berbew | 42a7893ffdde727b85e17ac0be5132fd58de2e9f6b805e561b08724fe22535d7

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07/12/2024, 21:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42a7893ffdde727b85e17ac0be5132fd58de2e9f6b805e561b08724fe22535d7.exe
Size

290KB
MD5

7e597472e5bdf2f7c9e0d2b54d67a8a7
SHA1

da8d32ea18fa2f457f66dcde567fd46c4da26481
SHA256

42a7893ffdde727b85e17ac0be5132fd58de2e9f6b805e561b08724fe22535d7
SHA512

ae71985c27fd38da5bc48da929149f44ddffed825e0544e43d95c74387ef7a63068bf8a716fc2403bd32747ed59bed5fa4823b856590155ffabdafb6a0337057
SSDEEP

6144:sOHzauAOI+v4dnLJqx0O22+kKDR+nNB8VcIaEJIPLJqx0O22+kKD:DzalOL0FqqO22+3+nP8VkFqqO22+

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojjfo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miiaogio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nphbfplf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhcgkbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omeini32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdnloph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfilnh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfihml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhcgkbja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oacbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipaklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcdmbk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opmhqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oingii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jojnglco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lomglo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loocanbe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leqeed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mecbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ninjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhfdqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jempcgad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhmkbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbknmicj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Heijidbn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihqilnig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jakjjcnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfdfdf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfgcieii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpapgnpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npffaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfilnh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Heijidbn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcdmbk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjihci32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kccian32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlocka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opcejd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oingii32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lomglo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Loocanbe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndoelpid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okijhmcm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfbemi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhhqfb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opcejd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmgjee32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipaklm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgmlmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jojnglco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbncof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfbemi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mecbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcjlap32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okijhmcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kccian32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbdfni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbdfni32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchokq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocfkaone.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Leqeed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Miiaogio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nepach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbkchj32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2524	Hbknmicj.exe
2944	Heijidbn.exe
2144	Ihjcko32.exe
1636	Ipaklm32.exe
2740	Iabhdefo.exe
2768	Iebmpcjc.exe
2916	Ihqilnig.exe
1340	Jakjjcnd.exe
2092	Jghcbjll.exe
3036	Jpqgkpcl.exe
2628	Jempcgad.exe
1600	Jgmlmj32.exe
608	Jcdmbk32.exe
2388	Jojnglco.exe
2024	Kfdfdf32.exe
2012	Kfgcieii.exe
2036	Koogbk32.exe
2560	Kbncof32.exe
2652	Kjihci32.exe
1680	Kgmilmkb.exe
1796	Kjkehhjf.exe
2416	Kccian32.exe
2188	Kfbemi32.exe
1128	Kninog32.exe
1964	Lojjfo32.exe
2964	Lomglo32.exe
2804	Lbkchj32.exe
3032	Loocanbe.exe
2960	Lfilnh32.exe
2712	Lpapgnpb.exe
2764	Lbplciof.exe
3044	Lnfmhj32.exe
2032	Leqeed32.exe
2528	Mbdfni32.exe
3020	Mecbjd32.exe
2784	Mmngof32.exe
1224	Mchokq32.exe
1144	Mcjlap32.exe
1620	Mfihml32.exe
2516	Mfkebkjk.exe
1496	Miiaogio.exe
928	Mlhmkbhb.exe
2072	Ndoelpid.exe
2284	Nepach32.exe
2664	Nmgjee32.exe
2304	Npffaq32.exe
2780	Nfpnnk32.exe
3008	Ninjjf32.exe
2820	Nphbfplf.exe
2888	Nhcgkbja.exe
2956	Nlocka32.exe
2772	Nomphm32.exe
872	Nalldh32.exe
2060	Nhfdqb32.exe
1492	Nkdpmn32.exe
2756	Nmbmii32.exe
1564	Nejdjf32.exe
1980	Nhhqfb32.exe
1972	Okfmbm32.exe
776	Omeini32.exe
904	Opcejd32.exe
1816	Okijhmcm.exe
1012	Oacbdg32.exe
2196	Ocdnloph.exe

Loads dropped DLL 64 IoCs

pid	Process
1760	42a7893ffdde727b85e17ac0be5132fd58de2e9f6b805e561b08724fe22535d7.exe
1760	42a7893ffdde727b85e17ac0be5132fd58de2e9f6b805e561b08724fe22535d7.exe
2524	Hbknmicj.exe
2524	Hbknmicj.exe
2944	Heijidbn.exe
2944	Heijidbn.exe
2144	Ihjcko32.exe
2144	Ihjcko32.exe
1636	Ipaklm32.exe
1636	Ipaklm32.exe
2740	Iabhdefo.exe
2740	Iabhdefo.exe
2768	Iebmpcjc.exe
2768	Iebmpcjc.exe
2916	Ihqilnig.exe
2916	Ihqilnig.exe
1340	Jakjjcnd.exe
1340	Jakjjcnd.exe
2092	Jghcbjll.exe
2092	Jghcbjll.exe
3036	Jpqgkpcl.exe
3036	Jpqgkpcl.exe
2628	Jempcgad.exe
2628	Jempcgad.exe
1600	Jgmlmj32.exe
1600	Jgmlmj32.exe
608	Jcdmbk32.exe
608	Jcdmbk32.exe
2388	Jojnglco.exe
2388	Jojnglco.exe
2024	Kfdfdf32.exe
2024	Kfdfdf32.exe
2012	Kfgcieii.exe
2012	Kfgcieii.exe
2036	Koogbk32.exe
2036	Koogbk32.exe
2560	Kbncof32.exe
2560	Kbncof32.exe
2652	Kjihci32.exe
2652	Kjihci32.exe
1680	Kgmilmkb.exe
1680	Kgmilmkb.exe
1796	Kjkehhjf.exe
1796	Kjkehhjf.exe
2416	Kccian32.exe
2416	Kccian32.exe
2188	Kfbemi32.exe
2188	Kfbemi32.exe
1128	Kninog32.exe
1128	Kninog32.exe
1964	Lojjfo32.exe
1964	Lojjfo32.exe
2964	Lomglo32.exe
2964	Lomglo32.exe
2804	Lbkchj32.exe
2804	Lbkchj32.exe
3032	Loocanbe.exe
3032	Loocanbe.exe
2960	Lfilnh32.exe
2960	Lfilnh32.exe
2712	Lpapgnpb.exe
2712	Lpapgnpb.exe
2764	Lbplciof.exe
2764	Lbplciof.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ihqilnig.exe	Iebmpcjc.exe
File opened for modification	C:\Windows\SysWOW64\Npffaq32.exe	Nmgjee32.exe
File created	C:\Windows\SysWOW64\Nlocka32.exe	Nhcgkbja.exe
File opened for modification	C:\Windows\SysWOW64\Ockdmn32.exe	Opmhqc32.exe
File created	C:\Windows\SysWOW64\Pfgmna32.dll	Mfihml32.exe
File created	C:\Windows\SysWOW64\Eocmep32.dll	Nepach32.exe
File created	C:\Windows\SysWOW64\Leqeed32.exe	Lnfmhj32.exe
File created	C:\Windows\SysWOW64\Lmhnej32.dll	Hbknmicj.exe
File opened for modification	C:\Windows\SysWOW64\Kjkehhjf.exe	Kgmilmkb.exe
File opened for modification	C:\Windows\SysWOW64\Omeini32.exe	Okfmbm32.exe
File created	C:\Windows\SysWOW64\Pbkkql32.dll	Mcjlap32.exe
File created	C:\Windows\SysWOW64\Nfpnnk32.exe	Npffaq32.exe
File opened for modification	C:\Windows\SysWOW64\Lbplciof.exe	Lpapgnpb.exe
File opened for modification	C:\Windows\SysWOW64\Okijhmcm.exe	Opcejd32.exe
File created	C:\Windows\SysWOW64\Ihjcko32.exe	Heijidbn.exe
File created	C:\Windows\SysWOW64\Kjkehhjf.exe	Kgmilmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mlhmkbhb.exe	Miiaogio.exe
File opened for modification	C:\Windows\SysWOW64\Nepach32.exe	Ndoelpid.exe
File created	C:\Windows\SysWOW64\Npffaq32.exe	Nmgjee32.exe
File created	C:\Windows\SysWOW64\Ikmfgnde.dll	Ninjjf32.exe
File opened for modification	C:\Windows\SysWOW64\Nhfdqb32.exe	Nalldh32.exe
File opened for modification	C:\Windows\SysWOW64\Jojnglco.exe	Jcdmbk32.exe
File opened for modification	C:\Windows\SysWOW64\Mchokq32.exe	Mmngof32.exe
File opened for modification	C:\Windows\SysWOW64\Oacbdg32.exe	Okijhmcm.exe
File created	C:\Windows\SysWOW64\Nggbjggc.dll	Ocdnloph.exe
File created	C:\Windows\SysWOW64\Nkdpmn32.exe	Nhfdqb32.exe
File created	C:\Windows\SysWOW64\Gnhapl32.dll	Nkdpmn32.exe
File opened for modification	C:\Windows\SysWOW64\Nalldh32.exe	Nomphm32.exe
File created	C:\Windows\SysWOW64\Jcdmbk32.exe	Jgmlmj32.exe
File created	C:\Windows\SysWOW64\Nalldh32.exe	Nomphm32.exe
File created	C:\Windows\SysWOW64\Ifbpdhee.dll	Mmngof32.exe
File opened for modification	C:\Windows\SysWOW64\Mfkebkjk.exe	Mfihml32.exe
File opened for modification	C:\Windows\SysWOW64\Opcejd32.exe	Omeini32.exe
File created	C:\Windows\SysWOW64\Jngakhdp.dll	Okijhmcm.exe
File created	C:\Windows\SysWOW64\Becbne32.dll	Kfdfdf32.exe
File created	C:\Windows\SysWOW64\Hdhllcnb.dll	Kfgcieii.exe
File created	C:\Windows\SysWOW64\Kfbemi32.exe	Kccian32.exe
File created	C:\Windows\SysWOW64\Lnfmhj32.exe	Lbplciof.exe
File created	C:\Windows\SysWOW64\Onllmobg.dll	Omeini32.exe
File created	C:\Windows\SysWOW64\Doeljaja.dll	Oacbdg32.exe
File created	C:\Windows\SysWOW64\Apcmlcin.dll	Mlhmkbhb.exe
File created	C:\Windows\SysWOW64\Okhbco32.dll	Nhfdqb32.exe
File created	C:\Windows\SysWOW64\Jojnglco.exe	Jcdmbk32.exe
File opened for modification	C:\Windows\SysWOW64\Kgmilmkb.exe	Kjihci32.exe
File opened for modification	C:\Windows\SysWOW64\Ninjjf32.exe	Nfpnnk32.exe
File created	C:\Windows\SysWOW64\Oeegnj32.exe	Ocfkaone.exe
File created	C:\Windows\SysWOW64\Oibpdico.exe	Oeegnj32.exe
File created	C:\Windows\SysWOW64\Lbplciof.exe	Lpapgnpb.exe
File created	C:\Windows\SysWOW64\Afhggc32.dll	Nmbmii32.exe
File opened for modification	C:\Windows\SysWOW64\Kninog32.exe	Kfbemi32.exe
File created	C:\Windows\SysWOW64\Mbdfni32.exe	Leqeed32.exe
File created	C:\Windows\SysWOW64\Oacbdg32.exe	Okijhmcm.exe
File created	C:\Windows\SysWOW64\Hgmgcagc.dll	Oeegnj32.exe
File created	C:\Windows\SysWOW64\Opmhqc32.exe	Oibpdico.exe
File created	C:\Windows\SysWOW64\Kgmilmkb.exe	Kjihci32.exe
File opened for modification	C:\Windows\SysWOW64\Loocanbe.exe	Lbkchj32.exe
File created	C:\Windows\SysWOW64\Ockdmn32.exe	Opmhqc32.exe
File created	C:\Windows\SysWOW64\Mhfoej32.dll	Koogbk32.exe
File created	C:\Windows\SysWOW64\Miiaogio.exe	Mfkebkjk.exe
File opened for modification	C:\Windows\SysWOW64\Iabhdefo.exe	Ipaklm32.exe
File created	C:\Windows\SysWOW64\Lginle32.dll	Kninog32.exe
File opened for modification	C:\Windows\SysWOW64\Ihjcko32.exe	Heijidbn.exe
File created	C:\Windows\SysWOW64\Iebmpcjc.exe	Iabhdefo.exe
File created	C:\Windows\SysWOW64\Mekmbk32.dll	Opcejd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2136	2308	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oacbdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jempcgad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgmlmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfilnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leqeed32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jghcbjll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjihci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbkchj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndoelpid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npffaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcdmbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jojnglco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbncof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgmilmkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opcejd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmgjee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlocka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oibpdico.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojjfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loocanbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbplciof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnfmhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepach32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfmbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okijhmcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihqilnig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjkehhjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kninog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mecbjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfihml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkdpmn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbknmicj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iebmpcjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kccian32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ninjjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nomphm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfkaone.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfbemi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchokq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcjlap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfpnnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opmhqc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipaklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iabhdefo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lomglo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhfdqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhhqfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ophoecoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpqgkpcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koogbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okkfmmqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oeegnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihjcko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbdfni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhcgkbja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oingii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jakjjcnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfdfdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmngof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miiaogio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhmkbhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heijidbn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfgcieii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omeini32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miiaogio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhfdqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oacbdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jgmlmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpfkg32.dll"	Kfbemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpapgnpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honblmaq.dll"	Miiaogio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhbco32.dll"	Nhfdqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjihci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kffhfj32.dll"	Lomglo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpapgnpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Leqeed32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kfdfdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lomglo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmhikf32.dll"	Lbplciof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcjlap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nepach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbplciof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npffaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfpnnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	42a7893ffdde727b85e17ac0be5132fd58de2e9f6b805e561b08724fe22535d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lginle32.dll"	Kninog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mbdfni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okkfmmqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jempcgad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Becbne32.dll"	Kfdfdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhfpeai.dll"	Loocanbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mchokq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jojnglco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaibff32.dll"	Lpapgnpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kccian32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbkchj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Okkfmmqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ihqilnig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lojjfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jngakhdp.dll"	Okijhmcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jempcgad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfilnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nejdjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmdkjqpq.dll"	Nhhqfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Heijidbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhdpfo32.dll"	Iabhdefo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajkhhfhl.dll"	Jgmlmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Koogbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocfkaone.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okijhmcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfbemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbpdhee.dll"	Mmngof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmooam32.dll"	Mchokq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Miiaogio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijllcml.dll"	42a7893ffdde727b85e17ac0be5132fd58de2e9f6b805e561b08724fe22535d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkhdhoei.dll"	Nmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imfdhdkf.dll"	Nfpnnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opmhqc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	42a7893ffdde727b85e17ac0be5132fd58de2e9f6b805e561b08724fe22535d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apcmlcin.dll"	Mlhmkbhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lojjfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nphbfplf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nomphm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nggbjggc.dll"	Ocdnloph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbplciof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhhqfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmefoa32.dll"	Ophoecoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbdfni32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2524	1760	42a7893ffdde727b85e17ac0be5132fd58de2e9f6b805e561b08724fe22535d7.exe	30
PID 1760 wrote to memory of 2524	1760	42a7893ffdde727b85e17ac0be5132fd58de2e9f6b805e561b08724fe22535d7.exe	30
PID 1760 wrote to memory of 2524	1760	42a7893ffdde727b85e17ac0be5132fd58de2e9f6b805e561b08724fe22535d7.exe	30
PID 1760 wrote to memory of 2524	1760	42a7893ffdde727b85e17ac0be5132fd58de2e9f6b805e561b08724fe22535d7.exe	30
PID 2524 wrote to memory of 2944	2524	Hbknmicj.exe	31
PID 2524 wrote to memory of 2944	2524	Hbknmicj.exe	31
PID 2524 wrote to memory of 2944	2524	Hbknmicj.exe	31
PID 2524 wrote to memory of 2944	2524	Hbknmicj.exe	31
PID 2944 wrote to memory of 2144	2944	Heijidbn.exe	32
PID 2944 wrote to memory of 2144	2944	Heijidbn.exe	32
PID 2944 wrote to memory of 2144	2944	Heijidbn.exe	32
PID 2944 wrote to memory of 2144	2944	Heijidbn.exe	32
PID 2144 wrote to memory of 1636	2144	Ihjcko32.exe	33
PID 2144 wrote to memory of 1636	2144	Ihjcko32.exe	33
PID 2144 wrote to memory of 1636	2144	Ihjcko32.exe	33
PID 2144 wrote to memory of 1636	2144	Ihjcko32.exe	33
PID 1636 wrote to memory of 2740	1636	Ipaklm32.exe	34
PID 1636 wrote to memory of 2740	1636	Ipaklm32.exe	34
PID 1636 wrote to memory of 2740	1636	Ipaklm32.exe	34
PID 1636 wrote to memory of 2740	1636	Ipaklm32.exe	34
PID 2740 wrote to memory of 2768	2740	Iabhdefo.exe	35
PID 2740 wrote to memory of 2768	2740	Iabhdefo.exe	35
PID 2740 wrote to memory of 2768	2740	Iabhdefo.exe	35
PID 2740 wrote to memory of 2768	2740	Iabhdefo.exe	35
PID 2768 wrote to memory of 2916	2768	Iebmpcjc.exe	36
PID 2768 wrote to memory of 2916	2768	Iebmpcjc.exe	36
PID 2768 wrote to memory of 2916	2768	Iebmpcjc.exe	36
PID 2768 wrote to memory of 2916	2768	Iebmpcjc.exe	36
PID 2916 wrote to memory of 1340	2916	Ihqilnig.exe	37
PID 2916 wrote to memory of 1340	2916	Ihqilnig.exe	37
PID 2916 wrote to memory of 1340	2916	Ihqilnig.exe	37
PID 2916 wrote to memory of 1340	2916	Ihqilnig.exe	37
PID 1340 wrote to memory of 2092	1340	Jakjjcnd.exe	38
PID 1340 wrote to memory of 2092	1340	Jakjjcnd.exe	38
PID 1340 wrote to memory of 2092	1340	Jakjjcnd.exe	38
PID 1340 wrote to memory of 2092	1340	Jakjjcnd.exe	38
PID 2092 wrote to memory of 3036	2092	Jghcbjll.exe	39
PID 2092 wrote to memory of 3036	2092	Jghcbjll.exe	39
PID 2092 wrote to memory of 3036	2092	Jghcbjll.exe	39
PID 2092 wrote to memory of 3036	2092	Jghcbjll.exe	39
PID 3036 wrote to memory of 2628	3036	Jpqgkpcl.exe	40
PID 3036 wrote to memory of 2628	3036	Jpqgkpcl.exe	40
PID 3036 wrote to memory of 2628	3036	Jpqgkpcl.exe	40
PID 3036 wrote to memory of 2628	3036	Jpqgkpcl.exe	40
PID 2628 wrote to memory of 1600	2628	Jempcgad.exe	41
PID 2628 wrote to memory of 1600	2628	Jempcgad.exe	41
PID 2628 wrote to memory of 1600	2628	Jempcgad.exe	41
PID 2628 wrote to memory of 1600	2628	Jempcgad.exe	41
PID 1600 wrote to memory of 608	1600	Jgmlmj32.exe	42
PID 1600 wrote to memory of 608	1600	Jgmlmj32.exe	42
PID 1600 wrote to memory of 608	1600	Jgmlmj32.exe	42
PID 1600 wrote to memory of 608	1600	Jgmlmj32.exe	42
PID 608 wrote to memory of 2388	608	Jcdmbk32.exe	43
PID 608 wrote to memory of 2388	608	Jcdmbk32.exe	43
PID 608 wrote to memory of 2388	608	Jcdmbk32.exe	43
PID 608 wrote to memory of 2388	608	Jcdmbk32.exe	43
PID 2388 wrote to memory of 2024	2388	Jojnglco.exe	44
PID 2388 wrote to memory of 2024	2388	Jojnglco.exe	44
PID 2388 wrote to memory of 2024	2388	Jojnglco.exe	44
PID 2388 wrote to memory of 2024	2388	Jojnglco.exe	44
PID 2024 wrote to memory of 2012	2024	Kfdfdf32.exe	45
PID 2024 wrote to memory of 2012	2024	Kfdfdf32.exe	45
PID 2024 wrote to memory of 2012	2024	Kfdfdf32.exe	45
PID 2024 wrote to memory of 2012	2024	Kfdfdf32.exe	45

C:\Users\Admin\AppData\Local\Temp\42a7893ffdde727b85e17ac0be5132fd58de2e9f6b805e561b08724fe22535d7.exe
"C:\Users\Admin\AppData\Local\Temp\42a7893ffdde727b85e17ac0be5132fd58de2e9f6b805e561b08724fe22535d7.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\Hbknmicj.exe
  C:\Windows\system32\Hbknmicj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\Heijidbn.exe
    C:\Windows\system32\Heijidbn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\Ihjcko32.exe
      C:\Windows\system32\Ihjcko32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\SysWOW64\Ipaklm32.exe
        
        C:\Windows\system32\Ipaklm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1636
      - C:\Windows\SysWOW64\Iabhdefo.exe
        
        C:\Windows\system32\Iabhdefo.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Iebmpcjc.exe
        
        C:\Windows\system32\Iebmpcjc.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Ihqilnig.exe
        
        C:\Windows\system32\Ihqilnig.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Jakjjcnd.exe
        
        C:\Windows\system32\Jakjjcnd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Jghcbjll.exe
        
        C:\Windows\system32\Jghcbjll.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Jpqgkpcl.exe
        
        C:\Windows\system32\Jpqgkpcl.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Jempcgad.exe
        
        C:\Windows\system32\Jempcgad.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Jgmlmj32.exe
        
        C:\Windows\system32\Jgmlmj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Jcdmbk32.exe
        
        C:\Windows\system32\Jcdmbk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\SysWOW64\Jojnglco.exe
        
        C:\Windows\system32\Jojnglco.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Kfdfdf32.exe
        
        C:\Windows\system32\Kfdfdf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Kfgcieii.exe
        
        C:\Windows\system32\Kfgcieii.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Koogbk32.exe
        
        C:\Windows\system32\Koogbk32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Kbncof32.exe
        
        C:\Windows\system32\Kbncof32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\Kjihci32.exe
        
        C:\Windows\system32\Kjihci32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Kgmilmkb.exe
        
        C:\Windows\system32\Kgmilmkb.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Kjkehhjf.exe
        
        C:\Windows\system32\Kjkehhjf.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\Kccian32.exe
        
        C:\Windows\system32\Kccian32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Kfbemi32.exe
        
        C:\Windows\system32\Kfbemi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Kninog32.exe
        
        C:\Windows\system32\Kninog32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Lojjfo32.exe
        
        C:\Windows\system32\Lojjfo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Lomglo32.exe
        
        C:\Windows\system32\Lomglo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Lbkchj32.exe
        
        C:\Windows\system32\Lbkchj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Loocanbe.exe
        
        C:\Windows\system32\Loocanbe.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Lfilnh32.exe
        
        C:\Windows\system32\Lfilnh32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Lpapgnpb.exe
        
        C:\Windows\system32\Lpapgnpb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Lbplciof.exe
        
        C:\Windows\system32\Lbplciof.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Lnfmhj32.exe
        
        C:\Windows\system32\Lnfmhj32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\Leqeed32.exe
        
        C:\Windows\system32\Leqeed32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Mbdfni32.exe
        
        C:\Windows\system32\Mbdfni32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Mecbjd32.exe
        
        C:\Windows\system32\Mecbjd32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\Mmngof32.exe
        
        C:\Windows\system32\Mmngof32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Mchokq32.exe
        
        C:\Windows\system32\Mchokq32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Mcjlap32.exe
        
        C:\Windows\system32\Mcjlap32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Mfihml32.exe
        
        C:\Windows\system32\Mfihml32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Mfkebkjk.exe
        
        C:\Windows\system32\Mfkebkjk.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\Miiaogio.exe
        
        C:\Windows\system32\Miiaogio.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Mlhmkbhb.exe
        
        C:\Windows\system32\Mlhmkbhb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Ndoelpid.exe
        
        C:\Windows\system32\Ndoelpid.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\Nepach32.exe
        
        C:\Windows\system32\Nepach32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Nmgjee32.exe
        
        C:\Windows\system32\Nmgjee32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Npffaq32.exe
        
        C:\Windows\system32\Npffaq32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Nfpnnk32.exe
        
        C:\Windows\system32\Nfpnnk32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Ninjjf32.exe
        
        C:\Windows\system32\Ninjjf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\Nphbfplf.exe
        
        C:\Windows\system32\Nphbfplf.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Nhcgkbja.exe
        
        C:\Windows\system32\Nhcgkbja.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\Nlocka32.exe
        
        C:\Windows\system32\Nlocka32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\Nomphm32.exe
        
        C:\Windows\system32\Nomphm32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Nalldh32.exe
        
        C:\Windows\system32\Nalldh32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Nhfdqb32.exe
        
        C:\Windows\system32\Nhfdqb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Nkdpmn32.exe
        
        C:\Windows\system32\Nkdpmn32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\Nmbmii32.exe
        
        C:\Windows\system32\Nmbmii32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\Nejdjf32.exe
        
        C:\Windows\system32\Nejdjf32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Nhhqfb32.exe
        
        C:\Windows\system32\Nhhqfb32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Okfmbm32.exe
        
        C:\Windows\system32\Okfmbm32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\Omeini32.exe
        
        C:\Windows\system32\Omeini32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\Opcejd32.exe
        
        C:\Windows\system32\Opcejd32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\Okijhmcm.exe
        
        C:\Windows\system32\Okijhmcm.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Oacbdg32.exe
        
        C:\Windows\system32\Oacbdg32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Ocdnloph.exe
        
        C:\Windows\system32\Ocdnloph.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Okkfmmqj.exe
        
        C:\Windows\system32\Okkfmmqj.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Oingii32.exe
        
        C:\Windows\system32\Oingii32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\Ophoecoa.exe
        
        C:\Windows\system32\Ophoecoa.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Ocfkaone.exe
        
        C:\Windows\system32\Ocfkaone.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Oeegnj32.exe
        
        C:\Windows\system32\Oeegnj32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\Oibpdico.exe
        
        C:\Windows\system32\Oibpdico.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\Opmhqc32.exe
        
        C:\Windows\system32\Opmhqc32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Ockdmn32.exe
        
        C:\Windows\system32\Ockdmn32.exe
        73⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 140
        74⤵
        Program crash
        
        PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hbknmicj.exe

Filesize
290KB

MD5
607a57320cdf80927849486775436246

SHA1
72f46d684cc19437e41078c896746cae0cdbb7e7

SHA256
5c2c5e41eeeb73c9389ce14ce4413e68daf2e443cf3d5b627d1d503b2150fb81

SHA512
b7ddf33b32dd3262db18ef7612c77341926f97645c695f3eb3a20b6f30a51b9c9d99b11eeb480ca8ab19c4a10726800ed2c651f5ae56f8eac052ca88ad7ec0cb

Download Submit
C:\Windows\SysWOW64\Hlelkn32.dll

Filesize
7KB

MD5
f864d3d65e3c8a84fd3b714cb48b22c5

SHA1
53a5015c2ec966ff374f7fbbb3161f5612c880e3

SHA256
ca6d95cf2718091958ba5f4505987d48a3bde6fcaa3c93ea8069a3f50afc4842

SHA512
163b2dfdeb22b5152437ff22acfe8fc817361c1417328a87426965a2b327caf41c4140bebc8161667e0a89132b6cc022c406b86205c53204d8eaa617e784cc71

Download Submit
C:\Windows\SysWOW64\Iabhdefo.exe

Filesize
290KB

MD5
9b2cd7b4da0dd20628b1143e329b2b9c

SHA1
b393206b671d7611cca6858b1a4427ffd62902cf

SHA256
e70136b57327382eff58b4971e47d0507b0fa90bbfe829ecf74ea7175a584e8c

SHA512
b99fea9e44aba47e9163196401ca0b67e1e27483a89fadff8d9805ddc3dac41588a0da5db5a5363bf7ba8b797291a6cecdd250485ff6569e86bd66639899ffad

Download Submit
C:\Windows\SysWOW64\Ihjcko32.exe

Filesize
290KB

MD5
65be4e9a6c285503789fb972b798bcb1

SHA1
bf6fb667c4ea48f96544e562b3d20e71070b73b5

SHA256
9d0ea494c62fb4d6e48ba23362c756b74475d955267c8727c9dce5639fc3249f

SHA512
6ec96fcd7f05e89f6b733e6de2b8e66d2a25b5e179c40a2694ac491bc4bd3fb592e8ec4fe22cf4597a15f2e41f48b21923008c99ab32c693b80bbf16da3a2cf0

Download Submit
C:\Windows\SysWOW64\Ipaklm32.exe

Filesize
290KB

MD5
f639e1468b6e2e6ce43bc4a52e786bce

SHA1
329429aaf58f5158de1b29b284c34c855eabaec9

SHA256
b51c7bb1ad88ed868d0812a728f5cdd8ba12a369572b1410a63a699378820c4b

SHA512
4e60167835960e3925a40753b6ecb2dab69016db1c802be5bd36606e1dc3c1970f4f08cedbb94684e830001e2e98b90b6ec803f77512e3ae67417d6305315c73

Download Submit
C:\Windows\SysWOW64\Jghcbjll.exe

Filesize
290KB

MD5
3afdea9a23e38fb888a2c53f3876bbd5

SHA1
7e721ae5e880c08b6a7cf853b1d75125e4579e46

SHA256
79e126369cecb97804afa1a561bf50cfb943f65e8fe8fed3af24809f01bad0d6

SHA512
eee38628e2ca2cadbd088e6115ede004413cb2721e91f2d479339ba2b108f689f80a686da22913b41917058580940482350e2642442b2d5bd6515817a83a1a47

Download Submit
C:\Windows\SysWOW64\Kbncof32.exe

Filesize
290KB

MD5
2245044a5f31302ade80f95a5baa5323

SHA1
764a6e739ccecb66794ca03543449aa56765f308

SHA256
faa95cea51f40e8d790721ff6a7e12ca8b16aac79c28a2e905b6ee4406188369

SHA512
2ac9b1e97fb18407abd14bc2aab17ee6dd62d4bbcf9a70f75b2bd5a8168b5690c0c7a9a6156c6dd76ad637bd87bbe6e1dd913fdba2330aac33e2a50cb274df7f

Download Submit
C:\Windows\SysWOW64\Kccian32.exe

Filesize
290KB

MD5
f87c9a8ac07c38def5cbd8a57842128e

SHA1
8c1c3d0d1c5e5ea5ffd5435fd1b1f78ba9bf1fb9

SHA256
3b433254d7542d2a76280385bbce3b50119fba663f3c5daa565146be4a7ed78d

SHA512
0465cb6f4e9155d07b6558f2e8e4ee798604e54e00cb14b1b01121fc0e0710fa189ef04002fc2fabb9fe1e590f559d7d320c6f5db095a2a1847112c8e4a42784

Download Submit
C:\Windows\SysWOW64\Kfbemi32.exe

Filesize
290KB

MD5
430e0575b519eaea6f90d1f13906cad4

SHA1
8dcaba5719c4c7880bcb00d43fd701bd655e931f

SHA256
7acc491301d2da59b253eabd4d4ee3c91fd89c7350a262bcd135f5e2953b31ad

SHA512
7a3f24411ac06d185b7a6df38640be7e5a4b1473ae80a2eadba181d23be19db2555f8db33caa497c66c58626f87631f77058e1340eb3a99a24b874be7369fb83

Download Submit
C:\Windows\SysWOW64\Kfgcieii.exe

Filesize
290KB

MD5
649e27c11ed8372d6911925e79d4dc7b

SHA1
1ddf8199901d3f0bbc7e4468b0a01f79fd2e4784

SHA256
7a01ccb2bfde07196c90b98a90abcd4093ebd12fa70ecd97a4def893929f914a

SHA512
31c663766d6d9c1b4c257dd0fdb89f229aeb9cef968c226a86021228fe83207a09db13d72509407707c9d41809e0dc8c7f06d8937263ae41e9e2b9e11bde8a65

Download Submit
C:\Windows\SysWOW64\Kgmilmkb.exe

Filesize
290KB

MD5
7810edfb124376368dfa7c54eb113b1c

SHA1
90962afdea3e61bd911e3a354ec7e0a21e69b96c

SHA256
b53f619fecbccf5ea1ba5184704da3b9eddea7cf75cc0867347f01a4a0323592

SHA512
bbaef24f54e2f79f1e47cb4bfa9ed1db47539586f6c19e8fd3ffed6664911b6f49e854e4e46a18733d8a2f632e3ae5a3dd57f74ecc42e061a250468eacc45b63

Download Submit
C:\Windows\SysWOW64\Kjihci32.exe

Filesize
290KB

MD5
6bceb5956718b10a71ecacd3bd6339ff

SHA1
affefb32c51ccf037a5d2558e42478676ecdf91d

SHA256
c72ea5c79f2c3e33ca58a4eb244a29430275eebd826b974b516ad39f9c7333d9

SHA512
0f6cfba5179c8f82d77e589f5e5bb44282971efa086cfa0d4c44e7085aa1ae1d60ad07fadf73a618de572b391b4b93783b3293bfe3d76b36b98825e2e51bcab7

Download Submit
C:\Windows\SysWOW64\Kjkehhjf.exe

Filesize
290KB

MD5
6a381b2802e356626749d0e00c8c6fdf

SHA1
5a9e2baffdc5e220a0b59f5b318375e03ba1d743

SHA256
31d9daea4e4078c0f715f9ab7193f32b11561a2501078395b7869f2909cebffb

SHA512
f3bff8db90e1819985bf3f1deac837d76b6c1665496f817a1e1c8e3251fe817127c8b4f982280ce9bbc422f080b6c91ac8042af82fbdea9ee90840391db9b19b

Download Submit
C:\Windows\SysWOW64\Kninog32.exe

Filesize
290KB

MD5
ace56981da49b831a5a49c18b19a897e

SHA1
03b8b1717b18e02fc2237addc06f694458f5ff31

SHA256
7211711eb56368287be420ce355173c539c0d2a033c5e73a96571accb4dbd8cb

SHA512
b28f4b036f3b755f4ec37c27f078726a038d28c71bae0742ceb6f84bccc4d9d4f0fe1f12615b4d3bc3838848f3fc24615b110ba21264fc9cdfd773e60c678c70

Download Submit
C:\Windows\SysWOW64\Koogbk32.exe

Filesize
290KB

MD5
5e0586322c4b2ee06649d9a7ecb7bc74

SHA1
5539d97d44ec7a455475ae6cc48dd1454529fbc0

SHA256
5c8e69d2105edc095ca69cb01b66a16b9a88c9d7156e26f2d6009405371db53e

SHA512
c577dcc25d753149adc2f3f23886c5288fdc9ad9ce2d093812a40df18dcefe0fc7b6032f94654fb167f91029145f460542045959bebf2328166f9c4c3de71092

Download Submit
C:\Windows\SysWOW64\Lbkchj32.exe

Filesize
290KB

MD5
0c6d898e8edf2c2440599f259eaaa3e6

SHA1
241342b16d51217c4d45e5eccbe178e11ca05d29

SHA256
5bd8a6fa9cfeb5f81882aa6bb23a0f00c8533c07824fc0dd68ee919d39f4c34b

SHA512
903f3576a3d885bde67ae0c3b0a475b2bad6b1cd108d432406c486edc8e7ca21c9d672274dd1d1e1a1438ab3d02b070d1df64e6c650a0085b3126577822b24cb

Download Submit
C:\Windows\SysWOW64\Lbplciof.exe

Filesize
290KB

MD5
61e4ab62b0216de9cb8aaa1ed93656f1

SHA1
605d9c378938dacfe4c052512358331009589a3d

SHA256
1da9095dd77af42122bc11339a40124c387bd16930a4b115cb4dbbb21cfee9dd

SHA512
bd9c892e433eb1100d400fd140110f7b89028a123da36d7c1b7c44b01e84c4f3efa5ed22ac057109cd4ad6c3d477e97f06811950024353de9b714982be70329d

Download Submit
C:\Windows\SysWOW64\Leqeed32.exe

Filesize
290KB

MD5
e50c832c87bac559eba028f485c85a8a

SHA1
b9d4c5ffe7e8ee21d5d87c1e001bf0b072302cbe

SHA256
07d8e354071b23aad7277b9c6f725cc3aaf428a6906e2c47732b97e57a15f77c

SHA512
2a4af0d6018587b07f9ed97601f0bb39f8c36ba3e4e0c81fece61d7f9348a616a1b9e54e27f180bf9ada028da9ee212098d92b0bb22ccdbc5378f5a4296393a1

Download Submit
C:\Windows\SysWOW64\Lfilnh32.exe

Filesize
290KB

MD5
1e69241ba48b7f34451cc63e4fa01982

SHA1
07efedf20d409305e1c1d7bc51c57336cb7e0d3b

SHA256
04ef9d4262d2b855c1f00246f9045cee87763dc7ef20295b52883cf83f1a7377

SHA512
29c78daa9f4150bdaf2187af615aa4482df75a60a0f4162df479681f6e9301fe81967d489a7f07211318fa26af6283aca92fa947e406526fbc32ac355675bc68

Download Submit
C:\Windows\SysWOW64\Lnfmhj32.exe

Filesize
290KB

MD5
698f69163728baf8c5eeac6edbb7b020

SHA1
e2a650e6d1f4b591b7a51bc826e941f4974b03ef

SHA256
143acf73b83047ac4dfbb60b4f7e4d70a3c2c3e69751c1c195dc87d5fc25443f

SHA512
848cfa5ffa0bb1b2d32a22f2ebfde17a813d00a0bc0bb512361f9aa5972dac75b2a4908c4fd4fce1efcc37dab4903e917fdb4dcab362fb998d821b98d2d52125

Download Submit
C:\Windows\SysWOW64\Lojjfo32.exe

Filesize
290KB

MD5
b92ac9ae3d4d06c7b910fb91c19b5a29

SHA1
01fab93e508625ff7b2f3e36bc8d2e2bded2c1cd

SHA256
8b5e57ad4bfd638824f5ecb01c2c0203e05110ff6574a574c0718b3e7ecde158

SHA512
344439e11879888f7d76f6b08ab005d2c3a7f00b066cf76c45b875c3d4108421ee48849dafac80f521c6a43d765df4d51484124d3ab91480e9cf8c3a00165343

Download Submit
C:\Windows\SysWOW64\Lomglo32.exe

Filesize
290KB

MD5
4888f180a20948e4d9933c88f39e2af7

SHA1
8acf2cc6cc5680de159fe0ac3673f5377ced451f

SHA256
66d2bfd4e921e1f53402deef16abdacafad9fab01e259bfa5d93e4d7b1cad3cd

SHA512
d003c812a4e42477df4cf936f28365dfe0979a3cbedb0f05ab0a58e6a5e8a9c245a5d51573c44ed102fd32bb1548834f39c176ba49231f6021200da05515b0cc

Download Submit
C:\Windows\SysWOW64\Loocanbe.exe

Filesize
290KB

MD5
a7e721edd23876e7dd065fe5d2d3af01

SHA1
abd298646668d1eb94d523b37cb94f78d7e995f0

SHA256
5d1ff010a0f923e0ef3cf8baef26effa473995e6f2fbaa6d62d33c2a808d05b0

SHA512
c8de93dab17fdfc402f1afcb17ac4874f2e85d9b530ec0701e366e17e61249cbbfb03ff24d4e737b1d1f0d57186c2069b6ba5ef394cb721f4217eb6920be6975

Download Submit
C:\Windows\SysWOW64\Lpapgnpb.exe

Filesize
290KB

MD5
b3275c50674cdee4c8463f56b9eaac60

SHA1
4e2dcaa336b7d8180775156360dc13ce2f14cf6a

SHA256
c588e6b0142e4c43529963e09660014018c8680696949568ce0cf6ef05e2d3df

SHA512
d9d0b892c94cb7bbc34258f6d50063b4ad07370b94929aae7465571b80c8c3f478b2293ac326063b2deef99d45227f386b1667d23f7ef771e714a1066dbd7648

Download Submit
C:\Windows\SysWOW64\Mbdfni32.exe

Filesize
290KB

MD5
5d09f6a3941d0f50ba28cbfb48e05c72

SHA1
f0e7a599d6aec627cd169e8e3964e9a913475d9e

SHA256
b6fe7d4fccb7215435b62e69c5c5f5cf7157c2c0851a078a44e017ebb01c0722

SHA512
ed5d01108abaedb07221e4650d558bf365bc326138c0599aa05824dce629ecd3c7ac43a9096e699bcc2edd9d59da70607525e0ad958a8a56510f9c8bdb474f74

Download Submit
C:\Windows\SysWOW64\Mchokq32.exe

Filesize
290KB

MD5
a0f1b31ac42e7806e739477f712933a5

SHA1
e1e1bd3a5d5fe3aa8e505e251ae16c165325bd77

SHA256
196cb67850eb75d732449d860bdb707eb5c5a323e4c40c4fb90133d2003ed278

SHA512
d7b1b0069807451f69f1527d904691800b9dba117b86a049c472a179db61a9af3ee266720a19ec1cfeb8f2714aa5daf13aef6bdcbd1000f4674608295b53777d

Download Submit
C:\Windows\SysWOW64\Mcjlap32.exe

Filesize
290KB

MD5
c76eccb87cdf2c043c3762a93c839bd8

SHA1
ac04a147056d3100f663d2805cb82fceef498a26

SHA256
a5ee299e6244f34e1dece4a15a37315d5314a1e298772e28ac4848bd32b1c3d7

SHA512
869d8fa49a1f1cea5fbd82e8d6dc3f2475df19bc03b4390ddaa504e94b7c7ceefa7c0d44cb582db7462a67eb90e2f7b1efc84020c3d0837b663f2a7e3ab46559

Download Submit
C:\Windows\SysWOW64\Mecbjd32.exe

Filesize
290KB

MD5
3f61f6788988ebeb8936e78a915a91a6

SHA1
8dcdd7e79c67d9a7ec71825ec5f8a2b45ff18579

SHA256
ff2f860fe25037ab3444039f424497b5f2d88c99940be7ce58a373abc54869d2

SHA512
05803507f7bed9edb258dc526b6775831ad96aae81100bef4b1c871c54e047f9832743af7961fe6273b232a1a47a25492ad50e9b686b1598d62c52b15b54bcd9

Download Submit
C:\Windows\SysWOW64\Mfihml32.exe

Filesize
290KB

MD5
dc28791fb6c0a0c69c9b5e08d6a6e9ab

SHA1
9333543b35160ef2bf12bf69a1a29a05bb8f949a

SHA256
5e132115d57c42c318bed1f778316aa98a821f8d7d0bd2415f73842a8a52b2ad

SHA512
47db41d235b3de817a42175c7511f78f169cf48fa24f950f694a752eae12b18b18dfef1fc8be2fb382f1819ed8963c22408bcb4bdf0beb506559accb3607ab6e

Download Submit
C:\Windows\SysWOW64\Mfkebkjk.exe

Filesize
290KB

MD5
d9fffff1ac1bbe2174647dccd0c22762

SHA1
e1be9c73d79d05c8502f8c3091d45d92e1fc633f

SHA256
54800c0ce92f3ad961cb3c68ec82c8266a2afaba9c19989e7ebc5f90bfdbf5fb

SHA512
1f244b3cc7833a67108ad35f90737dab50f936f20764d285dbc9f4ed21fbb05a55ecdc442dbed781a3459c10f51a8c97a60797f3a69d353c8702680d27e126e9

Download Submit
C:\Windows\SysWOW64\Miiaogio.exe

Filesize
290KB

MD5
f4edf9159cac61c3cc2412081947c202

SHA1
d1a76147466068afd3d2250251290717a9b6d33c

SHA256
7717564f06253a0f800817e6fe1963810829bf4ca1998c325e08c5e3f4f6ebd5

SHA512
46f7fc74367910b4f526db9ccd945f9eca1d08f6d24d58f123221b6c299bbfbfb1e0f7372f3297a2541396e2400c0f33214347f4162905a90711677c20488718

Download Submit
C:\Windows\SysWOW64\Mlhmkbhb.exe

Filesize
290KB

MD5
a8d2b1e233dc5478691aa8e2733a1994

SHA1
f4af2affcb52a08aec545b2930af7e1a7f4bb767

SHA256
702b0df4f9bb26b5844b698d89120ae1c5f5103f254eeaa7542f8558d00e158d

SHA512
b3d43a4fc34eeac889ee763c53d8aef0380276ebbcd2204d3043f4d03beff311b22b495e5855884ae23b8e5d9ac19c4d6c0f480d59e9c7987825968a28ea8931

Download Submit
C:\Windows\SysWOW64\Mmngof32.exe

Filesize
290KB

MD5
a801c79586111ecd9f1263d7a08881e6

SHA1
e6df723bb8e12354218e1591ee3376d3b98deac7

SHA256
f70c3fd182b87f20c841ebea0fb8911e2604983b86e352eda949db7e51e7118f

SHA512
340481a2821459eeb22c8267ac899163a0e876903074685e26f4d513884be3eb0050ff1df3dc5f0ff86b8555f36810378fa13cd3311d39fb803aef912bb899c9

Download Submit
C:\Windows\SysWOW64\Nalldh32.exe

Filesize
290KB

MD5
0255ec45d518c982e07a28ee99324383

SHA1
41454ceb1e7c3ee4b57d3b339710fe3626df7b8f

SHA256
cc02a7289c598d55b0e1a16507da8aab01a53fa691dc442d32f073cb11803b71

SHA512
e15d8716390f4def2a463ce2345a2eb8f31da43f960e39e3449cca09e4822ea2af15aa6c431006a471b42f78c844ed66041464086b6deba68451b196a329c19a

Download Submit
C:\Windows\SysWOW64\Ndoelpid.exe

Filesize
290KB

MD5
5479ce9815438e4aab82a1c6bd7a863e

SHA1
62ccd6c72b14ff289e1198528b51c28c1de9d76a

SHA256
6ccc6847dbfaf8bc9ef9996a9d2284b42cfe326f598909768091f10ef24007c7

SHA512
153bd031af4dfbe7dbf6c09241a67b6533dc9d0e1995b6d037ba5e5fc732311d5137d2ff3011f3b28fd09e6e42724e6667393cb66e7d10163b9a72aacdfab806

Download Submit
C:\Windows\SysWOW64\Nejdjf32.exe

Filesize
290KB

MD5
1ee6d3eff7d513e0461d065ec42f8772

SHA1
c40211c4ed27253450339a38341f3414282fd8c0

SHA256
4345926eaf7855008ee09ffc8f58b13f96c8fe277df5915be69adabec450e7c4

SHA512
79104c36a80946253130c864df98f06b860e419ec82ebff520c1cf2b1dd4858374259f1aa41c2dcd8d03933bc3e4274fe8d604803d83144fb926e841d89db844

Download Submit
C:\Windows\SysWOW64\Nepach32.exe

Filesize
290KB

MD5
12f7c0b97327b626ab2f298632886d99

SHA1
683f71c7ac80cde954852aadaf9fdf96b5b645d5

SHA256
173a5c4517d4853d8c51b488467651a015fa9e9a897448f8847611cd1a6ee5ff

SHA512
06b769fc52a5bfc5902bf526a6a94f641bc210b7bd1f83b343b1189478f0ce47358de4111d1ba44fd7e9696d5972242620621031d713ac4b5edb4abb126ebc74

Download Submit
C:\Windows\SysWOW64\Nfpnnk32.exe

Filesize
290KB

MD5
8bf8d738d675ee236a5e9ed23e8470fb

SHA1
a54d33f983831aae2ff4acdcd3da1a66750426cd

SHA256
ef3f6a68e55a18871083410ac740983af705bb722c2226a3768f73e91b54170e

SHA512
b4f968fbfcbfb9807c3d27ddc13e8ac9b8a8c1221c3f52115297205a1aca6d8abe77729031224ebb42168b79289e158d9b468db5e1529fef205cacb0c32fca38

Download Submit
C:\Windows\SysWOW64\Nhcgkbja.exe

Filesize
290KB

MD5
4f3a3256e5daac84f1ab1c0971270e3d

SHA1
d5af30365f642b5f389ab567a0db4362d322d46e

SHA256
5e32e30a656916673bc5e3f37c23aaebbc7c0fa0feead9f2ab60316366c975b2

SHA512
5cbc7c39d99ff5b5e2e13e90352f7d2e6438fdcff708c7949d51a27af59338c7673c46582c75bd1c59b03a1bd73e76984097ff4fc4fd2659e945bfd7d4651c49

Download Submit
C:\Windows\SysWOW64\Nhfdqb32.exe

Filesize
290KB

MD5
fe74c333a6de1c18869dfe2de5369814

SHA1
4710219f97cea841625889169c677821ba825925

SHA256
730492b676b06f00c88a4a906f4a49512df7d3efa8b430e99130b802a3b8665b

SHA512
441745fc8fed1646fbe769a5e81ab78a36623beb09fae9c845e1ccb6c7a402370b3fa5e3914ea31ad2697249438446ccc2fa4915d0f2bd512d787a65ce4ae54f

Download Submit
C:\Windows\SysWOW64\Nhhqfb32.exe

Filesize
290KB

MD5
5877fa19b8259bd99f5dbef02eb6dde5

SHA1
88899831b9329cc498b8ffa1a4ef3a43c91582ef

SHA256
bc79343bb8bb771dfb02bdd53236c87dec0b05477e64dc9b1f5dcc7755fe781b

SHA512
797596ace3888fc555df3e754809f44e0c8c3ba82e079d60d6bdf2b0fcb1965994f05508b32f90467f2c3ace0661173f8652bdf1dadef707a776db7aaa3cd898

Download Submit
C:\Windows\SysWOW64\Ninjjf32.exe

Filesize
290KB

MD5
a3527dbfd03fcde0e4762086258da075

SHA1
9b9e50354a2fda74c089d0db8525fb5a58aacdc1

SHA256
16b446d335bcd81fe805afed8324bec620b19e0cd415024b46a2173cfff61bdb

SHA512
7e77c79f39021e771cb1115487d409844d2b05ba86c1d3638184cb9656c8b64115f3a1ecc5f043ada028913d8d3115be2138a909363c5cb176fc027181581584

Download Submit
C:\Windows\SysWOW64\Nkdpmn32.exe

Filesize
290KB

MD5
2425750d05d612ced176b209cfbb8088

SHA1
4eb66a9bba4510c112662b7ed28a9811986ec6df

SHA256
45cc9d6d8b862297e4abefcf57041d805f46b56da6ad4744a3a9f8a3107ad43b

SHA512
a93a7d5f6b3960a604dce4a4ea9f5b0a52abc9a04780f3d26fa2119265c2fe4a2497c3f6f0e746252ed859b26ada3de6c60ac0ebf0a761c453067e2d116bfab1

Download Submit
C:\Windows\SysWOW64\Nlocka32.exe

Filesize
290KB

MD5
a8116c250d88cbec2a095ffb93a17250

SHA1
972150152f9eb20dc48f2840f7b0940159d49b73

SHA256
894a0d3a221640623fea9e3fa5f3657a503920d1aef1ce5783f029bc0567ce6e

SHA512
55450c7eaf67850d36fa1773eab0146c5fa9be469cb63c5f341e1fd4af30edccff5cfbe90230f36d96fab67f445de4715bac60ea8337d5a8ee899f30ff585254

Download Submit
C:\Windows\SysWOW64\Nmbmii32.exe

Filesize
290KB

MD5
75cb247759b4aa7bbcd096c658681c6b

SHA1
74111d292f68734a2aea5d2ba13c61ee81a451fb

SHA256
7a8040ab3523bd619652228cb8ac33f86f9871133d3f7f9a5eddad26d8a249cf

SHA512
c4f5e77ef38812e2ea202cade984f9db72347c4a8a7860c13c2fc4088e14b00d9e57510027a8dc2bad64247e69d64df57727a31101dc214783a6ea607339f9a2

Download Submit
C:\Windows\SysWOW64\Nmgjee32.exe

Filesize
290KB

MD5
aac50b3c31f0058284c020621dfe24fe

SHA1
f264dc217cee58ce74d6d9939e17b1f04ed9dcc4

SHA256
5a8107db027eef86576e368ea12dd3635209a0dfd75b9302f84bfb0de595498c

SHA512
7b30acdb2056b6fad9b6f59154d2949dc4d8d7732e19b1663a927bb99ed8afb655eb23247046bc3ab7fd689e237da23416bc615744e94a6e242a27414c774346

Download Submit
C:\Windows\SysWOW64\Nomphm32.exe

Filesize
290KB

MD5
66fd56f525c04485a47fe21ee58bfa70

SHA1
5a7d02e08a1eda84f723376df1f1e9706bcbe829

SHA256
f0e5c5050fd0c879d00e1dac0d0bd1ec6eb6dbe8a245cb30d89bd9602ce602e3

SHA512
5e8bfdb4d2c6c205f6a6dfa1aa3b98a97b2a211e02c3e0fad734b555b746e1717296f6f6c7383b21c8cdf7d2582a4c38f3ce8a1de3096e7d58428d850640acf5

Download Submit
C:\Windows\SysWOW64\Npffaq32.exe

Filesize
290KB

MD5
cec5c944a703ce4313a76a525fd7a988

SHA1
71880b0e784e4b92dde94cb68a72fb5e46e91ca2

SHA256
a0bfaf7a7af3973f3886a8270cc685a58562c575e7b2fef7b023789c37ea892a

SHA512
dfc3baff5eca9ba9b91251a75f0304efe4061224eb614793dbea5ba7e7b9d26f913dfe13e9f37afbed3efeedb4ab3f1208228e1f38a9c0327c45b563043858b7

Download Submit
C:\Windows\SysWOW64\Nphbfplf.exe

Filesize
290KB

MD5
b1e3a98f93ae18c80349eb05b03efd4b

SHA1
b4b2f21c1b31f79a80216e5fcab8e65a94761055

SHA256
8d0302e55cb31384d38cdf5f6da7891672c537399fb2a3aeeb478e205b9ce146

SHA512
03b7ac2152e24a79eb127c768c2f4bf9d72f28718174edd36e38ae5583bded93ccf4b7dd008a70c028aa9b155fd9761d54e62eb818a3f08b49ac70cb36f6e810

Download Submit
C:\Windows\SysWOW64\Oacbdg32.exe

Filesize
290KB

MD5
3298c70f8696b5d9c8d6acec68e7fc1f

SHA1
bc394443e22b63c6e25a7cd5ec15c3e9fa54f072

SHA256
c2919214df2d1c9f532710a98edd018321226ed441c2b9ccaa098d95fb8ea4eb

SHA512
54b807130e5a3af215d11426cd93c4bf731766fbe46e9425285e22e88b3e83e536209d51e84356389e0d7077d0dfb3cc78ddb38a8099b9e436bccc0adbadfacb

Download Submit
C:\Windows\SysWOW64\Ocdnloph.exe

Filesize
290KB

MD5
6ef973e5311edca5999ebff393afc568

SHA1
f75ed4d34238a2ded019a9c7fa17d0a4c2a16a54

SHA256
2b3249143e703fa40cbcd4c62a6c8d683eb8a116eef6f3a38ccf69f385288785

SHA512
e85a0b6eedf119db0c8d5b9ec271f8a4d8d9deeac18c508d1c5e909ee1c624dd9b632f9453bc7d57e38c155a79093ac8c42b6418d531dd34a43f2515195e7008

Download Submit
C:\Windows\SysWOW64\Ocfkaone.exe

Filesize
290KB

MD5
c948d926ceba4a77de1b3c051ec02e0e

SHA1
b2e5c9d194e4d31d2f8c9a0e0bb5be06b6544755

SHA256
db4d40d90430967789433d63d5d4d471b557a29e0bd55d812b14026f95fad63f

SHA512
31746691c87ecec6376105321b1731c301cdf68ae18d60d2efee5885405949dc9384852f3fb67986883db88b61a8038f4168c1e6cc611f8626cd85112241a403

Download Submit
C:\Windows\SysWOW64\Ockdmn32.exe

Filesize
290KB

MD5
d30a87ba5245c9eb6ed1d3a244a619eb

SHA1
ceb46b222f22bd639cb7ed3cf0010c1918d31f50

SHA256
2e251489a342aef36e9fd65f804466b75f165fee3067f8d106bc47266e5ae920

SHA512
efd48dc64f86d39c62aae8ff1cb704c3739c0719ba6c02bc33230fac81e530800049e3d2229714eb189b444b2db59f74acaaf07b2169b51a9ec6f62d968ec1e4

Download Submit
C:\Windows\SysWOW64\Oeegnj32.exe

Filesize
290KB

MD5
73a4c2c1d7fbdb42bf44d10257c28018

SHA1
c21762dd881688e9d706f3da7989e9edf4157f9e

SHA256
c3f4741b4ebb6ce4fdd013c491b5bc39924effc12f1696f711fbc1741296c1e8

SHA512
87973b2300e41214ee964097a4de2b6eab5313fc70d981d649dcbc825a956065502b89485ea4eced10f1cc98df475020261d9eb09f75878713fd4a6d516efe42

Download Submit
C:\Windows\SysWOW64\Oibpdico.exe

Filesize
290KB

MD5
859cf9c8237013ca63c12f6e9a13bcb5

SHA1
2722de7056c8f7d471fe64769b275bdc5e47dab4

SHA256
3ffe4e3a7a08d5f99cc18fc6ae3725707d3fc87297866831cb227899c267ad18

SHA512
0760b928bc8ef4e97c80c1c95ed759069e78c508cf827e57f6f7ce028338b789290906cbd82535d5872aff5bbb220bb67fbc1a7984682bf97812ef4f98e2cc05

Download Submit
C:\Windows\SysWOW64\Oingii32.exe

Filesize
290KB

MD5
016d50f5f7493559146e0d2a76326ad0

SHA1
3c76c5413ab8cf50f06ad23222bc503a90c9dd8a

SHA256
00e279a8ddcca682d0713eced48757e024cad42641ea425bfb02e88f08a68e05

SHA512
1ded564e047d46e2cdbce2bb5a84d937c49fde23d94d38405abdc4b6788e27615042e8a355592d33cd080ed91847552fd6bfbcdea9b39c0a7041f6b6a0e8dca8

Download Submit
C:\Windows\SysWOW64\Okfmbm32.exe

Filesize
290KB

MD5
853bda81988006fa2710f04c773b4fe5

SHA1
4ace9fb8cc713ae6dd8d2ec7e8f72abf11163496

SHA256
978ff2ae583fabb8c45740753d44afcc12f38755f2ce0a0c5ad57fa1243346cb

SHA512
59216ecc8df32c918928dd8e9c9c274980c040778092ce641daf0dd437231d42822f6d25b6b8b4fd2f7fb010416c5b73c33431f0932dd62d9bf26e3dfae128ec

Download Submit
C:\Windows\SysWOW64\Okijhmcm.exe

Filesize
290KB

MD5
f7fe3035703eb90ab00e6398c3beb232

SHA1
65d886f1f4d3d7e9080c4f8c8488ceb57cbcbcce

SHA256
4f8db486fbabcb0862f1992ae1f56fc762fb59aaee284dd6bda58eebfeffc8fc

SHA512
d42485289522d93e431e137bb1a7a5e7be18b05ef8f5210b4a6d8473731aaf05a2c12d22da45e2c8e35d352539c98db41db4833bed88be0271bf9abb99474503

Download Submit
C:\Windows\SysWOW64\Okkfmmqj.exe

Filesize
290KB

MD5
2c00355b4a70c15fba21c09b3a178fec

SHA1
b952714ed425b6f91e319cc70a775151d7069dc3

SHA256
5b63175bc29a705ffbdcbcb7bd7b7370a28a17b112669b32f09183d9390d3f51

SHA512
f089431463cce35a39b83f2e1795991a4d8273523d17f087f6e1e12c5da1cdc99d90cee1b2de40f11161812bbf2fd46c8dabb0231fac9c14b43ea3dc8f06c04b

Download Submit
C:\Windows\SysWOW64\Omeini32.exe

Filesize
290KB

MD5
e56e7194de058ac65b4910257c9f812c

SHA1
17c670d23418e22c2bb31d31009039d979d9397a

SHA256
8f74c2a0b1ad6d18c9c199d75063ce07c4f2a4fdacca48dcd17c50d7ed491a1d

SHA512
47d3bc6037597d76ee8caabce009005fac2e1dd2b90c9587c34936ad0d2173817fc2ea371950675918641c803cdb6c9e6b6fc4abfad0cf06747e7389135c03c8

Download Submit
C:\Windows\SysWOW64\Opcejd32.exe

Filesize
290KB

MD5
f7e409f55d865931826c8b5f25ccc9ba

SHA1
f99e304229df3b5a7085850f8dfb20a79f822e70

SHA256
2c22a2aa799fdd46e0e74ea0fa353f17c2bf808c6db1b949b4c2885729571243

SHA512
7a54477e5010a00caf2297b0a3d62192fec176d63c41f815ab45149db86772fdc1832f2c2d01999e4c822eda06709d4b13f9e9ea3d39a295467f8cb7d25586f0

Download Submit
C:\Windows\SysWOW64\Ophoecoa.exe

Filesize
290KB

MD5
3e58a99897e38b9ac42d1f67bac5343d

SHA1
133e6a4976db17f6441ecb01d571e06de4512bec

SHA256
c0dda63350093b0874a7c926d4468be482bb709966e116dc0b9f65f693423e30

SHA512
00f58fcd3874fd29b9d763b41c05b1f48e99f3410fac030ad88e18e5c17ed8cee3dcb16e5eee0d51aa7cec5fc6619b9688ceed6d5c9124e7be4da82b521b2655

Download Submit
C:\Windows\SysWOW64\Opmhqc32.exe

Filesize
290KB

MD5
4020d9a432891834de250af883679350

SHA1
40743d655c6c1a4689f4a1f1a8d588e408ccad0d

SHA256
a3ef3605b73653249fc4ee2f619949fa876897177beed25b8657346a4800fb6b

SHA512
3f98d06b70b5bb35d40642e774995e58c7fe43d810deec131b6f3a379383ad4536e873bf11edf34816198f66ea66ea471106709652a2806d17398fc7eb659c87

Download Submit
\Windows\SysWOW64\Heijidbn.exe

Filesize
290KB

MD5
12b565bd4a974effb6042aa46f82e35d

SHA1
ee37e5869b06bfa36e8da085ddbee9850de02577

SHA256
741b03e93844a755b3277f2b876ad31d8c61c1b5c884f02267ee95a2de162c34

SHA512
7f3ae26b8cbb78a39f5a26b28a32650ec40740f0660c18c45efb863ec272505e296fc32b63c77e1a252aa44830bbc2850dc57783a48cb59a76521d889b1de9b5

Download Submit
\Windows\SysWOW64\Iebmpcjc.exe

Filesize
290KB

MD5
b0b5942a50271ee9c9316807bf569e5c

SHA1
b21a3b5e3cc80bfbf0b8bbbba982332df8911562

SHA256
32c126c2089b304a13dbc859b96a81072b541ac3ee08c2e6e27e834575da98ea

SHA512
accedc3ba970191526b236f647457f3a44558bbdcac74d8eceda3ed135e03a128c0bb0677f752fa9aca12a466802b4ba884f8a78931db3ed49799b286fa8b3bc

Download Submit
\Windows\SysWOW64\Ihqilnig.exe

Filesize
290KB

MD5
162852586588926f4f4474f929b9638e

SHA1
14c95baa0a0622f4290385a2b3e7fe611564feb8

SHA256
0666f8eecd794e152b65d2b2922f2d3622339dee1e7917d3167d84e98f738b71

SHA512
b455f61b3fd034acd63c8d52ffdec716ab5603fc27c581a284247e34a4d095be5eaa173e8185f7de113dcb2750be01e0d9cf051069ff9180a52f6dfa83e11131

Download Submit
\Windows\SysWOW64\Jakjjcnd.exe

Filesize
290KB

MD5
df9235c89833968c5a8dfd3ef8157cac

SHA1
107fd3ff15d9b2f00e46fff78add41ab4d7b5de6

SHA256
856690c80e6ae29c111d8d6f6114121cb01154c4a1525457b14c38a1a6b4f2b7

SHA512
1bb6348e6b9d6e4f8eb23ee63f48de587d0043244221c479b9037e99ddfa74a155f34e805642cddac1cc7352d3e03e1621939f72714c19b2393ee8b366f8eb41

Download Submit
\Windows\SysWOW64\Jcdmbk32.exe

Filesize
290KB

MD5
a91f28a401f06a93030fff773f466b4d

SHA1
08ea826a7351900d2e01a9b1460c56df18e8681f

SHA256
64608a41eab0da9f7d267831fd84181a661310058e6e8d247ca21abb0de6b367

SHA512
e6b708165756307c550a04dc9f6639231c420039b34ac83806926fbe881e9faa829862049452a0d4edd8e34be27d0155baa3208be3b013349e173949d311932d

Download Submit
\Windows\SysWOW64\Jempcgad.exe

Filesize
290KB

MD5
ea3c72317bd503a9a2a4a72552d4790b

SHA1
8ff015d6585ca58ecdc550d95d78be7089c33872

SHA256
3fff1c008dbfb7cc227abe4b6e42e6b5ade70338e1e38e5f498f893bd875e8f5

SHA512
bec4b3db561f3f4c1ffc2fbefcf25920cee498db71d35b530f860a84bc7372b1f138ed3650bd5e3ef8d5064f3d4c91484671a6299cd78b622fdfa9674b2facc8

Download Submit
\Windows\SysWOW64\Jgmlmj32.exe

Filesize
290KB

MD5
beab13f39925c654087910df06cd7206

SHA1
807e56f795d53ce0229f57187b706451f504d33a

SHA256
b1e9262032e9c9ca5f6aacba9d70cbe28c59b3f3e299f53c1831b8add5d0cfd3

SHA512
112348ead862a96c02bb50cd42ce6e78bc9ff012cc84739739668383a3d0948f862c35459c0cd693903622d5d95d4fb7ccfe43dbc4211ead4cac9a7dc7667771

Download Submit
\Windows\SysWOW64\Jojnglco.exe

Filesize
290KB

MD5
57b09473f701b189001d652ce3ad3a56

SHA1
e2c2e4fd814a1446a4fc2ea3731da9d23e5df295

SHA256
35b31e559a5538b095f40ffa7107a45bbe1701d47fa9cb5a5257a38c895b9a2d

SHA512
92e046296db06883084678c9dc91174850e3092f0774e09cf9963228b6d9e30b0d5212d39ecf54873e327e5054e5c13c9ee2e436ec1ede48e9480c4fa1ab5bcb

Download Submit
\Windows\SysWOW64\Jpqgkpcl.exe

Filesize
290KB

MD5
d20b57f997c8d11ee6203b266cf90478

SHA1
2a819348b33c3a610ede9f04ad8a9cc0face93cd

SHA256
1243820a20129c41bdc0fa652d691a53794e8f2b7a2570ec11e14700e17f3b08

SHA512
1267ea4cbdb01a2328c2ca192171b9791b7e02df2f434e35a1e7ca64a9d28e12fe60b84bd902b8278f6789013e2a4af1af7148c1663e2d8d12f0844036727713

Download Submit
\Windows\SysWOW64\Kfdfdf32.exe

Filesize
290KB

MD5
daa19c0442169d98ca4ec783abb757a0

SHA1
10f875c019892bd15cbc8f7a666a93c318b81f59

SHA256
fd84ada1fdf891d7f4e0c0832fd4ae1e414290ccfaf515774e6e83d761ad5b82

SHA512
a4ec74429aa17874a27b9d94f0e17e7e41edde8380844faa02590989d96e1c01fcbf0662a4a3837c511b83a8633145f97bac8978844fdc7790a6bcb0bfe82ed8

Download Submit
memory/608-186-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/608-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/776-883-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-906-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/904-894-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-896-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-307-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1128-311-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1144-463-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1144-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1144-468-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1224-455-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1224-451-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1224-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-123-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1340-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-444-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1492-905-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-892-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1572-886-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-177-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1620-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-68-0x0000000000340000-0x0000000000374000-memory.dmp

Filesize
208KB

Download
memory/1636-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-371-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1760-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-13-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1760-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1796-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1796-277-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1816-874-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-322-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/1964-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-318-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/1972-895-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-884-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-230-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2012-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-218-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2024-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-409-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2032-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-240-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2036-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-131-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2144-398-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2144-55-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2144-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-302-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/2188-296-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/2284-880-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-915-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-200-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/2416-287-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2416-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-908-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-387-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2524-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-22-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2528-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-250-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2628-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-163-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2628-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-257-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2652-265-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2664-903-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-81-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/2740-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-82-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/2764-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-425-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2768-92-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2768-430-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2768-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-882-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-891-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-439-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2804-343-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2804-344-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2804-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-902-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-917-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-914-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-105-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2944-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-45-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2956-904-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-364-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2960-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-365-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2964-333-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2964-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-329-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2984-865-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-881-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-432-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3020-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-354-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/3036-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-469-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3036-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads