berbew | 091a148a1a48d81195d6faa9006e7d93d2010a132d7f9c0b211206b23101bb1b

Resubmissions

21-01-2025 13:26

250121-qp1zjsvrc1 10

21-01-2025 12:12

250121-pdfc2aspcs 10

Analysis

max time kernel
96s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

091a148a1a48d81195d6faa9006e7d93d2010a132d7f9c0b211206b23101bb1bN.exe
Size

93KB
MD5

92ded907b2757bb99ce6b916b1339b20
SHA1

58c8a30b35c433ea06e6c5f79bedd83f9903de64
SHA256

091a148a1a48d81195d6faa9006e7d93d2010a132d7f9c0b211206b23101bb1b
SHA512

85ed719a32ef7baf0a8b09e4a42da2624917e1a0dcfd98db3e42aad1fe6f841e79f43072e206aebb30c7b2d04914767f421dfff3c084dd2df4cff09e04bf2428
SSDEEP

1536:D41n8AffidgBxTaq1BIQfbeOjp2wrxxbxxnxxbxxbxx1xx1xx1xx1rxxxxxxxxxt:6idixTamBRbzxxbxxnxxbxxbxx1xx1xt

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpbmco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	091a148a1a48d81195d6faa9006e7d93d2010a132d7f9c0b211206b23101bb1bN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfmepi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jblpek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
2888	Jblpek32.exe
3104	Jmbdbd32.exe
1256	Jpppnp32.exe
3636	Kfjhkjle.exe
4480	Kmdqgd32.exe
3784	Kpbmco32.exe
3624	Kfmepi32.exe
1928	Klimip32.exe
2268	Kdqejn32.exe
4960	Kmijbcpl.exe
3880	Kdcbom32.exe
3588	Kfankifm.exe
4560	Klngdpdd.exe
3556	Kefkme32.exe
3180	Kplpjn32.exe
3096	Lffhfh32.exe
2436	Llcpoo32.exe
4212	Lbmhlihl.exe
1528	Ligqhc32.exe
4020	Lenamdem.exe
2932	Lgmngglp.exe
1096	Lpebpm32.exe
1208	Lebkhc32.exe
4384	Lmiciaaj.exe
3488	Mbfkbhpa.exe
2984	Mipcob32.exe
3192	Mpjlklok.exe
1988	Mgddhf32.exe
1580	Mmnldp32.exe
4592	Mplhql32.exe
3228	Mgfqmfde.exe
2012	Mmpijp32.exe
3148	Mpoefk32.exe
2180	Mgimcebb.exe
4844	Mlefklpj.exe
1556	Mdmnlj32.exe
3776	Menjdbgj.exe
4512	Npcoakfp.exe
4556	Nepgjaeg.exe
1128	Nljofl32.exe
2596	Ngpccdlj.exe
4972	Neeqea32.exe
1084	Npjebj32.exe
1124	Nfgmjqop.exe
5092	Nnneknob.exe
2784	Nckndeni.exe
2064	Olcbmj32.exe
2460	Ogifjcdp.exe
4468	Olfobjbg.exe
1976	Ogkcpbam.exe
3000	Opdghh32.exe
3908	Ofqpqo32.exe
4920	Odapnf32.exe
1500	Ogpmjb32.exe
4656	Onjegled.exe
800	Ocgmpccl.exe
3640	Pnonbk32.exe
3600	Pfjcgn32.exe
4564	Pnakhkol.exe
1688	Pgioqq32.exe
4444	Pdmpje32.exe
1704	Qqfmde32.exe
4544	Qjoankoi.exe
4404	Qffbbldm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Djkahqga.dll	Kfmepi32.exe
File created	C:\Windows\SysWOW64\Ejnjpohk.dll	Kmijbcpl.exe
File created	C:\Windows\SysWOW64\Lffhfh32.exe	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Cmlihfed.dll	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Bchdhnom.dll	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Lpebpm32.exe	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Jblpek32.exe	091a148a1a48d81195d6faa9006e7d93d2010a132d7f9c0b211206b23101bb1bN.exe
File opened for modification	C:\Windows\SysWOW64\Mgddhf32.exe	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Jpppnp32.exe	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Lpebpm32.exe	Lgmngglp.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Menjdbgj.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ffhoqj32.dll	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Mpjlklok.exe	Mipcob32.exe
File opened for modification	C:\Windows\SysWOW64\Mmnldp32.exe	Mgddhf32.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nckndeni.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kefkme32.exe	Klngdpdd.exe
File opened for modification	C:\Windows\SysWOW64\Mipcob32.exe	Mbfkbhpa.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Anmcpemd.dll	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Ecaobgnf.dll	Mipcob32.exe
File opened for modification	C:\Windows\SysWOW64\Mlefklpj.exe	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Bfajji32.dll	Ligqhc32.exe
File created	C:\Windows\SysWOW64\Mgimcebb.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Jgefkimp.dll	Mlefklpj.exe
File opened for modification	C:\Windows\SysWOW64\Lbmhlihl.exe	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Kdcbom32.exe	Kmijbcpl.exe
File created	C:\Windows\SysWOW64\Nepgjaeg.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Namdcd32.dll	Kefkme32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5208	4996	WerFault.exe	188

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdcbom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpppnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpbmco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klngdpdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbdbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdqejn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfankifm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	091a148a1a48d81195d6faa9006e7d93d2010a132d7f9c0b211206b23101bb1bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhqj32.dll"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiccacq.dll"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplmmdoj.dll"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkfpo32.dll"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khchklef.dll"	091a148a1a48d81195d6faa9006e7d93d2010a132d7f9c0b211206b23101bb1bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhjmp32.dll"	Jpppnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpocg32.dll"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djkahqga.dll"	Kfmepi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoohalad.dll"	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mplhql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 2888	4328	091a148a1a48d81195d6faa9006e7d93d2010a132d7f9c0b211206b23101bb1bN.exe	83
PID 4328 wrote to memory of 2888	4328	091a148a1a48d81195d6faa9006e7d93d2010a132d7f9c0b211206b23101bb1bN.exe	83
PID 4328 wrote to memory of 2888	4328	091a148a1a48d81195d6faa9006e7d93d2010a132d7f9c0b211206b23101bb1bN.exe	83
PID 2888 wrote to memory of 3104	2888	Jblpek32.exe	84
PID 2888 wrote to memory of 3104	2888	Jblpek32.exe	84
PID 2888 wrote to memory of 3104	2888	Jblpek32.exe	84
PID 3104 wrote to memory of 1256	3104	Jmbdbd32.exe	85
PID 3104 wrote to memory of 1256	3104	Jmbdbd32.exe	85
PID 3104 wrote to memory of 1256	3104	Jmbdbd32.exe	85
PID 1256 wrote to memory of 3636	1256	Jpppnp32.exe	86
PID 1256 wrote to memory of 3636	1256	Jpppnp32.exe	86
PID 1256 wrote to memory of 3636	1256	Jpppnp32.exe	86
PID 3636 wrote to memory of 4480	3636	Kfjhkjle.exe	87
PID 3636 wrote to memory of 4480	3636	Kfjhkjle.exe	87
PID 3636 wrote to memory of 4480	3636	Kfjhkjle.exe	87
PID 4480 wrote to memory of 3784	4480	Kmdqgd32.exe	88
PID 4480 wrote to memory of 3784	4480	Kmdqgd32.exe	88
PID 4480 wrote to memory of 3784	4480	Kmdqgd32.exe	88
PID 3784 wrote to memory of 3624	3784	Kpbmco32.exe	89
PID 3784 wrote to memory of 3624	3784	Kpbmco32.exe	89
PID 3784 wrote to memory of 3624	3784	Kpbmco32.exe	89
PID 3624 wrote to memory of 1928	3624	Kfmepi32.exe	90
PID 3624 wrote to memory of 1928	3624	Kfmepi32.exe	90
PID 3624 wrote to memory of 1928	3624	Kfmepi32.exe	90
PID 1928 wrote to memory of 2268	1928	Klimip32.exe	91
PID 1928 wrote to memory of 2268	1928	Klimip32.exe	91
PID 1928 wrote to memory of 2268	1928	Klimip32.exe	91
PID 2268 wrote to memory of 4960	2268	Kdqejn32.exe	92
PID 2268 wrote to memory of 4960	2268	Kdqejn32.exe	92
PID 2268 wrote to memory of 4960	2268	Kdqejn32.exe	92
PID 4960 wrote to memory of 3880	4960	Kmijbcpl.exe	93
PID 4960 wrote to memory of 3880	4960	Kmijbcpl.exe	93
PID 4960 wrote to memory of 3880	4960	Kmijbcpl.exe	93
PID 3880 wrote to memory of 3588	3880	Kdcbom32.exe	94
PID 3880 wrote to memory of 3588	3880	Kdcbom32.exe	94
PID 3880 wrote to memory of 3588	3880	Kdcbom32.exe	94
PID 3588 wrote to memory of 4560	3588	Kfankifm.exe	95
PID 3588 wrote to memory of 4560	3588	Kfankifm.exe	95
PID 3588 wrote to memory of 4560	3588	Kfankifm.exe	95
PID 4560 wrote to memory of 3556	4560	Klngdpdd.exe	96
PID 4560 wrote to memory of 3556	4560	Klngdpdd.exe	96
PID 4560 wrote to memory of 3556	4560	Klngdpdd.exe	96
PID 3556 wrote to memory of 3180	3556	Kefkme32.exe	97
PID 3556 wrote to memory of 3180	3556	Kefkme32.exe	97
PID 3556 wrote to memory of 3180	3556	Kefkme32.exe	97
PID 3180 wrote to memory of 3096	3180	Kplpjn32.exe	98
PID 3180 wrote to memory of 3096	3180	Kplpjn32.exe	98
PID 3180 wrote to memory of 3096	3180	Kplpjn32.exe	98
PID 3096 wrote to memory of 2436	3096	Lffhfh32.exe	99
PID 3096 wrote to memory of 2436	3096	Lffhfh32.exe	99
PID 3096 wrote to memory of 2436	3096	Lffhfh32.exe	99
PID 2436 wrote to memory of 4212	2436	Llcpoo32.exe	100
PID 2436 wrote to memory of 4212	2436	Llcpoo32.exe	100
PID 2436 wrote to memory of 4212	2436	Llcpoo32.exe	100
PID 4212 wrote to memory of 1528	4212	Lbmhlihl.exe	101
PID 4212 wrote to memory of 1528	4212	Lbmhlihl.exe	101
PID 4212 wrote to memory of 1528	4212	Lbmhlihl.exe	101
PID 1528 wrote to memory of 4020	1528	Ligqhc32.exe	102
PID 1528 wrote to memory of 4020	1528	Ligqhc32.exe	102
PID 1528 wrote to memory of 4020	1528	Ligqhc32.exe	102
PID 4020 wrote to memory of 2932	4020	Lenamdem.exe	103
PID 4020 wrote to memory of 2932	4020	Lenamdem.exe	103
PID 4020 wrote to memory of 2932	4020	Lenamdem.exe	103
PID 2932 wrote to memory of 1096	2932	Lgmngglp.exe	104

C:\Users\Admin\AppData\Local\Temp\091a148a1a48d81195d6faa9006e7d93d2010a132d7f9c0b211206b23101bb1bN.exe
"C:\Users\Admin\AppData\Local\Temp\091a148a1a48d81195d6faa9006e7d93d2010a132d7f9c0b211206b23101bb1bN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Windows\SysWOW64\Jblpek32.exe
  C:\Windows\system32\Jblpek32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\Jmbdbd32.exe
    C:\Windows\system32\Jmbdbd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Windows\SysWOW64\Jpppnp32.exe
      C:\Windows\system32\Jpppnp32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1256
    - - C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3636
      - C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1096
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        30⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1124
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        51⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3640
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        63⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3196
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2740
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        79⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        90⤵
        Drops file in System32 directory
        
        PID:336
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        92⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        102⤵
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        106⤵
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 404
        108⤵
        Program crash
        
        PID:5208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4996 -ip 4996
1⤵
PID:5148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqimo32.exe

Filesize
93KB

MD5
860be5b02d460cebf58eed1b8ef6e26a

SHA1
fede2b7a5bd86df468b5fbbec860b27bd36da8ee

SHA256
466a940d6379875c21815055ca6080a5eea2625f6c6e89c0d4420f9329b39457

SHA512
1cc98abb89390854a339bd55b89af37a8849852a74dfd8e0b3a4ef7d02a4f141ac1531e8bbb0e6e815cff89b9359b9f1c754a665b07c1f80f40da4ae7519f5a0

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
93KB

MD5
3f261beead0770db0bab0347bbfc4243

SHA1
7cec2da1a32b5dbdbb4d004f03988b70ed477cf4

SHA256
aa93e63b221a6b1c8c686a6aa874a696d98189ae6ebc70a760e9bcafcc2ef495

SHA512
d1b9fdf7c968b58162df6d8f419a0b97b9f3b1fa864a12aee6f4e254e04dceaa97d517ea3e125a0f90daf08d5d6daa278b58abd350b6a750bccf67c889f52786

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
93KB

MD5
11a1dc324a1a5aa983c78a38bb74952c

SHA1
497c1c0b37902f4b7680a0d88da25c69802b0c1a

SHA256
0fdee30d035ba73aa5680402225c90c957e3527fbe572619c82819d489aae41b

SHA512
ec1d3efe156c3d7215975dd220521576f5966738cf7e973f45bc6eade789c728296f4b099db5ed5bd965f82536b485d06132693eb347f9463d7db0fcd096fe5d

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
64KB

MD5
8afba2b384532656c17d751019700214

SHA1
f10390f19198793dde8c0c1d3eda9cd6481e46e6

SHA256
7cfc464d9249e4f63b3d20109037eeb692810f50c20eb3251a28f305b9015eee

SHA512
7900f68ccdefa45d7216f9f3cff7b6cc8f7b19f1cf82d0b997c4a02a70e9f5b0c83e8a2bd377ddd32db91ab7d48e77c43f67a4a9ab860ad7ec2f767c8f24d4c2

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
93KB

MD5
7453be4ab40af86f3ade228466c32362

SHA1
3c888833d664c2428ec72a743a0ac12dc8c65906

SHA256
836329fdabefe64a7abc683a549e33c64af706e3c10b721c96881827faba7ce9

SHA512
b388dbe58d98d9e4e105c1ff10642329b7a24b191800057de93a0bd518ee1bbc74d9a6471666da685c061f215da94df2129aa360d4c53e5df01c113dcfe220e8

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
93KB

MD5
fb57347c1fd173bbec3873476eefaa25

SHA1
b25dfcc5373f121a24786f95c1d04eb397244f90

SHA256
4060559d620b277d029394d26518fad99e5f36f5f70b114f78740627c3a23b32

SHA512
be5ce7f5ed8cd634535fcc535fc7f75ed291de1e2e16a222b4f6951c32698fe7ea84c9e8c590c3c5186ba02410774264598a76fbd251adde257987b78e474199

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
93KB

MD5
c9ca4de8af45bbdc75488e5f373791d2

SHA1
793b6f7aa7ec9656db23d34855f476505fe3e93f

SHA256
e66c341d3f2f93aae338867fbcdc46aec98b8ea42e56e50e7da3147b3be2143d

SHA512
0254a16a8ad1101bd8292dc0c62adf437d0eac3a92f40a50e7cd82560cd45cba7de8b0a61580404b71963bb12d292bcb4f3bb0e1d71de8c6f477b869b6989dce

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
93KB

MD5
d8c85ea8276f1a65df48dd8c36920751

SHA1
6efc53f17e532ea42df735cb5f5bda9b8d8b3467

SHA256
80629ddb4031a5325380e7c771f3ccf49b221d496604f716a5865f8a678e4ed6

SHA512
d433ec2d353e7758cf04c16601ac58c1fd78e019bd126d5f19a837783d2f0886e6d2ff3b6bf1e35d057886d36f60996d3137297d267619ac4be428dce282b3e8

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
93KB

MD5
f4a86ed67b867473b7b298ed14ba7c95

SHA1
b6b2c23e4e9842447577529302b002d4bfcdf72d

SHA256
a8fefb0875fe1130fe270ecd9340e956ec44347dcb8ff255400a3d5737b37c32

SHA512
551855dd6af2bcd812a3173d11528c73eb66dbbd82b80961b6c55de5a405f6df7fede4b362d0ae5a10c094eccf71d10af141df62ee74923ff8bc46b876d40caa

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
93KB

MD5
f632d2c48de490e6eef00b61f8034f76

SHA1
51a3c51882f2a2e15af8753a1d79295d2eafab68

SHA256
a9dcaead0be0252bf9b2e177a242bf2893953f08b6e222a5bcb943acfdb7b9ee

SHA512
f92d2e1771163d481f41f49d2457ab516c030454beadcf3775d4aae05d2a16c1fdbbafc7141d80d921c6708300acba13747be376848a4b01addec217033ed8fb

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
93KB

MD5
65a5d8123ddfe109bba56d35da9687bc

SHA1
7959c5291ec7facff684186829f9d9c489046efa

SHA256
0aff4e98f35f540cf81623f350dbf4b5e2da77ac4212494ef473d81c07331b97

SHA512
4b6610eb94d971c813a48aba233df3a24ea57ddc2484e41609404187906c91990a2e91630d911e61f6be4045abd6a5cacdbd01765ef9264e9e673dc9b99b2347

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
93KB

MD5
b658a082a19694d8d92660171f4c3bac

SHA1
ece4fae0740901a8461ce2ffeca7aa96501da575

SHA256
761f94f626228bf395676f727e6679b5b39200322c238a34928304137819d0cd

SHA512
c8f16b4f6f7a843eab31a324578d1eb6d3b738381140002702e2254a89ebf32f0fb1eb6176efd84927af23285139768e7ada9c219102bab4ad0354b1fc16f3e6

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
93KB

MD5
90bbaaaca6287319baacce639283cd3b

SHA1
ae93435a132e305faa79392c223139b9b28ea171

SHA256
41e19a0f8f80ca6f53b98f79f025c03694f77f3f93868442c9a427e0233aa81c

SHA512
2f86dbe5450b0d5333dd290c2aafa8281d83250fe685b588516742b555bda567d1264353d4b186fb4a2dd0dad39d74bd119442180e1dfd95414c2257cbeda1e8

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
93KB

MD5
a20106b5daa00751374d0e7face6953b

SHA1
d9197fbf421c31d625033b91b941c9e021aa705b

SHA256
67ca524fe42244db2f329d10e0418fe5e864a4e9116d951eb1be1590377e70ce

SHA512
1aa12b34d6ad6c1fa2af6c58c1a6d075de4e4b3624c18067fc484732158b09e8f61c82ab4b6031e93c6ee6c15d6c4f961ce8a941edfadc872ac2ae3b70527d1d

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
93KB

MD5
61903ddafa44ea0cc85fd04992f46a1b

SHA1
cfd57502a9cc5e865d1dc184b606cf8e47f8e645

SHA256
65c891edd4121a129c27cfac35186ff0544c807c7af61fb819a0e1b3a4f3ba27

SHA512
5929f88720f815892b0cb8c6d3de6ce2a1e49085fda5d5f7137c5a633441bb6fd0949e64fdf3f4183c30272a720a4145700459c3518175308050ffb923f292aa

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
93KB

MD5
a55db35fb85f28abf5f66deca7aef5fe

SHA1
f5dbefe1e62585e6690bc04088b70bdf59bf0dbb

SHA256
5b777426a6fe538fca76ae00e1ba8c0375a52065d658a04381ca43567aa16d71

SHA512
09825c1a7e4680121a44a1b254b57153724c738dba45cd1ddd93a3155b1da6605cf7e2e0c2acee83e5606383bee81bf5066b48e10939676bc550b2e375e556a0

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
93KB

MD5
345ece70185b88a7ed47405d54f6d644

SHA1
5d821a8514a748b0767c446198b4197e204ea1cc

SHA256
33a012cdeaf6406ee5b112e06a350fec8e333de2d0e047fa78354898eb0bc1ba

SHA512
977bfa412a6df6346825c94c27db1626a9a28032abf3ee7981e794abe2c3a9015984cef52a0003e984244b37e00768c6ce12b93a311fe02aa9238e648b31b687

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
93KB

MD5
427e84f4047f3180d8d0d6e3e583c8a7

SHA1
37a238a83d9075d7089b25fbc799e26e7190aa1d

SHA256
6ea598374281f6518769380ac103f37b6f1373e3b60f88efea8dfd8283266351

SHA512
3710ec6f71dad82ca84b2655fdbac5cdc389d699ed7b0c8c53be560823dc316775d6207871093b390adcabddde57e60d7c421d5b62fa909e50a594ff468781a2

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
93KB

MD5
f5942270766981b41ddd89f56e0cee7c

SHA1
9f87f5cf8aaa93be4c98ef3c55d23f7d8dfa2430

SHA256
01579af535c3e5f4c530c3f6a9d8fe562d2458d184f0a7c88a6ae31521a6a36d

SHA512
3345269e79e7014ee2f5a8cbe662f9ba6153a21fb980520107bcea331db4b7e4699fa2f45e5737680eb2e129c824f30ae4c4a7cc3531c35af08d2641d32610e2

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
93KB

MD5
881b0db70feaa6ff10c43c041276e814

SHA1
4eb8c354c8243f5f125249132deace1c8e2896a3

SHA256
a0110818448cf4d6e5d73a683cc5172d14fcfc85161048363f78c843859dc025

SHA512
7b9b3a8ffb0ac861c0bf030f82a0cefabd509ee6dc1e2600aa876e05b245bff9943da5826b8f86662643598b01eb30af129ff51f362c48267cb09294fc3af3b9

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
93KB

MD5
e7278c5f385145dd1c04f83e9aad9239

SHA1
495cd2bad4a8ab513cf8c30ef3cfc329f6a13bb5

SHA256
be1796911bf113cc3ccaa96bbed0f108bf6881904d9751eadbeb787da5c1bf7a

SHA512
5b4fa7a15c497ddd4b6b1193205c4b8c9a3d201b7597f3e9dfa41dd7867c864311001408de0fb1f0f7c18af8ce5b6115b8c54e58c13b1a780e754f4778b27eb4

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
93KB

MD5
68b607adfe5bc669999262ecea4bc9cb

SHA1
882f8a3aeeb2f18ee3f381bf3df0600bc4ecd587

SHA256
2e85942b759f89a798123dd3027d7f2ed9b752cf7688cb481c86ac5f23eae6d2

SHA512
cc477595d6a12ae61d8bb44dedafef69aa6e8a295e3dfcc2f5d3848598174f044b3af846c85a54e3df2391513f35066e5e1cc60c57317c7096ff9ff7a81b2cf2

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
93KB

MD5
f5dcc0dfcda4adcca188b23eb5742b0d

SHA1
12eb6138ee51a5d5cb0f3964ceedbd19b5a90b62

SHA256
6246509df28e6ca5d10d7b28dc4cb988c364470b933fe7b7104b68dbdb883094

SHA512
75aec2b776a1ae15ee3cfc78d86e5fd1d702ad55e8af0dd6485349daaf9ad172237f36f0a7bc8ef608ec6b6adbf89e6867dc2ec4c82bc29aeccf7d31d07212f2

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
93KB

MD5
163aa40a216702f262d2c057a639c3fd

SHA1
ca303b6b0202f1104a13fe7432df09e3114f5931

SHA256
b92ff154541844d9be4f8cd6e821258a3ac02b9bc7e0a35be9f0cc3b7f775bca

SHA512
77caec40694bb4eec34cef02a9fea0c2b4dba38ad6b8fc85bf29c0183cdd40548e5c64bce24c2bfc9eecc736836cc663d2fd8b490810e35d807be4935022b8a1

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
93KB

MD5
a7579f62ee3e9b885b6dd0059344a703

SHA1
8eeb98bfaebc306630b8f11d71a82de2f801571c

SHA256
6f67c722dd4ef0710f0e0eff8f8cf965053151a0d5736b9302906e3113f2b667

SHA512
6d874a3ada3b0f094a1cd7673909208703789fad049ad733137cc9c9df1e7980e807be1e7dbb0e5f9323c5f03f3be6934f77a1af5e47523d1e13832c1cdca548

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
93KB

MD5
de0f1e6204404d5521891231f3b1052b

SHA1
534c4bd3819b4628465812fa7e12739d576dd46a

SHA256
ea5a9e27f26cc45b094a916c0553b5ce5eb5dbfef30b37290f0f9af6e8de5409

SHA512
accd920ef2e162517e6883340b2bfd4b87371c653f48361a062955cd820bb3c6ef3e176dad0698744d895f0559334e272acc318bee2701e2cdfaecf6ac9c3fb8

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
93KB

MD5
f85d355b6492badb52fe4248d40926fa

SHA1
2bdda711707b20dbc44c51b84bc711af57ed8aed

SHA256
4b990d350ed05bcc1ddea4ae6ec1a577bcac3c5c7fe85ef00fdf224dcb4cbe31

SHA512
8b280ee36f72d07aa035031055d8cb4abed32e1fb90ba8fff22ef8652fe96f816e0056a5142ba73e9793cc422a23dec5e6f4c006fdb250ded2a33a43cbac6962

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
93KB

MD5
1b5942cdded37a595ff1d6f40b0242a8

SHA1
86994f8a9813d806e46ba758b298b949fe6fb3a4

SHA256
75a8f84191c33efdc3cafcbd0e74a5740daa7524190a56ff61be873f9ab7fb1d

SHA512
cd01e2bf4aff35d5acdfad76bcea8cd4c84c6d765af78da6dd83b34ecbbdd8f96a4ef4caef375ee2ed02fcd018c439a826fc8cd84049dc915ef711837c524cf1

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
93KB

MD5
5bdbad858bf50e6929c0a5a955ff79d2

SHA1
689482887eb9733e530e3c9841db84ed5723faed

SHA256
ff0b857aba34d62f818ae3ce553b7ea6e3f77226af643096cfa08c485287350f

SHA512
bc7eb7d6e4e95fb01eb7e3f49d89bbc97285196289f36778e263f3aec69b9bdf380efcc0e7f2f0797c94b00ab163675302198d00d8dd819326bf898872aa7243

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
93KB

MD5
421878c1b14532252f0de6e0b8a8e9db

SHA1
42201e3018e7faea0d463348fc2be19dabb89a3c

SHA256
74b794f07f0a374dd39eeacd2d1b0523aa1bf39fa56131745383ca9ab3523932

SHA512
bdd5dab7c57c8ae6673156764d2727ee8b2dfb63bef549ba4cf31f288f45db46676218d8d93f9912386541fb2b5816076efeff8614b0865a63158ac6d1ea120b

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
93KB

MD5
dab4e70bc681264cdbfb751f38562940

SHA1
88c1b9832a6f8d531afb554c0f4ecf614525f02c

SHA256
fd10ba2bfd94f69b6d7e6d0c29ac9fa5fd1af0b286f44966b0d0f3979eafbdae

SHA512
10319bfe3fc303f6e50e688af40ba0a3fca62349683cccfc123bf94c5551f6b82c78883f113a446911cbb2677e4a83762f9c2fe265cd4925917108c8875487c9

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
93KB

MD5
411a06bed11dd611b8f0aec6f4f68b0c

SHA1
b94e7e44db56c58568579826613c498c46964cd8

SHA256
070d25ac30a90b28a8505e518ad5a8f92b739639f7b73bcbc1f353fd220f97e4

SHA512
555cacfb46eec38b40fbf30a537187cde117983094312ac205de211bd79f0db4959267f4dde4b0f08c8fdbd1174b39a59104ebb69ac4118fb0551e443d2fe25e

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
93KB

MD5
ae1ec2a13339aff57aec3ae45159baa6

SHA1
e9e7b04027a376a2544dec0629316da4acaa146d

SHA256
8bb9290e4eda522e9f5ceeb4b0aa0185a1cfb30aa857b5462475bad47cdd732f

SHA512
18376947acaf449d334ae901951dd17b4b10d265942bd95314ac5d5d9bde08a5297abe4f47981fc9996ceaa5a0a49bf465c2020e672e0669c03cc24c160109c6

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
93KB

MD5
46701e8759d579ac5454c0936c35b3b3

SHA1
66789a58000d4259b383356cf214c52034e8d352

SHA256
49b43676fcf8a813b03a167d1c4c58869f09b1984d9d0b3cee4053e2db92189a

SHA512
8aa76253dcff51e7948b2642d8799536b6705308b7914313cc36eb0a4fb8e701a3d488a537bac3cb5549dc17017b65ddfdb8c38dc2d86729e9ab22b5e5a93855

Download Submit
C:\Windows\SysWOW64\Mgddhf32.exe

Filesize
93KB

MD5
c2289482c1682d3b132cb9dada0f6d53

SHA1
2b485b5d9de24d86245c39cc2fa3a195b82271cb

SHA256
50956f39773521db1c899e3040b0a01b10588228311e1a36a8c9ff543aa7c0d5

SHA512
af013967d44623d4d494d08fb4b5283a125cb9ae88f082b98ae67d8f59ecf59fce1f7b75ff3fc86186503c4166cb759f6b94fa40fcac7c2c709f94469496bfb3

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
93KB

MD5
6960a9534dafa80aa449f493665004e8

SHA1
2c3325c94dbfb2b0d20d9e40fbe329d1b58ee9a7

SHA256
29cf11874befb2fd2d81e8801eb04327ba4d2a617bc0f30cef69179255d634e4

SHA512
c97d66306efb7b174782e79bd12a416bfa3605708be8b5d6007bfa8eabd123acc4cfa738685c1b57abe41c62c145a98c4c33b9053196c74984e90fcd8c6550d7

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
93KB

MD5
e4886b95dc38c4b76e306f5898a369b2

SHA1
69888a653036caadfc62b3d19ce7d54fcf439b4f

SHA256
e0319fa54f3810d6d3972cf31f251a7ddb10a8d53c467c9d3d53bcbd0c151be0

SHA512
7d913d27fc4b564f093d4140cd5d2051fcd9a4b4ae34e86cf7d85facfd5f2b13f5f51217ffc695a23fb6270a7eb9cd71f72db196950d9aab7bfffcb8905c955f

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
93KB

MD5
5dc0f6eaa24057b6b2fbf9fcb198b8bb

SHA1
904101b8f96adb22d64c0601b46f1c1f20b61340

SHA256
bb5194106f7be5788cad9c1e35bb0b91defdaeec8eaa04cb09a15912f49ce52e

SHA512
17682e790c3f4e143ea8cc3ab467c3a9791b33a8bee54971a72a7147e194f5e055a5c271f82d06dc647783f60315e47f1d044c21c42b4d7cf09e1bb22251b60a

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
93KB

MD5
40674dd20dbc8c0fd5e87461bce8a47e

SHA1
125822727486ce03dea06d34f70c64131298ae40

SHA256
7bd9520c4300086050f1f7d49f41c912bd5343b126f11c890ff1b965737fb4e4

SHA512
0d2077d6695e52c01d7e5ea3d2ed83537df52ea7dad2151a01c2f5fdf060c3934e03f432e519719a7e77ed9e029cff7af9367a89e596d89deee0fe5b4e970e91

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
93KB

MD5
1ac3fc4d6c019c4aa26713fc69a1821a

SHA1
ad3390afedead71e9ae7825fc920c0d1b5f5dfe9

SHA256
a76e399e68064ed919e6272ca67c066f6ce784fc3b4b0ef3b4912b98a235239a

SHA512
20a44ee167a2e46e70c8dadfd0c4047e66ce55e4413d252d7c89d83809d9e0f7544f65c76edc8730fde8cfd4a99167a040337b810da243ca9af3ffa9f4980a95

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
93KB

MD5
21f20ba672e66e0d3953dece7b91b0ac

SHA1
0e49e42d5e96616f7d86e4f14c03782cb7ba2c98

SHA256
acc46a7fa9616f8ce47615dd58810bfedcf3597b5277f5607ea23e0e5043d2eb

SHA512
7abba24daca0f435020eb7ed73eeb433d5ee155571c77d0aefed955ef9712fbfe49ceeec26e7881b63f6e5f966bafef40d1c2ebfb7dfbb689bbdf35389c51083

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
93KB

MD5
50cac991753d7e61a9c7115836881a1d

SHA1
47721ee96378e3c4873876919604853f49ca2644

SHA256
4065735b99b468b0d0e06cf17b4abc8f9a27e960c9834d43bc2436459a005680

SHA512
3bc930919a8b89bd126cf869274cbf7f4c365cbcf8edcdb353be7a41f7d1d2ac071ae0117e3f7ee96307a8db36a133ee28736abbfc465745e719b73c75592d2a

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
93KB

MD5
4a4fc36b907633e9fe1df4febfe99acb

SHA1
c9afdb48d0fa80093865594fe423e758ce78c77f

SHA256
949b47ce5bb2c7ccd29b21e7925517ef42795a6ae461ef85d2ce3b84f1d19eea

SHA512
0cc1424d6626a4c924d15809a2ab2326ee0545a903735a1d159e87c2eb12ae8a1a7042df9ccdab6d0ce61e718ce66123c39c04c541432305f9fc4bca5ea557fa

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
93KB

MD5
bca83958650f56699cd36ac333746319

SHA1
a7ef60980048b58c078909146a65f2b0e6d055ed

SHA256
9e69f84d96264dbf5491d6b948852cef3963c2ae24f1f50b43e3c3e1072dea3f

SHA512
640e7193fa6c56eb3935446fb516df6b096a243fe079013b00e78c359ab82299556cd1fcb0684afb63d0b99ff991b87842594bd06bf409c4ac642fc0dd748818

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
93KB

MD5
37a8034857f83a9e9438205f2c021df0

SHA1
6c3b2325998328d63c75e518240ecc0c5c99de86

SHA256
b2da4f37e4f1c94de6fcf7b7d76b0af25352db2b991ec7dbf2d039ec11db3d38

SHA512
b3b45602c7107495747a11ec9a9f42400afc9eaf6d0aa10dc7145828a1397bf7801a85f4505e1b24a0b5d962b072a5d5ee73a4227465819cd01df1e8a6f361c9

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
64KB

MD5
49cb2ea64813102524deecc5f37c1c81

SHA1
197b771598230f316b9f00571875d65de124cac6

SHA256
12b3e14fbcfea875360c12347de2ae540346ee209c8923b6ba6b05d1ed2d2158

SHA512
85da25063e34c382b753053f7ea2ec7657626e91bc1f697acbbca10726dcbac478e28f52d8e11e3c58ad23e56d70f23958096c6af53f4a83cd66912326108d86

Download Submit
memory/528-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/800-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-735-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-789-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-799-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-756-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-792-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-786-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4328-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-785-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-804-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads