berbew | 01e4fe342a0c713fd85e54033dc7cc5fac20641223544494a5b2ee7ca22aa5f1

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01e4fe342a0c713fd85e54033dc7cc5fac20641223544494a5b2ee7ca22aa5f1.exe
Size

194KB
MD5

a938b7e0b3944f81f094d99d469e020b
SHA1

dc12dc4ec278a08f669b9ff2d67819903ed65537
SHA256

01e4fe342a0c713fd85e54033dc7cc5fac20641223544494a5b2ee7ca22aa5f1
SHA512

014f0c76552aa5b916f7f09d7799d80d94c144455a2ea8424bd4f62bc587a0d75a56d87715221584f0317c87cc66db4dd061e8e273da23d2f43f59548822e6b7
SSDEEP

3072:5l8Y/g6lfjIH0qFBFH1mMIM/kEmMIGumMIc/1GV:66lfE715/pbuh/UV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lchclmla.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkfdfo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ninjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbilhkig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkobgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mljnaocd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnkfcjqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbdfni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjneoeeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khglkqfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lffohikd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loocanbe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lighjd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	01e4fe342a0c713fd85e54033dc7cc5fac20641223544494a5b2ee7ca22aa5f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdoci32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfpmifoa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndmeecmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oheppe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhfhaoec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noplmlok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noplmlok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mljnaocd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlmjgnaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjddnjdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmhfpkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npffaq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjneoeeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfgcieii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkhalo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npffaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onlooh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jljeeqfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koogbk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojjfo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odanqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oegdcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfgcieii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaqeogll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oacbdg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiljcj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ophoecoa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdoci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcika32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndmeecmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqjfpbmm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oophlpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpcdqpqj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpjmn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcfbfaao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbdbml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngkaaolf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	01e4fe342a0c713fd85e54033dc7cc5fac20641223544494a5b2ee7ca22aa5f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kqemeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kninog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klonqpbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpjmn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omjbihpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfpmifoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmilmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnkfcjqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ophoecoa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oeegnj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oheppe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkfdfo32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
1156	Jkdoci32.exe
2824	Jgkphj32.exe
2872	Jpcdqpqj.exe
2916	Jfpmifoa.exe
2880	Jljeeqfn.exe
2768	Jjneoeeh.exe
2000	Jkobgm32.exe
2812	Kdgfpbaf.exe
1912	Klonqpbi.exe
1600	Kfgcieii.exe
3060	Koogbk32.exe
1072	Khglkqfj.exe
2096	Knddcg32.exe
576	Kgmilmkb.exe
2180	Kqemeb32.exe
2192	Kninog32.exe
600	Lojjfo32.exe
1092	Lqjfpbmm.exe
1056	Lchclmla.exe
2320	Lffohikd.exe
1704	Loocanbe.exe
1512	Lighjd32.exe
968	Lkfdfo32.exe
2020	Lijepc32.exe
2652	Lkhalo32.exe
2864	Lnfmhj32.exe
2820	Mljnaocd.exe
2924	Mbdfni32.exe
2740	Mcfbfaao.exe
2712	Mlmjgnaa.exe
2080	Mnkfcjqe.exe
804	Mffkgl32.exe
888	Mnncii32.exe
2700	Malpee32.exe
3052	Mhfhaoec.exe
3044	Mjddnjdf.exe
1120	Mdmhfpkg.exe
1888	Npcika32.exe
972	Nfmahkhh.exe
1612	Nilndfgl.exe
2156	Npffaq32.exe
2260	Nbdbml32.exe
2384	Ninjjf32.exe
112	Nlmffa32.exe
372	Neekogkm.exe
1076	Niqgof32.exe
2016	Nbilhkig.exe
2540	Neghdg32.exe
2348	Nlapaapg.exe
1616	Noplmlok.exe
2940	Nanhihno.exe
3040	Ndmeecmb.exe
2788	Ngkaaolf.exe
2816	Oobiclmh.exe
1864	Oaqeogll.exe
2276	Odoakckp.exe
1520	Okijhmcm.exe
1956	Oiljcj32.exe
1216	Oacbdg32.exe
2088	Odanqb32.exe
1908	Ogpjmn32.exe
1472	Omjbihpn.exe
648	Ophoecoa.exe
1492	Ocfkaone.exe

Loads dropped DLL 64 IoCs

pid	Process
1768	01e4fe342a0c713fd85e54033dc7cc5fac20641223544494a5b2ee7ca22aa5f1.exe
1768	01e4fe342a0c713fd85e54033dc7cc5fac20641223544494a5b2ee7ca22aa5f1.exe
1156	Jkdoci32.exe
1156	Jkdoci32.exe
2824	Jgkphj32.exe
2824	Jgkphj32.exe
2872	Jpcdqpqj.exe
2872	Jpcdqpqj.exe
2916	Jfpmifoa.exe
2916	Jfpmifoa.exe
2880	Jljeeqfn.exe
2880	Jljeeqfn.exe
2768	Jjneoeeh.exe
2768	Jjneoeeh.exe
2000	Jkobgm32.exe
2000	Jkobgm32.exe
2812	Kdgfpbaf.exe
2812	Kdgfpbaf.exe
1912	Klonqpbi.exe
1912	Klonqpbi.exe
1600	Kfgcieii.exe
1600	Kfgcieii.exe
3060	Koogbk32.exe
3060	Koogbk32.exe
1072	Khglkqfj.exe
1072	Khglkqfj.exe
2096	Knddcg32.exe
2096	Knddcg32.exe
576	Kgmilmkb.exe
576	Kgmilmkb.exe
2180	Kqemeb32.exe
2180	Kqemeb32.exe
2192	Kninog32.exe
2192	Kninog32.exe
600	Lojjfo32.exe
600	Lojjfo32.exe
1092	Lqjfpbmm.exe
1092	Lqjfpbmm.exe
1056	Lchclmla.exe
1056	Lchclmla.exe
2320	Lffohikd.exe
2320	Lffohikd.exe
1704	Loocanbe.exe
1704	Loocanbe.exe
1512	Lighjd32.exe
1512	Lighjd32.exe
968	Lkfdfo32.exe
968	Lkfdfo32.exe
2020	Lijepc32.exe
2020	Lijepc32.exe
2652	Lkhalo32.exe
2652	Lkhalo32.exe
2864	Lnfmhj32.exe
2864	Lnfmhj32.exe
2820	Mljnaocd.exe
2820	Mljnaocd.exe
2924	Mbdfni32.exe
2924	Mbdfni32.exe
2740	Mcfbfaao.exe
2740	Mcfbfaao.exe
2712	Mlmjgnaa.exe
2712	Mlmjgnaa.exe
2080	Mnkfcjqe.exe
2080	Mnkfcjqe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mnncii32.exe	Mffkgl32.exe
File created	C:\Windows\SysWOW64\Lojjfo32.exe	Kninog32.exe
File created	C:\Windows\SysWOW64\Becbne32.dll	Klonqpbi.exe
File created	C:\Windows\SysWOW64\Dgiglh32.dll	Mdmhfpkg.exe
File opened for modification	C:\Windows\SysWOW64\Nilndfgl.exe	Nfmahkhh.exe
File created	C:\Windows\SysWOW64\Fafeln32.dll	Ocfkaone.exe
File created	C:\Windows\SysWOW64\Oegdcj32.exe	Oomlfpdi.exe
File opened for modification	C:\Windows\SysWOW64\Oobiclmh.exe	Ngkaaolf.exe
File created	C:\Windows\SysWOW64\Eaqehcbj.dll	Jjneoeeh.exe
File created	C:\Windows\SysWOW64\Kqemeb32.exe	Kgmilmkb.exe
File created	C:\Windows\SysWOW64\Noplmlok.exe	Nlapaapg.exe
File opened for modification	C:\Windows\SysWOW64\Ockdmn32.exe	Oophlpag.exe
File created	C:\Windows\SysWOW64\Ikaainpb.dll	Kgmilmkb.exe
File created	C:\Windows\SysWOW64\Lfflopbf.dll	Jgkphj32.exe
File opened for modification	C:\Windows\SysWOW64\Khglkqfj.exe	Koogbk32.exe
File created	C:\Windows\SysWOW64\Lqjfpbmm.exe	Lojjfo32.exe
File opened for modification	C:\Windows\SysWOW64\Npffaq32.exe	Nilndfgl.exe
File created	C:\Windows\SysWOW64\Jfpmifoa.exe	Jpcdqpqj.exe
File created	C:\Windows\SysWOW64\Khglkqfj.exe	Koogbk32.exe
File created	C:\Windows\SysWOW64\Mdmhfpkg.exe	Mjddnjdf.exe
File created	C:\Windows\SysWOW64\Njbnon32.dll	Koogbk32.exe
File created	C:\Windows\SysWOW64\Malpee32.exe	Mnncii32.exe
File created	C:\Windows\SysWOW64\Hbfdeplh.dll	Onlooh32.exe
File created	C:\Windows\SysWOW64\Jdekhe32.dll	Lighjd32.exe
File created	C:\Windows\SysWOW64\Omjbihpn.exe	Ogpjmn32.exe
File created	C:\Windows\SysWOW64\Lchclmla.exe	Lqjfpbmm.exe
File created	C:\Windows\SysWOW64\Hqebodfa.dll	Loocanbe.exe
File created	C:\Windows\SysWOW64\Pmhikf32.dll	Lkhalo32.exe
File created	C:\Windows\SysWOW64\Neghdg32.exe	Nbilhkig.exe
File created	C:\Windows\SysWOW64\Mcfbfaao.exe	Mbdfni32.exe
File created	C:\Windows\SysWOW64\Gnfmhdpb.dll	Mbdfni32.exe
File created	C:\Windows\SysWOW64\Hnfgbfba.dll	Npffaq32.exe
File opened for modification	C:\Windows\SysWOW64\Oacbdg32.exe	Oiljcj32.exe
File opened for modification	C:\Windows\SysWOW64\Koogbk32.exe	Kfgcieii.exe
File created	C:\Windows\SysWOW64\Nilndfgl.exe	Nfmahkhh.exe
File created	C:\Windows\SysWOW64\Olopjddf.exe	Onlooh32.exe
File opened for modification	C:\Windows\SysWOW64\Mhfhaoec.exe	Malpee32.exe
File created	C:\Windows\SysWOW64\Niqgof32.exe	Neekogkm.exe
File created	C:\Windows\SysWOW64\Kgmilmkb.exe	Knddcg32.exe
File created	C:\Windows\SysWOW64\Lnfmhj32.exe	Lkhalo32.exe
File created	C:\Windows\SysWOW64\Oaqeogll.exe	Oobiclmh.exe
File created	C:\Windows\SysWOW64\Joapmk32.dll	Jkdoci32.exe
File created	C:\Windows\SysWOW64\Hdhllcnb.dll	Kfgcieii.exe
File opened for modification	C:\Windows\SysWOW64\Ngkaaolf.exe	Ndmeecmb.exe
File created	C:\Windows\SysWOW64\Oobiclmh.exe	Ngkaaolf.exe
File opened for modification	C:\Windows\SysWOW64\Oophlpag.exe	Oheppe32.exe
File created	C:\Windows\SysWOW64\Fohecb32.dll	Kdgfpbaf.exe
File created	C:\Windows\SysWOW64\Ffngbf32.dll	Nlmffa32.exe
File created	C:\Windows\SysWOW64\Jjneoeeh.exe	Jljeeqfn.exe
File created	C:\Windows\SysWOW64\Knddcg32.exe	Khglkqfj.exe
File created	C:\Windows\SysWOW64\Fchpmeni.dll	Nanhihno.exe
File opened for modification	C:\Windows\SysWOW64\Ophoecoa.exe	Omjbihpn.exe
File created	C:\Windows\SysWOW64\Cfekom32.dll	Oeegnj32.exe
File created	C:\Windows\SysWOW64\Jpcdqpqj.exe	Jgkphj32.exe
File created	C:\Windows\SysWOW64\Lncacf32.dll	Oomlfpdi.exe
File created	C:\Windows\SysWOW64\Okijhmcm.exe	Odoakckp.exe
File created	C:\Windows\SysWOW64\Ngkaaolf.exe	Ndmeecmb.exe
File created	C:\Windows\SysWOW64\Lffohikd.exe	Lchclmla.exe
File opened for modification	C:\Windows\SysWOW64\Lighjd32.exe	Loocanbe.exe
File created	C:\Windows\SysWOW64\Ninjjf32.exe	Nbdbml32.exe
File created	C:\Windows\SysWOW64\Oheppe32.exe	Oegdcj32.exe
File created	C:\Windows\SysWOW64\Eodinj32.dll	Oheppe32.exe
File created	C:\Windows\SysWOW64\Kdgfpbaf.exe	Jkobgm32.exe
File opened for modification	C:\Windows\SysWOW64\Oegdcj32.exe	Oomlfpdi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1552	1740	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojjfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Malpee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlapaapg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmhfpkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmffa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odoakckp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onlooh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01e4fe342a0c713fd85e54033dc7cc5fac20641223544494a5b2ee7ca22aa5f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgkphj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffohikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkfdfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oophlpag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lchclmla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okijhmcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ockdmn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jljeeqfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngkaaolf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lijepc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpjmn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npffaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neekogkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oacbdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpcdqpqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnfmhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcfbfaao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnkfcjqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfpmifoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oeegnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olopjddf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mffkgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcika32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ninjjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noplmlok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkdoci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koogbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgmilmkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kninog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaqeogll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiljcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odanqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knddcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhfhaoec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klonqpbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kqemeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbdfni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neghdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfmahkhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfkaone.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oegdcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkobgm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loocanbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkhalo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnncii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheppe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfgcieii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqjfpbmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbilhkig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oobiclmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niqgof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndmeecmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ophoecoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomlfpdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjneoeeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mljnaocd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqlhflgh.dll"	Mlmjgnaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfekom32.dll"	Oeegnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oophlpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmlkk32.dll"	Khglkqfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moeodd32.dll"	Lojjfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkplgm32.dll"	Mcfbfaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbdbml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odoakckp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpfkg32.dll"	Kqemeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmhaikja.dll"	Mljnaocd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfidah32.dll"	Malpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neekogkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmiqo32.dll"	Noplmlok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfpmifoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlmffa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcfbfaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgiglh32.dll"	Mdmhfpkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ophoecoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnncii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbdbml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndmeecmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmilmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lqjfpbmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niqgof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aegobiom.dll"	Neghdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgfamj32.dll"	Oaqeogll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbdfni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjddnjdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffngbf32.dll"	Nlmffa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oiljcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	01e4fe342a0c713fd85e54033dc7cc5fac20641223544494a5b2ee7ca22aa5f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	01e4fe342a0c713fd85e54033dc7cc5fac20641223544494a5b2ee7ca22aa5f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpcdqpqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Malpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhenggfi.dll"	Mnncii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lchclmla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oophlpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnfmhdpb.dll"	Mbdfni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnkfcjqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbofhpaj.dll"	Npcika32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjneoeeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Koogbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khglkqfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljakp32.dll"	Lqjfpbmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oeegnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ninjjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Neghdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mljnaocd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajbnaedb.dll"	Mnkfcjqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejegcc32.dll"	Omjbihpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oacbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klonqpbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnfmhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfgbfba.dll"	Npffaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Neekogkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oiljcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfgcieii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpcdqpqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnfmhj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnkfcjqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlapaapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knddcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkfdfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feglnpia.dll"	Mffkgl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1156	1768	01e4fe342a0c713fd85e54033dc7cc5fac20641223544494a5b2ee7ca22aa5f1.exe	30
PID 1768 wrote to memory of 1156	1768	01e4fe342a0c713fd85e54033dc7cc5fac20641223544494a5b2ee7ca22aa5f1.exe	30
PID 1768 wrote to memory of 1156	1768	01e4fe342a0c713fd85e54033dc7cc5fac20641223544494a5b2ee7ca22aa5f1.exe	30
PID 1768 wrote to memory of 1156	1768	01e4fe342a0c713fd85e54033dc7cc5fac20641223544494a5b2ee7ca22aa5f1.exe	30
PID 1156 wrote to memory of 2824	1156	Jkdoci32.exe	31
PID 1156 wrote to memory of 2824	1156	Jkdoci32.exe	31
PID 1156 wrote to memory of 2824	1156	Jkdoci32.exe	31
PID 1156 wrote to memory of 2824	1156	Jkdoci32.exe	31
PID 2824 wrote to memory of 2872	2824	Jgkphj32.exe	32
PID 2824 wrote to memory of 2872	2824	Jgkphj32.exe	32
PID 2824 wrote to memory of 2872	2824	Jgkphj32.exe	32
PID 2824 wrote to memory of 2872	2824	Jgkphj32.exe	32
PID 2872 wrote to memory of 2916	2872	Jpcdqpqj.exe	33
PID 2872 wrote to memory of 2916	2872	Jpcdqpqj.exe	33
PID 2872 wrote to memory of 2916	2872	Jpcdqpqj.exe	33
PID 2872 wrote to memory of 2916	2872	Jpcdqpqj.exe	33
PID 2916 wrote to memory of 2880	2916	Jfpmifoa.exe	34
PID 2916 wrote to memory of 2880	2916	Jfpmifoa.exe	34
PID 2916 wrote to memory of 2880	2916	Jfpmifoa.exe	34
PID 2916 wrote to memory of 2880	2916	Jfpmifoa.exe	34
PID 2880 wrote to memory of 2768	2880	Jljeeqfn.exe	35
PID 2880 wrote to memory of 2768	2880	Jljeeqfn.exe	35
PID 2880 wrote to memory of 2768	2880	Jljeeqfn.exe	35
PID 2880 wrote to memory of 2768	2880	Jljeeqfn.exe	35
PID 2768 wrote to memory of 2000	2768	Jjneoeeh.exe	36
PID 2768 wrote to memory of 2000	2768	Jjneoeeh.exe	36
PID 2768 wrote to memory of 2000	2768	Jjneoeeh.exe	36
PID 2768 wrote to memory of 2000	2768	Jjneoeeh.exe	36
PID 2000 wrote to memory of 2812	2000	Jkobgm32.exe	37
PID 2000 wrote to memory of 2812	2000	Jkobgm32.exe	37
PID 2000 wrote to memory of 2812	2000	Jkobgm32.exe	37
PID 2000 wrote to memory of 2812	2000	Jkobgm32.exe	37
PID 2812 wrote to memory of 1912	2812	Kdgfpbaf.exe	38
PID 2812 wrote to memory of 1912	2812	Kdgfpbaf.exe	38
PID 2812 wrote to memory of 1912	2812	Kdgfpbaf.exe	38
PID 2812 wrote to memory of 1912	2812	Kdgfpbaf.exe	38
PID 1912 wrote to memory of 1600	1912	Klonqpbi.exe	39
PID 1912 wrote to memory of 1600	1912	Klonqpbi.exe	39
PID 1912 wrote to memory of 1600	1912	Klonqpbi.exe	39
PID 1912 wrote to memory of 1600	1912	Klonqpbi.exe	39
PID 1600 wrote to memory of 3060	1600	Kfgcieii.exe	40
PID 1600 wrote to memory of 3060	1600	Kfgcieii.exe	40
PID 1600 wrote to memory of 3060	1600	Kfgcieii.exe	40
PID 1600 wrote to memory of 3060	1600	Kfgcieii.exe	40
PID 3060 wrote to memory of 1072	3060	Koogbk32.exe	41
PID 3060 wrote to memory of 1072	3060	Koogbk32.exe	41
PID 3060 wrote to memory of 1072	3060	Koogbk32.exe	41
PID 3060 wrote to memory of 1072	3060	Koogbk32.exe	41
PID 1072 wrote to memory of 2096	1072	Khglkqfj.exe	42
PID 1072 wrote to memory of 2096	1072	Khglkqfj.exe	42
PID 1072 wrote to memory of 2096	1072	Khglkqfj.exe	42
PID 1072 wrote to memory of 2096	1072	Khglkqfj.exe	42
PID 2096 wrote to memory of 576	2096	Knddcg32.exe	43
PID 2096 wrote to memory of 576	2096	Knddcg32.exe	43
PID 2096 wrote to memory of 576	2096	Knddcg32.exe	43
PID 2096 wrote to memory of 576	2096	Knddcg32.exe	43
PID 576 wrote to memory of 2180	576	Kgmilmkb.exe	44
PID 576 wrote to memory of 2180	576	Kgmilmkb.exe	44
PID 576 wrote to memory of 2180	576	Kgmilmkb.exe	44
PID 576 wrote to memory of 2180	576	Kgmilmkb.exe	44
PID 2180 wrote to memory of 2192	2180	Kqemeb32.exe	45
PID 2180 wrote to memory of 2192	2180	Kqemeb32.exe	45
PID 2180 wrote to memory of 2192	2180	Kqemeb32.exe	45
PID 2180 wrote to memory of 2192	2180	Kqemeb32.exe	45

C:\Users\Admin\AppData\Local\Temp\01e4fe342a0c713fd85e54033dc7cc5fac20641223544494a5b2ee7ca22aa5f1.exe
"C:\Users\Admin\AppData\Local\Temp\01e4fe342a0c713fd85e54033dc7cc5fac20641223544494a5b2ee7ca22aa5f1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\Jkdoci32.exe
  C:\Windows\system32\Jkdoci32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\SysWOW64\Jgkphj32.exe
    C:\Windows\system32\Jgkphj32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\Jpcdqpqj.exe
      C:\Windows\system32\Jpcdqpqj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\SysWOW64\Jfpmifoa.exe
        
        C:\Windows\system32\Jfpmifoa.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Windows\SysWOW64\Jljeeqfn.exe
        
        C:\Windows\system32\Jljeeqfn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Jjneoeeh.exe
        
        C:\Windows\system32\Jjneoeeh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Jkobgm32.exe
        
        C:\Windows\system32\Jkobgm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Kdgfpbaf.exe
        
        C:\Windows\system32\Kdgfpbaf.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Klonqpbi.exe
        
        C:\Windows\system32\Klonqpbi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Kfgcieii.exe
        
        C:\Windows\system32\Kfgcieii.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Koogbk32.exe
        
        C:\Windows\system32\Koogbk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Khglkqfj.exe
        
        C:\Windows\system32\Khglkqfj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Knddcg32.exe
        
        C:\Windows\system32\Knddcg32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Kgmilmkb.exe
        
        C:\Windows\system32\Kgmilmkb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Windows\SysWOW64\Kqemeb32.exe
        
        C:\Windows\system32\Kqemeb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Kninog32.exe
        
        C:\Windows\system32\Kninog32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Lojjfo32.exe
        
        C:\Windows\system32\Lojjfo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:600
        
        C:\Windows\SysWOW64\Lqjfpbmm.exe
        
        C:\Windows\system32\Lqjfpbmm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Lchclmla.exe
        
        C:\Windows\system32\Lchclmla.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Lffohikd.exe
        
        C:\Windows\system32\Lffohikd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\Loocanbe.exe
        
        C:\Windows\system32\Loocanbe.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\Lighjd32.exe
        
        C:\Windows\system32\Lighjd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\Lkfdfo32.exe
        
        C:\Windows\system32\Lkfdfo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Lijepc32.exe
        
        C:\Windows\system32\Lijepc32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Lkhalo32.exe
        
        C:\Windows\system32\Lkhalo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\Lnfmhj32.exe
        
        C:\Windows\system32\Lnfmhj32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Mljnaocd.exe
        
        C:\Windows\system32\Mljnaocd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Mbdfni32.exe
        
        C:\Windows\system32\Mbdfni32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Mcfbfaao.exe
        
        C:\Windows\system32\Mcfbfaao.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Mlmjgnaa.exe
        
        C:\Windows\system32\Mlmjgnaa.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Mnkfcjqe.exe
        
        C:\Windows\system32\Mnkfcjqe.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Mffkgl32.exe
        
        C:\Windows\system32\Mffkgl32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Mnncii32.exe
        
        C:\Windows\system32\Mnncii32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Malpee32.exe
        
        C:\Windows\system32\Malpee32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Mhfhaoec.exe
        
        C:\Windows\system32\Mhfhaoec.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\Mjddnjdf.exe
        
        C:\Windows\system32\Mjddnjdf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Mdmhfpkg.exe
        
        C:\Windows\system32\Mdmhfpkg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Npcika32.exe
        
        C:\Windows\system32\Npcika32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Nfmahkhh.exe
        
        C:\Windows\system32\Nfmahkhh.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\Nilndfgl.exe
        
        C:\Windows\system32\Nilndfgl.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\Npffaq32.exe
        
        C:\Windows\system32\Npffaq32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Nbdbml32.exe
        
        C:\Windows\system32\Nbdbml32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Ninjjf32.exe
        
        C:\Windows\system32\Ninjjf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Nlmffa32.exe
        
        C:\Windows\system32\Nlmffa32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:112
        
        C:\Windows\SysWOW64\Neekogkm.exe
        
        C:\Windows\system32\Neekogkm.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Niqgof32.exe
        
        C:\Windows\system32\Niqgof32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Nbilhkig.exe
        
        C:\Windows\system32\Nbilhkig.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Neghdg32.exe
        
        C:\Windows\system32\Neghdg32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Nlapaapg.exe
        
        C:\Windows\system32\Nlapaapg.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Noplmlok.exe
        
        C:\Windows\system32\Noplmlok.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Nanhihno.exe
        
        C:\Windows\system32\Nanhihno.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\Ndmeecmb.exe
        
        C:\Windows\system32\Ndmeecmb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Ngkaaolf.exe
        
        C:\Windows\system32\Ngkaaolf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\Oobiclmh.exe
        
        C:\Windows\system32\Oobiclmh.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\Oaqeogll.exe
        
        C:\Windows\system32\Oaqeogll.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Odoakckp.exe
        
        C:\Windows\system32\Odoakckp.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Okijhmcm.exe
        
        C:\Windows\system32\Okijhmcm.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\Oiljcj32.exe
        
        C:\Windows\system32\Oiljcj32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Oacbdg32.exe
        
        C:\Windows\system32\Oacbdg32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Odanqb32.exe
        
        C:\Windows\system32\Odanqb32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\Ogpjmn32.exe
        
        C:\Windows\system32\Ogpjmn32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\Omjbihpn.exe
        
        C:\Windows\system32\Omjbihpn.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Ophoecoa.exe
        
        C:\Windows\system32\Ophoecoa.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Ocfkaone.exe
        
        C:\Windows\system32\Ocfkaone.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\Oeegnj32.exe
        
        C:\Windows\system32\Oeegnj32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Onlooh32.exe
        
        C:\Windows\system32\Onlooh32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Olopjddf.exe
        
        C:\Windows\system32\Olopjddf.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\Oomlfpdi.exe
        
        C:\Windows\system32\Oomlfpdi.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Oegdcj32.exe
        
        C:\Windows\system32\Oegdcj32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Oheppe32.exe
        
        C:\Windows\system32\Oheppe32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Oophlpag.exe
        
        C:\Windows\system32\Oophlpag.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Ockdmn32.exe
        
        C:\Windows\system32\Ockdmn32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 140
        74⤵
        Program crash
        
        PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jkdoci32.exe

Filesize
194KB

MD5
441ada0927d09e140195f70f079db636

SHA1
29ebef92e5b43ba3ce741f7145921da42d1f4e5f

SHA256
c51564e1dcb77070d81c05f9531d34600acf27845c40a3e2cb2b181c3f94412b

SHA512
a38d0129b1b87aa7bebc5107f398872f66174a7766eb32e11bdd39951e6928775388a6d4bd21203bb9663f18660583bd0fff9bb47284d526c09ae2257d286476

Download Submit
C:\Windows\SysWOW64\Lchclmla.exe

Filesize
194KB

MD5
57a9af2c024091fdcffcecdc83275fb3

SHA1
f20bc1b79a08ac7112348e6067b21df05d49421e

SHA256
fc026cba2745025efc8da2307b5af78112999609ec18285202d9eed58a476e22

SHA512
676531e1ff5cddb7e45e3368251482aa0c91b5c3c89a4fe826e4e13b45c7cb11de9e60729c01b5d995625b1d9964e1f906463645461960296677cc231c7e524e

Download Submit
C:\Windows\SysWOW64\Lffohikd.exe

Filesize
194KB

MD5
f4ed901db324c9526325bbbae5355342

SHA1
af7a3ec00b8985b81cbc9abe4227011c000426ab

SHA256
4b6110a4b699c6dc1dd082b8bf2aacde3ce5f865e9a856f82f06ef4af650c606

SHA512
0c54afdd9fe0c73520de9239f263ea0f31d34219a50ae3a04930d356cbc95bc0d8a64b6525f2084132040a79dcde15f2fda9ffe97f7e9eeaa9924f36f8bf5b80

Download Submit
C:\Windows\SysWOW64\Lighjd32.exe

Filesize
194KB

MD5
65c337edeb825bdcf49d01803b96a998

SHA1
e267fc5ce295fd9c38e8a2bf561bb34f9a03186c

SHA256
ef8bb96b5a262c4cf91cc5594b1ad4922ced26b51d01f23945e006015b1515b9

SHA512
1e9ed3a7460b73c8cc1a5f4d2fd884258aa97cdd407503ae130384fdcb2dec526d593092160b460d4f64e1f6baabdcb498fa2481f2299939f60ce57334c2d715

Download Submit
C:\Windows\SysWOW64\Lijepc32.exe

Filesize
194KB

MD5
f79a5a57c4667ce76123be98d8fcf7db

SHA1
7c0987e9ca7d3802e0d9cf1f566fca3e53eff320

SHA256
6b8ccf3767f1c90dd9caa4ffd4b62b18feacd2c93e3eeb3621231eef6576d09c

SHA512
8fe721303a9dcc99374f4e242bcc22e6f6af630d1c1b2ba125591d38f33f06ba5d38a801da47bf7e27dea83284e455efcabc0bd330fdb45b5b312ed6d9547147

Download Submit
C:\Windows\SysWOW64\Lkfdfo32.exe

Filesize
194KB

MD5
c61d330eccb2855059ffffcaf45a8899

SHA1
d3b3cb6e999a4a4607c590770269b3e8400a0090

SHA256
0c333743787e07432a87af330c4f5a760e867d49f948f5b99036293d1f53add6

SHA512
d30a0743308bf8adcbe54d96d5e6eb06bd034d32a0bb9230f324fc9aa1b6c86874c07654405c9adbc0c4a5170bc76d10373dcc57576113d8ce6ef06c57aa67ae

Download Submit
C:\Windows\SysWOW64\Lkhalo32.exe

Filesize
194KB

MD5
176e17cff191a88485979da06555885b

SHA1
13ad2c9fba897a198feb48c906986f218fa8a166

SHA256
77c63625635c4af52c9382891e6f68e51eadc80ddc9c6b978c0c246c966fb4eb

SHA512
99d1661b46febe7ad1fe52e2fc05ae4e2f7bac106d4bae2d647c7db7120f5d01ec6d4334a2c0237b39db715e2c261f39b566b143a1f93d7574aeae8a10d5eac7

Download Submit
C:\Windows\SysWOW64\Lnfmhj32.exe

Filesize
194KB

MD5
c6fe36647d412859940ae4060f5d44b7

SHA1
e061fd5f1760c97546267c2156a8e3f19ad4dba2

SHA256
5af37d7233b18229b02f3f0306e609ed856785b9bc77bda9b1213dfd8a7c282f

SHA512
7e7f12a3321a151cd8ed78cb476435acc08028a5b03d4ebf9bf83edb6b54112bf8efae59edc5216589c9b1130da198ad20e037854ff61d0f3e7e34ca0cc2d6a2

Download Submit
C:\Windows\SysWOW64\Lojjfo32.exe

Filesize
194KB

MD5
aa51b605a4f1c54113e0c375253de187

SHA1
b0ed7a9fafba6f584eb49699d8d9e0128f961b48

SHA256
df6ff879f0db283d0fdfb98569fa5825264aa63769add0e707f1f85267136a21

SHA512
a0f33c184f206fe896fe814bdfe2c996bd8855fd4e4862f865a5e554ee231acb704193daa286aa7bdf622f62c1efab48ffa2a80188c107f0ab1380930d8bf7fe

Download Submit
C:\Windows\SysWOW64\Loocanbe.exe

Filesize
194KB

MD5
6862617c54cfbfa51096d9c59ca9d908

SHA1
174a819b5bd3737d596cce74c7a739229118dcc7

SHA256
a6e0185d9d3d27f5b8caf955cefd24be44a0452e5240d16cf7f00ddac1f038e6

SHA512
0333caf2387069028cb9ffc85a7022ae26456da9b1c63bf2f4558b065f42c4894f6a895b454baf9b24128f5112c14081cf8129aec8cfda52bbb746f7ef3ea4ad

Download Submit
C:\Windows\SysWOW64\Lqjfpbmm.exe

Filesize
194KB

MD5
f221dda286a8f2fe05d519474fb16350

SHA1
d4b3f21632e1742cd676a27dd0f4666b6702dc37

SHA256
13bc3f6892a54c0c823b17d8205a55364ac9850e34cf1ac57a88bfd2478bda25

SHA512
eb5b5b2f5cc7800a9e067c6deaa6ae7955eb68fc6ca7d2452e06a633de7ac5af4d2fe50976eede11ee6625c822a68e86572d05af9c57e074f0cd83533680ee8e

Download Submit
C:\Windows\SysWOW64\Malpee32.exe

Filesize
194KB

MD5
6cddfce5c320ba041e26210e21698382

SHA1
6248c7b41e1ae35fbf2336731c578870f974a06c

SHA256
954d561fee2b24bf6a1263667151ea3f90b64740421521ebfdc0476f8bca9709

SHA512
8f64882c35ad9081815e528e7b9544c59ffcea329fe65116e6b26177ac5bd0d25e5c519026edfb01342d918782b39712883a34a0fb2971285acede0e6e965099

Download Submit
C:\Windows\SysWOW64\Mbdfni32.exe

Filesize
194KB

MD5
482d7eced58354a3e2c3edbb4494ee30

SHA1
853d84d176a1b9c4bc8d13c88f19605c9d313818

SHA256
54f2b379702ee992ac44577423260be21283b1f91664aa3b7a020c6103d8c0a8

SHA512
73378465760c12337a3322ee2a9ee6bde037563c8c9814b6c5eef9722451dcad84fc843b58a1e91f46ff1a3092183b4bcd8ca4c1e256c5aeff2b07a6ee5d66b0

Download Submit
C:\Windows\SysWOW64\Mcfbfaao.exe

Filesize
194KB

MD5
8ca9a64e9ef048e21fb379051b3557ae

SHA1
50fab66d864e09d79f0985e9bb75cea736d10f88

SHA256
e04209762d5ca6e189fda49517eeade3e6302c79a15ccf97949b7e241530769e

SHA512
8bbc3c63ce3b05b0bb4ed5361327a3ca708c13ef2ce05d721c72e01199c16cfe04309496de0374f1be1f234d019c42a6c015c93d46f5829a8bbde53ec6e646ac

Download Submit
C:\Windows\SysWOW64\Mdmhfpkg.exe

Filesize
194KB

MD5
c2d6c7de98bf74777e651096851b6d67

SHA1
c925153ce0181af4463e4bff101cbb7a72c5dff6

SHA256
7d137cef0beec1eb104902400dce50b6771127406b2008b516b2d650171590a9

SHA512
71b5e6ca7f5fb21c36b85fc501068cab1c1d039f9fdaff291b6662d4cea0a62425bcf14de4a9b232b5bc08121ae1cc3eb45f857478b019cd30c9a1b401f22ba8

Download Submit
C:\Windows\SysWOW64\Mffkgl32.exe

Filesize
194KB

MD5
b15d0f13590cc4601cbc3af3072d77cd

SHA1
11deba573afec764cb8e65e5c8521c6e8ff62a37

SHA256
fe20bd034c1c7b9aa059ef4f32b35552fff36eab620dad0f5aaa02e15458a8a6

SHA512
81ca261d261c9f2a541616859ec9833766fec647c8a7c198e6ab67960880f8dd353f66a4c7c2bb9f75a491fe8cbd2414c98f2c302b8376749d24ae1b4d7abf85

Download Submit
C:\Windows\SysWOW64\Mhfhaoec.exe

Filesize
194KB

MD5
399f79f768b2865d6becb03835c06263

SHA1
6686bb20d67ff62d2a15d4cca2f2881e420fe9a2

SHA256
8a161ae2689cd7925e0683d2086b43182b532ecd0ee894c825e3f4078076d7b7

SHA512
3fd0ee926b38b1067e72335f52c5c6e879168b99814a4d90691a88b181d10bb66f6307f6313bdfdcf5e840bb4e5e9c293e749dc756434abf58e0a9633cc58041

Download Submit
C:\Windows\SysWOW64\Mjddnjdf.exe

Filesize
194KB

MD5
d7d945737076e1846ebe00288af2750c

SHA1
7c27f7e7f91dda9ecc65cc25ea49b96b00e1edbb

SHA256
7d7ccdd7305f1577d12c63a20e8224fdf5d7c22b0dd110b3eef77c40a0667100

SHA512
8b86177d109d6beefee0a281c45a1c01c057eeb6e66cd2b1e9c562ded5dceedf4d30786d5773d4d83d0a1211c4a94504857b9f686fe2a2e108eac06d703b059d

Download Submit
C:\Windows\SysWOW64\Mljnaocd.exe

Filesize
194KB

MD5
64b35aa222592689cee89202f082594f

SHA1
1ad3bd41d0dcc43a2c36b75888c2b9dd25984e35

SHA256
33aff1641a1200f35ac17f6a0847452b83c181f4b4a073129e1d75ab3a792e66

SHA512
3c1db25c36de40f03073530be6e7010666dff85a8b7e4397d71777da9f5a9cdfc78bd19441a94dfa76574f38308c0e36173f88c669c759f623e74689087e6aa2

Download Submit
C:\Windows\SysWOW64\Mlmjgnaa.exe

Filesize
194KB

MD5
35b893316cb42cd72dae33bac01708b2

SHA1
8b5dcd99650f9ba6449be154226b397ae7c5839a

SHA256
b42709c2d75b9e5d7949d365917792ce4e6c7326c5f2e8632b9a37d0d8ed6944

SHA512
e2b4d80efb8baedc3db7f2c7cd4a566efed4f226d7692aae1bf1cc7d675b854ba384ed529aa7fd7ac0986ae5cce295c7b9d5cb1264ecae685cd692edd3575193

Download Submit
C:\Windows\SysWOW64\Mnkfcjqe.exe

Filesize
194KB

MD5
b707262ae6c5a2b011963aca35abfaa7

SHA1
0f17532adab9aa9c4115ada066a3e150c81dae22

SHA256
411e242a08e0efe4f54e44d8ce73e2a0e4cee141bc7ab8ee82e9c0a08b200108

SHA512
8f947fee3db88ec002821cb072d2a829eadad247f1a81ea4a8adc7ad7e4d5bb68625f3ea3a3b5dc8040b868487e2e49ca55bd1b2b1a0d9e8c8c797ce079c0998

Download Submit
C:\Windows\SysWOW64\Mnncii32.exe

Filesize
194KB

MD5
195b85a209694d0862fca1700d48a990

SHA1
e5978fe3c63bb4d6df67c59d6e1da1ebf4386b8f

SHA256
63635ccf6bbd181df4e05341a6e94923629daafd876f3d735273a12c73fd0c71

SHA512
bf60d642c4811ea437795a7992ac46b29cff080be27f11a0c07b7746aa684accd7134cb2629c72c6015dc6bfe348cd0020b926dc4a83732ee1470759ceed23a0

Download Submit
C:\Windows\SysWOW64\Nanhihno.exe

Filesize
194KB

MD5
cf9f83dda7fdad01da43245e722ea7ae

SHA1
94d4b70fd2409f299ce6ea2f94ab614d1bfa4be3

SHA256
f20ec64ba4d39ca3c421a5405b24250c7292bccd38be52248a1540c6b5123fbd

SHA512
6e2e7c5bc2aeea4d08f862e35e4e06cae50507c9c962bfd2e4acca3a2f2f43e603deea90666b8383c68c2aa326ceb044f91ae00fdb10115c9aea46cb61de5837

Download Submit
C:\Windows\SysWOW64\Nbdbml32.exe

Filesize
194KB

MD5
b88d0e90b5e29a2be8dbd5efc486506c

SHA1
a15cb0c855afecddab8e81bf8a1f9214cac29590

SHA256
0144c8c331dd147acf598df24910e6ae76cc1bfca715c6375ac9ec2ac450853f

SHA512
f65cfd862e3e34537c15abde333d1e5088bb57a43a1dee921a905e86c441e5c755e4a6a85081676d26a902db7c59e535ad8db5c7195721becc1724d2df41f441

Download Submit
C:\Windows\SysWOW64\Nbilhkig.exe

Filesize
194KB

MD5
5c3ca5703f7ced7f3aa4ef75a6b79da6

SHA1
b33b5dd8cdb3058f646e9382629ab9f3e6d6c0a9

SHA256
84fa6613f6fbc9672c6f7b749de7c181e53949ad097bbb8685a1d15bcde23add

SHA512
3f9353b23ff76c2c9bb4ebce799ea46d51afef98feb47ee13e076e4bf97a1cf275fe73197f0ffb826670a39cb0cbef82ea210e973ff7c7c08b47df4e8d1e42c4

Download Submit
C:\Windows\SysWOW64\Ndmeecmb.exe

Filesize
194KB

MD5
fa40ec88b4403ef62ffd2c1550830655

SHA1
a3120ea9d9162ede3add832eee80cb2d5cc30a35

SHA256
25941a266e50832320a4d3a356e74e8471929120bb4156bda9914b04f5a812ae

SHA512
084510e3e68a27c3b5d5bcc6f3933ca94ddb891488327ac91fd418044b8189cee26875acaba5ccdf833532c0445c8b136e690bd2bf0415af61a8ad34caa621fe

Download Submit
C:\Windows\SysWOW64\Neekogkm.exe

Filesize
194KB

MD5
5f0b8856c4518feb10f4ae47eab4ee07

SHA1
a80f6f846d922b48909142c54f0a491113909617

SHA256
2ea58a1a74d2f160c8bc7f00773ce6dfccc1fd11b7f2dd618540f2411f199d65

SHA512
69d1863ab6042331bd9352cddef1e129e79f17c65687ab4bd6759294c9948a6261e257bc3fbfa93cbc38d948a9d6dcdb273a545b7e0848f47ed8a9d3b1cccad1

Download Submit
C:\Windows\SysWOW64\Neghdg32.exe

Filesize
194KB

MD5
514c58923516c10817625a049cb58098

SHA1
3a63fb3cd8a59eae436b4137ecb740e122c03b28

SHA256
e0de952359ae0b3a3a7c550e608aaa5bc10473276fbea904f926ab9e0cfd50e1

SHA512
08cbde8431061bab6f8460a56e23ae9336e54745f89942fb65a075824f9fd2c11a610c9ba4edc47fe99d3ccae916558c6f8d59234fd1ab508a62edcfe742e24d

Download Submit
C:\Windows\SysWOW64\Nfmahkhh.exe

Filesize
194KB

MD5
d2440cddd5f9c741733a1dee10e6941c

SHA1
9e4c78e9b43a7f1eb0dcf107be472776364766d1

SHA256
c264eba47aca757901b5aa62ec0cce9c3fab751e2dccaeec7fe6302f903c26d0

SHA512
878b0f700f23336abe3878bdf8a85de3bfac93c7f5c4fc5fdb5ae1555557bf158c5f16591e7faf216049c40e4db092a74be4da74f27a6ae6678b539365664bfb

Download Submit
C:\Windows\SysWOW64\Ngkaaolf.exe

Filesize
194KB

MD5
51e962d708c7face195f57667a07bbf1

SHA1
183f22b42db548afca14e09be445a3c7b271bf74

SHA256
165c20115a061193aaecaa68ab3a79011b3f4f4f161d20ca3f262b7f7991721d

SHA512
7642253336de761ef22d29774762582d17d3019dd4e4bb287fdd5e815d38346f9ff3a327f069a8a792036fa7409b80720190941acf61ffd72d22fe057f3e2588

Download Submit
C:\Windows\SysWOW64\Nilndfgl.exe

Filesize
194KB

MD5
8ee97a0010bab5d8db90b78dbd2ef8af

SHA1
553dab2a33046208a1ebd789501ab1e3b10564b4

SHA256
01ec719b0c772028119bec30f3a58925504eed28628f698d7129cf5119650551

SHA512
73fbfcb043c65b42c19ddd5d5655ebc503a3ddad300a5b6f998e87efd01234fbdb28c4b91356ccc09766ff98566e561c660c4ba16eac0e8735da2ef24b18dd31

Download Submit
C:\Windows\SysWOW64\Ninjjf32.exe

Filesize
194KB

MD5
0973975cd56540fed87678401330e129

SHA1
29a6d43375c06c702f99b499eb8352c97e7dfd72

SHA256
bc0f57a0f0505f5c7a0b18c751bb022d1357b2aa72824c4abe66b08bcd4097f8

SHA512
7ec3be20bec77fb6e5db902044e41453438ffd3798503379c5937056ba2ec4c5ff53fd4908bb0357492a7d87674e29c1bdee5e4f6f7edbbeff1c849e49854567

Download Submit
C:\Windows\SysWOW64\Niqgof32.exe

Filesize
194KB

MD5
748ce48a05b8fc6268c3a4307ced54c2

SHA1
de40c838559039508c77e787d9997727aab668a6

SHA256
bb1ae96f5b903947b0d4ab1957ffa90a9978bc35396ea6b6528cad607cc7ad2b

SHA512
31756ba905465f61d2c01733206a4f16ec394638e97bd1329a38608baedf79e91ae4a352f1a8e11dde3f8433ca5c65c7368dda930bfed536435ed71169e90ade

Download Submit
C:\Windows\SysWOW64\Nlapaapg.exe

Filesize
194KB

MD5
4832de778a93c523d6064298b5f11f97

SHA1
12d3c43b9164d60710cd022dfdfb326941cd5985

SHA256
0234fe3895665f76ac42261bf44839661319b7b77e7fb337e97a6de6ff4d164d

SHA512
8ceb999810990c4db05b45f0edb145ef21e85629d44c06e0bce2110469e5399f99e4c51e30a2ccd01f8321f41e77fb8157ba0ce4ed23e650961ab00262e4fad4

Download Submit
C:\Windows\SysWOW64\Nlmffa32.exe

Filesize
194KB

MD5
03bddaae98d00f26bbff4f58366332ba

SHA1
4a6a7d0fc229e1e18accb2c0e5f9937af7069f74

SHA256
598c6b26f139769384ec1a79e3ca76a8e1840ed33f563c878d9d587dcc0c8a65

SHA512
6528395328a20d2950b35cbb564afef4113852b0eba8ff65bb3291d76212219ee8f427f57647114fd88eaea3578e03b3b43ab712bbe17af10da8348090067a02

Download Submit
C:\Windows\SysWOW64\Noplmlok.exe

Filesize
194KB

MD5
af369f59a667d06214dd6b4e17cc48a9

SHA1
f648dce4d1a5a9db78471859d9ebe527f5bda65e

SHA256
5e26f89c0ff917aec25635ff8d924de0454a9c64d992af53f6ab3372c9326c55

SHA512
c73fbd6b8ae89f69068f63877df7acfa28f45c92319d4b2ed69afcc77bec5af2da2657c18b7979da272eea0debd3d4a231bbddc3039d9af51552b8e080d09128

Download Submit
C:\Windows\SysWOW64\Npcika32.exe

Filesize
194KB

MD5
6b31d4a758a830a9f6656aef73fea53f

SHA1
9154d18b904bef5d62529078499683681029bce2

SHA256
f6540f00a5de8e0c98321f08dfa73e3379693e93fea382dc21632e0c5dcc421b

SHA512
0d5a9fcf3fff3c90e4d59dc5de1c2e2d1efa00d74d1b440bde52e457183655bc19c486c4ad303a4c680727b6c5ff4d2b57f87dcd5b779a4ca4577a6445c6b136

Download Submit
C:\Windows\SysWOW64\Npffaq32.exe

Filesize
194KB

MD5
7cf2dc321a259863f75042d8f03f3d96

SHA1
5ac5ec6c393f62646e6ce1900e438c1342c9d2b6

SHA256
68da00cce22000f069f24f67e62d0ddf964cf93cc5592c2beb9ddf52b9acf4c8

SHA512
df1f07337167f2024ac83b58df8279fafaada6fada792c8ab729f1d048284d61dfdae326709144ae613c530d811ad55f6d54334001985361727e0a6ea38fb88c

Download Submit
C:\Windows\SysWOW64\Oacbdg32.exe

Filesize
194KB

MD5
5f14f1884e492eb24802bc8b6a775b24

SHA1
cbd603fba9bd76816f8b5aa5ef8c048488da3061

SHA256
5cb25498e2323723ca7849cc901ebd2711b39964e98a7e4d439c22f8f992ad59

SHA512
e292c231acd4e8210dc759a3690ee45519a9ad2b78cf8b9dd1f8f20d070ec7d618a2c709a24f389d79e63633d0c8ef6edd52b3c3e2a7e9f17abe49bf063cd8ba

Download Submit
C:\Windows\SysWOW64\Oaqeogll.exe

Filesize
194KB

MD5
44dabc5aa5c7f2e491e5dd5726b9855f

SHA1
f70559dc8f7fdee725fa1b2875cb3daeaa59e185

SHA256
a83fb5fd78f74a805b8a1f45d43690620634fa9a825617f5b3c2cabeb6c89e73

SHA512
01d15b15ae52934b6687673be7acf01c1873c127ada5adbda8608657699088e1dd2263fd43b06ccb2a3f1f1b59b826bff3df91cc7b3e8f874231416f9d76da6e

Download Submit
C:\Windows\SysWOW64\Ocfkaone.exe

Filesize
194KB

MD5
2ac68b9b9c3e1ee97423341031850935

SHA1
9186f53f4834eb32a04f6c7afd8910a601be8566

SHA256
0d427a4b94e0818dccbd5b4ddb1d7ca4c2d8a7480b79d89e5f175f4c41027b3a

SHA512
013e799cbeda0a8f59bf229a8ee9ac7ba60173c5c678f90de4f1bdb9c0b4d1bf1620e9acb67f322cb86b0c9536005df22ae51fe084fceadb74ce76528b949463

Download Submit
C:\Windows\SysWOW64\Ockdmn32.exe

Filesize
194KB

MD5
e444e84e41b58b6e16989af326bfdf27

SHA1
1b51253c4a66112e56f1dbea3948bdc5f6e62a19

SHA256
982c4feaf018cd1a910fd34ec932b3f3c7451e2ffe45bacdaf93d8a7f982e7fa

SHA512
d85ce1e853704076de3ef46b60908c5b67817fb50ce01593d20cff002a08a587a6c23e0c529f74680e1d7574dc759910bcc5c4ff9ba119d64bb84673738cfe72

Download Submit
C:\Windows\SysWOW64\Odanqb32.exe

Filesize
194KB

MD5
a8730583f5b2ffc5ab1a30ceaf9e89cf

SHA1
4e8f9571a8503be34c19493a992faf3311c3ab32

SHA256
9a38a44ddd6a9080c73e326426de3584af199292d14d290a31151dec4fe028b4

SHA512
e4fbef2b0173df9144cc0744fd3ebf91fa277317d7f75e5f13f752bd1a3c59166f0e0cbeef41788f28da2ae1ce5ea79986a8912e9201e0e0da397b5189e6df0c

Download Submit
C:\Windows\SysWOW64\Odoakckp.exe

Filesize
194KB

MD5
b08f71de96c667328aa9e6926a140156

SHA1
816caa074b2238e7a19ee2be50f860a1e03315f9

SHA256
c2e7f79614b738b04cf80cf7bdf8d6bd23c378dbc8b65a9e5e71a7dbf532e249

SHA512
e9ccafc806c0d073c99039b182edce9b40dfc476e45d65680d67834bb80e039e53e9bf89dc7725fde7a7c1c3ebb562b95e5bc2e134679d7c4914c8d351b08727

Download Submit
C:\Windows\SysWOW64\Oeegnj32.exe

Filesize
194KB

MD5
2685f7ba580129c173736783c6e3f0ca

SHA1
2590bfca30a47d4370581af62c7bbeedd66f3c69

SHA256
75e17be4150ae221a5f3ba843f0e9700ef4ef3edbfd4b659fbf19da1b000f947

SHA512
f7d04c57d8131593dea6ab827c5f7aa1133585b8b22e038be2f44dee408ac76cfc3b5e9b32dc4f210bc79dab7ddb005a26eeae800b24b32d14e27d84cb3358de

Download Submit
C:\Windows\SysWOW64\Oegdcj32.exe

Filesize
194KB

MD5
18c119eb0356d5786872579913b3b4b1

SHA1
477718abbc4907bc28e958cf35b8b23ffddabc46

SHA256
4e400dd0657484b4685dda5ef4db7d98f93868638797a000e9b12e22390f2689

SHA512
efbffa89c0a925368bf6c082c9c48777e3068223aa6795d83def438eb89b5e255438661c3507b1d350ad0e144c3d8a5b3f3b91650be7012b64625374a013cc24

Download Submit
C:\Windows\SysWOW64\Ogpjmn32.exe

Filesize
194KB

MD5
c90f8057c85c1227065d002ed1bfea84

SHA1
e3c6faa899b90bab7f75376fcb0558978958baef

SHA256
4f38a836cd2a4e1ae047a9a051b6d2474abd8bc0b4f5d9cf2451d9861cf064da

SHA512
10776c453e9801af482deb881a8c88d771538f3335dca19d54877d9134c3089b975733eff430bc9c2ffda316aa1342da7c24f5ef865790dc1a775c60c9916fe8

Download Submit
C:\Windows\SysWOW64\Oheppe32.exe

Filesize
194KB

MD5
00d5354b2a7313003884d4d89f7277f7

SHA1
b0e8df187afaf5b624dfb9c9db38628cdfb159dc

SHA256
9d3a523bca8bcd1c01f5a46156ea28d44368527377f238800f424363c4f05a6e

SHA512
0de012ad2dbbe265da38e05d6eb1c823364f18c6235f901a5a686f6e9b1e22cb5be104f24165b613c1562d5b8807d46e5199da99938808965a8bac9a798170eb

Download Submit
C:\Windows\SysWOW64\Oiljcj32.exe

Filesize
194KB

MD5
6bef2c20c33a6db0083aee066d9da9a0

SHA1
1fa9a35518974fe7b26d5ddbbace5b8b056b6bf7

SHA256
c31aefab8c9e30ee73a4e04bd80a41baaf2732a1ce882fb1f0873fac9529ed1a

SHA512
7a5e88676efcffdeb1d0c43cd6f70611b2ba13b97a1434b49101b1e6c317bb4fdb50fc6fe1303e0f151c8fc14ab7e7537743ee146d1f59d3d94815db982e5afc

Download Submit
C:\Windows\SysWOW64\Okijhmcm.exe

Filesize
194KB

MD5
570b82b33a6441f3b4f4a62d9d3fde37

SHA1
8b3d824d9b98a2decb2a4679e356c8402630613c

SHA256
001c09ad798aae4d2de951428f42c537d5c6bd9f3c72d95b8b92353d10242893

SHA512
413848c66ee40f20dd7fe12ccaccbbbaf61d6bd8fea9d1cc0ea6c3a811fb3d2feb63288f115db8b955f4dbc1847fb402433ac874f7f0ac18d50359930cf34562

Download Submit
C:\Windows\SysWOW64\Olopjddf.exe

Filesize
194KB

MD5
467235e90f7691f9965665693b5c1cb1

SHA1
1c1ab1d46f1c9aaa7be5b6da0ca5404db4cb4784

SHA256
3b3264b2d58e503fa3eafa6af4da3539a2c57d885664a56506f32c3c2527175a

SHA512
a2cd39f8efb1a36d4fdef3366cbc3d24050d683e7882e9c476cce59e642985684d1af9431ec84c6453c3ab4a37c5b54c5f39ea25dfd15dedb7617b6fbba014c7

Download Submit
C:\Windows\SysWOW64\Omjbihpn.exe

Filesize
194KB

MD5
3b7df108f81f6c02b7bd8c3fcd0b699c

SHA1
4342c13689f7d8b2f1a01d08f033844397ef85fa

SHA256
35307d19d45051353b6f0f4ee7077f6808a04ea35c3590dfefd904113af96836

SHA512
eb4db3e211433159f232b34d5950b1dd22cbaf21c8ab034ec74ef1d2e6e3ce30a803156951737cc39faad197a38deacd64549c113b3e3940057491c9feaf72f0

Download Submit
C:\Windows\SysWOW64\Onlooh32.exe

Filesize
194KB

MD5
4882df4cf9ef0bb3576da9fb006b98fe

SHA1
1077a880e58084f4ac652af8d20a247db45320b1

SHA256
82160d7ca9031d67d3a8b0a0b51b0ff7a559979d95ac9a264d5ffe7a801711fe

SHA512
104311b010178e0a0bf16820a0da56f43c95dd1868641428614f31da257a28edc27f692cca71835e05db4a297431695321e1a04264787f1681e50f56c9d9727f

Download Submit
C:\Windows\SysWOW64\Oobiclmh.exe

Filesize
194KB

MD5
39313df9a0fc394e038c60fb707eac2d

SHA1
fa416232fd91a5047ba59ffd7ad3a8d2d2959e16

SHA256
5b2e0c470cbfdd9fa8a8d8ce34c2b8a6b0429bccc2fff2974bf12062c5854cc5

SHA512
6def197ab4128e3596ab47dbcbeed0c298559e275aed1322069ccc7dcac483714ac42f798838f07fdfe5227b90e06d8d3d4e697880b68748d3bb650387a102f6

Download Submit
C:\Windows\SysWOW64\Oomlfpdi.exe

Filesize
194KB

MD5
c2fe2ef40a483faf3beb40e7e43aa843

SHA1
5465f81c70ec266583ff6f18614735b9fd54fc90

SHA256
c51e19e44fd001470f3cdd14bbf209ecb473b762a1fac9101cb30ab905dda709

SHA512
8e4b1e292263f327d1f115a5974ff3d5d4bf5b9cc54d2ad660f9be0ebc8bcaaceb1139a69a7cf49c4ae8e01434f2025cf808e997701288963714b55fd922d573

Download Submit
C:\Windows\SysWOW64\Oophlpag.exe

Filesize
194KB

MD5
5192d8b195964f55f3e291d191282410

SHA1
6b200d177ce2ec3f541ef1366dfb824a96fce2d9

SHA256
65f32b3c763852c4284d2d8c001147f06f08673b24c750e7b337bc0a19fe55aa

SHA512
5a1e5431f488a4eedcf876abb7047250330899186b110c1a6d1e99283a33946aa5c19a81ec69a9c341c18ccd78283faed76c9235924d8f6f17cc10ae75d5f586

Download Submit
C:\Windows\SysWOW64\Ophoecoa.exe

Filesize
194KB

MD5
723a7eb184cb2a12d209500f0b0ec50a

SHA1
2f48f23bebe406fe376fcb95ec419321bf8149f0

SHA256
29906d450396b9cc1dd2f7aef01aab3e6fc84510fb2703a5e0b341a83c63f4c7

SHA512
3cbc59e2ad43ff31f23b56a01bb5cd583b1cac3bdc5911129233d4478e261a0be83e386a23bef1fa55af727a8fee0230063dd626b5876042f462a6002b306ef0

Download Submit
\Windows\SysWOW64\Jfpmifoa.exe

Filesize
194KB

MD5
9ffab26bb848e1474e2884893526cd10

SHA1
f74ca19599e952bd580cd94814dd08d54e73dc63

SHA256
ac9221f798c4d3e568fed417b10031fa27c46412e1277a314568fb5162b6674b

SHA512
3c572f4b75ea09f667e5af9ee8f36e867bdd5bcc426089caeec3b412d96c9fa76077843b157e73619a9610968dbeabd6d34b67158cf7914a070d693ac578201f

Download Submit
\Windows\SysWOW64\Jgkphj32.exe

Filesize
194KB

MD5
fc73899f2d802baecbc186a436950035

SHA1
748f8209b0abb4feb5d7063b48fb93935fe55466

SHA256
0e471d1bd4596ea71d2da9eca25a4920a65465c1f771b243e1a62b629617574f

SHA512
c2c0e9ed3600bccd4f98c6c98b281688e74bd7f740f6d76c9b599abee1baa6c312c64813256d70b2f5c48372453eb273d00352347d1da803278472b4a40b858d

Download Submit
\Windows\SysWOW64\Jjneoeeh.exe

Filesize
194KB

MD5
11e65bfba72e9c3f74edd8e43d416da5

SHA1
7d8c72438bad6973384ca8e9f8888be445d85708

SHA256
163fa96b705f71a4237faca741c788a22f51a1035b3297b3ef444430084114cd

SHA512
a60c234c9e62f1db87e9902611098e34accced16eabad9043c6e548c321b776494f870e9712f3f6ce08b500e5f01a37bdb526cc9742a51f6c160c65e275b198a

Download Submit
\Windows\SysWOW64\Jkobgm32.exe

Filesize
194KB

MD5
4f057f59f921d379cfa8efce17051ef4

SHA1
99a9113c45a3d9ad13b70dd1917f2dc91c45c55f

SHA256
9b6d1b64ece5d90b6518a9223877513709bcad5ed1c8c190d444ff8c7b79362c

SHA512
5cd2add93b95856e3561652d74965e0a98b4460e578d305243b95fa01a9197331052a716097d3a1eafd9b0359ddb8c830dce2fab4d832c481e3dc36d671ce2bb

Download Submit
\Windows\SysWOW64\Jljeeqfn.exe

Filesize
194KB

MD5
5c214e16014f23f9291925c6b67779d3

SHA1
a1ffe55b12fe43a61754f84a440f98fe5e4304b5

SHA256
bd761c530529f789113429ef18933e171c40aca15d22d0e7848df226cbd27e1f

SHA512
48425f9126089a6eeaa2d93e0cc765a89ad7d275e92a00e69ed43e646c588d55077813203b80f35d7d808d39d4f96f9dda7b198a9740296573e4672fcadf3105

Download Submit
\Windows\SysWOW64\Jpcdqpqj.exe

Filesize
194KB

MD5
ba6d367aa4b4cdea5f545809307026ea

SHA1
3ad73de0edc744b2e2fa4d1cb2c0cf1f20a53d2a

SHA256
95e6b311a383701709cb566f9760451d5ff676036c745dc1dad224b788bd2d91

SHA512
8ae047156f83c112c8a4585da5dd4523473a0bd3b12af2896dd8fc01446400f23aa6bbab4241a303e017e16c7cbb7876ba6d57dfeaa6c21eda5f07c01943d3b9

Download Submit
\Windows\SysWOW64\Kdgfpbaf.exe

Filesize
194KB

MD5
46eece9e351fb7e197024e4b16375a26

SHA1
97657868a6ab5f4f120a1d55b69649803f677c28

SHA256
f7e39a1781c33e60328ef4eb7df67c5dab2a1d791715f725c5e4733b00882bc4

SHA512
fd8b7800493238512746f97ade9e99a14fd32b9a7dc70fd4aebbd76f2eb36a5a28afec1b6c4003e30e142f4f63d272c7d3da748546bf33068361c31ec2cd5529

Download Submit
\Windows\SysWOW64\Kfgcieii.exe

Filesize
194KB

MD5
6dfedf03e212fa27ffa02359462aedea

SHA1
05dd1e61dbda728958cb8d196caad3cb6a3edc34

SHA256
1c5b5cc26f3656feb9fedab4a0265205d12a0da99d33b1b1004aaddd9c144f57

SHA512
652b312e5d55834aa96ea008335712fcb094caf13314081d3d1be6f4a732d97e03fd6ae1096f41e1fea64b234706a1a4b73089c45b000352e48dde18000a03ad

Download Submit
\Windows\SysWOW64\Kgmilmkb.exe

Filesize
194KB

MD5
fc3d51223e8ade860f76191e54ca4314

SHA1
9dd0b8c73653d3e69d43bec11647c504272dc78a

SHA256
70b832a3f099b8a9f3d544e0715bc3292365b721fad72125b7c868a8e0b66a44

SHA512
abcf2b33e13f625847d338d9c155e84509cdbf676620bf9a8cd6c43335d85d742b20d5bf282a42610d3735dacb966aeda78d14af06e35d2f2b0cb337963369cc

Download Submit
\Windows\SysWOW64\Khglkqfj.exe

Filesize
194KB

MD5
9b916cce8a428edc053199439c3be7c3

SHA1
139d42ca0cb542992c92f58ce43275fb4db4da2e

SHA256
d5ad7ec55292dd387e0bcda370a7c534741f642ddd81f1f118418a92ef12bc14

SHA512
4add7f5476b764a8e5ea347d2f6f15a236ec8e1128cb53da8a5df8c0d393d60b6611c94a678d70083a2d74b98c66bec03bf7fc6639aa5322bde461a882d4171c

Download Submit
\Windows\SysWOW64\Klonqpbi.exe

Filesize
194KB

MD5
4f47e33b616286ad4e5a250634ba8500

SHA1
c000dd79fd842d0d7cbd16a20fcc116a3caee2bb

SHA256
6d3b3084dc9c09a914a8922f16db5b4f2ee0a7a53aab55a8f6b654da0f490a4a

SHA512
d466e155d7b8db36f2a3ba566ebd233859b93525bb1fb7d3f9be8d360df13233a8f20bb8ed81aa6306de75f4c53ca440de695c01f3a875ae8a05eb59abc72285

Download Submit
\Windows\SysWOW64\Knddcg32.exe

Filesize
194KB

MD5
fa0e58d60e4f7d192bf542ab1d70f6c0

SHA1
42d1b099708fbb721b682d929867c652d12c5035

SHA256
f8987fcc0da5470b4d040684f9c9b638f9babd69ee90bc9027c1ca349813aac0

SHA512
f3e74da3b4eafa53a9563043f100dfa76855e64182961ea4737702ab236b8e5a84a7eafb8a536d7399692b8f7e0af18c42ef0b00953e32fb0474942e5a671c16

Download Submit
\Windows\SysWOW64\Kninog32.exe

Filesize
194KB

MD5
0491aa42c90e5709ca5a76c052f8cbf1

SHA1
0593dd509d9cff93cb5910b62327d5ef55144db1

SHA256
bd75c57d4cc79341a515c1ead9c1bd51c463550ab331bc3f58a5f8f43ecbfc97

SHA512
8df76a0fb582feddc33277334db4f5b23ee4fe367cd1cf2297b3fde58fc2c8013046a989267a1cee1127ec6802778f08fa68cb79778ead8628a04a6c7e36be10

Download Submit
\Windows\SysWOW64\Koogbk32.exe

Filesize
194KB

MD5
a76938cc6d85dee1677b7ea949b12794

SHA1
50f54e21080cf81c7b4fcd84c1b2d43143ee69c0

SHA256
4607b4038b0e4a02e404dc28ee2f0405d548817e9b15b3e897e4f8b4336a2298

SHA512
6649a366449e5de75e1f3b6cee98e5cf31b2ccddee51e1f0c9940dd5c241f498d40c6b0b6845c3e27d15e066aef8f0ee6b243c8deb7077192012f70776b82ffb

Download Submit
\Windows\SysWOW64\Kqemeb32.exe

Filesize
194KB

MD5
fa89c2a702567f1e983cfac075cbaf6f

SHA1
aea08de63d533af0065668832774fb70381f21d2

SHA256
8725d9de59422f019f22f409337c042a578d0cd90cc35cfab23babf554138663

SHA512
b4f82af697dd302c0e96a5dfe77cc5995527f1bab6ee9feb8b53dd9bab95bb07513a9020ab8ff049cbd0b7d751d90d4e4c3c90d60bda48ddd00974f702ca63cf

Download Submit
memory/112-508-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/112-519-0x00000000002F0000-0x0000000000349000-memory.dmp

Filesize
356KB

Download
memory/112-520-0x00000000002F0000-0x0000000000349000-memory.dmp

Filesize
356KB

Download
memory/576-205-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/576-518-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/576-193-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/600-240-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/600-244-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/600-234-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/804-393-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/888-407-0x0000000000260000-0x00000000002B9000-memory.dmp

Filesize
356KB

Download
memory/888-402-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/968-308-0x00000000004D0000-0x0000000000529000-memory.dmp

Filesize
356KB

Download
memory/968-299-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/968-309-0x00000000004D0000-0x0000000000529000-memory.dmp

Filesize
356KB

Download
memory/972-467-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/980-858-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1056-255-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1056-262-0x00000000002D0000-0x0000000000329000-memory.dmp

Filesize
356KB

Download
memory/1056-266-0x00000000002D0000-0x0000000000329000-memory.dmp

Filesize
356KB

Download
memory/1072-165-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1092-245-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1092-254-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/1092-260-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/1120-439-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1120-445-0x00000000006C0000-0x0000000000719000-memory.dmp

Filesize
356KB

Download
memory/1156-25-0x00000000002E0000-0x0000000000339000-memory.dmp

Filesize
356KB

Download
memory/1156-13-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1512-291-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1512-298-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/1512-294-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/1600-149-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/1600-137-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1612-471-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1704-283-0x0000000000310000-0x0000000000369000-memory.dmp

Filesize
356KB

Download
memory/1704-287-0x0000000000310000-0x0000000000369000-memory.dmp

Filesize
356KB

Download
memory/1704-277-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1768-12-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/1768-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1888-449-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1888-458-0x00000000005F0000-0x0000000000649000-memory.dmp

Filesize
356KB

Download
memory/1912-123-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1912-131-0x0000000000320000-0x0000000000379000-memory.dmp

Filesize
356KB

Download
memory/2000-103-0x0000000000260000-0x00000000002B9000-memory.dmp

Filesize
356KB

Download
memory/2000-95-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2020-321-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2020-324-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2020-314-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2096-185-0x0000000000310000-0x0000000000369000-memory.dmp

Filesize
356KB

Download
memory/2096-502-0x0000000000310000-0x0000000000369000-memory.dmp

Filesize
356KB

Download
memory/2096-178-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2096-191-0x0000000000310000-0x0000000000369000-memory.dmp

Filesize
356KB

Download
memory/2156-486-0x0000000000310000-0x0000000000369000-memory.dmp

Filesize
356KB

Download
memory/2156-477-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2180-207-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2180-215-0x0000000000260000-0x00000000002B9000-memory.dmp

Filesize
356KB

Download
memory/2180-220-0x0000000000260000-0x00000000002B9000-memory.dmp

Filesize
356KB

Download
memory/2192-233-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2192-227-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2192-229-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2260-491-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2260-496-0x0000000000290000-0x00000000002E9000-memory.dmp

Filesize
356KB

Download
memory/2320-271-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2320-273-0x0000000000260000-0x00000000002B9000-memory.dmp

Filesize
356KB

Download
memory/2384-507-0x0000000000330000-0x0000000000389000-memory.dmp

Filesize
356KB

Download
memory/2384-506-0x0000000000330000-0x0000000000389000-memory.dmp

Filesize
356KB

Download
memory/2600-845-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2652-330-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2652-325-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2700-408-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2700-421-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2700-422-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2712-380-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2712-370-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2740-371-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2740-359-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2740-369-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2768-93-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2812-109-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2812-121-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download
memory/2820-341-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2820-350-0x0000000000260000-0x00000000002B9000-memory.dmp

Filesize
356KB

Download
memory/2824-27-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2864-331-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2864-340-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2872-40-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2872-47-0x0000000000290000-0x00000000002E9000-memory.dmp

Filesize
356KB

Download
memory/2880-75-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2880-68-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2916-54-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2916-66-0x0000000000290000-0x00000000002E9000-memory.dmp

Filesize
356KB

Download
memory/2924-365-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/3044-438-0x0000000000300000-0x0000000000359000-memory.dmp

Filesize
356KB

Download
memory/3052-428-0x00000000004D0000-0x0000000000529000-memory.dmp

Filesize
356KB

Download
memory/3052-429-0x00000000004D0000-0x0000000000529000-memory.dmp

Filesize
356KB

Download
memory/3052-423-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3060-151-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3060-159-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads