Download Submit
C:\Windows\SysWOW64\Deehkk32.exe

Filesize
93KB

MD5
a2504c0a5762bd26373e1e275c1297cc

SHA1
15974bd8a657d311e8ba3d2900907be3bbbeccc2

SHA256
c7b686a5f77c5a1563c2fb386bfec69b5c05c00f9941d88c19cdc16d9835fc2f

SHA512
4a0c99a91c8d1db490d0bd3c66807eaa136c9d0a13ce76ef52539cec7d97daa4363b25f6edeb776626275ea80a92c87f59c5f92bc96444c6f60185cc00c077eb

Download Submit
C:\Windows\SysWOW64\Dffdcccb.exe

Filesize
93KB

MD5
1936f6d60a74a215177ec1c0e1945dac

SHA1
ed676d964fa47f26f6c40c0d82ed3a408f0635b7

SHA256
404fc302a161c03e73d4981b6f03667acff029fd800f44f54c6e3ce514990969

SHA512
9064a8ddee2e532ffed8059d30e394638ee96c8bfc03149f3af70914bdfb45f465b4a768c532e7ce688c8b37ef24b8976831f8f5295d0a1e508f2cc6093613f1

Download Submit
C:\Windows\SysWOW64\Djmgiboq.exe

Filesize
93KB

MD5
0daced3b0f819286a6b39ac8e1115060

SHA1
34247bdee816cb405f3fab9382e5b65e3a30f58d

SHA256
5ed2377db6d0adeaa60a05deae25134a4070e0ff28c00e93505644c9e3dcc170

SHA512
ec057a00336dcba65ff6f8f4ab4bbd6748472ffcbd9bc3b04c8608066e4584baf51b64ec87134b48c685ea892aa1619c13dcb689fe66e060f1caa4de18fd8178

Download Submit
C:\Windows\SysWOW64\Lbjlid32.exe

Filesize
93KB

MD5
932759c20ccf7609d2dec51859b81cad

SHA1
5cba7b40aa8dc5a921e49b168cca7b5a3a1396ed

SHA256
94438acf231f1a7a9df9dbdff67ad128bd56411f41fb1abcc65ce03f6480221e

SHA512
e0a8c345fe53835008acf56d2e3b9cbf797011fb93462565a981d3249561db31d2b506caddc7ce70a2a2ae7ea98a8c64ad366bad3ed002b4ed3061946f06ee17

Download Submit
C:\Windows\SysWOW64\Lbmhod32.exe

Filesize
93KB

MD5
fa3766de27d0613f88a68d857e0c13c4

SHA1
d1ab21fe43d762ce09e5c24a2431e669aae463e8

SHA256
09747d87df1c41f8bbec92d03835679a7f28282d4521609685f5af2c87b8cb32

SHA512
8f78829b5378efa88b01a93377ec0a7a7217cb3c2b65e045af1e14afe8d5b3af20cc3d99020c889cc70822ab9a5a798788e6b8ff7c32e62bcc8f3b13e252f84c

Download Submit
C:\Windows\SysWOW64\Ldeohh32.exe

Filesize
93KB

MD5
23c58ff1b499764ec390cdc9935442d3

SHA1
1d56d2c0578ec5a80cd21f3597a1046519c61c88

SHA256
9580286f3da24fc75785d21f71e734090f04b3c5d755797c7b8652313ee0dd72

SHA512
c476334f273f4ee1f1f6c00b126bcfbee4176c2f3a8c0e5424f26b2b2e491b8733f75cf52fa09105528899fce7b5d612084c35171fa8073c703eec3955a3085f

Download Submit
C:\Windows\SysWOW64\Leihep32.exe

Filesize
93KB

MD5
f9b048cbdcad83c28e1d400255115e00

SHA1
61cea31a7bc1b6a068dbf87a10d8ad712e42b7ba

SHA256
176b202afd58d3b0f1ed9dcaa8b4da0c31a3a39713b4d0aead1f782400f8a2a4

SHA512
a4bfd6f2ccb060246c9a7d0a23dcb42922935e27252790d5f366085322b4b3a4192da3924e80b50c59228dfbfe987db5dcdaaeba74f139086d3c6882aa726db1

Download Submit
C:\Windows\SysWOW64\Lekekp32.exe

Filesize
93KB

MD5
c42a327fe23462313fbc2178048ca27c

SHA1
bcb52cb5b1d76b1087f7282924ffe2c65461e24d

SHA256
ecfcee6d1fe9df6fc4b7675ec71d0876ef2a26bf659c9e5daa39d0e39ecbc43b

SHA512
4c9c59201a8846c63a910d2c448de27c6b8768731bf11a801fef4c6071b3482507889eb945f437e2204fa04161595456044834fa19a53ba4123a9e2f7b4bf000

Download Submit
C:\Windows\SysWOW64\Lfckdcoe.exe

Filesize
93KB

MD5
a1d182dfc31a8e4f4d751579cd9d7778

SHA1
6b9ec261dc4ad948e24224bd8cb22246fececde6

SHA256
706d9513aaf0eef065071aea43c3db5befe616f7e74f581b10bda2787989e5e0

SHA512
ef4ea4f3b180b0e9b889b7343a77fd366b327a39df6c79c1c8c1ec3ef4585235a98319af050c45cb4a4f32568e970e771e693c9a33abcd36356090b038d74be2

Download Submit
C:\Windows\SysWOW64\Libgpooi.exe

Filesize
93KB

MD5
4a179b0f89d6f421d5de4632bc0e0034

SHA1
8181447347a6f9a24e2be095349e269962f25924

SHA256
e57ce610f1551542bd1aa5d1871eabf5de92b9af0479dee257448af39e2c1118

SHA512
3085d07dd411c9d204f5be45d60e269b2ba8a2c1625887db37237909d32220387665806e9dc653d333f518d68f3938230074ec74bde3fa4761b9c25fbf18b794

Download Submit
C:\Windows\SysWOW64\Llbpbjlj.exe

Filesize
93KB

MD5
90b1b169ce5271860675d891273c57b6

SHA1
f466af791119222b1ad0831f317a094d285534fb

SHA256
8f6b7c7974ddfd9fd0a9c1685da7ac778101c64a5811c27b6b2a4e3783ba51ea

SHA512
741202c21d90e4e6208580dceb0c84bcfbc76cb3053c70e4d051bbdce3e99190906b5493d112ac9c6834064100ddcb54c7fac6acdc9d227856361dff153680a8

Download Submit
C:\Windows\SysWOW64\Lmkfknid.exe

Filesize
93KB

MD5
6a57125b90a8b2955503c93552661679

SHA1
08baa75ebe70b8529e510bdfd14e9aef20065d7b

SHA256
79097dfb18d77f64196b98f9ffce7f15b676190d3e3ac5a869322164627b0e93

SHA512
37efccf38f07b36943208358fd9f2b4c262f6c78c560eec35ae73eedff3f093d946c8696d74eba04df290fc3a2c4d99729755cb478b7272bbcc3cc5c01918b43

Download Submit
C:\Windows\SysWOW64\Lplpmi32.exe

Filesize
93KB

MD5
591edad80206bcc34f39569b20b2daa6

SHA1
9db54f704ff63845a0e6b2177675c193d00389ca

SHA256
4605d24a35fc5c8091efcc890f61697e104029802c2798c509b6027e6ba19a08

SHA512
b3d34ec61ad9e38a67c7839bb64af560c31c96e5eff9461279a30b455966ebc386d88e0addee13db4533df755a42dd4c44fc9839a6b124c8467ed3d70f8780f4

Download Submit
C:\Windows\SysWOW64\Lpnlbi32.exe

Filesize
93KB

MD5
6a7b65e6dfe406c797229e7b149398b4

SHA1
bcd65d52692d801b276be0af83de7d166a8772be

SHA256
96e2c1a3b275c0b9355fa3d2f980cc023b9e0c35a150541583990831dc1db2c1

SHA512
b55566196e1c66690de5c54682c1a1bbd5ff4a7097021b2678feec77153e85e283d33ec65ada0104e82b0e930de2b2b5f6cb7b617fb1246f585800a407383956

Download Submit
C:\Windows\SysWOW64\Lpqihhbp.exe

Filesize
93KB

MD5
42362db52aba86e40a3f1f23928abb7a

SHA1
3cb69b3a650750c5bbd480e60b7c514503595b3a

SHA256
203396e420ac5ce813a2667360156c9c918c5433678bce81348e663c81e9c6a7

SHA512
41e4c80e84f4427480581acfc8263b23b15b763b605be91acb33e0caca91638902c3711294837b98d797c6693859765f74c518f3b6518b7c8b446008276e0c8e

Download Submit
C:\Windows\SysWOW64\Mcfkec32.exe

Filesize
93KB

MD5
119398a0228e6b933e3d40c8829da745

SHA1
e611cd529a9a527fc4906666638a749c64016462

SHA256
a6440b65a1afa88a9a310c5cece48e13ec63787188193e6a8204d04962d8f599

SHA512
84ed559afc131e116e3b11ee87a766f9b1a39c48fd781340611f9eeab7694d0a87b2cb3402254bcc87582a021d9ed68b95e9611c4a4676d7d1b96f70af08c6fc

Download Submit
C:\Windows\SysWOW64\Megdfnhm.exe

Filesize
93KB

MD5
025f2ea0693ce2e166852cc8bdce839f

SHA1
e5c844f39587b5ee0ef113b355d30901a880bfe0

SHA256
70f5f82743af1a27da51b5a55a50492c26a22aef995126547f69dbf1c94bcced

SHA512
f8032ec0f3a7a4adf4d253287ece390e3a7dd304ee86b0cb4be97bc202a8a492d02fea9db9734776f14b1af39a7303a86b5da951a0773311d44156581b3399ba

Download Submit
C:\Windows\SysWOW64\Memapppg.exe

Filesize
93KB

MD5
fde372a5ca38a8696f32229e2899c341

SHA1
dfb306239dd8adbfecfb48d7e7b9c6794bcdc1be

SHA256
197a5598bfae51717ffab49dac292dd489eabea9fda9a38d4dbe69eedc2e4de8

SHA512
ff03084e84ae40df8808cc0d2cc5109b4f0a73d326a18a6cfd71414cb1c23d4e3f2bc4148927fec52d8a8402f0283a720f7f89cccbe11af6b7121d980bf05f67

Download Submit
C:\Windows\SysWOW64\Mgddka32.exe

Filesize
93KB

MD5
643abf724a3fe15cac4ea396b3878972

SHA1
1fd3fa74a8840a06c587cfb469f416a603a5d81d

SHA256
f16adc59c4f5f8a5a384418f1841170905c95f47df61b9de92df547005d43c70

SHA512
72e59c2473a5eb94ec3f1e701ec84e7fcb884cea76cc44f4d38c9afbb2cf508be9800e4bfe8a0da1655e156e1e0803595551d46843b87b7a8fecd4fbf026f644

Download Submit
C:\Windows\SysWOW64\Mgokpbeh.exe

Filesize
93KB

MD5
dbdb0b8753f291515cf88467635ba249

SHA1
996160346edf8c71646fc59adb1217948880ac99

SHA256
8ab08f5b032a1d1a3a80758460fc462dfb6e3321f3caa2b47767389681abbbd0

SHA512
a514bf41db2396cafc15e9f612b9b24e17cd1bc3451c2d98b205c79d796f27e07a54c19e5c926dea471844940c20ba53155f33b7151e3c2d43bae7350fc608ca

Download Submit
C:\Windows\SysWOW64\Mljfbiea.exe

Filesize
93KB

MD5
89f68c0a8a935818d0e86ea924283cb9

SHA1
bd9814467c4454d0707c2cbe10aeb0e5e0b1e2e8

SHA256
5834fa6b93fd80df5a396f58a77c86d0efdbf3005075fb9d4fa6736035430ade

SHA512
394f03d26f8eee987c41c063fc41c6da7346e0b691bd30210191bdae67c8e84005e8e0f75ac6e75e52dbd9fdd3a0dc5c3449e2c0ca42d9316657dd1fe39efae9

Download Submit
C:\Windows\SysWOW64\Mllchico.exe

Filesize
93KB

MD5
f740f1ac645b1344a531e8a918c2b33b

SHA1
c8f4c442c49b817e98ffcd53548ebb55cea0e0e3

SHA256
3453c7f2288f4d7dd309adf48b04b00e5dbdbaad622a0c9c8941583702ab4835

SHA512
59d159ac3b3ca507569aba3b49ea5684f0cde3f79acbfd1ad7b22b5e1bc4824fab5d35b84d14e3c4bbf58f629323654b6ea6c7781aff595d176e777c63e6e92b

Download Submit
C:\Windows\SysWOW64\Mlqlch32.exe

Filesize
93KB

MD5
584b6cbb0920e711cc3aa2a4fdcd70d2

SHA1
4939e1afa1453eb43cb7dd474efeba5ce9e3c997

SHA256
5be2a5cbde118cc3434fdd7178165574add50a1d1275701666d8c49fc6a6ca66

SHA512
97485ec6f9e01b81851f01c3556fa439a93c04235e0c341e821015951bc20da60b3c79661baa89be59586da0678e8eed6f8d3c1af8511a8191982f0700f77e06

Download Submit
C:\Windows\SysWOW64\Mmkpbl32.exe

Filesize
93KB

MD5
645fe74230a365406c1253284d0012ec

SHA1
c462228639e9357a50c16eb988d9c5bc3b14c30a

SHA256
a7bd13109563d2ce2f2354e6e2003d1db3f2dd8ffc20e49edd4e14b2ffda2635

SHA512
704ce61d0ff8bac5124f289e95d74a6a6d355c42aeab6a9127db05a2973960d7d18a741dd045eb39ed0b0c6cb6030e368aa2878f42997f7bac24d4c866207b7d

Download Submit
C:\Windows\SysWOW64\Mpcenhpn.exe

Filesize
93KB

MD5
0916aa5037b293f2c5a18690c5c380a4

SHA1
a227a06f3d7823adb23d662239713a0f6029e963

SHA256
00d6f16208f2cea16b93eef0577d06f35c2dbf084f35957c1748bc2a3aa8df3a

SHA512
ba7bc72f8f9d4ac907ae1970073be5a2d876103402a0d2dba9985e178a89189a8ad9e8e1e7a18eee4131fe5efa0250bf524b37e33eb4543356711a71eb369123

Download Submit
C:\Windows\SysWOW64\Mpjlngje.exe

Filesize
93KB

MD5
2926a9d85957897741ab3a21cd5b6854

SHA1
ff20e5dd708f4e73eb4a2973aeaa12f95d42c437

SHA256
528ad3e1785a7b82c431b6575a6ddbe3971584045a447152ff573573df0551ed

SHA512
4f23225e9084163325e0ab7b1631a57ebad96bb57f74366c73fbff65326e956ac4863cb5e1148a8cb9faabfd6c5d7e1a14a38bb2842599b7345c2ef15e9db391

Download Submit
C:\Windows\SysWOW64\Ndhdde32.exe

Filesize
93KB

MD5
aa3f868ea7a0e273379af0b87047582a

SHA1
e795e41ccdab4930622b4230a218c21dd71bf2f5

SHA256
25e35a1f46f39ce9770ef779095f21173c4280b80521c430536a279b405d65e9

SHA512
d8decba6ae90a50881ca1b7d9bf4bb88df0154f93d1be665083b1ef3d87a53710bcaf731ad44b356406590a843534883be0fb10e2a83be03ccfbd69782fa4d00

Download Submit
C:\Windows\SysWOW64\Ndlnoelf.exe

Filesize
93KB

MD5
9f16bfc501f69fe63b2063bdaa6f0084

SHA1
e1452f6e3cad3c07522281b5a405d25a4e0de714

SHA256
1add5ddf12c2912ebf7e47a8f3cadda5798e52b49a81896e8bbf9f5c82b58361

SHA512
b54a830b5bb2e71c0df41db0184e9f10e0b2312ec5794081e96d64c705931871add600e7833cf00d17ce115a64393597e75ed052968172fec466d63b189bd8be

Download Submit
C:\Windows\SysWOW64\Ndoked32.exe

Filesize
93KB

MD5
66e267c236d88300bbaeb4cb2b6a77ab

SHA1
701195ff2a9b7e60f68575f74a776bd76ccb75cb

SHA256
8a18803e7653a812e740b96e6c0997b59e6a5c47324abacd63fa2fab04c704dc

SHA512
7e74746f8ead5850caac9aa107ae8184d42237e0504a7a4cc933ceaeb95b257e3a30e2adee4fe8d165b987d5446713f1540001a5307a09dbe4b4bef758c61ab5

Download Submit
C:\Windows\SysWOW64\Neknam32.exe

Filesize
93KB

MD5
3992784f6b3a6c43f92ad0105d4b539a

SHA1
b33166cfcf99c603ae7742a2a333240afbeccf28

SHA256
86304ef5973b69efc0b7e16b752c55a2c3f1bf2dd1d0f6c4c08add4ee89fcf04

SHA512
01e11ea59d9daab26944794fab0d080ff5b7f2f4bf2ed070e9a8775db85b762b3f428ceed21adbbc6d7f11d713bab3c193ce80763409a844574b1f861648edd6

Download Submit
C:\Windows\SysWOW64\Nenjgm32.exe

Filesize
93KB

MD5
703ebfcecc92247f25314d1bbd94b8a8

SHA1
71d267ff9df4438e29c890f15deab2ff91cc9194

SHA256
967721d3ebe4c9ae48fccb5e5b25666ba5248153f7395a04a54868b8357c5a98

SHA512
fbec6ef7804738c58a52294006384024db5e9c3f59e5eb128a151b716af9889626f809ab496331e03be3baab0b4eaf40a647b89fbaf2544d24e2929cbfe2b331

Download Submit
C:\Windows\SysWOW64\Ngfqqa32.exe

Filesize
93KB

MD5
17c9edc836a89298df2fe556d91ec131

SHA1
81d9718b05a925cff2f5b8a37d3a34c8a9854448

SHA256
921830a8beb8aad02a42a444dbcb8943229389e175866b4f25615072fdbc1987

SHA512
69fc50854208c546585763d3eb89f65e4e39e0c5d1d6cea13f05d4ec382083e63a520b9b8fb5ca63caa8b7393d551ccb0aef3d2009a5b674320b8318df55a8c2

Download Submit
C:\Windows\SysWOW64\Nidmml32.exe

Filesize
93KB

MD5
a8ba61d3156d2c127720254540cfe452

SHA1
1c4dbfbe36f779b442955520f42a5d4420f29c3a

SHA256
4ea8a1d5b2c24fdace9ef12dc9dc94aeb3d6fb8af1f767a8707d6723056bc977

SHA512
c2d0a3eb18f325400e9f44955750efe173ad1ae0ea655b2bbe6235580d862dea065d9b5e6d9f2e24b6127318baef9f91ff2e1d89e85f5b2a9d6fa038ffcfa076

Download Submit
C:\Windows\SysWOW64\Njgjbllq.exe

Filesize
93KB

MD5
68341a68881c51e9130a1d70307c9861

SHA1
2f6c8e289c04d1792a076ccef6dc6a2005d70cc3

SHA256
ebf88c02629286c5b32fa5aa5be1756aeea5d49e112847f85f393c30a7ad6409

SHA512
2d803ff9dc9deb2c4b134f0337d2e6f30caf48109adaf0c31ece8ca11b770cfe47e2eb4239d28a62d9d58625798bab604d945640a2a737ac414958834e0ede03

Download Submit
C:\Windows\SysWOW64\Npekjeph.exe

Filesize
93KB

MD5
9d4cb29f6430fdfcf88aeb8ed784ff89

SHA1
9d7c4ffd1d70927d951254d0b7fb0976bebed24b

SHA256
bf12ed32e813a3f55a50d0631ac7b9f0e7680443e74cb7e8a1f1b7f0636da28c

SHA512
82f05073a6707bd6d8d27f77c4ea1a4c52539c77946fad8c2cab55e95c50cca31c110c95b135d1de1c227540f37eaaf37c9501ae130be863e7211c83b91e5cbb

Download Submit
C:\Windows\SysWOW64\Odfqecdl.exe

Filesize
93KB

MD5
cf5b4bade5c8ea25b1bf65af4be35faf

SHA1
64a165777b76bc2989047676ce4255fbe1076604

SHA256
30259d7c9953836fd9cc5d9cb8ea68e65c3c90d3f14981d2905e1a05541d9c57

SHA512
1af381a00ca51a2449d83afd2aeccdb1865e4e7479bcda45eb2ef30c1acd6143eb64a236e51614e0ec2c8e30e98cb8c2286cd5ce999c2dda4ef1c20a29c4ed8a

Download Submit
C:\Windows\SysWOW64\Ofijckhg.exe

Filesize
64KB

MD5
baf8c43b9f79ee88df1c8a018a0d7069

SHA1
aadac480afb6f1730fd95bf606d61cb63e0c39f5

SHA256
7e0531f85991a1c82fd891f85d4e46dc8cf217b7fe67199c4fa647e94efbc54f

SHA512
74fe355bdee376e0fb0067cef64ad29ae63bf6a8e0a4e182a0edaf161d0125725a4cbf1c9da13f584f0d4d843976c6788dfa3465926a3049ea73f21857627e0d

Download Submit
C:\Windows\SysWOW64\Ojjooilk.exe

Filesize
93KB

MD5
27405a1e024eb44e0637c3ceec1075bd

SHA1
b5e15c45ddec3f2a9f3f5dfccc9b45d96be05a3e

SHA256
16ad4e9ee4fc2a1c1c87dcae7580390131df64cbc2fbded97600d565e0e15d10

SHA512
5ceebbfdc024e01c33dacb8b610bbb9fd78c0fb7f9b09492028f35da2b24c4ae0d03dc888758bd7bb009797acc36eeda3e167fb493f041334ccfdc9d1e066e0b

Download Submit
C:\Windows\SysWOW64\Oncoihfg.exe

Filesize
93KB

MD5
7bc65185e869ffa9c8cdcc7e64df35ee

SHA1
c7409e987fb45e1e789acfaa38cc0daead637bfd

SHA256
c12d19f45292f39f4abf568f96f6ffa720eb3d47b3e9641b215291d98df3fa9b

SHA512
5e40968d657965c7042f805044c009b39b71eeefdd3e7b20964eef5b06e2b7531e2d914db329887d8eeb00854231a248b266c96c35db3e0a07a174847ee95834

Download Submit
C:\Windows\SysWOW64\Pckfnn32.exe

Filesize
93KB

MD5
04318c2eb2d31770e46c54f0fb7d694a

SHA1
6c6dfd132b345e234d61555c6a3a8da6a94afba1

SHA256
fc2d03601a55a9e5073ea1c42e95b6e350ff9bedeb818a9a016a333e1782aa8f

SHA512
d54df0562960fea7bf6acc42aeb1d62872a1b12605f5ade4dc740fecc41b943273a8e82030fa0c86b44fcc23e7eb21d4054f5964395504130f382e08463f5a4a

Download Submit
C:\Windows\SysWOW64\Pfqpcj32.exe

Filesize
93KB

MD5
eea23f1c9a309489a196ec5631cbf611

SHA1
a3060bbde4c6bf816284a6a14ee6a7c408e66dda

SHA256
b4d79ffcfa5b8f0bd4729c097d9bc670a9c90c3e54e6b481ff4b0b7170824f09

SHA512
03a942f7b57f22defffdf440ff4630ba0ffccbce12d4792a69d4a68adb8ade018a1560312daf4e9462e3e5eba7231cfe3901f3664b19e82b2cc98580d6b5d01b

Download Submit
C:\Windows\SysWOW64\Pnjejgpo.exe

Filesize
93KB

MD5
e842ed17f1d3515d1a7dc85cef9b27f0

SHA1
55dd04cf7c1a6f9e5e3e8e14c238eee34d39dfbe

SHA256
8cdbae92484743176d987f82397f814357b5bd91437fb740a16744dd5f8a953a

SHA512
69ded038ede0331fa3a4be5e4176a17f89e85b0f16640002f0d2eb6dae4eb36ba8c1991075a0e099a6d5db18e6d13a2f278efc588be69dfa056a5b42268a7efb

Download Submit
C:\Windows\SysWOW64\Qmdkfcaa.exe

Filesize
93KB

MD5
9063ef71afd96eba765c24f1951a890a

SHA1
5bd715c5d5c0d33956d2f76af1d7acaab4b98f8d

SHA256
98d368302aa3679a001d94af2e27efef6a469056e3170795a5915c0366d1aaf3

SHA512
f6f41e52e58a60ce94535c11d90dbde81ccc5096233c3b94283da8138b3c0c59474576b4c5c4ac34876df1e67708dc121128e6cb446f5359779f0119b0228b7b

Download Submit
C:\Windows\SysWOW64\Qmfhlcoo.exe

Filesize
93KB

MD5
1775a131d9a742dddd36a387255c594c

SHA1
b9a00f686c37aed8e6d43c015bf6ddea629cf786

SHA256
5eecbeb47cd89a4bc8edf3acb0cda0df59e4dc6bfed601e7410a055474f83f1f

SHA512
e9c13d162a30259f596467ea37f2e45efe56b580186838ac826319b706e9eeca5f3ced152417c5bfb6e658d5be190aee3a341aa7f4a7f2740cb20f9a99dd94ea

Download Submit
memory/220-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/944-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/984-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3548-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4088-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-942-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5136-939-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5224-936-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5312-933-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5356-932-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads