berbew | 19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152

Analysis

max time kernel
113s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe
Size

128KB
MD5

adf8527fd0cd380fb7f55d9eaa214700
SHA1

bd2fd5691bfcdfb5a7b46b7972c6c6569bdb7208
SHA256

19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152
SHA512

c1dbf8ac06fb7ab0f8783c8535847711d1c5eaa2b558b496b24cf918c02e1a50f582967b53a74c28af5f5c2a7f7cbb893b7e41dadd4d5a6d725db88ac1f462a3
SSDEEP

3072:+LCGvY2v2lSs2Mymz7E5AtiUF78NPBYBoBd9B9pax3FQo7fnEBctcp:+LtjvESs2My2uAti+wNZYBoBd9B9paxK

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmjojo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpekon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmcqkkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mofglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbdklf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbkameaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmnace32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmjgeaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfmjgeaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keednado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kiqpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lclnemgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbpgggol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljffag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Leljop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfiale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kilfcpqm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meijhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgalqkbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knpemf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lclnemgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmebnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljkomfjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mooaljkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndjfeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmneda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nigome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiijnq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmlhnagm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jqlhdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Keednado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kicmdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mffimglk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llohjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmneda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhjbjopf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moidahcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdklf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2292	Jqlhdo32.exe
824	Jfiale32.exe
2904	Jqnejn32.exe
2788	Jghmfhmb.exe
2636	Kiijnq32.exe
2532	Kqqboncb.exe
2380	Kfmjgeaj.exe
476	Kilfcpqm.exe
292	Kofopj32.exe
2800	Kbdklf32.exe
2864	Kmjojo32.exe
1800	Kohkfj32.exe
1572	Keednado.exe
1096	Kiqpop32.exe
2008	Kaldcb32.exe
2468	Kicmdo32.exe
2912	Knpemf32.exe
3036	Kbkameaf.exe
1828	Lclnemgd.exe
860	Lghjel32.exe
1088	Ljffag32.exe
964	Lmebnb32.exe
2268	Leljop32.exe
1832	Lcojjmea.exe
2180	Lfmffhde.exe
2316	Lndohedg.exe
3040	Lgmcqkkh.exe
2604	Ljkomfjl.exe
2660	Laegiq32.exe
2740	Lmlhnagm.exe
2516	Llohjo32.exe
3004	Legmbd32.exe
532	Mmneda32.exe
1036	Mooaljkh.exe
1116	Mffimglk.exe
2676	Meijhc32.exe
852	Mponel32.exe
1248	Mbmjah32.exe
1076	Mhjbjopf.exe
1804	Mlfojn32.exe
2020	Mbpgggol.exe
2540	Mdacop32.exe
2480	Mofglh32.exe
684	Meppiblm.exe
1720	Mdcpdp32.exe
1644	Mgalqkbk.exe
1624	Moidahcn.exe
1228	Magqncba.exe
720	Ndemjoae.exe
1956	Ngdifkpi.exe
2592	Nkpegi32.exe
2728	Nmnace32.exe
2536	Nplmop32.exe
2556	Ndhipoob.exe
2784	Niebhf32.exe
1156	Nmpnhdfc.exe
2768	Npojdpef.exe
2832	Ndjfeo32.exe
324	Ngibaj32.exe
1728	Nigome32.exe
2040	Nlekia32.exe
2000	Nodgel32.exe
1980	Ngkogj32.exe
1208	Niikceid.exe

Loads dropped DLL 64 IoCs

pid	Process
1044	19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe
1044	19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe
2292	Jqlhdo32.exe
2292	Jqlhdo32.exe
824	Jfiale32.exe
824	Jfiale32.exe
2904	Jqnejn32.exe
2904	Jqnejn32.exe
2788	Jghmfhmb.exe
2788	Jghmfhmb.exe
2636	Kiijnq32.exe
2636	Kiijnq32.exe
2532	Kqqboncb.exe
2532	Kqqboncb.exe
2380	Kfmjgeaj.exe
2380	Kfmjgeaj.exe
476	Kilfcpqm.exe
476	Kilfcpqm.exe
292	Kofopj32.exe
292	Kofopj32.exe
2800	Kbdklf32.exe
2800	Kbdklf32.exe
2864	Kmjojo32.exe
2864	Kmjojo32.exe
1800	Kohkfj32.exe
1800	Kohkfj32.exe
1572	Keednado.exe
1572	Keednado.exe
1096	Kiqpop32.exe
1096	Kiqpop32.exe
2008	Kaldcb32.exe
2008	Kaldcb32.exe
2468	Kicmdo32.exe
2468	Kicmdo32.exe
2912	Knpemf32.exe
2912	Knpemf32.exe
3036	Kbkameaf.exe
3036	Kbkameaf.exe
1828	Lclnemgd.exe
1828	Lclnemgd.exe
860	Lghjel32.exe
860	Lghjel32.exe
1088	Ljffag32.exe
1088	Ljffag32.exe
964	Lmebnb32.exe
964	Lmebnb32.exe
2268	Leljop32.exe
2268	Leljop32.exe
1832	Lcojjmea.exe
1832	Lcojjmea.exe
2180	Lfmffhde.exe
2180	Lfmffhde.exe
2444	Lpekon32.exe
2444	Lpekon32.exe
3040	Lgmcqkkh.exe
3040	Lgmcqkkh.exe
2604	Ljkomfjl.exe
2604	Ljkomfjl.exe
2660	Laegiq32.exe
2660	Laegiq32.exe
2740	Lmlhnagm.exe
2740	Lmlhnagm.exe
2516	Llohjo32.exe
2516	Llohjo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ekebnbmn.dll	Mdacop32.exe
File opened for modification	C:\Windows\SysWOW64\Ngkogj32.exe	Nodgel32.exe
File created	C:\Windows\SysWOW64\Jqlhdo32.exe	19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe
File created	C:\Windows\SysWOW64\Kmcipd32.dll	Kfmjgeaj.exe
File created	C:\Windows\SysWOW64\Kmjojo32.exe	Kbdklf32.exe
File created	C:\Windows\SysWOW64\Ihclng32.dll	Kicmdo32.exe
File opened for modification	C:\Windows\SysWOW64\Mponel32.exe	Meijhc32.exe
File created	C:\Windows\SysWOW64\Mbmjah32.exe	Mponel32.exe
File opened for modification	C:\Windows\SysWOW64\Nmnace32.exe	Nkpegi32.exe
File created	C:\Windows\SysWOW64\Nmpnhdfc.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Kicmdo32.exe	Kaldcb32.exe
File opened for modification	C:\Windows\SysWOW64\Kicmdo32.exe	Kaldcb32.exe
File created	C:\Windows\SysWOW64\Pghhkllb.dll	Kbkameaf.exe
File created	C:\Windows\SysWOW64\Jpfppg32.dll	Ljffag32.exe
File opened for modification	C:\Windows\SysWOW64\Lcojjmea.exe	Leljop32.exe
File opened for modification	C:\Windows\SysWOW64\Mdcpdp32.exe	Meppiblm.exe
File created	C:\Windows\SysWOW64\Oqaedifk.dll	Ngibaj32.exe
File opened for modification	C:\Windows\SysWOW64\Nodgel32.exe	Nlekia32.exe
File created	C:\Windows\SysWOW64\Ddbddikd.dll	Kohkfj32.exe
File created	C:\Windows\SysWOW64\Bpmiamoh.dll	Keednado.exe
File opened for modification	C:\Windows\SysWOW64\Lgmcqkkh.exe	Lpekon32.exe
File created	C:\Windows\SysWOW64\Ibddljof.dll	Llohjo32.exe
File created	C:\Windows\SysWOW64\Egnhob32.dll	Nplmop32.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Ndjfeo32.exe
File created	C:\Windows\SysWOW64\Kbdklf32.exe	Kofopj32.exe
File opened for modification	C:\Windows\SysWOW64\Laegiq32.exe	Ljkomfjl.exe
File created	C:\Windows\SysWOW64\Lmlhnagm.exe	Laegiq32.exe
File created	C:\Windows\SysWOW64\Mofglh32.exe	Mdacop32.exe
File opened for modification	C:\Windows\SysWOW64\Nlekia32.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Jfiale32.exe	Jqlhdo32.exe
File created	C:\Windows\SysWOW64\Olliabba.dll	Lmlhnagm.exe
File opened for modification	C:\Windows\SysWOW64\Ndjfeo32.exe	Npojdpef.exe
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Eqnolc32.dll	Nmpnhdfc.exe
File opened for modification	C:\Windows\SysWOW64\Kiqpop32.exe	Keednado.exe
File created	C:\Windows\SysWOW64\Kbkameaf.exe	Knpemf32.exe
File opened for modification	C:\Windows\SysWOW64\Lndohedg.exe	Lfmffhde.exe
File created	C:\Windows\SysWOW64\Fdilgioe.dll	Lpekon32.exe
File created	C:\Windows\SysWOW64\Jhcfhi32.dll	Legmbd32.exe
File created	C:\Windows\SysWOW64\Imbiaa32.dll	Mbmjah32.exe
File created	C:\Windows\SysWOW64\Phmkjbfe.dll	Nigome32.exe
File opened for modification	C:\Windows\SysWOW64\Mofglh32.exe	Mdacop32.exe
File opened for modification	C:\Windows\SysWOW64\Nkpegi32.exe	Ngdifkpi.exe
File created	C:\Windows\SysWOW64\Hqalfl32.dll	Kbdklf32.exe
File created	C:\Windows\SysWOW64\Hoaebk32.dll	Knpemf32.exe
File opened for modification	C:\Windows\SysWOW64\Llohjo32.exe	Lmlhnagm.exe
File created	C:\Windows\SysWOW64\Mooaljkh.exe	Mmneda32.exe
File created	C:\Windows\SysWOW64\Mlfojn32.exe	Mhjbjopf.exe
File created	C:\Windows\SysWOW64\Fpahiebe.dll	Mlfojn32.exe
File created	C:\Windows\SysWOW64\Nmnace32.exe	Nkpegi32.exe
File created	C:\Windows\SysWOW64\Fibkpd32.dll	Nkpegi32.exe
File opened for modification	C:\Windows\SysWOW64\Nplmop32.exe	Nmnace32.exe
File created	C:\Windows\SysWOW64\Npojdpef.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Kmfoak32.dll	Kmjojo32.exe
File created	C:\Windows\SysWOW64\Meijhc32.exe	Mffimglk.exe
File opened for modification	C:\Windows\SysWOW64\Mdacop32.exe	Mbpgggol.exe
File opened for modification	C:\Windows\SysWOW64\Ngibaj32.exe	Ndjfeo32.exe
File created	C:\Windows\SysWOW64\Elonamqm.dll	Moidahcn.exe
File opened for modification	C:\Windows\SysWOW64\Ngdifkpi.exe	Ndemjoae.exe
File created	C:\Windows\SysWOW64\Qocjhb32.dll	Kiijnq32.exe
File opened for modification	C:\Windows\SysWOW64\Ljffag32.exe	Lghjel32.exe
File created	C:\Windows\SysWOW64\Gcopbn32.dll	Lmebnb32.exe
File created	C:\Windows\SysWOW64\Daifmohp.dll	Mffimglk.exe
File created	C:\Windows\SysWOW64\Moidahcn.exe	Mgalqkbk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2160	2352	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkpegi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jqlhdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiqpop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lclnemgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lndohedg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mofglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdcpdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mooaljkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moidahcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnace32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlekia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jghmfhmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kohkfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbkameaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfmffhde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laegiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpekon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Legmbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlfojn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbpgggol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meijhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndemjoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplmop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhipoob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpnhdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kqqboncb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmjgeaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keednado.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kicmdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdifkpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llohjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngibaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nigome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jqnejn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kofopj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmebnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mffimglk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdacop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiijnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmneda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mponel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magqncba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndjfeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbmjah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfiale32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbdklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaldcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljffag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljkomfjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knpemf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmcqkkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npojdpef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmlhnagm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngkogj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niikceid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kilfcpqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmjojo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhjbjopf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meppiblm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhajpc32.dll"	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afdignjb.dll"	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incbogkn.dll"	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akbipbbd.dll"	Jfiale32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmjojo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Legmbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mffimglk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kiijnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Knpemf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llohjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipikqbi.dll"	Jqnejn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mooaljkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll"	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjcbn32.dll"	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaagb32.dll"	Mmneda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhffckeo.dll"	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kofopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmebnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Leljop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll"	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alfadj32.dll"	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpfppg32.dll"	Ljffag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npojdpef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmiamoh.dll"	Keednado.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lghjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llohjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmnace32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfmffhde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmlhnagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqnolc32.dll"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlekia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Meijhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mponel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffjeaid.dll"	Leljop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opdnhdpo.dll"	Lfmffhde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Legmbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifmohp.dll"	Mffimglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmkjbfe.dll"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll"	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpekon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmneda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negpnjgm.dll"	Mooaljkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljffag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogikcfnb.dll"	Lgmcqkkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgmcqkkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadlcdpk.dll"	Ljkomfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kqqboncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kohkfj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2292	1044	19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe	28
PID 1044 wrote to memory of 2292	1044	19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe	28
PID 1044 wrote to memory of 2292	1044	19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe	28
PID 1044 wrote to memory of 2292	1044	19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe	28
PID 2292 wrote to memory of 824	2292	Jqlhdo32.exe	29
PID 2292 wrote to memory of 824	2292	Jqlhdo32.exe	29
PID 2292 wrote to memory of 824	2292	Jqlhdo32.exe	29
PID 2292 wrote to memory of 824	2292	Jqlhdo32.exe	29
PID 824 wrote to memory of 2904	824	Jfiale32.exe	30
PID 824 wrote to memory of 2904	824	Jfiale32.exe	30
PID 824 wrote to memory of 2904	824	Jfiale32.exe	30
PID 824 wrote to memory of 2904	824	Jfiale32.exe	30
PID 2904 wrote to memory of 2788	2904	Jqnejn32.exe	31
PID 2904 wrote to memory of 2788	2904	Jqnejn32.exe	31
PID 2904 wrote to memory of 2788	2904	Jqnejn32.exe	31
PID 2904 wrote to memory of 2788	2904	Jqnejn32.exe	31
PID 2788 wrote to memory of 2636	2788	Jghmfhmb.exe	32
PID 2788 wrote to memory of 2636	2788	Jghmfhmb.exe	32
PID 2788 wrote to memory of 2636	2788	Jghmfhmb.exe	32
PID 2788 wrote to memory of 2636	2788	Jghmfhmb.exe	32
PID 2636 wrote to memory of 2532	2636	Kiijnq32.exe	33
PID 2636 wrote to memory of 2532	2636	Kiijnq32.exe	33
PID 2636 wrote to memory of 2532	2636	Kiijnq32.exe	33
PID 2636 wrote to memory of 2532	2636	Kiijnq32.exe	33
PID 2532 wrote to memory of 2380	2532	Kqqboncb.exe	34
PID 2532 wrote to memory of 2380	2532	Kqqboncb.exe	34
PID 2532 wrote to memory of 2380	2532	Kqqboncb.exe	34
PID 2532 wrote to memory of 2380	2532	Kqqboncb.exe	34
PID 2380 wrote to memory of 476	2380	Kfmjgeaj.exe	35
PID 2380 wrote to memory of 476	2380	Kfmjgeaj.exe	35
PID 2380 wrote to memory of 476	2380	Kfmjgeaj.exe	35
PID 2380 wrote to memory of 476	2380	Kfmjgeaj.exe	35
PID 476 wrote to memory of 292	476	Kilfcpqm.exe	36
PID 476 wrote to memory of 292	476	Kilfcpqm.exe	36
PID 476 wrote to memory of 292	476	Kilfcpqm.exe	36
PID 476 wrote to memory of 292	476	Kilfcpqm.exe	36
PID 292 wrote to memory of 2800	292	Kofopj32.exe	37
PID 292 wrote to memory of 2800	292	Kofopj32.exe	37
PID 292 wrote to memory of 2800	292	Kofopj32.exe	37
PID 292 wrote to memory of 2800	292	Kofopj32.exe	37
PID 2800 wrote to memory of 2864	2800	Kbdklf32.exe	38
PID 2800 wrote to memory of 2864	2800	Kbdklf32.exe	38
PID 2800 wrote to memory of 2864	2800	Kbdklf32.exe	38
PID 2800 wrote to memory of 2864	2800	Kbdklf32.exe	38
PID 2864 wrote to memory of 1800	2864	Kmjojo32.exe	39
PID 2864 wrote to memory of 1800	2864	Kmjojo32.exe	39
PID 2864 wrote to memory of 1800	2864	Kmjojo32.exe	39
PID 2864 wrote to memory of 1800	2864	Kmjojo32.exe	39
PID 1800 wrote to memory of 1572	1800	Kohkfj32.exe	40
PID 1800 wrote to memory of 1572	1800	Kohkfj32.exe	40
PID 1800 wrote to memory of 1572	1800	Kohkfj32.exe	40
PID 1800 wrote to memory of 1572	1800	Kohkfj32.exe	40
PID 1572 wrote to memory of 1096	1572	Keednado.exe	41
PID 1572 wrote to memory of 1096	1572	Keednado.exe	41
PID 1572 wrote to memory of 1096	1572	Keednado.exe	41
PID 1572 wrote to memory of 1096	1572	Keednado.exe	41
PID 1096 wrote to memory of 2008	1096	Kiqpop32.exe	42
PID 1096 wrote to memory of 2008	1096	Kiqpop32.exe	42
PID 1096 wrote to memory of 2008	1096	Kiqpop32.exe	42
PID 1096 wrote to memory of 2008	1096	Kiqpop32.exe	42
PID 2008 wrote to memory of 2468	2008	Kaldcb32.exe	43
PID 2008 wrote to memory of 2468	2008	Kaldcb32.exe	43
PID 2008 wrote to memory of 2468	2008	Kaldcb32.exe	43
PID 2008 wrote to memory of 2468	2008	Kaldcb32.exe	43

C:\Users\Admin\AppData\Local\Temp\19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe
"C:\Users\Admin\AppData\Local\Temp\19029cd14895aecaaf282ddbf2aaa5e9f2fecc00f55d79bb73473c68cda8c152N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\SysWOW64\Jqlhdo32.exe
  C:\Windows\system32\Jqlhdo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\SysWOW64\Jfiale32.exe
    C:\Windows\system32\Jfiale32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Windows\SysWOW64\Jqnejn32.exe
      C:\Windows\system32\Jqnejn32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\SysWOW64\Jghmfhmb.exe
        
        C:\Windows\system32\Jghmfhmb.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\SysWOW64\Kiijnq32.exe
        
        C:\Windows\system32\Kiijnq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Kqqboncb.exe
        
        C:\Windows\system32\Kqqboncb.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Kfmjgeaj.exe
        
        C:\Windows\system32\Kfmjgeaj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Kilfcpqm.exe
        
        C:\Windows\system32\Kilfcpqm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:476
        
        C:\Windows\SysWOW64\Kofopj32.exe
        
        C:\Windows\system32\Kofopj32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\SysWOW64\Kbdklf32.exe
        
        C:\Windows\system32\Kbdklf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Kmjojo32.exe
        
        C:\Windows\system32\Kmjojo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Kohkfj32.exe
        
        C:\Windows\system32\Kohkfj32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Keednado.exe
        
        C:\Windows\system32\Keednado.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Kiqpop32.exe
        
        C:\Windows\system32\Kiqpop32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Kaldcb32.exe
        
        C:\Windows\system32\Kaldcb32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Kicmdo32.exe
        
        C:\Windows\system32\Kicmdo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\Knpemf32.exe
        
        C:\Windows\system32\Knpemf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Kbkameaf.exe
        
        C:\Windows\system32\Kbkameaf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Lclnemgd.exe
        
        C:\Windows\system32\Lclnemgd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\Lghjel32.exe
        
        C:\Windows\system32\Lghjel32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Ljffag32.exe
        
        C:\Windows\system32\Ljffag32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Lmebnb32.exe
        
        C:\Windows\system32\Lmebnb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Leljop32.exe
        
        C:\Windows\system32\Leljop32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Lcojjmea.exe
        
        C:\Windows\system32\Lcojjmea.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1832
        
        C:\Windows\SysWOW64\Lfmffhde.exe
        
        C:\Windows\system32\Lfmffhde.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Lndohedg.exe
        
        C:\Windows\system32\Lndohedg.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Lpekon32.exe
        
        C:\Windows\system32\Lpekon32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Lgmcqkkh.exe
        
        C:\Windows\system32\Lgmcqkkh.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Ljkomfjl.exe
        
        C:\Windows\system32\Ljkomfjl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Laegiq32.exe
        
        C:\Windows\system32\Laegiq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Lmlhnagm.exe
        
        C:\Windows\system32\Lmlhnagm.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Llohjo32.exe
        
        C:\Windows\system32\Llohjo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Legmbd32.exe
        
        C:\Windows\system32\Legmbd32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Mmneda32.exe
        
        C:\Windows\system32\Mmneda32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Mooaljkh.exe
        
        C:\Windows\system32\Mooaljkh.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Mffimglk.exe
        
        C:\Windows\system32\Mffimglk.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Meijhc32.exe
        
        C:\Windows\system32\Meijhc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Mponel32.exe
        
        C:\Windows\system32\Mponel32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Mbmjah32.exe
        
        C:\Windows\system32\Mbmjah32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Mhjbjopf.exe
        
        C:\Windows\system32\Mhjbjopf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Mlfojn32.exe
        
        C:\Windows\system32\Mlfojn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Mbpgggol.exe
        
        C:\Windows\system32\Mbpgggol.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Mdacop32.exe
        
        C:\Windows\system32\Mdacop32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Mofglh32.exe
        
        C:\Windows\system32\Mofglh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Meppiblm.exe
        
        C:\Windows\system32\Meppiblm.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\Mdcpdp32.exe
        
        C:\Windows\system32\Mdcpdp32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Mgalqkbk.exe
        
        C:\Windows\system32\Mgalqkbk.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\Moidahcn.exe
        
        C:\Windows\system32\Moidahcn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Magqncba.exe
        
        C:\Windows\system32\Magqncba.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Ndemjoae.exe
        
        C:\Windows\system32\Ndemjoae.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Ngdifkpi.exe
        
        C:\Windows\system32\Ngdifkpi.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Nkpegi32.exe
        
        C:\Windows\system32\Nkpegi32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Nmnace32.exe
        
        C:\Windows\system32\Nmnace32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Nplmop32.exe
        
        C:\Windows\system32\Nplmop32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\Ndhipoob.exe
        
        C:\Windows\system32\Ndhipoob.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\Niebhf32.exe
        
        C:\Windows\system32\Niebhf32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\Nmpnhdfc.exe
        
        C:\Windows\system32\Nmpnhdfc.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Npojdpef.exe
        
        C:\Windows\system32\Npojdpef.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Ndjfeo32.exe
        
        C:\Windows\system32\Ndjfeo32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:324
        
        C:\Windows\SysWOW64\Nigome32.exe
        
        C:\Windows\system32\Nigome32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Nlekia32.exe
        
        C:\Windows\system32\Nlekia32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Nodgel32.exe
        
        C:\Windows\system32\Nodgel32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Ngkogj32.exe
        
        C:\Windows\system32\Ngkogj32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Niikceid.exe
        
        C:\Windows\system32\Niikceid.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 140
        68⤵
        Program crash
        
        PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cljiflem.dll

Filesize
7KB

MD5
095cacf5e875d07ef7547fa71cba80ba

SHA1
5766645946f0e8093fd118dfdc250fd5a3b7791d

SHA256
1ade0c9f5d91c20077851c1a7d52c8f9239380f91a60027e887b447d3662c6d7

SHA512
05a5db9a62e257cfa86195c2855f7507cfe789989fad3234917a738f4801f903d096f0a8067e74210c9535c93daffd320a072b021879038b127195d1ae9b966b

Download Submit
C:\Windows\SysWOW64\Jqlhdo32.exe

Filesize
128KB

MD5
8fdc1727c28230a941f830e3c5deb97a

SHA1
71fee3c5b178edb1f06fc80bcec1d00b9a9e6596

SHA256
b053bd1e208aef52b361a2e2eb0d3136f1d5027847967088332619902f03c91b

SHA512
592fd9ec6f928493f5c56612ae83cc35b8f42d798d7d2f2de583b77865cbea976c7118e983f3deef6f205e223bc4e45d6f57b6c314825fb1877da61dc53d239c

Download Submit
C:\Windows\SysWOW64\Kbkameaf.exe

Filesize
128KB

MD5
baf377e7446dbddc6a6609ce89bb962a

SHA1
bbd95c77ced9da72bff5e4274a41dbc7a63e5929

SHA256
59d69bfc045398a4f7bdb83bcec4d9e5299e86a67fa74345777e0871f2736447

SHA512
b5edf59b01741e64be73690d3b994de27d97f2e46b6bbc483d3f702f2c0aeb84221653ceef0ae57dc98046a24ab6895833627a02e3edcc79fc772539ffc92159

Download Submit
C:\Windows\SysWOW64\Keednado.exe

Filesize
128KB

MD5
4590ecc78689d07534ab5b3f730cb0a9

SHA1
2002f847a0664dbf1e39b907ded520f4ba8831a8

SHA256
f26f36ed7d0879dbe830feac3d90afb2b60ddf64d9a6c47c145017fb948e524a

SHA512
b143f66a260a9cdc91f5f1b4b73f8f812719d57cef6a58e3e44ae61fe01dc3141c81c2538eeb098c1f6d7c79574584667cd234b270529a13a5e073d61b0c30ee

Download Submit
C:\Windows\SysWOW64\Knpemf32.exe

Filesize
128KB

MD5
01afb77d3b4a3765a578a1e11f60f318

SHA1
d776ec3dcba945feca5871044b9bebe0007a45e4

SHA256
f3dc1cc17bb4bb4f7b2c143076458356cfbac0ad6cb10787627181ba62caa431

SHA512
3b9e7bda211f67f2dc2d098a7fce401d97d3ac5d9cd5cb8bcd2dc089ab8ea8edd4f179833df2c82ccad2cd069ed39527b6d137f463fd6f7de5e28397f7c84c06

Download Submit
C:\Windows\SysWOW64\Kohkfj32.exe

Filesize
128KB

MD5
4753b28e02a93eac49333223bfa8411b

SHA1
b761bdd60f3841eea8184989a46a4370d7bae300

SHA256
8ffe4b8fdf0e518432206c50c7ec7e69b4b0a8158491fe04973da830d7775817

SHA512
d3eb7d1825e828a59d672958b35797e215e263c4911a850030cf9f700b32a029a4e246285d067f8930cf543a80cca22d38f621fcbe67a9c7fc95fbcce448a2d7

Download Submit
C:\Windows\SysWOW64\Kqqboncb.exe

Filesize
128KB

MD5
f3686777e24539cb5081b047714a4d35

SHA1
bec74478727592af39d03ab4e4b8b6016fbccdfe

SHA256
ad9a882c8a825074e2b7d3ab61b9e44bb5ffd5242d44a26e3361719925269761

SHA512
42f9c1c5051ed719efc1b7e29f2e1edf0a27d2f5407e418d17d6d4264e464973986c897cebe562ec6954a9934ebc58720d81075a0df2ba9b8f13ee10ddddc76b

Download Submit
C:\Windows\SysWOW64\Laegiq32.exe

Filesize
128KB

MD5
f450707e6bcb78af65fac3953e2325f4

SHA1
f830e3bea0d605eb5bf3f90851896beb69a44236

SHA256
f77db91d8aa9c7747f1fe814929f04b47d034c9c45a1f4ac765b5b91c3aec1b6

SHA512
c486770523430a6343567e88c0a638c7a9108e1928a81e722fd49a9414a9a835d872cabea4f22c4b6a36e8842b8c322b11f791a162be7106bd496367e374473a

Download Submit
C:\Windows\SysWOW64\Lclnemgd.exe

Filesize
128KB

MD5
d7c0bf90d126a41e818f8db76728ed16

SHA1
baf894de394630b8e7418078c961eacdedff69bb

SHA256
8f455a02cb946d79fb73af9b74505a90cf8893369a0bd074fae066300e263a18

SHA512
5ef54e51246b0aed1faa3f6f559085d0ece0e4c06d38edb2ffb43573072047fe73922901f26338b59e078801e760c710819256840170dfbbb4cd8cbad5a1143e

Download Submit
C:\Windows\SysWOW64\Lcojjmea.exe

Filesize
128KB

MD5
f1a8950a0a0f26ed100b55f491574b87

SHA1
af743848a9573afad6ea17f6dc1a2675adc9a1b3

SHA256
9b6c276b6c5656c1a85b8a953bdb749cd873c672d65d99801da8522a1de0f0fe

SHA512
d0e2976c2969b039409a0544477bee4c8fc40ffc61ffb88f584548037d6b8ed68633c24b690e16cfc30a35e8d3d9e604c72f936be46e0ee9a1d2f910760e52f8

Download Submit
C:\Windows\SysWOW64\Legmbd32.exe

Filesize
128KB

MD5
850c0ca54d92572bb2e5adaad2d0c0fc

SHA1
d86150ca53a1bc13a80ce9eedec7f0f573c8c6f2

SHA256
feee4c90b12e96359ac779adedb9ac773bc435c702a277c000beaf41d7c7cf1e

SHA512
b816dd0d2f25621ff87e86ada1719f6e52c078e75b8acb0f7db1fdc13eb775eaa6ec3cf87de4032b317641a740c9a19eafa35317f1ee88d9fc65994ac7b46dfc

Download Submit
C:\Windows\SysWOW64\Leljop32.exe

Filesize
128KB

MD5
bc7da3a2fa56896e7e9ad2cb6a7d9244

SHA1
e5dbd1e5fdc0b645eac11a1b3c2acd73e0e96664

SHA256
77ab3a86a11a4c0c727e46720e779706b313607857db7a20b613a99812f89997

SHA512
261c68b431c7e54745e824bf6c6b50ea8be8ca9705e77190950d1b9f4444334c2f1ff5b0bce9e22cf724d48f85ee2f18902d96c63b5857a0d13fd94440d96bb7

Download Submit
C:\Windows\SysWOW64\Lfmffhde.exe

Filesize
128KB

MD5
f0aec6864616b8c4ab127e0f48fee759

SHA1
ef9dca196d33ccf050896a4326260c0143cb16de

SHA256
149f2db6fe397eae09015d18a818c81e5a4232efa32230b6b97fde3393cb617f

SHA512
9803c7c6477a6ab5577bf1cdfa051ef44fd2739b0231b55981a071187107dbbc07da370e13ab9710333a94c3d521eaca29eab8a3a59c9f199e8483225a931470

Download Submit
C:\Windows\SysWOW64\Lghjel32.exe

Filesize
128KB

MD5
411c6bdd40c929ca737317f1995f24a2

SHA1
6f46752cdac1b802f64961989c7c43cd8fd2db6c

SHA256
85278699931122329e7c04c7c0e1a000f73dd359b740831ed1b170c0b4ad2764

SHA512
4205223904513ab610fd10ce50dc3d383a8bd754c5f710049a0a30970b7dbd7c93a12220d90fde71e83cfead2b45dec617109f4ed2233ecbd96e90877a9ba53b

Download Submit
C:\Windows\SysWOW64\Lgmcqkkh.exe

Filesize
128KB

MD5
b0761c9cb6562926f5eb115e87892dae

SHA1
ffd3aa3793ba91ccb3b5b5bf8bbfa1e9b150466b

SHA256
a9900283e06c3de2068090fc417707372f5152aabbf3c31c8197a05401cebe2d

SHA512
9b4415391a4f9133902d8da9176dd9345a40649ba50634b2b2036a23839705ed5d88130c6b78812e7f24799b9fe4ed34c6ddad6b9262e99097ded4fdec17e9d7

Download Submit
C:\Windows\SysWOW64\Ljffag32.exe

Filesize
128KB

MD5
f9eb725f0d04c68c0dd485978bc6efa0

SHA1
81700ecf14aa5034c57f63d2ebf1503d029e1ca7

SHA256
fc714f27eefe5d98f79b4f58c2003ec1f148690a7fe92ae80c8888e761cd25d7

SHA512
f7012d126af6e357323eddc2c9865a67cd228727ca1e293275eca2b4267bdaeeb4c3df52ebb0f773c91b16907cbc6590f02bfccd413d1dff8afb5b9529fe07a6

Download Submit
C:\Windows\SysWOW64\Ljkomfjl.exe

Filesize
128KB

MD5
4ea1617d1fdae383c0b2bc00dd94721c

SHA1
11cc0bb81b594bceec87b4bdd91276469240d106

SHA256
4876ba6d86e6f71c8b391141d2d2bbdbeaff0518d7d2210ab42548ea9c1b03d5

SHA512
3e133343a0eb31d002f9a3c6b7924f185697678e8834c9152a63cb7028f5fb4bc59e4636e157f625ac6eba7c19f2df0f54527af03e0409403f6d332eb955689f

Download Submit
C:\Windows\SysWOW64\Llohjo32.exe

Filesize
128KB

MD5
ce21708f1eec517cd1496e7ea52d89da

SHA1
75cb1910552d348b4ebf0c9c69070695a2cbe759

SHA256
68b241fc84a3b30ba3015eb5f1d272c4f77ed126ec39ddeeaa776d2f235a4213

SHA512
66c652a3154a41ad48644ff29f4f2947a4a92ed0ccb06eddad9be077bcfbbe0ab0ac7a79de67356ff8f6917dda9dbe6608d3853582827667e71de38a974c749a

Download Submit
C:\Windows\SysWOW64\Lmebnb32.exe

Filesize
128KB

MD5
f344b4711593cd3d5a4e2bf5a6193652

SHA1
491c4c319fb34844caea0e41d25e1c9463d780a0

SHA256
1bd76fca772e40a1555ddfd0c1fa5952fc1b90de490867b384e2cd0d87e21e51

SHA512
095696e3dd4a13f8222baa3671f89534dca78664d1a3521ff93709db7449256e35b5026452fed675e7e36a6281ee73c29e8a189f4747183f4ed99ea1fff985b3

Download Submit
C:\Windows\SysWOW64\Lmlhnagm.exe

Filesize
128KB

MD5
4d8064ac3e90797f219a2129a0a7d2e2

SHA1
424a491691c8d45ba014252a357b0c8f1e3c68f4

SHA256
7f8a05094002826986b45e0251993d66b5fc2350caa20448459aa9c73438849a

SHA512
af0193b109b2282ff5f2b9fe2fe47cb0f8397eb660c9ea66e02dedbfbd9c3982eecf746e69042f5b9860a1a0cd27c60c165cbda8faa8f4dee7a07ea64c0f25e4

Download Submit
C:\Windows\SysWOW64\Lndohedg.exe

Filesize
128KB

MD5
68fc19a489ef8b5b4646903637896fcf

SHA1
3d164091c87830a8ac0f9744d3ee60c0b584c6a8

SHA256
a6ed03401ef424c671f2184b39dff20592e6060e0ccb21777ece416ba2339c6c

SHA512
15bd366d49aa9029f2022dd649cd4ccb96610eacf2e6c658600a869f7f3575fce1d90ae9368a5754de0f4f33b34a7210256fdb46b8f046729708276cdfdfea2c

Download Submit
C:\Windows\SysWOW64\Magqncba.exe

Filesize
128KB

MD5
aa7cac2ec6748049bffc016d57cf424c

SHA1
bfff86be2fb40846af85dd4ec42eb32a699f851f

SHA256
f11095e56d576733efa10a8a95966558c266c227727ac30e6a3f96b551d11f26

SHA512
218fd4cc5e998dccf2539ca75b554785cac0d48bb7763fb6b43aebeeadcffbe7c53c73c2a93de8ccf8efff36302d45721b54df5c327ec60d6d01a4dd3b354b30

Download Submit
C:\Windows\SysWOW64\Mbmjah32.exe

Filesize
128KB

MD5
57e9b9bea58389d60bdc70ebf8481514

SHA1
7dde512ec4b28c75010cf8f395262e3ea384e6c5

SHA256
a2b907bd8a98c009553bec6317da80704860a2b633a928f5b5a8e732f9a18317

SHA512
8c1f5738bef9b9723f0e755c05942c2ff0097bcca0bf2043c4ba2ca1572b1743f9ebe53e7683e4fd28e835eb476e24f743b0e339293207854ae6aa73229263dd

Download Submit
C:\Windows\SysWOW64\Mbpgggol.exe

Filesize
128KB

MD5
a0d50c6cb17212ed71636f3c0f44030f

SHA1
ccf8b336c18f67a2d82a59ab2e58b6ce790a3eec

SHA256
6375a166abe691545620b7d8b4783b5218435cf68fde93441bfac14f30ac0d5b

SHA512
bde00e3b50ef3874a244e1c85a150fbfc41ef4dce9ae348180c0251cd3a9d9a617441242ffd252536d6d82a3bd0f1c77ff4473214e5f36c026fd1c9737066589

Download Submit
C:\Windows\SysWOW64\Mdacop32.exe

Filesize
128KB

MD5
69b311e6c4418aa45b40d18e69ff9e62

SHA1
8b20d0edcc3db6d97555c970d9bc434df92ef52e

SHA256
b3a135ab4d937b9b46d4e9da7e5ca8cddbc81fdab0fe954caf1aa9227d47e5c3

SHA512
1e3b92be0ffeeaafe2171b144c91ced1713b16fa6b4c426ea7e0b13c01c2ff0623bb52bd194668c7c20c771de6d60cfa14b0cebdbb5ec30bc751dbbb1eed4eb7

Download Submit
C:\Windows\SysWOW64\Mdcpdp32.exe

Filesize
128KB

MD5
9345e3e299d1514f6d62cc445081b0d0

SHA1
d70212d3ab2752ab8328c8181291075fecc54c35

SHA256
d681da2e5479ce0718d37c23c852dce8e7cd95f40f2520704463083d9b807712

SHA512
699d330eb90b18a226550fbb978dc5937c97ea64691045ed1cb260072c669af5fd47737b309666c816fdc687f4c5ef6b14b9371b5ab01bb5c37b5fdbfecf78e5

Download Submit
C:\Windows\SysWOW64\Meijhc32.exe

Filesize
128KB

MD5
acc232e2c6c36db841a9d37a1be83045

SHA1
a68b8b290d7ed5bd2821822a8efb98919475b4d5

SHA256
95a369532df5a7531f11f2b2103f736053f52c054cbb394835961ce1030e9b14

SHA512
b766a1d1fc3e6f5ec3b6b648cd45c46637ddc52abdf8a9d73b302326805ba5de27ff7b2e760f666a27bca23fbb1902eb4d5a0baea45a00627fe0f6e0bfc69949

Download Submit
C:\Windows\SysWOW64\Meppiblm.exe

Filesize
128KB

MD5
5df69c59a733ae5933fca21a03b7e951

SHA1
173f4fc901ba90d4c83b57b9cf0c0cd0e1f88f5a

SHA256
14e461636a3eb5c98c4abac10756577e7662ac8757a9cececbe789250a7dc334

SHA512
17b465be6def649bf92f1f9ff9aade8330c81b9d895f4ae0d57c82b82b2715938c1effe180c7183d3e1bb62ca6e3bf676e9d41becd36d5354c8ab48a3018bbdc

Download Submit
C:\Windows\SysWOW64\Mffimglk.exe

Filesize
128KB

MD5
6ff4cea1b93ae47484a0d9e2c7a02c52

SHA1
7939f1727c174d249cbd8d18299e5e76303a0185

SHA256
f13091f31cb776e68889616859af433c780e428ed278f4e81d8079456f04b9b4

SHA512
10346bcbf49e2340dc2f981de439d65920ebbb71146332dec0e0d2257753262d765174f29e9d5b7d263d189ca4d1bf44f26b064bf798c3d1a111c7b08e52d2af

Download Submit
C:\Windows\SysWOW64\Mgalqkbk.exe

Filesize
128KB

MD5
ca1465918434e0a1050b73c119e52733

SHA1
831670ec446f95026783aabb41b4d7309aa9bd41

SHA256
479b52aaa8ebd40641caf6117d2ef94fb0f550061455e786b974c5c526f73046

SHA512
ef9b7efe6054ea6507b13809c2008fbaa1ebfedd6ccbc28e419fa0a882db0ef6c6fcf72e73fea81c12f753ad4a86f1501b4223ced93fb194c7d29d0a18b81409

Download Submit
C:\Windows\SysWOW64\Mhjbjopf.exe

Filesize
128KB

MD5
1006050d6177491a56bc56309cf33785

SHA1
9b40abfc5833dfa92e69a44def7c13b90c300283

SHA256
dcbeaf34cc100038e503a71c60cb139e95fa8a71396a4df2baeb93f0b83c0cf1

SHA512
63436d5cb77f4c685344d0ad132fb7a7436ef5c9f93ba56954b68acb74114af8110d79d395869e80cb3a16f8ca3785df8ed376d68696515e27a5d405fbff131d

Download Submit
C:\Windows\SysWOW64\Mlfojn32.exe

Filesize
128KB

MD5
97c33f0bf5758a0cad403f7038cddd8e

SHA1
e4caf2a9675119db954eb8a2a3047929cb660356

SHA256
6158dc468c03340c7adbdf6a3a9c0c1b76c665c5421121ea2e4d3b1888260d7a

SHA512
d4e33365de3f0fc8d9f8885df8be0489dc427ad56d3eee34dc4b7550c5f60f8cb50107ee241b8b590707e3b9dce6e61a9c83df7bb4d6cb08b639cccef72a43df

Download Submit
C:\Windows\SysWOW64\Mmneda32.exe

Filesize
128KB

MD5
9571d5d14fdc39352bdabc293f6aa3d4

SHA1
346ed72c0f4b98ffe9487a796638a1fe30542c73

SHA256
09ec097d4ea7cf9160ca49390d61125e93b6f26d45c35aeef5120a87e09ea93b

SHA512
0799cff4c90f33fb8fa03297669c9f35e1a00710a175669533f6aade2786991cc7e69839e9f5f0f7e25e365873d65c9f54f14b5ac0362d67ecf7b85ea5228146

Download Submit
C:\Windows\SysWOW64\Mofglh32.exe

Filesize
128KB

MD5
b197346b99ead2de7787728587daf9e4

SHA1
2fd5613f8d88381cb64a2542d79124a7fa214c7c

SHA256
5e975e16db1ca90797665e3328ab8a4eb2297270bd376d76bc0d79e8f4ce7fc2

SHA512
1e0fbe83559f6cebf9c88fe435c2b13f1d7a6a9d64fb91de78ac9ca4ba21bed1b232ccc98d66a148742e98d1a29a061b1519d324902924014e33724d138b334f

Download Submit
C:\Windows\SysWOW64\Moidahcn.exe

Filesize
128KB

MD5
5441784b817e5b5638ff7187e5302bd7

SHA1
aeb3c57485ee1839ed09f2208caecca624a65cd3

SHA256
724e88619a301eac019118becbe0eaf983e1754b969bfb2032b41809c1b2f32f

SHA512
9949be81eb107439e459141ca1005e52bc6a84067fc5a3e500537817f98914cea325f540c0017c2d4ea7bf267ba6d23436d163c8504f0c2bea45fa4cb4f23d5f

Download Submit
C:\Windows\SysWOW64\Mooaljkh.exe

Filesize
128KB

MD5
58129a459b6eb39949c88421a623b303

SHA1
7daef86ed161d804b7e56572b78882e352e10ec0

SHA256
13dc2844ed90a6d83f35504d387b51817ca919bad7989a450c4117ef6b7b7883

SHA512
345a4037c9ad0e0533a5c3d2ff17be7350f5fa76891eb85aa83a3eb39c6796fa27294257b33deaf451cb1a257e51109f06fefe60c2ce5013c454d66fba6b7f83

Download Submit
C:\Windows\SysWOW64\Mponel32.exe

Filesize
128KB

MD5
b5365c6adea40cfacce8f9320fe1bede

SHA1
b749c4b4dae43bb6c3729e18c8faffc07da0d6dc

SHA256
04ded29515a9003df9c5cf65dbe9bf7adb3db43cb38b82014d19684a38625ab3

SHA512
fbb24b1b857900b1bc7f3af70ea8478de2078b3af7dbdeb0e42ea1bb86aef6053d2d33dc5f5b313901eaf519bb4fb34832f9ac192b56c93851b76f7c1bf4942a

Download Submit
C:\Windows\SysWOW64\Ndemjoae.exe

Filesize
128KB

MD5
c07fdde5f4770e486c2e1f8df7d047da

SHA1
96362eac19552bdb849c0141fed7cc774dea3c6f

SHA256
4cc1691f190733c31bc2e95f23b75c0976f89cc1ff2c070e789c66de1bf78624

SHA512
e9908568713e465e36dd34d2c34ba43fd8434dc4128fb63bd1e53dc2884471279dc16e429a5f6046b3f2c95b725301dd62f4009a56d2b4b7f4aed756e45781fb

Download Submit
C:\Windows\SysWOW64\Ndhipoob.exe

Filesize
128KB

MD5
2f4cd45f6a75e05402b6d051a1bf824b

SHA1
91a776647db925cd90f114066bf745216313303e

SHA256
46a5958f6368952a55d60e1035e5c26c04027a6ee8224125d650412de52b9fb6

SHA512
c7e6b081b8ec4e0d22b4a44aa1f9f3ba28a1072a76602ac129328c61bbe965f81b3b9d03cc3e4e1861a8ca7f49d23c7daa4c11da4f742e2c80b61a186beaa2eb

Download Submit
C:\Windows\SysWOW64\Ndjfeo32.exe

Filesize
128KB

MD5
32c7f9317c7e5532d03a46144575313b

SHA1
ccb67f0cd41d1a5b1d24f157f315a9ee71d15a09

SHA256
88639d0df7b1ff0dbff54d564fa84e009dd8ca490271b759a9b07ee0d343bc11

SHA512
4f82a4e200afc667b40304dad05427c4013eb2d193dcf28bf53c845383b1063a78ce380f1458da72cd00c019008dfbf5982e86e9c10db473c33a3ff403bcf06d

Download Submit
C:\Windows\SysWOW64\Ngdifkpi.exe

Filesize
128KB

MD5
1f122ef7744fcc7a5677fe2081b29f3c

SHA1
55fc5b724230c935e1e7007d78e37b6d85d092fd

SHA256
506d6fd8a48116ead15e61b949b177a7f5d8c1d073fb8eada6f160b6a6516982

SHA512
657e38983b417f6c630f9b5b284f84ae1447b1025514ab5096f05851b1e77cfa40a66612e620a18f28bcfc086eb09d58e7d19fccc535f9124998da4163c1aeb9

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
128KB

MD5
982193c42e1d59709dfe68fe883dcc87

SHA1
c56dd0330b5ca99229734cb613c8bcc9ac651fd1

SHA256
638994edbfa54003ef6cc99f4eb0c5dbb324e72eeef8c8a29882acf0f3a39472

SHA512
bd68f6de9134bbe86ce78d86209482a2de308bfaf173fa7559f5e3a8adbed77e7d6789267975b418f5bfb0adb25f1ece944973b731211a55c43a5e0355ba0b2a

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
128KB

MD5
38ad95a56aaae3fe5f15fb9243798b40

SHA1
6bf81cfc3f0a4006c71bbf48124655713ef273f2

SHA256
fdd60fda2ca772b8a59210bc9f5abb2eac96ee7538dc15a4ba10b3bb607301e4

SHA512
c62ca6e1a1b6cba797e9d26cd29ecfb741252f9cb2b4c1c6e1d11b7211298cc356adb15f0fb0655b1b7d40b518f3ee7524422ec6e8b0b8f256cb45382543fc66

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
128KB

MD5
b824b382a033eed06a17063498fac754

SHA1
138326915b272f0ec3112807326bf281f3b854ba

SHA256
2590255f9f9eaccf16b8f92c479f62d25098706e3d6e8b19bbe4b1af0d5e8377

SHA512
3c2ec8fe8a1bdc26ca0ea0b0a203266fa3b99d77a68c365cea04aa906ad34e7364a736fd3e3628cbda62cecb1815667b4d896817615df3e91b7c9cf7bd70ded9

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
128KB

MD5
906667dc0a22a590163ce6b3a148880f

SHA1
2247d4a8c417ba6a5733a98b12b7aaedfebaa95e

SHA256
dd0aaaab395612c130a944bfb4fbb6c72c18d04a22f161192a5522566c390232

SHA512
857f591debb4ae257c03bec52071bc1d9f69ca51a3fce5e21aefed1e060cbad57b28942103f8f8a293f03dba20e6a3e48de8aab5af9d14a57db27819cf188fb3

Download Submit
C:\Windows\SysWOW64\Niikceid.exe

Filesize
128KB

MD5
53c90e13447323372aa8ced59ff468e6

SHA1
157fb24db78b357f348411f30ca50b4745608188

SHA256
c87935865a436ea552cda77a8b041d08308311a1bd06398f450f72c7c77ec79d

SHA512
25b5dc327eeb2d9d43763c4ad73d9659d8ed578bdcecd99f6bf81338574ffdc5c626aeacb1e1a743fa994a42313489f3f1255a606069c0080f24487972b01169

Download Submit
C:\Windows\SysWOW64\Nkpegi32.exe

Filesize
128KB

MD5
18a347c57fe7cbaf65059a66eda070b2

SHA1
64e1e742805f5e8a02245af17c34553808ef27af

SHA256
5626313095c213e759f9af08bbec477c462ba76e0c6b47c5725e736b767aa6d7

SHA512
6fba8a0f11fdf7c688d8e114268cc503834845786ab94c55afd3501ca2507a7b12101459077850577700d710bd8ca6608b3884a1d3f52b77e3bcbadf3ec8a5ef

Download Submit
C:\Windows\SysWOW64\Nlekia32.exe

Filesize
128KB

MD5
d6f68b50fd976a2beaabc77153557a98

SHA1
4c979d36702c681b420b4130e1a22a35c1626d2c

SHA256
4caa2aabbe4b861f397df0ba47b1962b4fe80f75ca75384fcd558e0efddf9983

SHA512
7fb4d2391340fe773770f4dcac702126448631a4ea3f50f2dc3c8749235dee1049fc2822bce8264328a5c8c049b1b7b95b704b24d47e801625d0d9a220b2656c

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
128KB

MD5
d6763788873cadf4d14bd15bbcd5fb8f

SHA1
fc563201170c3f93e1d3c4517db4241c380c95ed

SHA256
cd2f110208e27c2535153ffd81eef6411a86b4f3afc0f3b5506c2ef771a58201

SHA512
7c3809b14d521e3fae062db2a97ed432cbfb0af01ac98ae5c1c4d43a057b9f24055748a644b9df997d2b5df29d70dd2c3cc4aacdb3d90156e91c1cde9888806f

Download Submit
C:\Windows\SysWOW64\Nmnace32.exe

Filesize
128KB

MD5
5c1e8632e80e67ef6fe1d1a53872f9bc

SHA1
ac5c74b48849d53640aacae71fe834339bad74af

SHA256
785a3350e26252980e9bc27b4be14181896c1d6871e06911397579b9bb645417

SHA512
df4d0b6f7ed2c7add7a9a2fc246287c2a120a9e403857d06b4b8527a43880d27d1b02e3a9755e51db753e467485a6f07bc2e0437008fefc82318cb951cf031fa

Download Submit
C:\Windows\SysWOW64\Nmpnhdfc.exe

Filesize
128KB

MD5
c792d1c76a44746bd0e9879208ed3c8b

SHA1
f27e346b03209491bb9ffc43daae85ffc1e9f4b0

SHA256
3f24c594b91715832bf04f010f7d04427f857adc8ef9783aada0c39d49c93336

SHA512
4ff373a0d2c10788dbe2dbb667dbddb746bc9591784119128d7636df911db40098184eeaa8c37d16fa7316c88d8bf4a72f1433e0e332f457a16a43fe986efef8

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
128KB

MD5
d08b4c774322e89cac6e62b80546ff03

SHA1
61beadc4a5c85449b636996ef652c4e56255e804

SHA256
fab9d050156ab90efb8ac56e57b133a0eadcacab749f153d0b93c5ac5be27aab

SHA512
980f1d5d5034a09519f492d65a712e0bb99f5ca116be45162c374cd3293eabb6c61531c5f92da0abd22ae43f76c25794a9119bed62620b0a8e53aed03bcbe130

Download Submit
C:\Windows\SysWOW64\Nplmop32.exe

Filesize
128KB

MD5
541f32f0e6ca0dff35437cff882081be

SHA1
98289cda96e342547c871c1bb5745e4efd06e7ed

SHA256
0d04088650f4f231bb751285c652636c3a007e0903fa0688ec5b3c8829f03396

SHA512
9c2ccab8686f0d6dddf955e3e612af41515b3f51f58609f6003c8e43e589c5ce8efa24d1a1459e87ef60eed8281d93de9e2e8a593ecfffd9e8fa11382887e37a

Download Submit
C:\Windows\SysWOW64\Npojdpef.exe

Filesize
128KB

MD5
ee9dfb2602020ab8c0e5207675f2b627

SHA1
863bf36869b6e62248bc60ebd2477ad0cd69ab9e

SHA256
b79cd30e655f988f57b90c866821015879182b714c48ae3d939f7c6ceff95b52

SHA512
d475708910fac55aa03d5534602934e6e84d8c162f9e82000867d1e00d122871605670c38415f6df46cf63f7c07aa69604f50e672a55283e03d52fdc07750443

Download Submit
\Windows\SysWOW64\Jfiale32.exe

Filesize
128KB

MD5
3fd2477294cb07a43bbc121ad22cb502

SHA1
06d64dd6633dcb4204682f8d371fb9cf367d66cd

SHA256
127bdea7a98667438410b3987b2bb2d2a2e3cfcbd680fd8c3f57d76bde781eaf

SHA512
708d6d6f74db23d194d5900a00b3d0cd7de878ff160ad566cc61c3d786e341ee4934be9d40af6e1128755319e9b6593817907bc648fe55266a98b13bf19eec03

Download Submit
\Windows\SysWOW64\Jghmfhmb.exe

Filesize
128KB

MD5
5db1c7f25b3f1d763d281e8cc2eff3c8

SHA1
6277057f2aa3984117539a4896a83f62b2130634

SHA256
47ae9678d4ed9e8c795315717b568cc6b5559174fb107deb2db973229c5ee502

SHA512
494bf06f37e0660bbc4295e321195e962da55e63244a08bb36391f85974cd435fff211e3db2d188986d1b8fdfc7855b8e3f7e87a40f57767b64876bb37c1b087

Download Submit
\Windows\SysWOW64\Jqnejn32.exe

Filesize
128KB

MD5
7f6b9e625db0de71f72e74148289644d

SHA1
f8317b1a87413a01aa05509ff88d54860e6486e1

SHA256
5341ed99a7dc519a60b97f51209ea2ac566fce708033ae6659278e394852046b

SHA512
6e526841ab7cdcd399bc6be814d28d333c4347ffe1c9f99800240e872e899657bf44979c7c878c4c5d61fef67c6fc70696c30f526e686f53f154db34cee0caa8

Download Submit
\Windows\SysWOW64\Kaldcb32.exe

Filesize
128KB

MD5
a8a4a1d381e10c6959ace62e35faf3ca

SHA1
e78727a03af69f39ffd655dea3f93728d876ef28

SHA256
b7e7e380a28309380563a7f096bc3b0d39d11c3944cfbe8813d77b29e427ae42

SHA512
7057be92d25c7b118c0d440ccc138fff0d4ccd5e159192e7684d8386784ed41315be5988f0feacbccd7c0c773b48d6b6c59d426361317be62ee29e1c85b2b1cf

Download Submit
\Windows\SysWOW64\Kbdklf32.exe

Filesize
128KB

MD5
896b4c857994d4eca893b1377e0c84bc

SHA1
58d97d8026f4b23c8cb5785c465f2f4997ac3876

SHA256
ee52b6ea9e577b0bea6f093c3afecb5fa6f7adf5c597de098d479aa596f7eaea

SHA512
eeeddc0be412ad63bac88650b53e6e637098082b213956a55e1e89287de6bb543f9f15e5d1463ecbcd363d0b8d7637086451dbe947cb6cc6f3d951a2fc21e847

Download Submit
\Windows\SysWOW64\Kfmjgeaj.exe

Filesize
128KB

MD5
896c553b113693b19f347531581eac72

SHA1
b089a428bff2b66efab585ec685b88a19bf18d97

SHA256
d70dd8b99b54f450fc0b40172a9363178b13167f8cfab7a704a2196744cda3a9

SHA512
31646e5fd9e52541b5500ce3cec9dc54fed9ef5c19e3f277cb7bf251d81afafdfbc4b2392c9046d9e3e9696df71e803a791f2e53a249dc85c1f401d7305fd14f

Download Submit
\Windows\SysWOW64\Kicmdo32.exe

Filesize
128KB

MD5
6f35793c6abfe61e26784444a8afb154

SHA1
b199d476e49f85f57ae1a0d8dea491767cbe3a90

SHA256
355c4615f587bc6c2f0bb0cfc5f24f850145864118af32e258f7cced2fae53c7

SHA512
156517b377ae4a2298bea9cafec2417a256cb202c6d7bd50af3b023202f07a3f1768fcfb39d60773de8e7a34c78d36a6e1406de429b2b28b1854c9e32ecfc654

Download Submit
\Windows\SysWOW64\Kiijnq32.exe

Filesize
128KB

MD5
099187978273db3018b2b1380b6929a5

SHA1
d3565565a46de9ace8fa0717c22d62715f69201d

SHA256
449145d7c45692050260861b81a252075b0ccca9682ed26268aca7c2a4626c11

SHA512
faaf480c05e90161743537e6ae5c453bcff7f9e531af5ecd36f5565e3063c3c0718ed70ecbd3c48d1f4700b61f3fec4c952fbb5e7ffc76163ceb943824a9921a

Download Submit
\Windows\SysWOW64\Kilfcpqm.exe

Filesize
128KB

MD5
208b76d384834281251e8c490d95fed7

SHA1
4219516b1c92a4f92d2c791d9faace6acdd9a918

SHA256
674e8215c61f764a1d3b0060cb8f8b25f37bbca432349e114a0c0958ed55b3c2

SHA512
d4751055de7051692693c21762ad5c936700665cf935a96e2e0acb2b3e59ae5ee79b5033ae2adddbb34109ca945f17be4aedf0d28995282363f85377a04b76f6

Download Submit
\Windows\SysWOW64\Kiqpop32.exe

Filesize
128KB

MD5
67229998f2b1bb452c178a1b6956b68a

SHA1
99d4f8b754ac843f644e54e6b4cc250b03ad9a0d

SHA256
a7b25d006182abaf8c22ef2edb73b783f032f1a5e4914f034ae4d91016e200cb

SHA512
c2374bd2e2d98609fe14a0e7547eb6163eeade48b1bc0e247f93562141e0041d2a6e02aa4f120583ef93e079691735a1e714886c04a3418919dcba1cc28bbed5

Download Submit
\Windows\SysWOW64\Kmjojo32.exe

Filesize
128KB

MD5
98228e46dfa181dd04556c1d33f9051a

SHA1
a835c16e2af37d8896d1907d2b87c9c61301ba9e

SHA256
efcea1fabd16c85eed7db2a9b46764e69dd268f405c3448490703d1f66e3876d

SHA512
17e68ec0650a7321570ead39151e6aa82729ad9ae260a08b6346dd53d4ec2ffedc5101d317849df15cd4d1f81c1b7435e14c7427768e69c4aac13f221db955a9

Download Submit
\Windows\SysWOW64\Kofopj32.exe

Filesize
128KB

MD5
051f4fc17fea52b9033e1c144bd6050f

SHA1
95307bade0c31fcf9d52992b8bca1bee6f97d5ec

SHA256
84a80e1b07b27521c56910eb5c7cca9f52ce7b9d8c9c07b5314a89bb676bcf77

SHA512
46373bbeec6d78c9cca6a6dcb5da44c34157c2e999bae6fd2783c9a8c03508747e8a6f5dac9cd512f773d7ad51b8ed11a65e45876b6752394b8761549b501de9

Download Submit
memory/292-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/292-135-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/476-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/476-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/476-117-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/476-439-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/532-411-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/532-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/532-406-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/824-41-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/824-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/824-36-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/824-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/852-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-263-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/964-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/964-285-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/1036-422-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1036-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1036-423-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1044-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-13-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1044-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-11-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1076-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1076-472-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1076-477-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1088-275-0x0000000000340000-0x0000000000374000-memory.dmp

Filesize
208KB

Download
memory/1096-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1096-199-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1116-434-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1116-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1248-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1572-190-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1572-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1572-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-172-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1800-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1832-303-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1832-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1832-307-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2008-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-317-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2268-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-296-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2268-295-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2292-354-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2292-355-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2292-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-26-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2292-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-320-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2316-319-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2316-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-108-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2380-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-331-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2444-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-330-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2468-226-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2468-219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-410-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2532-90-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2532-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-83-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2604-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-75-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-366-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2660-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-375-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2740-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-389-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2788-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-63-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2800-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-144-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2800-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-374-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2904-50-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2904-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-239-0x0000000000480000-0x00000000004B4000-memory.dmp

Filesize
208KB

Download
memory/2912-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-343-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/3040-342-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads