berbew | aa86cf424e47e526b7e988d281bebc795dcad89c4cb653379b54c93d19eea54f

Analysis

max time kernel
29s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/12/2024, 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa86cf424e47e526b7e988d281bebc795dcad89c4cb653379b54c93d19eea54fN.exe
Size

256KB
MD5

f12e96a396bed3f7c7760ed8d23615b0
SHA1

52dae444a49a45434719cfbed4f30a048c447649
SHA256

aa86cf424e47e526b7e988d281bebc795dcad89c4cb653379b54c93d19eea54f
SHA512

63937de0a69c4811a3b34a8c2ffa9ec15b7b17381d5bb4f4d837fbce806e5c0477ad472aa97d3e8501c8622d5b5cd65718ff14d86ff1c27918e1da8d66b71ed6
SSDEEP

6144:Ah1l1Rd853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZj:eLQBpnchWcZj

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knklagmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmikibio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kofopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphhenhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcpjmcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Magqncba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhhfdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moanaiie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maedhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcjdpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjfjbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjifhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mencccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kqqboncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnbbbffj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmikibio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmnace32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgalqkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moidahcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kofopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgjfkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmneda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgalqkbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhllob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjfjbdle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgjfkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	aa86cf424e47e526b7e988d281bebc795dcad89c4cb653379b54c93d19eea54fN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcpjmcb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kqqboncb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebgia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkbalifo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niikceid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkaiqk32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2880	Jcjdpj32.exe
2608	Jjdmmdnh.exe
2904	Kjfjbdle.exe
2660	Kqqboncb.exe
2664	Kjifhc32.exe
2564	Kofopj32.exe
1824	Kebgia32.exe
704	Knklagmb.exe
2560	Kgcpjmcb.exe
2600	Kaldcb32.exe
2036	Kkaiqk32.exe
1728	Leimip32.exe
796	Lnbbbffj.exe
1992	Leljop32.exe
2152	Lgjfkk32.exe
2428	Lndohedg.exe
2352	Lmikibio.exe
2156	Lphhenhc.exe
2376	Lfbpag32.exe
1788	Liplnc32.exe
1832	Lcfqkl32.exe
720	Lbiqfied.exe
1968	Libicbma.exe
2240	Mmneda32.exe
2772	Mlaeonld.exe
2656	Mooaljkh.exe
2848	Mieeibkn.exe
1340	Mhhfdo32.exe
2576	Moanaiie.exe
1936	Mapjmehi.exe
1156	Migbnb32.exe
2028	Mlfojn32.exe
2796	Modkfi32.exe
2800	Mabgcd32.exe
1816	Mencccop.exe
1648	Mlhkpm32.exe
1508	Mofglh32.exe
1960	Maedhd32.exe
2008	Mdcpdp32.exe
2076	Mholen32.exe
2920	Mgalqkbk.exe
1796	Mkmhaj32.exe
2160	Moidahcn.exe
2140	Magqncba.exe
1556	Ndemjoae.exe
1296	Ngdifkpi.exe
2584	Nkpegi32.exe
944	Nmnace32.exe
2924	Naimccpo.exe
1940	Ndhipoob.exe
2636	Nckjkl32.exe
2548	Nkbalifo.exe
2888	Niebhf32.exe
2520	Nlcnda32.exe
2704	Ngibaj32.exe
2988	Nigome32.exe
2980	Nmbknddp.exe
852	Npagjpcd.exe
2460	Nodgel32.exe
2032	Ncpcfkbg.exe
2468	Niikceid.exe
2680	Niikceid.exe
1724	Nhllob32.exe
2992	Nlhgoqhh.exe

Loads dropped DLL 64 IoCs

pid	Process
1860	aa86cf424e47e526b7e988d281bebc795dcad89c4cb653379b54c93d19eea54fN.exe
1860	aa86cf424e47e526b7e988d281bebc795dcad89c4cb653379b54c93d19eea54fN.exe
2880	Jcjdpj32.exe
2880	Jcjdpj32.exe
2608	Jjdmmdnh.exe
2608	Jjdmmdnh.exe
2904	Kjfjbdle.exe
2904	Kjfjbdle.exe
2660	Kqqboncb.exe
2660	Kqqboncb.exe
2664	Kjifhc32.exe
2664	Kjifhc32.exe
2564	Kofopj32.exe
2564	Kofopj32.exe
1824	Kebgia32.exe
1824	Kebgia32.exe
704	Knklagmb.exe
704	Knklagmb.exe
2560	Kgcpjmcb.exe
2560	Kgcpjmcb.exe
2600	Kaldcb32.exe
2600	Kaldcb32.exe
2036	Kkaiqk32.exe
2036	Kkaiqk32.exe
1728	Leimip32.exe
1728	Leimip32.exe
796	Lnbbbffj.exe
796	Lnbbbffj.exe
1992	Leljop32.exe
1992	Leljop32.exe
2152	Lgjfkk32.exe
2152	Lgjfkk32.exe
2428	Lndohedg.exe
2428	Lndohedg.exe
2352	Lmikibio.exe
2352	Lmikibio.exe
2156	Lphhenhc.exe
2156	Lphhenhc.exe
2376	Lfbpag32.exe
2376	Lfbpag32.exe
1788	Liplnc32.exe
1788	Liplnc32.exe
1832	Lcfqkl32.exe
1832	Lcfqkl32.exe
720	Lbiqfied.exe
720	Lbiqfied.exe
1968	Libicbma.exe
1968	Libicbma.exe
2240	Mmneda32.exe
2240	Mmneda32.exe
2772	Mlaeonld.exe
2772	Mlaeonld.exe
2656	Mooaljkh.exe
2656	Mooaljkh.exe
2848	Mieeibkn.exe
2848	Mieeibkn.exe
1340	Mhhfdo32.exe
1340	Mhhfdo32.exe
2576	Moanaiie.exe
2576	Moanaiie.exe
1936	Mapjmehi.exe
1936	Mapjmehi.exe
1156	Migbnb32.exe
1156	Migbnb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hkijpd32.dll	Lndohedg.exe
File created	C:\Windows\SysWOW64\Mooaljkh.exe	Mlaeonld.exe
File created	C:\Windows\SysWOW64\Mencccop.exe	Mabgcd32.exe
File created	C:\Windows\SysWOW64\Mlhkpm32.exe	Mencccop.exe
File created	C:\Windows\SysWOW64\Hfjiem32.dll	Leimip32.exe
File created	C:\Windows\SysWOW64\Kbelde32.dll	Lbiqfied.exe
File opened for modification	C:\Windows\SysWOW64\Maedhd32.exe	Mofglh32.exe
File created	C:\Windows\SysWOW64\Mholen32.exe	Mdcpdp32.exe
File opened for modification	C:\Windows\SysWOW64\Naimccpo.exe	Nmnace32.exe
File created	C:\Windows\SysWOW64\Ogjgkqaa.dll	Niebhf32.exe
File created	C:\Windows\SysWOW64\Kaldcb32.exe	Kgcpjmcb.exe
File created	C:\Windows\SysWOW64\Mlfojn32.exe	Migbnb32.exe
File created	C:\Windows\SysWOW64\Maedhd32.exe	Mofglh32.exe
File created	C:\Windows\SysWOW64\Nckjkl32.exe	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Dnlbnp32.dll	Ncpcfkbg.exe
File opened for modification	C:\Windows\SysWOW64\Leimip32.exe	Kkaiqk32.exe
File created	C:\Windows\SysWOW64\Leljop32.exe	Lnbbbffj.exe
File created	C:\Windows\SysWOW64\Macalohk.dll	Mofglh32.exe
File created	C:\Windows\SysWOW64\Ndemjoae.exe	Magqncba.exe
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Nkbalifo.exe
File created	C:\Windows\SysWOW64\Oqaedifk.dll	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Mahqjm32.dll	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Jcjdpj32.exe	aa86cf424e47e526b7e988d281bebc795dcad89c4cb653379b54c93d19eea54fN.exe
File opened for modification	C:\Windows\SysWOW64\Lmikibio.exe	Lndohedg.exe
File created	C:\Windows\SysWOW64\Ggfblnnh.dll	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Gpbgnedh.dll	Mhhfdo32.exe
File created	C:\Windows\SysWOW64\Nkpegi32.exe	Ngdifkpi.exe
File created	C:\Windows\SysWOW64\Niebhf32.exe	Nkbalifo.exe
File created	C:\Windows\SysWOW64\Nmbknddp.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Niikceid.exe	Niikceid.exe
File opened for modification	C:\Windows\SysWOW64\Kjfjbdle.exe	Jjdmmdnh.exe
File opened for modification	C:\Windows\SysWOW64\Lfbpag32.exe	Lphhenhc.exe
File created	C:\Windows\SysWOW64\Diaagb32.dll	Mlaeonld.exe
File opened for modification	C:\Windows\SysWOW64\Mieeibkn.exe	Mooaljkh.exe
File created	C:\Windows\SysWOW64\Moanaiie.exe	Mhhfdo32.exe
File created	C:\Windows\SysWOW64\Modkfi32.exe	Mlfojn32.exe
File created	C:\Windows\SysWOW64\Ndhipoob.exe	Naimccpo.exe
File created	C:\Windows\SysWOW64\Nkbalifo.exe	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Qjfhfnim.dll	Kebgia32.exe
File opened for modification	C:\Windows\SysWOW64\Kgcpjmcb.exe	Knklagmb.exe
File opened for modification	C:\Windows\SysWOW64\Leljop32.exe	Lnbbbffj.exe
File created	C:\Windows\SysWOW64\Lgjfkk32.exe	Leljop32.exe
File opened for modification	C:\Windows\SysWOW64\Moanaiie.exe	Mhhfdo32.exe
File created	C:\Windows\SysWOW64\Moidahcn.exe	Mkmhaj32.exe
File created	C:\Windows\SysWOW64\Enlejpga.dll	Jjdmmdnh.exe
File opened for modification	C:\Windows\SysWOW64\Lcfqkl32.exe	Liplnc32.exe
File created	C:\Windows\SysWOW64\Mhhfdo32.exe	Mieeibkn.exe
File opened for modification	C:\Windows\SysWOW64\Mencccop.exe	Mabgcd32.exe
File created	C:\Windows\SysWOW64\Qaqkcf32.dll	Mgalqkbk.exe
File created	C:\Windows\SysWOW64\Lfbpag32.exe	Lphhenhc.exe
File created	C:\Windows\SysWOW64\Naimccpo.exe	Nmnace32.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Nigome32.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Fhhiii32.dll	Niikceid.exe
File opened for modification	C:\Windows\SysWOW64\Modkfi32.exe	Mlfojn32.exe
File created	C:\Windows\SysWOW64\Ajdlmi32.dll	Mooaljkh.exe
File created	C:\Windows\SysWOW64\Elonamqm.dll	Moidahcn.exe
File opened for modification	C:\Windows\SysWOW64\Ndemjoae.exe	Magqncba.exe
File opened for modification	C:\Windows\SysWOW64\Ndhipoob.exe	Naimccpo.exe
File created	C:\Windows\SysWOW64\Gcopbn32.dll	Lnbbbffj.exe
File created	C:\Windows\SysWOW64\Kkaiqk32.exe	Kaldcb32.exe
File created	C:\Windows\SysWOW64\Mdcpdp32.exe	Maedhd32.exe
File created	C:\Windows\SysWOW64\Ncpcfkbg.exe	Nodgel32.exe
File created	C:\Windows\SysWOW64\Nafmbhpm.dll	Jcjdpj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1244	2992	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhhfdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mencccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mofglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magqncba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhipoob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kqqboncb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdcpdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migbnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaldcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leljop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgjfkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphhenhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mholen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnace32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niikceid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kofopj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lndohedg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mooaljkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlfojn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhkpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgalqkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngibaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcjdpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moidahcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnbbbffj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcfqkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebgia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmikibio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liplnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libicbma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nigome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkaiqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naimccpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbknddp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhllob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa86cf424e47e526b7e988d281bebc795dcad89c4cb653379b54c93d19eea54fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkmhaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfbpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkbalifo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjfjbdle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlaeonld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mieeibkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdifkpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjifhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmneda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkpegi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbiqfied.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mapjmehi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndemjoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npagjpcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcpjmcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moanaiie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maedhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckjkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niikceid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjdmmdnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mabgcd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll"	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll"	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elonamqm.dll"	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afdignjb.dll"	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmnace32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjfjbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opdnhdpo.dll"	Lgjfkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqpfa32.dll"	Lphhenhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjiem32.dll"	Leimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leljop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mofglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nodgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgalqkbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgalqkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnhob32.dll"	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knklagmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mholen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkbalifo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlejpga.dll"	Jjdmmdnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knklagmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkaiqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcfqkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlaeonld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlfojn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mencccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcjdpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kofopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kofopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmikibio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbiqfied.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfmdf32.dll"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcjdpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcopbn32.dll"	Lnbbbffj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lndohedg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcihoc32.dll"	Nkbalifo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Moanaiie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kqqboncb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kebgia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgjfkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpnnfqg.dll"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahqjm32.dll"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdcie32.dll"	Leljop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Libicbma.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2880	1860	aa86cf424e47e526b7e988d281bebc795dcad89c4cb653379b54c93d19eea54fN.exe	28
PID 1860 wrote to memory of 2880	1860	aa86cf424e47e526b7e988d281bebc795dcad89c4cb653379b54c93d19eea54fN.exe	28
PID 1860 wrote to memory of 2880	1860	aa86cf424e47e526b7e988d281bebc795dcad89c4cb653379b54c93d19eea54fN.exe	28
PID 1860 wrote to memory of 2880	1860	aa86cf424e47e526b7e988d281bebc795dcad89c4cb653379b54c93d19eea54fN.exe	28
PID 2880 wrote to memory of 2608	2880	Jcjdpj32.exe	29
PID 2880 wrote to memory of 2608	2880	Jcjdpj32.exe	29
PID 2880 wrote to memory of 2608	2880	Jcjdpj32.exe	29
PID 2880 wrote to memory of 2608	2880	Jcjdpj32.exe	29
PID 2608 wrote to memory of 2904	2608	Jjdmmdnh.exe	30
PID 2608 wrote to memory of 2904	2608	Jjdmmdnh.exe	30
PID 2608 wrote to memory of 2904	2608	Jjdmmdnh.exe	30
PID 2608 wrote to memory of 2904	2608	Jjdmmdnh.exe	30
PID 2904 wrote to memory of 2660	2904	Kjfjbdle.exe	31
PID 2904 wrote to memory of 2660	2904	Kjfjbdle.exe	31
PID 2904 wrote to memory of 2660	2904	Kjfjbdle.exe	31
PID 2904 wrote to memory of 2660	2904	Kjfjbdle.exe	31
PID 2660 wrote to memory of 2664	2660	Kqqboncb.exe	32
PID 2660 wrote to memory of 2664	2660	Kqqboncb.exe	32
PID 2660 wrote to memory of 2664	2660	Kqqboncb.exe	32
PID 2660 wrote to memory of 2664	2660	Kqqboncb.exe	32
PID 2664 wrote to memory of 2564	2664	Kjifhc32.exe	33
PID 2664 wrote to memory of 2564	2664	Kjifhc32.exe	33
PID 2664 wrote to memory of 2564	2664	Kjifhc32.exe	33
PID 2664 wrote to memory of 2564	2664	Kjifhc32.exe	33
PID 2564 wrote to memory of 1824	2564	Kofopj32.exe	34
PID 2564 wrote to memory of 1824	2564	Kofopj32.exe	34
PID 2564 wrote to memory of 1824	2564	Kofopj32.exe	34
PID 2564 wrote to memory of 1824	2564	Kofopj32.exe	34
PID 1824 wrote to memory of 704	1824	Kebgia32.exe	35
PID 1824 wrote to memory of 704	1824	Kebgia32.exe	35
PID 1824 wrote to memory of 704	1824	Kebgia32.exe	35
PID 1824 wrote to memory of 704	1824	Kebgia32.exe	35
PID 704 wrote to memory of 2560	704	Knklagmb.exe	36
PID 704 wrote to memory of 2560	704	Knklagmb.exe	36
PID 704 wrote to memory of 2560	704	Knklagmb.exe	36
PID 704 wrote to memory of 2560	704	Knklagmb.exe	36
PID 2560 wrote to memory of 2600	2560	Kgcpjmcb.exe	37
PID 2560 wrote to memory of 2600	2560	Kgcpjmcb.exe	37
PID 2560 wrote to memory of 2600	2560	Kgcpjmcb.exe	37
PID 2560 wrote to memory of 2600	2560	Kgcpjmcb.exe	37
PID 2600 wrote to memory of 2036	2600	Kaldcb32.exe	38
PID 2600 wrote to memory of 2036	2600	Kaldcb32.exe	38
PID 2600 wrote to memory of 2036	2600	Kaldcb32.exe	38
PID 2600 wrote to memory of 2036	2600	Kaldcb32.exe	38
PID 2036 wrote to memory of 1728	2036	Kkaiqk32.exe	39
PID 2036 wrote to memory of 1728	2036	Kkaiqk32.exe	39
PID 2036 wrote to memory of 1728	2036	Kkaiqk32.exe	39
PID 2036 wrote to memory of 1728	2036	Kkaiqk32.exe	39
PID 1728 wrote to memory of 796	1728	Leimip32.exe	40
PID 1728 wrote to memory of 796	1728	Leimip32.exe	40
PID 1728 wrote to memory of 796	1728	Leimip32.exe	40
PID 1728 wrote to memory of 796	1728	Leimip32.exe	40
PID 796 wrote to memory of 1992	796	Lnbbbffj.exe	41
PID 796 wrote to memory of 1992	796	Lnbbbffj.exe	41
PID 796 wrote to memory of 1992	796	Lnbbbffj.exe	41
PID 796 wrote to memory of 1992	796	Lnbbbffj.exe	41
PID 1992 wrote to memory of 2152	1992	Leljop32.exe	42
PID 1992 wrote to memory of 2152	1992	Leljop32.exe	42
PID 1992 wrote to memory of 2152	1992	Leljop32.exe	42
PID 1992 wrote to memory of 2152	1992	Leljop32.exe	42
PID 2152 wrote to memory of 2428	2152	Lgjfkk32.exe	43
PID 2152 wrote to memory of 2428	2152	Lgjfkk32.exe	43
PID 2152 wrote to memory of 2428	2152	Lgjfkk32.exe	43
PID 2152 wrote to memory of 2428	2152	Lgjfkk32.exe	43

C:\Users\Admin\AppData\Local\Temp\aa86cf424e47e526b7e988d281bebc795dcad89c4cb653379b54c93d19eea54fN.exe
"C:\Users\Admin\AppData\Local\Temp\aa86cf424e47e526b7e988d281bebc795dcad89c4cb653379b54c93d19eea54fN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\SysWOW64\Jcjdpj32.exe
  C:\Windows\system32\Jcjdpj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\Jjdmmdnh.exe
    C:\Windows\system32\Jjdmmdnh.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\Kjfjbdle.exe
      C:\Windows\system32\Kjfjbdle.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\SysWOW64\Kqqboncb.exe
        
        C:\Windows\system32\Kqqboncb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\SysWOW64\Kjifhc32.exe
        
        C:\Windows\system32\Kjifhc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Kofopj32.exe
        
        C:\Windows\system32\Kofopj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Kebgia32.exe
        
        C:\Windows\system32\Kebgia32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Knklagmb.exe
        
        C:\Windows\system32\Knklagmb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\SysWOW64\Kgcpjmcb.exe
        
        C:\Windows\system32\Kgcpjmcb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Kaldcb32.exe
        
        C:\Windows\system32\Kaldcb32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Kkaiqk32.exe
        
        C:\Windows\system32\Kkaiqk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Leimip32.exe
        
        C:\Windows\system32\Leimip32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Lnbbbffj.exe
        
        C:\Windows\system32\Lnbbbffj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\Leljop32.exe
        
        C:\Windows\system32\Leljop32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Lgjfkk32.exe
        
        C:\Windows\system32\Lgjfkk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Lndohedg.exe
        
        C:\Windows\system32\Lndohedg.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Lmikibio.exe
        
        C:\Windows\system32\Lmikibio.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Lphhenhc.exe
        
        C:\Windows\system32\Lphhenhc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Lfbpag32.exe
        
        C:\Windows\system32\Lfbpag32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Liplnc32.exe
        
        C:\Windows\system32\Liplnc32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Lcfqkl32.exe
        
        C:\Windows\system32\Lcfqkl32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Lbiqfied.exe
        
        C:\Windows\system32\Lbiqfied.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Libicbma.exe
        
        C:\Windows\system32\Libicbma.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Mmneda32.exe
        
        C:\Windows\system32\Mmneda32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\Mlaeonld.exe
        
        C:\Windows\system32\Mlaeonld.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Mooaljkh.exe
        
        C:\Windows\system32\Mooaljkh.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Mieeibkn.exe
        
        C:\Windows\system32\Mieeibkn.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\Mhhfdo32.exe
        
        C:\Windows\system32\Mhhfdo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Moanaiie.exe
        
        C:\Windows\system32\Moanaiie.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Mapjmehi.exe
        
        C:\Windows\system32\Mapjmehi.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Migbnb32.exe
        
        C:\Windows\system32\Migbnb32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\Mlfojn32.exe
        
        C:\Windows\system32\Mlfojn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Modkfi32.exe
        
        C:\Windows\system32\Modkfi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Mabgcd32.exe
        
        C:\Windows\system32\Mabgcd32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\Mencccop.exe
        
        C:\Windows\system32\Mencccop.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Mlhkpm32.exe
        
        C:\Windows\system32\Mlhkpm32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Mofglh32.exe
        
        C:\Windows\system32\Mofglh32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Maedhd32.exe
        
        C:\Windows\system32\Maedhd32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Mdcpdp32.exe
        
        C:\Windows\system32\Mdcpdp32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Mholen32.exe
        
        C:\Windows\system32\Mholen32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Mgalqkbk.exe
        
        C:\Windows\system32\Mgalqkbk.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Mkmhaj32.exe
        
        C:\Windows\system32\Mkmhaj32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Moidahcn.exe
        
        C:\Windows\system32\Moidahcn.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Magqncba.exe
        
        C:\Windows\system32\Magqncba.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\Ndemjoae.exe
        
        C:\Windows\system32\Ndemjoae.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Ngdifkpi.exe
        
        C:\Windows\system32\Ngdifkpi.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Nkpegi32.exe
        
        C:\Windows\system32\Nkpegi32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\Nmnace32.exe
        
        C:\Windows\system32\Nmnace32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Naimccpo.exe
        
        C:\Windows\system32\Naimccpo.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Ndhipoob.exe
        
        C:\Windows\system32\Ndhipoob.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Nckjkl32.exe
        
        C:\Windows\system32\Nckjkl32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Nkbalifo.exe
        
        C:\Windows\system32\Nkbalifo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Niebhf32.exe
        
        C:\Windows\system32\Niebhf32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Nlcnda32.exe
        
        C:\Windows\system32\Nlcnda32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Nigome32.exe
        
        C:\Windows\system32\Nigome32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\Nmbknddp.exe
        
        C:\Windows\system32\Nmbknddp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Npagjpcd.exe
        
        C:\Windows\system32\Npagjpcd.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Nodgel32.exe
        
        C:\Windows\system32\Nodgel32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Ncpcfkbg.exe
        
        C:\Windows\system32\Ncpcfkbg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Niikceid.exe
        
        C:\Windows\system32\Niikceid.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\Niikceid.exe
        
        C:\Windows\system32\Niikceid.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Nhllob32.exe
        
        C:\Windows\system32\Nhllob32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 140
        66⤵
        Program crash
        
        PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jjdmmdnh.exe

Filesize
256KB

MD5
e59bf2f8b8564426833475136fe62c43

SHA1
89070ac6ec0d37c21a2b78afe0a8b702be985336

SHA256
72e16dce499d48bb6244764acd9eab31a21faa7ffdffcf3c3b5b5d595fe9b575

SHA512
5d56830ba824a2731630183dc0d54ab41fe0f8badee56832a168f5d4d38ca0c420eb11f8848f2203826cefdeae1ad146b03cb4532b36a0e6259469e5cf6bbc26

Download Submit
C:\Windows\SysWOW64\Kaldcb32.exe

Filesize
256KB

MD5
2847b17bbd02ea752b7642989dec825b

SHA1
d8ba70c53d675e468750980eeb5977f31601b0cc

SHA256
5aa8acb71e961200485948ef04aaa0fcaeef49accf686b37ae320cac7a8c8db4

SHA512
38d1c40dd7f9fde18185343fc6557afd42a52d2f0c92fd1ae148765a3e36d567f9a871984b9693f4294c8af6fc7ec2137329692fdf6eeac44b6e9b8e3bb8fdfb

Download Submit
C:\Windows\SysWOW64\Knklagmb.exe

Filesize
256KB

MD5
88341cf7026f48e75343030811fdc0d0

SHA1
47eda7b351a7f9c28fdf4b053ba75092d735d325

SHA256
ec4b7b1dd4ea0818bc240902d63ee58751593bd997c48d0f0185c2cd6703c43f

SHA512
92887c56d62af45e0a6468f0136409dc9819caae289eef714e723e6edd0d247601f4baaa56d4c505aca1f5040a0463f44f051fd0bc72ff4634a36409434324ec

Download Submit
C:\Windows\SysWOW64\Kqqboncb.exe

Filesize
256KB

MD5
4bff815b3aab9698414d492e663e65f9

SHA1
b7902b41fa94957e63911c1cfe799afbf581ab34

SHA256
b738ad3b8c1a8b13f0359a30957b67140a01d007fd693090065906de4b490718

SHA512
1096657536f8311d68990f06155de3dfb2f0d028e3ccdca9a8f45119a6b181a9a836ae36c0c4d22eaa4319049f6d9fc0abbee6e307ec27d0a989c1d901a09357

Download Submit
C:\Windows\SysWOW64\Lbiqfied.exe

Filesize
256KB

MD5
24a2ea7269f9ce38511cc4d0b4dbd78e

SHA1
0eaa81e8947b8b7877518e9a6466ddd0bf977249

SHA256
cff4e3040010abe03e6c08ceae18979ee08149db3dcb57c53e759336a6c33940

SHA512
fcda5e4a676fbc6dcdacc16e17e88736f2f1ca7c6e9de26ece4e91f73111f869add0ac97580a331a0c81eda281d94555e7bb9a35f4fb882c8aa3c4c2ffe706f8

Download Submit
C:\Windows\SysWOW64\Lcfqkl32.exe

Filesize
256KB

MD5
0508395b78447ccc8fe22a909439ad1f

SHA1
5be716019d107760ee6f247a3639f3c67b85f327

SHA256
19f627eff1092bd35ad8ffa84d62d768eaf4d2085faa98fef2eb6655fa749422

SHA512
e6460a56ab3a71de2156a3ef7f3fbd2704167c1e73ac75d2d99f6396c07af360267354b59fcfcd2b53d019342470d3c435514187b1f239c5d947aaf11a07a0f3

Download Submit
C:\Windows\SysWOW64\Leljop32.exe

Filesize
256KB

MD5
560673cb802bdb4cf971724eb7c51147

SHA1
9b42148b8d88f2b7d463640a1ffdd1b93bf3ad1f

SHA256
7549cc94af2a99e851ed76b386092d6728a021906097a4720c811547927baaa3

SHA512
44a58492ef49c0ca1fcd1d4c39912516e13610989ae84f8feedf90a0cd5d7e95575aad4d1f5a71f70455778a146b2b07a799bfaa4fcb69c860f946a13107d30f

Download Submit
C:\Windows\SysWOW64\Lfbpag32.exe

Filesize
256KB

MD5
d25dd221b34b405cb8e26e542e1effda

SHA1
64af549749bd0360d2eaa1e8383914de230aee76

SHA256
4447a3f19dd8024072542464b8bae389e0b043a1a40da3d419f032cea21272d7

SHA512
b21b6984202ee26a09b9d08640c2abdf1b2dd3cbb89e5637af618914639959b7efd2affb7dfca366904d51f70fd049c3593656d6d5a22a524cd48d0ac3f93b4f

Download Submit
C:\Windows\SysWOW64\Libicbma.exe

Filesize
256KB

MD5
d10912439e95a26e09e0dab99d7cf876

SHA1
f06b0ca52b594589418c7ac686871634002939a0

SHA256
ed3f60a1f859346346db00cae1f03a19429c5820f82e55c8ec386593c101a2aa

SHA512
08f3d1d868e52ae5a6143780f4690097c89409a54e1121fbb54afc5cfc26f6ce5859bd4adea346e0eea5e5b29d95176437b674705d492182535f4c3edb79eaa6

Download Submit
C:\Windows\SysWOW64\Liplnc32.exe

Filesize
256KB

MD5
4e2420e89ff5e9826f0c10fc33fcdcfe

SHA1
f07fda45486401ae2769a18eb2d20a4a38e4ebf9

SHA256
e801a15937bf4451b64ee8f6fa994120d21def6d2dd0564bf1326b44cc648522

SHA512
235922fbccc2a59c7dc6938d52b29fafdb0448b6702f657302afd7996747c77bd6b87d29eac631db2badd0ef405a5b9fa6fce7700fe9dbe2957b2a7994aef462

Download Submit
C:\Windows\SysWOW64\Lmikibio.exe

Filesize
256KB

MD5
3001d23b22ef8697d97d60b5fef03738

SHA1
7cc76356f862f34a193bb9b8b4699b49363da6f5

SHA256
40efa4d8dded101ab80c46439d9f3c0a80305b047b1c64a4e198d708d4922606

SHA512
b48dd089e36e923c95927e64bbe4ea777c17185a7ae60d00090c246345ed0506d803f9842e8755972134dc6d10dcb8452e2c098b8d5ce430c29713bb76b74976

Download Submit
C:\Windows\SysWOW64\Lndohedg.exe

Filesize
256KB

MD5
12b1a7dd91069fd739696311e5b62b1b

SHA1
1e8a1decf69c2d5cfe0e365e50903b3cda4a6d91

SHA256
979509628df345b42cc95ea629a9e19cb5346f2ec10d760807711791b80fd815

SHA512
136d097a6a04238b7cfdd1698c7d946495bb758d9b347d6d0429b61b080e2c4125f51f846b986e590ea393cf10db88ab327d4d2c3bb61df37a6855c4e5312359

Download Submit
C:\Windows\SysWOW64\Lphhenhc.exe

Filesize
256KB

MD5
b9bbb2c5c6cb5be5a36e446a73a480d2

SHA1
9fa71684dde9277d64a20e44b828c9dd2682b5a4

SHA256
ffa864915b97598db376dcd42177e83c863848ddb54bce3444d90ce2a1ad9607

SHA512
9e4f3c6d0b85f338f5937020427ffa312604941452ee8bdb9f47c83979f9f18403896947f75f9531e2d5d826776dfc11e99328aa3b7e1872a98861aba2bbc541

Download Submit
C:\Windows\SysWOW64\Mabgcd32.exe

Filesize
256KB

MD5
5a03cfab944abcf580aa47a61d94584d

SHA1
7ba83ee2f77e34b524d78e6ae11be7ef8f97fbe5

SHA256
b7b36cd6361aa0ae1d61630892a8b715cf25b7fd9cf5c277ea0065fbe8c0f862

SHA512
4f642871016aa97f96a2bb93a43d9dce3dd65c5fa3ee25280614fe0550a320a6930678ccaa99edbb9ece16496cfd6e19f515ea747a3c818b11c77f5c7d14b473

Download Submit
C:\Windows\SysWOW64\Maedhd32.exe

Filesize
256KB

MD5
fe584f86228dee109c1027672f077d99

SHA1
b981ef018b71925d762bda108157fdefdf424ff3

SHA256
d3e65671f192c9c16b0ee1ae7fa1a37bb30011e232a23bd3e56a6596a49278b9

SHA512
699d98970ed410b093c1fcda626b7481b2054da5ac22af9d82fb3ea944cbf04676ad9e247cab098c99649099f6f1f7b519f004dccc35063d27c446fa715ede02

Download Submit
C:\Windows\SysWOW64\Magqncba.exe

Filesize
256KB

MD5
ec3bf284830b32c37f6e5aa96aab6380

SHA1
0703e706e28f2c47e11557e79d539a31fbeef19f

SHA256
c29c2698534fe2f530e6bc33ad3297b58d65b6f7d0278f30ce829aabda62fa28

SHA512
c3521e885ebbef0b0a5e19fb56e29f289d554109632200d9dc0853f981a4cb106937849f4f13c21eeae0959af9969cba2e9b8e67509b92360b36aabb204e8a88

Download Submit
C:\Windows\SysWOW64\Mapjmehi.exe

Filesize
256KB

MD5
1c481206a33ba84cacaad0ba3b24d000

SHA1
9853d5ed54e5372e7163066913c8365adebd9185

SHA256
7cc4f79f26410a0d8264a2e9df1f9815ea2e044d183fa1f18424d1b8925d590a

SHA512
23548495c593c1b5041fbbb28918d5ed620c54b3f95a8cae81b2759abf9c2da17b0e81dcbcaea222aaca5f14d127ac1d1834b8f63077d09805a09a8b206f030c

Download Submit
C:\Windows\SysWOW64\Mdcpdp32.exe

Filesize
256KB

MD5
9b35479429d18a46b891e96055285c1f

SHA1
03ebf3c87afcabfefd18f69fcdba5f7e717ffe4e

SHA256
daf65e6624a8c279a77ef8354c95a93ccccdf5643504f2cd5317e647f1b297f9

SHA512
9c1403d7d5af8a67c621fac34e56108c6edbf02a04ef5318b61cba19b8afa4fda98d7fc5a16d318117458a25738b2d38ab56b02c106dd60a4e1b47ade470119b

Download Submit
C:\Windows\SysWOW64\Mencccop.exe

Filesize
256KB

MD5
6fc9211c1658165ada124c036853fa1e

SHA1
f5ac0b5de15225462dfb699ac3d2f4b7c94d42a6

SHA256
7d20b586cedf86db6a07f2e07b60cc84ed51ecea7fc18aa6cea90dd4b0f49a35

SHA512
17b64d1e88fda365eb5f8efa46c0d6ec78f2d0ab7c3c9784810f1f15abae0f46c747407899409662edf8cd67801df38aaaddc65701b967e17c5d0ce375908f77

Download Submit
C:\Windows\SysWOW64\Mgalqkbk.exe

Filesize
256KB

MD5
5a31f9cc47d7371ba90840b82eb8a3ab

SHA1
230a0ce4566c58bfa613366e5ff2355440423ad6

SHA256
b5eff1fb50317fe3fff0e506c69c2b9846dd0e0df98e18c492d34f218ec35d73

SHA512
286ffd0c40209ce9f87a660ca199e5af9bf7bf85f288b4200c74ad91ec06f9e30d46ebe4a7653ab882d38a6d96105ac7e8419735b74a105edf2bbfe2088d70f9

Download Submit
C:\Windows\SysWOW64\Mhhfdo32.exe

Filesize
256KB

MD5
b33c780153d613518247a0e0a2fdcc81

SHA1
d46a25a6457e83689da2786794dc06f139ee721e

SHA256
98f381fe5290b6864faee51a2dc6959737a1d332840c849c0ee485163dfb03ba

SHA512
2892b55e5853f91500da9e468432254f8569cbb7fa454f7de9884a8cc2718ddf0d7415d810638b9854870c3889802a53ce2cb3ef5ffe309df98f6f44f3392b41

Download Submit
C:\Windows\SysWOW64\Mholen32.exe

Filesize
256KB

MD5
ae2efaa0e96d99c404ab49e86377bfff

SHA1
0581a7841a003a71d3ff4e4e6de5f22fad848dc2

SHA256
c30201653d1d59257a278fd3cc5f16e1d7d6539222d3ecc177f7f9e5ee18d560

SHA512
0e051de312db0121a3bab3e053b5432901ed04ad007d4bd92cff18e70798ddb755c58d680d6f8ba9792fc6d758f02c9ac9fda1c2e019ede7f5ae1627923eb4a9

Download Submit
C:\Windows\SysWOW64\Mieeibkn.exe

Filesize
256KB

MD5
9daed9d28b5d4b111f2c48eb3278ed5b

SHA1
2c011a41de02e48cb4712951d3e837ef46f1cea1

SHA256
e635f6e5a3cd1fa061af1843a760f4396b5ceb3e00d287b1196288c2a863d81f

SHA512
0c71eeb13d586c3555391a11290bd015f0aaf63094b0e7a9fa7e907004dc2828db5c29572d01c82785b8e219a25f576db21d893893ed61101f5d74d85ca37331

Download Submit
C:\Windows\SysWOW64\Migbnb32.exe

Filesize
256KB

MD5
e23e9ad2f09a35d5e5d7895ad08c5111

SHA1
4bac2094a7039eed3c1a858c870fdb100927aba7

SHA256
27e0e11ef2b60a9ada7ffd26ef902eecdf8b110569f1b3114ba0f52760fbfb52

SHA512
4e34ee264413b20b57dd4aac17aecbfd3b272739863ceecd6f2c0fbe6a461975c33910f273e55dbef01db77046bebde28df5d7aad48f78c07fa86289992540ce

Download Submit
C:\Windows\SysWOW64\Mkmhaj32.exe

Filesize
256KB

MD5
d5afff38ca6880d8f34bd6b44ea7f6df

SHA1
055ea432a795d8660b33c8015d9743cd0b8ce4a0

SHA256
ef60f3df5afd2d5118ec17e9b2194cfbc2c9094f4d970920d3a9a740c0d71779

SHA512
c0d9024dd090c4491967e048ca5ced5cf4084adeaff242c05bd5a0bc72f3ca3fddec3cd3cd3cb40a9fb61aa1e537258061920097edc2a8da77826713d39df8c9

Download Submit
C:\Windows\SysWOW64\Mlaeonld.exe

Filesize
256KB

MD5
8e455391fd1025bb86ba4ac82d5353a7

SHA1
ec0b918116fbac40f296d2939f191c881a625eb4

SHA256
af0a952133d0658e19a731ad8c796ea92af3a8c7e4b607ae64b3982e86f43973

SHA512
b8f75fc445418858df97ff4c9301fe473728f006a68d7e6012d8812376830b1c6e3edae520d5c57ce8f2554139ffcfec50e4b2f835c7ee43026250710ff9701b

Download Submit
C:\Windows\SysWOW64\Mlfojn32.exe

Filesize
256KB

MD5
d498806ba4d4524128a22f1ffefd77e7

SHA1
664c5f9fea9e893abc6d9dc2b8afb87ad50ec142

SHA256
3b464de524dbc80db7c52315b16dfef00b962ca074ff600352bc1b55dec4aa38

SHA512
158ff25449daf5d7fe4c518f723858c2c4ea849c9069eca7595431bfb5ff09c774fe398d9d6b23e4097ca67d985f9d959b8437ec306551c4105bcffbff6ddd7a

Download Submit
C:\Windows\SysWOW64\Mlhkpm32.exe

Filesize
256KB

MD5
c4d0ce6225d0be91e7986954a6724db6

SHA1
e553258644ffeaef616562b223606557ef1ebacd

SHA256
36c11d25918570dc2a03dad9282adfec636fa7de45d16eb6c96429aa2de44d7b

SHA512
2e166b214cb3d3dba6f81bede5e1a6b6db5c3a48fb6a32e28b9090215a5969339d85747229f7aebadef5926430d77a303ea77a7d68e0c2200c9b0dac914dda31

Download Submit
C:\Windows\SysWOW64\Mmneda32.exe

Filesize
256KB

MD5
825a2bdfb476ea73adcdaaafa8f8000e

SHA1
c96fe8742820fe1f82057901a42224e435fa3f7e

SHA256
3ba15c955e0a9ae8759b98b6e5b7044ecf6f6e3404b30c21075ac232be1fc65f

SHA512
5ac04597fe5884f91c80e37a400e3cbb72efb0b352d98c663363a996b778d82f588370f017f7a7172d2b009ed056d2e25a0371b6cdb20f063bd9afd2f6a8b3ec

Download Submit
C:\Windows\SysWOW64\Moanaiie.exe

Filesize
256KB

MD5
7ed232dc8fd9b160d8a48aafc0b52bb3

SHA1
1846081c44ef9790039215bb44cfc88084488f90

SHA256
f6bd235efa5dd616639b01f84b497e66fc2721330c382eae8affc62f4cbbe34a

SHA512
972036f6b8eaa772758a20f8eac24e914d797628dd8a800557f437331403f12dfe635c8025fc22c8a33b4c7749a11c4a06fdd2aa3b6a1f9ce7b1cebab66e5160

Download Submit
C:\Windows\SysWOW64\Modkfi32.exe

Filesize
256KB

MD5
51f5395414b2b32f5b044fc4b6c5f062

SHA1
f872740ea3c284d9bf7755313294c00300acec4e

SHA256
513e07fc9e5874a317c43d27fd93f075802b4c2444eb88b7ad4432177089bb5b

SHA512
25a1c8d33fdb31006431ababb59efc72b3bcbd85a3e0448df3669cace8720e3aa27c4200172420f0925925db96aa630338a4e7a6a3bfa47dfe8cb33a893f6ad1

Download Submit
C:\Windows\SysWOW64\Mofglh32.exe

Filesize
256KB

MD5
c7c056094a854917353be5ec6b3e1d25

SHA1
4d4e562a88c9797c75d311f8c2809ec51d5b9277

SHA256
6ec36f285003f2245691e85eb218a08e72e3c1cf56c89ef16d7992aa7fb15fb5

SHA512
fe3cef62c67e18938b6fb98521d424e2fb5c970972245aabf1ec5b14ce1b10a7fba0722db2bafa5f3cbb0df0f321da8a1e40e83a0130b2f32163ff21503ce02a

Download Submit
C:\Windows\SysWOW64\Moidahcn.exe

Filesize
256KB

MD5
e7fdb7700c814b1b09e03d0e0aa9bfbc

SHA1
74ce95bb44d3e63a67c4331491556cdeddba8025

SHA256
f85426d1ba4f98e59bed9861f5720687280b30e6a8076b37401929293c7dcdcf

SHA512
8812cb9bb1fc6dd83463e8e70b77fb03041b5ab75762a3897e5a54fd2ed297b2b7de38f764e6cfd1392dc36c31b2f20c6b1d79bdcca2a877aba548d13874150f

Download Submit
C:\Windows\SysWOW64\Mooaljkh.exe

Filesize
256KB

MD5
51a57f2bbc24539a65a9fe5c2539a830

SHA1
ffcd71353fa909383962a45883e8a6267ecaaf71

SHA256
26dd92944a911581eede37bb034edf6dad369e3a54d93a5ad3925f7ae9ee989f

SHA512
f3024230a54060250a210d078b5c80a1274d5f29f32a6e3974a071e5d39cf3d1d90fa065581a2805ae94529a63fa27362c0beac6c548296a663231cf6ac42af5

Download Submit
C:\Windows\SysWOW64\Naimccpo.exe

Filesize
256KB

MD5
17abc71ea20897f4bf2afc970dbb3f3b

SHA1
259b88967060852041d5cdb397e59f2f3fc007f2

SHA256
385e0bc56830b0b9bef92464b50ef2b7da8e34fab93e0ace110a2aad8f265a26

SHA512
a4e3413c7de667b923de38c915b4be26ccdebc4e1e6ea9e7ab570ee0956d746ec8780ee7248fe6e80b775482a1adb331b3457b60665eb7ac9aa0facbbd490807

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
256KB

MD5
5ff77e97811b1ee38080109f39b20880

SHA1
451b89f0c659544e9d47da6bafcdf42e28ea8797

SHA256
3e9a4b6021b8c6f5b5d80a437efa36b0cb0c7c90cc81e1152c089a61f69c533a

SHA512
b794f6e7089d648346bfc8eec6831036fbe0add7c2ef1fdfb0599a1cffc475930e2a62920a725a5ef171f59d383cd96f1178a77b8964fb176b5362f988d595ab

Download Submit
C:\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
256KB

MD5
9834de3af1dce1cdfa3fa66e0446e94a

SHA1
f7e5c08fccbfbf687f3e02730fd41cd14f02b4e9

SHA256
2ea8f5de0a6f83345ed8187e1d79389fdd01d68e8c6e4ea356a39e4c7a6889ab

SHA512
993f867e22864c0c58f173f1f81f8d90d7fa82fd4b699ae0ad0405997c7480edc0d9c82a00fe169e503d124ffd98c96779e5fbc5f827dcd2ffdddc6be426a4f4

Download Submit
C:\Windows\SysWOW64\Ndemjoae.exe

Filesize
256KB

MD5
a1b724a0fe9bb8a3ffe81ab4fca198b1

SHA1
1d5b94a7226c8faf1b03c88e1afd18bc3bda0320

SHA256
9462113a21d3b2eb716787b25fdb748de7b6d12d1eebfaf0e86e23ae1853ece7

SHA512
6dfce80c5c34d0c09b29e452b18b26d0d8ce0c40a1eec980b514da61761ca9854df69b2eb6473ce9a3cb9414a7c61deba927c0570e52be10780db37cb6aea7f9

Download Submit
C:\Windows\SysWOW64\Ndhipoob.exe

Filesize
256KB

MD5
39d42ba97f46197437b392b55c8df692

SHA1
c2363bb3b0a3a298f349e6b85d3f1a5b70e1f028

SHA256
d9c7732689d8fc472ead4b6f48eea1edc3aad81eb068e65e6321b2d46143cbb6

SHA512
f47278a0437fe03cab1b3dbc7ef1be7e986ba418ba2a7fcb0b3c684064a3a470b35ed4a8efec5341338d818f89d51aa75d32942c976d2085b30a38eae51d6a33

Download Submit
C:\Windows\SysWOW64\Ngdifkpi.exe

Filesize
256KB

MD5
8f3517aee64acb938b2488f1bf21aefd

SHA1
aac72ffb77caf778e5232dc1b21f32b06e9afc29

SHA256
511b183dc3a6c0b4fa4f9a008fec4dca6e058694e923ffac2018bd764b4f778a

SHA512
12e76b1ec64e15fba32b7607fb91e0e79d26ab534f8a7e3027587611deda31943513e5ef38445a67d579b40c6fa72528de6c4ad09f5678e4b9c4e7358f6d3fdf

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
256KB

MD5
9aab7dece0e406bd317d2dae5d59d2e3

SHA1
ab142a8cbc5e7b66f65f0c17e63fc04dfb12fb9d

SHA256
2f4d920a18cb7c0b2810e68536bfd025c685334397399c06c5e7f55ab20a9b5d

SHA512
1a24ced562ef8087ca7b4148b56d18ffb8f070a1171e11c0044737c734d5434065e41e9c81469f11b5b8107c108e41ad9c2c977df990c6c5d29c94b51b67ba3a

Download Submit
C:\Windows\SysWOW64\Nhllob32.exe

Filesize
256KB

MD5
c2f95ce52eef061491559354bcf4ec1d

SHA1
e9ba91ab7bf1e7a34c03f2a8dae08602ea88b533

SHA256
7b68ffae290cca45ee33b96c94a984a0d1f138c52437a08ae7b827b2574f060f

SHA512
937a424d5f422f6ee3d31c2a21138fb26fd3868d2231b917c8ec6b858f8d5a1d1643b06e66d9bc8e7507eca1a765527f7aa566a94fb095f2405166115de696f8

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
256KB

MD5
1d764e99a9d1e69dec74cd862930be64

SHA1
53571130a3302abd54258818764106846c017abd

SHA256
0adf65d61ffb237b967a441bb371164f45e397a52777f327b8c8ed35d90a5fea

SHA512
cc327ec710c09ee6905185674d3b8c89558112a0ce71ade650598d761d95ecc7e09b0a48af92a9d442da6b12dc67f5bfe6bc37d9604087f7c60b7a5526c1ca1f

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
256KB

MD5
cc55d873d7091073cb715b3081947184

SHA1
a44d358d17611be179c4e1559cf03c5f1c212a0f

SHA256
137a3838149e2e5c6bba103214505d65a82868b609e319008bd792c47e7c9909

SHA512
1db8ab13d36d6afc54e45b89b558b55db9eb7be2b65f671c5451055cacf46a405f212832987b8bb83bdcb65d8174b1f870b98f5acc76f26d7780f35768f96c79

Download Submit
C:\Windows\SysWOW64\Niikceid.exe

Filesize
256KB

MD5
fbd4f817276b33bcdb66908f86d6fc27

SHA1
de75d212543b423cf370c24d48f44cdfa6dea2dc

SHA256
a4776b214e5124722724b4e74e37d043810f995d1217e1b2d36f9b59ec104f9c

SHA512
3ff56141d939680503d01ebb7ea6a6b5495e7f3514654e0852af3c68b54f5f3910d1eb7bf6495c4404159b7efef10bfa494b54bea0f919535c05d1b72887f16b

Download Submit
C:\Windows\SysWOW64\Nkbalifo.exe

Filesize
256KB

MD5
32733dcc0677410f6dfee842a64c1bb0

SHA1
5608d635d206d767ccb046477e3115bb4c249388

SHA256
f4e741230c4f40d359156afbf97d43cfcb0f3bffe4f0ea28fe31ccc012735154

SHA512
503240ecf5333fe9d70e0de3d6b18fb88c6632db8e87c4e46d4db0285106d45ab1b538423155d797390fef42ab2c8ad5555e7417db20106063cc9cf7a337517d

Download Submit
C:\Windows\SysWOW64\Nkpegi32.exe

Filesize
256KB

MD5
78b3707fcbe8ed33239475107e9e99f4

SHA1
afb7f1ff915eeeb9ddb8edffb1a7b13eabe50bf3

SHA256
a6a610f32edf418bcc292798ee1f5c0dd152aa701e0170a034b4f54deab1a5b2

SHA512
bae09535285597167b1bfaf7120ea23196fab41aeecd5ac3e026d6e6708c343957a674d47868cd80d27558f4013dc001a528741102004c4ab42d150295d41b4a

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
256KB

MD5
9ff49269a29eba7f13179235db436fab

SHA1
b3135e71f483570b5f83f8dc201dadaf62d5fd57

SHA256
cbdce4b87e298aa514b6da35b54d65cb89efe60f22b97770ed7a8b826be9d077

SHA512
b09db225a87c3a4f5fcb2c5069aa8f2af24cd2472c669d984532d286671787cf39701a9e2efeabcfd193cc3e6b3a93db73505d98bff4dca30f7cd7c056313ddb

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
256KB

MD5
a30c49c57d91809ab1bbba9c88fa3008

SHA1
855d7ffaf5f60680ce38a5355442c4149cdbe43e

SHA256
fee517aee22b53659f811d722d683dc2035d666f8beb5124b7d702f04ab07294

SHA512
a846428e15b6986d7694898e452713d06ce53e2fd59858078432e040180eb2fb469cb181fd876b17997164c43ce3c664dc957796f979cac9067c16cee3ad79f1

Download Submit
C:\Windows\SysWOW64\Nmbknddp.exe

Filesize
256KB

MD5
1cc406d6fc87368e97efbf5fde2b1eb3

SHA1
e0ead6604cbe49b64a99057ad3b81128a2a45e52

SHA256
905b4df8565494b3e95fe6cc2483eaeb6385013905b96e824d00ab7ecdd33ec6

SHA512
053118d3d5c4351d025749cec45968a62f4a3d1a2eb1bae854cbfa6661ae3d5e49f7ff9e0d525db868fa6eae99c2c9534f7b53073686cdc7d9aac98eafc48458

Download Submit
C:\Windows\SysWOW64\Nmnace32.exe

Filesize
256KB

MD5
a8f70ce30dad1782677fb5bdc7388587

SHA1
032905c3b13c163ae87ef50b7b11a60d0ae944b0

SHA256
ee2fa1c1a8e44261d3971fac66fc16b377da46bfa2832fee9f43f50adc39ccd6

SHA512
671eb22eaed5fdbfe2fb1286a3bd260e3d651e5f3007968fd15a646c710cb6c20a8447707f84a0f01fb3c7f28005c8533f0c41d50907aefdf8ffbc9a1829b1be

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
256KB

MD5
37b508b073d3659ad93a9e85cb65f1b1

SHA1
8bd4cec3d0df2fbd5106e0b1db4cb409ab618761

SHA256
22868af3d4f1821a1cd978dabe0139c1f535422881fd32a26906294405f70e19

SHA512
d589fbe342114912639f382f4daf16445dac071cc7cafa455f31a7430dd77e191af3fb8b9f6a079df3992a8e42d5a1208c7a9f288ace9efbdafd720e67670739

Download Submit
C:\Windows\SysWOW64\Npagjpcd.exe

Filesize
256KB

MD5
d8d0f85e915af983964498c519425fd7

SHA1
d4cdf4f7f635793a1cca206c101c31ebc67b78d7

SHA256
c447feb8bcd361f2aef3b39f7104da61e06bb14ee12f65f866a923618baf68c5

SHA512
2d9c65842c2c0b1ab4c96ae6aa2d5510b3d1e0a9d9e7f6cf2bd866b1e79f2d028f030f3145566c32b7886a402907ec2658187041234db83f59d3f299156d8a0b

Download Submit
\Windows\SysWOW64\Jcjdpj32.exe

Filesize
256KB

MD5
04492e0bb48c7a8da12e8841b5575184

SHA1
948e78b8ebd825e56d6793a6875540afb20399f2

SHA256
f087f2425881b7d1339f9535e641b739a5700011bbb54cca0ccd5e6593fc2a4a

SHA512
3abd73badb19fa776d20e291519e14e00973c37cf1aa89f0bc1aec2e3953441d550e8093aedf6692e564f07f7cf0916399141c5481f048abf76306df91c44f55

Download Submit
\Windows\SysWOW64\Kebgia32.exe

Filesize
256KB

MD5
1e3d536f89dacfe5dd27ad0d28ee30ef

SHA1
3bdec7742db25903b7ead40a91214783b68ca0ce

SHA256
db2e22a4c0607faf5d6b13583f00eaae6f13a029351b3adbb9944517c611550d

SHA512
85f7bfe5aade94728c2964f11fa5f0a232d34451354047437d05542b6217f1bf9e05bbd27302568639719cb52439f7e1b850cf1852de4ad0361e169d7304b010

Download Submit
\Windows\SysWOW64\Kgcpjmcb.exe

Filesize
256KB

MD5
66df73cd39634a529527ddd9d6cbec37

SHA1
6419cbfeb7d81a34c06ab2ab2444667a30c5f1e5

SHA256
7250a228ffd07c6d36a0ea98ba790fbad8c889be1657e5ce6d30f6ad2fb0f63e

SHA512
4fda76aa3165cb5da9592c8112c10c8a2ea3e44d3a814cbd150ca523a462f1683f14161bfdeb4ffd31df71bbb5e282347f51963b3135010195b950f0de80e9a3

Download Submit
\Windows\SysWOW64\Kjfjbdle.exe

Filesize
256KB

MD5
c7f221da80301c8ae687c5d4b6f14961

SHA1
e4a753dcb70570258e4b4e935cd1e9070991c2b1

SHA256
a32b9264b279e5dfbad0e0f3273cd841022370d7de0a319dd2f1cf0fe759e39e

SHA512
3524b708a5516dbaefb112597cdf70ae32d1347d7ac560eac961e48b8176b8a3363a1d5bd9cf5082f259c92d6db85239728c874abd69cd83d576036f7a1c12a2

Download Submit
\Windows\SysWOW64\Kjifhc32.exe

Filesize
256KB

MD5
f751542d237a8a13ae418a72c8b57b32

SHA1
fd61c46c7e8b9616af06e22d3eafb70a493037ec

SHA256
76b71378f122901c798d12d8d9999b8a205894d554e783afa3f9c3d6caa5a32e

SHA512
d7aeae53a959fce9f137bfd7902444098ddde43c6a8a079c2a38e19ccb89bc674ee9c89446f6e079c45e0effc099cdd4e62b09d0dcac746d47cd8eabf6da6964

Download Submit
\Windows\SysWOW64\Kkaiqk32.exe

Filesize
256KB

MD5
926289d1ab675cf42df8cfcd4f56137c

SHA1
36b8e3050fa2ab19e580f59ca9bbc1642244b2a3

SHA256
9a3105c6056cb4ac7f6c1882ceeb4f8664c25e31f061f5538f0bbdb07b2ca37d

SHA512
7e990e5702327c70dd1bcdf5c3bdb372a7b37db6c450b994a41ee6568718e1d16df338852a3eb40c1a252ae91080b4395e514ffc575c0dfc81d1b78b5b552987

Download Submit
\Windows\SysWOW64\Kofopj32.exe

Filesize
256KB

MD5
c0746507ce903e253e511bfdb0e21298

SHA1
57cd50c8c7575163128898decdd4e79fb91687a9

SHA256
19b335ce823e9353deee1b7e0dbaef802e03d36140e9011ea4685ef31ac74453

SHA512
ffbea0af0fd3deea4c0418715518b88e2b185b04dc9ef3c7fac07eb44b81ff3d4376203ed5543a95c558153befda86eb7ed351fcfabf0bf59a2b996781602180

Download Submit
\Windows\SysWOW64\Leimip32.exe

Filesize
256KB

MD5
1af49b08e2721f6d2ac1bc534373de9a

SHA1
96fc8b0fa9f7dfe1c5ea7c1b55e3d000eb19d44e

SHA256
d4a8abced6346fd56df3cc4867985a446ef6905873a62de29212314233303317

SHA512
fd2445f8244325da9dff7ed7a21118b1175314b1ac3630dee8207f84d3a8bf277bbc263c47498daad03d4484e1a9051255b64480bda885289cc0151e37d4a34f

Download Submit
\Windows\SysWOW64\Lgjfkk32.exe

Filesize
256KB

MD5
8635155ee898870ecde3aec1328228d4

SHA1
cbc26454ca42e17aaf5ebd563c225d49a488d391

SHA256
b379f3936169f629b728dfdc9b7282e28a7c638f8e0ab718ad2fa6452facae2e

SHA512
a941bbec22ed731c77c289e54f2ba2da3ff63b85f3089faeb33e191a1774eaae066026d032d8f83c705f1b2bd579664e7112ee47dea247007a264ea8205ba58c

Download Submit
\Windows\SysWOW64\Lnbbbffj.exe

Filesize
256KB

MD5
0f16ebf797ac9810220beeed3b56b612

SHA1
4353f015566377aaf9feb2b6269b551c7db1c018

SHA256
08195526c6e7a05b81731adb1dd43753ee72803821c3556163a399d89c3914ec

SHA512
b1316d58314fc92ab7839926d16d635e3e9f18d8baaa60ed7ca6099b09ca2faa647b7b8d529764e45be20b6ffe857608ad0479c4ca3daff031d346aaaa6c64ba

Download Submit
memory/704-127-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/704-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/704-118-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/720-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/720-319-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/796-208-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/796-255-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/796-253-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/796-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1340-378-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1728-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1728-242-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1728-192-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1728-185-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1728-177-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1788-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1788-297-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1788-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1788-330-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1824-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1832-339-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1832-308-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1832-345-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1860-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-55-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/1860-53-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-13-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/1860-18-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/1936-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-361-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-331-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1992-225-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1992-210-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-224-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2036-223-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2036-218-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-278-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2152-276-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-236-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2156-277-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2156-306-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-312-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2240-341-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2240-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-301-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2352-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-262-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2352-267-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2376-282-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-323-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2376-289-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2428-288-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2428-254-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2428-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-198-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2560-146-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2560-147-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2560-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-191-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2564-86-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2564-94-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2564-101-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2564-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-390-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-158-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2600-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2608-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2608-34-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2608-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2608-85-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2656-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-363-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2660-69-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2660-117-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2660-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-63-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2664-83-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2664-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2664-132-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2772-388-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2772-384-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2772-352-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2772-356-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2848-377-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2848-367-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2880-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-93-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-52-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2904-100-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads