berbew | 268d08486c77ed09da6ecdfd7f150b223bb2883e85ed16c09c1a03a9d7cd5a71

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

268d08486c77ed09da6ecdfd7f150b223bb2883e85ed16c09c1a03a9d7cd5a71N.exe
Size

93KB
MD5

46b8a87949209d12a08837b414545be0
SHA1

fdf92f01f488a8cf11feca5add745904a5c9d47c
SHA256

268d08486c77ed09da6ecdfd7f150b223bb2883e85ed16c09c1a03a9d7cd5a71
SHA512

f98190ec659b7649b45fda4f228fb246212e6bf33361fb16b8e5ed55ee3e16e39c5f982e23ed1072bc4c362426d2d35ca141d80dacb6114568aa377a92e67496
SSDEEP

1536:b58hplaR894xQQBP99b+G/MRA4w1DaYfMZRWuLsV+1L:l8T9avLSA4wgYfc0DV+1L

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcakaipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfpclh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moidahcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mabgcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	268d08486c77ed09da6ecdfd7f150b223bb2883e85ed16c09c1a03a9d7cd5a71N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmebnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljkomfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kohkfj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjbjopf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lclnemgd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lndohedg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfiale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlekia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbiqfied.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kohkfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfbcbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljffag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lndohedg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kocbkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljkomfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcfqkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndjfeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgjfkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Libicbma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migbnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mabgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maedhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocbkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmjgeaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kincipnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nenobfak.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbkameaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leljop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbfdaigg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljmlbfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnpinc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbfdaigg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mponel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kincipnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgjfkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfmjgeaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkaiqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lapnnafn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 59 IoCs

pid	Process
2272	Jcjdpj32.exe
2640	Jfiale32.exe
2536	Jnpinc32.exe
2472	Jghmfhmb.exe
2480	Kocbkk32.exe
2996	Kfmjgeaj.exe
572	Kmgbdo32.exe
2684	Kcakaipc.exe
2780	Kincipnk.exe
2664	Kohkfj32.exe
2324	Kfbcbd32.exe
1984	Kgcpjmcb.exe
2872	Kpjhkjde.exe
2964	Kaldcb32.exe
3028	Kkaiqk32.exe
1588	Kbkameaf.exe
2264	Lclnemgd.exe
3012	Ljffag32.exe
2364	Lmebnb32.exe
2268	Lapnnafn.exe
1356	Leljop32.exe
1568	Lgjfkk32.exe
2128	Lndohedg.exe
744	Lpekon32.exe
1500	Lfpclh32.exe
2068	Ljkomfjl.exe
2612	Lbfdaigg.exe
2636	Ljmlbfhi.exe
1524	Lcfqkl32.exe
1744	Lbiqfied.exe
2412	Libicbma.exe
2992	Mlaeonld.exe
1932	Mooaljkh.exe
1740	Meijhc32.exe
556	Mieeibkn.exe
2772	Mponel32.exe
1676	Migbnb32.exe
2168	Mhjbjopf.exe
1656	Mabgcd32.exe
2760	Mhloponc.exe
1876	Maedhd32.exe
3004	Mdcpdp32.exe
2776	Mholen32.exe
2900	Moidahcn.exe
2352	Ngdifkpi.exe
1508	Nibebfpl.exe
2288	Nplmop32.exe
1696	Nckjkl32.exe
2500	Niebhf32.exe
1976	Nlcnda32.exe
3052	Ndjfeo32.exe
2528	Ngibaj32.exe
2884	Nekbmgcn.exe
1496	Nmbknddp.exe
2452	Nlekia32.exe
2448	Nodgel32.exe
476	Ncpcfkbg.exe
1044	Nenobfak.exe
2836	Nlhgoqhh.exe

Loads dropped DLL 64 IoCs

pid	Process
2960	268d08486c77ed09da6ecdfd7f150b223bb2883e85ed16c09c1a03a9d7cd5a71N.exe
2960	268d08486c77ed09da6ecdfd7f150b223bb2883e85ed16c09c1a03a9d7cd5a71N.exe
2272	Jcjdpj32.exe
2272	Jcjdpj32.exe
2640	Jfiale32.exe
2640	Jfiale32.exe
2536	Jnpinc32.exe
2536	Jnpinc32.exe
2472	Jghmfhmb.exe
2472	Jghmfhmb.exe
2480	Kocbkk32.exe
2480	Kocbkk32.exe
2996	Kfmjgeaj.exe
2996	Kfmjgeaj.exe
572	Kmgbdo32.exe
572	Kmgbdo32.exe
2684	Kcakaipc.exe
2684	Kcakaipc.exe
2780	Kincipnk.exe
2780	Kincipnk.exe
2664	Kohkfj32.exe
2664	Kohkfj32.exe
2324	Kfbcbd32.exe
2324	Kfbcbd32.exe
1984	Kgcpjmcb.exe
1984	Kgcpjmcb.exe
2872	Kpjhkjde.exe
2872	Kpjhkjde.exe
2964	Kaldcb32.exe
2964	Kaldcb32.exe
3028	Kkaiqk32.exe
3028	Kkaiqk32.exe
1588	Kbkameaf.exe
1588	Kbkameaf.exe
2264	Lclnemgd.exe
2264	Lclnemgd.exe
3012	Ljffag32.exe
3012	Ljffag32.exe
2364	Lmebnb32.exe
2364	Lmebnb32.exe
2268	Lapnnafn.exe
2268	Lapnnafn.exe
1356	Leljop32.exe
1356	Leljop32.exe
1568	Lgjfkk32.exe
1568	Lgjfkk32.exe
2128	Lndohedg.exe
2128	Lndohedg.exe
744	Lpekon32.exe
744	Lpekon32.exe
1500	Lfpclh32.exe
1500	Lfpclh32.exe
2068	Ljkomfjl.exe
2068	Ljkomfjl.exe
2612	Lbfdaigg.exe
2612	Lbfdaigg.exe
2636	Ljmlbfhi.exe
2636	Ljmlbfhi.exe
1524	Lcfqkl32.exe
1524	Lcfqkl32.exe
1744	Lbiqfied.exe
1744	Lbiqfied.exe
2412	Libicbma.exe
2412	Libicbma.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bohnbn32.dll	Kpjhkjde.exe
File created	C:\Windows\SysWOW64\Gabqfggi.dll	Lndohedg.exe
File opened for modification	C:\Windows\SysWOW64\Ncpcfkbg.exe	Nodgel32.exe
File opened for modification	C:\Windows\SysWOW64\Niebhf32.exe	Nckjkl32.exe
File opened for modification	C:\Windows\SysWOW64\Nmbknddp.exe	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Ncpcfkbg.exe	Nodgel32.exe
File opened for modification	C:\Windows\SysWOW64\Jnpinc32.exe	Jfiale32.exe
File created	C:\Windows\SysWOW64\Bipikqbi.dll	Jnpinc32.exe
File created	C:\Windows\SysWOW64\Negoebdd.dll	Ljmlbfhi.exe
File created	C:\Windows\SysWOW64\Kpjhkjde.exe	Kgcpjmcb.exe
File created	C:\Windows\SysWOW64\Lpekon32.exe	Lndohedg.exe
File created	C:\Windows\SysWOW64\Ogikcfnb.dll	Lfpclh32.exe
File created	C:\Windows\SysWOW64\Lbfdaigg.exe	Ljkomfjl.exe
File opened for modification	C:\Windows\SysWOW64\Mdcpdp32.exe	Maedhd32.exe
File created	C:\Windows\SysWOW64\Khpnecca.dll	268d08486c77ed09da6ecdfd7f150b223bb2883e85ed16c09c1a03a9d7cd5a71N.exe
File created	C:\Windows\SysWOW64\Kincipnk.exe	Kcakaipc.exe
File opened for modification	C:\Windows\SysWOW64\Kgcpjmcb.exe	Kfbcbd32.exe
File created	C:\Windows\SysWOW64\Mjkacaml.dll	Mholen32.exe
File created	C:\Windows\SysWOW64\Mhdffl32.dll	Jfiale32.exe
File created	C:\Windows\SysWOW64\Giegfm32.dll	Kocbkk32.exe
File opened for modification	C:\Windows\SysWOW64\Mholen32.exe	Mdcpdp32.exe
File created	C:\Windows\SysWOW64\Kkaiqk32.exe	Kaldcb32.exe
File created	C:\Windows\SysWOW64\Nmbknddp.exe	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Kcacch32.dll	Kfmjgeaj.exe
File created	C:\Windows\SysWOW64\Mooaljkh.exe	Mlaeonld.exe
File created	C:\Windows\SysWOW64\Mieeibkn.exe	Meijhc32.exe
File created	C:\Windows\SysWOW64\Ancjqghh.dll	Kgcpjmcb.exe
File created	C:\Windows\SysWOW64\Mhjbjopf.exe	Migbnb32.exe
File created	C:\Windows\SysWOW64\Mholen32.exe	Mdcpdp32.exe
File opened for modification	C:\Windows\SysWOW64\Nenobfak.exe	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Ciopcmhp.dll	Jghmfhmb.exe
File opened for modification	C:\Windows\SysWOW64\Kcakaipc.exe	Kmgbdo32.exe
File created	C:\Windows\SysWOW64\Kohkfj32.exe	Kincipnk.exe
File created	C:\Windows\SysWOW64\Mhloponc.exe	Mabgcd32.exe
File created	C:\Windows\SysWOW64\Kfmjgeaj.exe	Kocbkk32.exe
File created	C:\Windows\SysWOW64\Ogbknfbl.dll	Kohkfj32.exe
File created	C:\Windows\SysWOW64\Ljffag32.exe	Lclnemgd.exe
File created	C:\Windows\SysWOW64\Jfiale32.exe	Jcjdpj32.exe
File created	C:\Windows\SysWOW64\Kbkameaf.exe	Kkaiqk32.exe
File opened for modification	C:\Windows\SysWOW64\Lbfdaigg.exe	Ljkomfjl.exe
File opened for modification	C:\Windows\SysWOW64\Ljkomfjl.exe	Lfpclh32.exe
File created	C:\Windows\SysWOW64\Fjngcolf.dll	Lbfdaigg.exe
File created	C:\Windows\SysWOW64\Daifmohp.dll	Mooaljkh.exe
File created	C:\Windows\SysWOW64\Mabgcd32.exe	Mhjbjopf.exe
File opened for modification	C:\Windows\SysWOW64\Moidahcn.exe	Mholen32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjhkjde.exe	Kgcpjmcb.exe
File opened for modification	C:\Windows\SysWOW64\Lmebnb32.exe	Ljffag32.exe
File opened for modification	C:\Windows\SysWOW64\Lapnnafn.exe	Lmebnb32.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Ndjfeo32.exe
File opened for modification	C:\Windows\SysWOW64\Ljmlbfhi.exe	Lbfdaigg.exe
File opened for modification	C:\Windows\SysWOW64\Maedhd32.exe	Mhloponc.exe
File created	C:\Windows\SysWOW64\Ngibaj32.exe	Ndjfeo32.exe
File created	C:\Windows\SysWOW64\Nekbmgcn.exe	Ngibaj32.exe
File opened for modification	C:\Windows\SysWOW64\Mlaeonld.exe	Libicbma.exe
File created	C:\Windows\SysWOW64\Pecomlgc.dll	Libicbma.exe
File created	C:\Windows\SysWOW64\Nibebfpl.exe	Ngdifkpi.exe
File created	C:\Windows\SysWOW64\Lndohedg.exe	Lgjfkk32.exe
File opened for modification	C:\Windows\SysWOW64\Mponel32.exe	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Phmkjbfe.dll	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Cnjgia32.dll	Nlekia32.exe
File opened for modification	C:\Windows\SysWOW64\Jfiale32.exe	Jcjdpj32.exe
File opened for modification	C:\Windows\SysWOW64\Kbkameaf.exe	Kkaiqk32.exe
File created	C:\Windows\SysWOW64\Lgjfkk32.exe	Leljop32.exe
File created	C:\Windows\SysWOW64\Moidahcn.exe	Mholen32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
840	2836	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljffag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libicbma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmebnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpekon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndjfeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nekbmgcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlekia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lclnemgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljkomfjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mabgcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplmop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckjkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnpinc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kincipnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcakaipc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcfqkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mooaljkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcjdpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfiale32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lapnnafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhjbjopf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdifkpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nibebfpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngibaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nenobfak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocbkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaldcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkaiqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlaeonld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migbnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mholen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moidahcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	268d08486c77ed09da6ecdfd7f150b223bb2883e85ed16c09c1a03a9d7cd5a71N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jghmfhmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meijhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbknddp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfbcbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdcpdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbkameaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mieeibkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgjfkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmgbdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjhkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmjgeaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljmlbfhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lndohedg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhloponc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbfdaigg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mponel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maedhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kohkfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leljop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfpclh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcpjmcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbiqfied.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	268d08486c77ed09da6ecdfd7f150b223bb2883e85ed16c09c1a03a9d7cd5a71N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giegfm32.dll"	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llcohjcg.dll"	Mhjbjopf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgjfkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfmjgeaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kincipnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lapnnafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeaceffc.dll"	Maedhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	268d08486c77ed09da6ecdfd7f150b223bb2883e85ed16c09c1a03a9d7cd5a71N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kocbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poceplpj.dll"	Lcfqkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngoohnkj.dll"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopcmhp.dll"	Jghmfhmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfbcbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjngcolf.dll"	Lbfdaigg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjkacaml.dll"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nenobfak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jghmfhmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeieqod.dll"	Kaldcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjclpeak.dll"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opdnhdpo.dll"	Lgjfkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacgbnfl.dll"	Ljkomfjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mabgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndjfeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabqfggi.dll"	Lndohedg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljffag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lndohedg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipikqbi.dll"	Jnpinc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgbdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkaiqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbiqfied.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll"	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfbcbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bohnbn32.dll"	Kpjhkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negoebdd.dll"	Ljmlbfhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migbnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nenobfak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbkameaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effqclic.dll"	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljmlbfhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Macalohk.dll"	Mhloponc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdlmi32.dll"	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leljop32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2272	2960	268d08486c77ed09da6ecdfd7f150b223bb2883e85ed16c09c1a03a9d7cd5a71N.exe	28
PID 2960 wrote to memory of 2272	2960	268d08486c77ed09da6ecdfd7f150b223bb2883e85ed16c09c1a03a9d7cd5a71N.exe	28
PID 2960 wrote to memory of 2272	2960	268d08486c77ed09da6ecdfd7f150b223bb2883e85ed16c09c1a03a9d7cd5a71N.exe	28
PID 2960 wrote to memory of 2272	2960	268d08486c77ed09da6ecdfd7f150b223bb2883e85ed16c09c1a03a9d7cd5a71N.exe	28
PID 2272 wrote to memory of 2640	2272	Jcjdpj32.exe	29
PID 2272 wrote to memory of 2640	2272	Jcjdpj32.exe	29
PID 2272 wrote to memory of 2640	2272	Jcjdpj32.exe	29
PID 2272 wrote to memory of 2640	2272	Jcjdpj32.exe	29
PID 2640 wrote to memory of 2536	2640	Jfiale32.exe	30
PID 2640 wrote to memory of 2536	2640	Jfiale32.exe	30
PID 2640 wrote to memory of 2536	2640	Jfiale32.exe	30
PID 2640 wrote to memory of 2536	2640	Jfiale32.exe	30
PID 2536 wrote to memory of 2472	2536	Jnpinc32.exe	31
PID 2536 wrote to memory of 2472	2536	Jnpinc32.exe	31
PID 2536 wrote to memory of 2472	2536	Jnpinc32.exe	31
PID 2536 wrote to memory of 2472	2536	Jnpinc32.exe	31
PID 2472 wrote to memory of 2480	2472	Jghmfhmb.exe	32
PID 2472 wrote to memory of 2480	2472	Jghmfhmb.exe	32
PID 2472 wrote to memory of 2480	2472	Jghmfhmb.exe	32
PID 2472 wrote to memory of 2480	2472	Jghmfhmb.exe	32
PID 2480 wrote to memory of 2996	2480	Kocbkk32.exe	33
PID 2480 wrote to memory of 2996	2480	Kocbkk32.exe	33
PID 2480 wrote to memory of 2996	2480	Kocbkk32.exe	33
PID 2480 wrote to memory of 2996	2480	Kocbkk32.exe	33
PID 2996 wrote to memory of 572	2996	Kfmjgeaj.exe	34
PID 2996 wrote to memory of 572	2996	Kfmjgeaj.exe	34
PID 2996 wrote to memory of 572	2996	Kfmjgeaj.exe	34
PID 2996 wrote to memory of 572	2996	Kfmjgeaj.exe	34
PID 572 wrote to memory of 2684	572	Kmgbdo32.exe	35
PID 572 wrote to memory of 2684	572	Kmgbdo32.exe	35
PID 572 wrote to memory of 2684	572	Kmgbdo32.exe	35
PID 572 wrote to memory of 2684	572	Kmgbdo32.exe	35
PID 2684 wrote to memory of 2780	2684	Kcakaipc.exe	36
PID 2684 wrote to memory of 2780	2684	Kcakaipc.exe	36
PID 2684 wrote to memory of 2780	2684	Kcakaipc.exe	36
PID 2684 wrote to memory of 2780	2684	Kcakaipc.exe	36
PID 2780 wrote to memory of 2664	2780	Kincipnk.exe	37
PID 2780 wrote to memory of 2664	2780	Kincipnk.exe	37
PID 2780 wrote to memory of 2664	2780	Kincipnk.exe	37
PID 2780 wrote to memory of 2664	2780	Kincipnk.exe	37
PID 2664 wrote to memory of 2324	2664	Kohkfj32.exe	38
PID 2664 wrote to memory of 2324	2664	Kohkfj32.exe	38
PID 2664 wrote to memory of 2324	2664	Kohkfj32.exe	38
PID 2664 wrote to memory of 2324	2664	Kohkfj32.exe	38
PID 2324 wrote to memory of 1984	2324	Kfbcbd32.exe	39
PID 2324 wrote to memory of 1984	2324	Kfbcbd32.exe	39
PID 2324 wrote to memory of 1984	2324	Kfbcbd32.exe	39
PID 2324 wrote to memory of 1984	2324	Kfbcbd32.exe	39
PID 1984 wrote to memory of 2872	1984	Kgcpjmcb.exe	40
PID 1984 wrote to memory of 2872	1984	Kgcpjmcb.exe	40
PID 1984 wrote to memory of 2872	1984	Kgcpjmcb.exe	40
PID 1984 wrote to memory of 2872	1984	Kgcpjmcb.exe	40
PID 2872 wrote to memory of 2964	2872	Kpjhkjde.exe	41
PID 2872 wrote to memory of 2964	2872	Kpjhkjde.exe	41
PID 2872 wrote to memory of 2964	2872	Kpjhkjde.exe	41
PID 2872 wrote to memory of 2964	2872	Kpjhkjde.exe	41
PID 2964 wrote to memory of 3028	2964	Kaldcb32.exe	42
PID 2964 wrote to memory of 3028	2964	Kaldcb32.exe	42
PID 2964 wrote to memory of 3028	2964	Kaldcb32.exe	42
PID 2964 wrote to memory of 3028	2964	Kaldcb32.exe	42
PID 3028 wrote to memory of 1588	3028	Kkaiqk32.exe	43
PID 3028 wrote to memory of 1588	3028	Kkaiqk32.exe	43
PID 3028 wrote to memory of 1588	3028	Kkaiqk32.exe	43
PID 3028 wrote to memory of 1588	3028	Kkaiqk32.exe	43

C:\Users\Admin\AppData\Local\Temp\268d08486c77ed09da6ecdfd7f150b223bb2883e85ed16c09c1a03a9d7cd5a71N.exe
"C:\Users\Admin\AppData\Local\Temp\268d08486c77ed09da6ecdfd7f150b223bb2883e85ed16c09c1a03a9d7cd5a71N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\Jcjdpj32.exe
  C:\Windows\system32\Jcjdpj32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\Jfiale32.exe
    C:\Windows\system32\Jfiale32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\Jnpinc32.exe
      C:\Windows\system32\Jnpinc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\SysWOW64\Jghmfhmb.exe
        
        C:\Windows\system32\Jghmfhmb.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\SysWOW64\Kocbkk32.exe
        
        C:\Windows\system32\Kocbkk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Kfmjgeaj.exe
        
        C:\Windows\system32\Kfmjgeaj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Kmgbdo32.exe
        
        C:\Windows\system32\Kmgbdo32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\Kcakaipc.exe
        
        C:\Windows\system32\Kcakaipc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Kincipnk.exe
        
        C:\Windows\system32\Kincipnk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Kohkfj32.exe
        
        C:\Windows\system32\Kohkfj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Kfbcbd32.exe
        
        C:\Windows\system32\Kfbcbd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Kgcpjmcb.exe
        
        C:\Windows\system32\Kgcpjmcb.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Kpjhkjde.exe
        
        C:\Windows\system32\Kpjhkjde.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Kaldcb32.exe
        
        C:\Windows\system32\Kaldcb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Kkaiqk32.exe
        
        C:\Windows\system32\Kkaiqk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Kbkameaf.exe
        
        C:\Windows\system32\Kbkameaf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Lclnemgd.exe
        
        C:\Windows\system32\Lclnemgd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Ljffag32.exe
        
        C:\Windows\system32\Ljffag32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Lmebnb32.exe
        
        C:\Windows\system32\Lmebnb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Lapnnafn.exe
        
        C:\Windows\system32\Lapnnafn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Leljop32.exe
        
        C:\Windows\system32\Leljop32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Lgjfkk32.exe
        
        C:\Windows\system32\Lgjfkk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Lndohedg.exe
        
        C:\Windows\system32\Lndohedg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Lpekon32.exe
        
        C:\Windows\system32\Lpekon32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\Lfpclh32.exe
        
        C:\Windows\system32\Lfpclh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Ljkomfjl.exe
        
        C:\Windows\system32\Ljkomfjl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Lbfdaigg.exe
        
        C:\Windows\system32\Lbfdaigg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Ljmlbfhi.exe
        
        C:\Windows\system32\Ljmlbfhi.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Lcfqkl32.exe
        
        C:\Windows\system32\Lcfqkl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Lbiqfied.exe
        
        C:\Windows\system32\Lbiqfied.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Libicbma.exe
        
        C:\Windows\system32\Libicbma.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\Mlaeonld.exe
        
        C:\Windows\system32\Mlaeonld.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Mooaljkh.exe
        
        C:\Windows\system32\Mooaljkh.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Meijhc32.exe
        
        C:\Windows\system32\Meijhc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Mieeibkn.exe
        
        C:\Windows\system32\Mieeibkn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Mponel32.exe
        
        C:\Windows\system32\Mponel32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\Migbnb32.exe
        
        C:\Windows\system32\Migbnb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Mhjbjopf.exe
        
        C:\Windows\system32\Mhjbjopf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Mabgcd32.exe
        
        C:\Windows\system32\Mabgcd32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Mhloponc.exe
        
        C:\Windows\system32\Mhloponc.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Maedhd32.exe
        
        C:\Windows\system32\Maedhd32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Mdcpdp32.exe
        
        C:\Windows\system32\Mdcpdp32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\Mholen32.exe
        
        C:\Windows\system32\Mholen32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Moidahcn.exe
        
        C:\Windows\system32\Moidahcn.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Ngdifkpi.exe
        
        C:\Windows\system32\Ngdifkpi.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Nibebfpl.exe
        
        C:\Windows\system32\Nibebfpl.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Nplmop32.exe
        
        C:\Windows\system32\Nplmop32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\Nckjkl32.exe
        
        C:\Windows\system32\Nckjkl32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Niebhf32.exe
        
        C:\Windows\system32\Niebhf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Nlcnda32.exe
        
        C:\Windows\system32\Nlcnda32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\Ndjfeo32.exe
        
        C:\Windows\system32\Ndjfeo32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Nekbmgcn.exe
        
        C:\Windows\system32\Nekbmgcn.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Nmbknddp.exe
        
        C:\Windows\system32\Nmbknddp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Nlekia32.exe
        
        C:\Windows\system32\Nlekia32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Nodgel32.exe
        
        C:\Windows\system32\Nodgel32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Ncpcfkbg.exe
        
        C:\Windows\system32\Ncpcfkbg.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:476
        
        C:\Windows\SysWOW64\Nenobfak.exe
        
        C:\Windows\system32\Nenobfak.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 140
        61⤵
        Program crash
        
        PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jfiale32.exe

Filesize
93KB

MD5
998be4855c314d120f6be3beb25f4af4

SHA1
9adcf859d45fe82416dd88a870f860d4568190a9

SHA256
4baed9fb8e5e7211ab8b61cb76eab007560b2db4754f818ef87105452544cade

SHA512
d2a6a453bc729ff7a911c6210020c721db8afaf235306c623507d67472d329fd62d09a1bbaf3379d893ee3003ea04b4d1cc6cd65aea70763baf789cdd887f4fc

Download Submit
C:\Windows\SysWOW64\Kcakaipc.exe

Filesize
93KB

MD5
3d0be39fb109722addfbc7fe8291d1be

SHA1
5f888c2da9b4fb9db3be8ab7776f980d9f0be2c5

SHA256
a730a45006c3fa1771008dd5958a34ba6b9a52ba992b5ba7bb86671a32f936da

SHA512
09ef246e41af1c5472cafc4fbc45bcb1e43dea61ab2c81da8a98838723c7115d3f2a1abc86d5f2e94456dcdcfc3542f9f6048cce25150a3cd6ada4871414f89e

Download Submit
C:\Windows\SysWOW64\Lapnnafn.exe

Filesize
93KB

MD5
34952e58876224aee68cca34655c3e19

SHA1
ba588cb1d3aa0f252dae47f5dbffa536de427f14

SHA256
a6cbc2f959b6f0497d2ec7ccf9f2f93fb05c604eb63e0cd601643c7bf7f78946

SHA512
ec5c3349d62f652ad051b90921d48594be2f7984c5b96299be6ed31802830ce6e7b42c0b72eba9996f7b6834219e2a3c06778772e23a66d95acd17970312c7b6

Download Submit
C:\Windows\SysWOW64\Lbfdaigg.exe

Filesize
93KB

MD5
8a894fd7f224ea6ebfc03d95093be167

SHA1
900abbc814caa8da65ff98bc655bf0ba000080b9

SHA256
6626791c8be25211c87bc3e2985ecf8b79c766f8cf83c98376aa6aa0f33b605a

SHA512
e4756fe4445ee685b83d0b47d41e79846add05d1887531ff98a744791e69c5c3e8bbe2a9220c5c371aa57030debbc4097214644956d4ee0dc1d0d89a30b14553

Download Submit
C:\Windows\SysWOW64\Lbiqfied.exe

Filesize
93KB

MD5
ef01531ed128176d7d176b1cb751e3d0

SHA1
c96a196c919ba6fefb80c916dd2aec1ce467603b

SHA256
9dcd641e8253038c8ab181402e683a0029bf88a72e3f923cf537f76c3ebbbc68

SHA512
a9c3d7358c27607f7524a05732b1f8e585fd582ef98af5888400eca2ac6899e7bc073ab77b5534caa3dcfef8acb06fbbd894fdb98726022c0775986190b5f989

Download Submit
C:\Windows\SysWOW64\Lcfqkl32.exe

Filesize
93KB

MD5
ee8e1ab2e00ce074ce4703008cf9677a

SHA1
2209432bf2fca693d097a7591f0d0d9ef4c49def

SHA256
9066fc51fdb78c75bf3c1a07fa4f20e0fadc908f7c70171ad082b4145b6b4e09

SHA512
010084c4900e0cbd0748023221d721c9406590956bf97e2e4a1950c66604bedbadf1dda9478ef442f4835966baa69ce1e7f039e62fd8f193b6eef1cec0f51fac

Download Submit
C:\Windows\SysWOW64\Lclnemgd.exe

Filesize
93KB

MD5
91547ecd8039416458921b311ef5afa1

SHA1
12b7ab753f2997ddfe30cee44f951d9f03a508da

SHA256
ff0b25d2e96a646806e9094a8247814206e37bbfb9531a8908b2bc0b598e8720

SHA512
fe975d2c5c3dca46cea50313a50a8ffd3783f5ac7e4becfac3c8e9ad25fcd0960b8f11bd9c3c50e37e978578dd76180299a0eb2e0bec1576682b3d15ef51f960

Download Submit
C:\Windows\SysWOW64\Leljop32.exe

Filesize
93KB

MD5
df413cb98b4b4d08ffd710e22089a6aa

SHA1
e207db6666c83502a84f550e3c49b175cf4fbaaf

SHA256
c1c4b9e53d2e0bc6a47748a4b9961591058686d4db4f2ef2f0f82b2b10ae7140

SHA512
32a1f569e19dd2b5834a4ca1957e541b3079cf92ce64466df81d5d7f52cc38fa6ac070f6984c173837434b9929ced704277f5a703312ffd1b55c8a7ce5bd60ed

Download Submit
C:\Windows\SysWOW64\Lfpclh32.exe

Filesize
93KB

MD5
7dd0050a290656b6bdb595a98ebdc3c0

SHA1
1fc6c2b53edef7e109dd7cbbd3e157769cea00d8

SHA256
b455219046c2039542d4ac123a5d402068cda59560c1398bbd2fbf6a70478fd1

SHA512
fc6c7f0ad77bfc556a4960df203d2349651238491febceb1e3c940dc9b5405f47f393bad730e26b76d384973e9853ef77610f6628ee03e942c8cc028be099736

Download Submit
C:\Windows\SysWOW64\Lgjfkk32.exe

Filesize
93KB

MD5
8e4feda144a228cb24ba728ebcbbc40b

SHA1
603e7428722084fd0ec6e11fcc1d6404f1d59fc9

SHA256
c0a78a02d0871b94b69d64d5122ef8c2957672d9883484cf2af27e620bc7c65e

SHA512
a39f6531cc414d8ffe07f0b51d72fbe7a351ef275ed3ffb8f087b13aef70d7a48ec9c0e3405f1b4ab9e924dd9689ac30aca7ac3027edcd93c469cd5a00c466f3

Download Submit
C:\Windows\SysWOW64\Libicbma.exe

Filesize
93KB

MD5
bcdc1a446d1a4c1d2d875fb4ae0d2989

SHA1
8bd28ccd1938dc04100abd3ec1d5180c87335acf

SHA256
272d1732ee74e42948a7475b7c27bac4383bc11fc2d28c397363d3f36cbd2a4e

SHA512
e367a084f0e1c247a4575430d215f9ba60acb8206564abb7e74d31ca5f51f0bbf1e2faff12e570076963522da3caf0d464bb1f9074a4a72322e7b2634805d687

Download Submit
C:\Windows\SysWOW64\Ljffag32.exe

Filesize
93KB

MD5
3311189513e45c2fda5b48ac76f46f90

SHA1
81cd66f79f7ee4eeba6a8efb704759d02dd5d651

SHA256
a40e1e642ee163347b121dd5360f722f62b16858693cfbdc209da6e2865e7426

SHA512
e03efd7441c7bbd04a22f3231b4a68f7ddd861375046bdd1f7ed27d5e0eb8857783860c8c1cd0b6635bf44a5f82206330c7f3d477e64b83cef55c58d9b7de7a2

Download Submit
C:\Windows\SysWOW64\Ljkomfjl.exe

Filesize
93KB

MD5
d75e7c91dc807ae15da81363bf751640

SHA1
696681aa89e210c8e4d6b62ad23acf0d46b3650f

SHA256
4e25fcc3b7fbf38862b6ba3902ba804bc0dc09de1ba94ad313ac64b1c194646b

SHA512
1c15943f805a658bca2591677a72300aed19249f468ecc48cf87b4ca67d0ebf00575b9b425939fd46653a745ad610ed0b3e1e4ebfb5f2cb6a19e17a111d3ed03

Download Submit
C:\Windows\SysWOW64\Ljmlbfhi.exe

Filesize
93KB

MD5
5fef14d3eafd8744f442db766f93d14d

SHA1
0418a388a73a4eb1199dc04f754eb9553a068fcb

SHA256
766a1da92d2b934fd515dfd9b77c3c53854cea09944a8a2a633192ce394670e7

SHA512
df1b65b2a41426cefcbbc58434a798cc10b461eae0576a80d6a35714f08d11cd92a1b1b56ae38f3f34ac06d782e03111c1bf5c9a677ec9c7346f3e8242ae9558

Download Submit
C:\Windows\SysWOW64\Lmebnb32.exe

Filesize
93KB

MD5
2e6eb2a0f6be51266516125e904b9952

SHA1
8d33aeaf0ac1c035d217639f1664bc0ed8d96f25

SHA256
5b5dc1a4c1108727e090b071be59c718048f1409b1478b3c4f0c79671cd238f5

SHA512
a0704d950bd5820d30f0c22ac20e24dcae8c257726746b2db78224cf60962f81f26b394bec43604b58a960e2df538ae4ac471a7a320250030821de734c6fb6fb

Download Submit
C:\Windows\SysWOW64\Lndohedg.exe

Filesize
93KB

MD5
e98dcd9aba8b12224c628804a5b3c646

SHA1
d3ec4ebfa7c057f69d58f155fa3acccf522db92c

SHA256
656f133269cc74a81f511dd30725c3de5e6770675098ae908dd34c0bfec8032a

SHA512
e3dd9ca4e23b7ed48da7aa4cfc91c30f4c2c0ac6b69a1b7e25afeff7a51a162d177a2e1e0c9ebc751a7204b8219b16d1e22b7731c3c48273d223824c9049b920

Download Submit
C:\Windows\SysWOW64\Lpekon32.exe

Filesize
93KB

MD5
7be128815ed30925531b30e8208049fc

SHA1
d6e210df5d088415f7b15487abf9b30145d45b18

SHA256
be72696a8e98633f8b87e84d9be88f008bae7837b5b9d84caefde54ff6435b1a

SHA512
92eef467c96ff4bad80818218ae356a83a16dbcf9ddb6afa6048c626837beacc5e333853897fbe55ed6bc2ddc31115fbabb9df22580b9066848d94fee05a5db0

Download Submit
C:\Windows\SysWOW64\Mabgcd32.exe

Filesize
93KB

MD5
539db8f829f47c1d2ad0ddb68453dde6

SHA1
903190919f9c42ef022eb38438cb56a8b03b37f1

SHA256
66aeefafcc4e853edbfb12b83d8d7f5665dc5b8901a7a04c4c25cc5ba245a0bc

SHA512
b4daa0f47e964637d13eb55a9d69e1fb4419247deac742eb2057cc698b815dc100d7dd00fd457df94d8c61c367f0324fe088e9663e5f0ea02a76e5fcac071ffb

Download Submit
C:\Windows\SysWOW64\Maedhd32.exe

Filesize
93KB

MD5
6401eeef75f2a0579d236fce44f953d0

SHA1
b504505b3c9ce5d9b1f56449b169b547710ab053

SHA256
d389934f632fb362d28c229d684a7c712b8430947a854f74bfa3f74711e6dc51

SHA512
4803502a6ecb17c422e8b8607b21bbc8201219dc003b60ded7cf9988501da5d2fb77feea699618a4246b16883e111b4f91253d9a4c4c98c6ced5b359b300ab72

Download Submit
C:\Windows\SysWOW64\Mdcpdp32.exe

Filesize
93KB

MD5
b90e5bebef5345fe07b9386e109358be

SHA1
eeceafbae30f69b3027f7508f0f019fda9a030a1

SHA256
b3f2c139c79eb6471f3a91980b54d0ff66cbfb5ab734405b16cbd10b601138ff

SHA512
d3dbbdc367f63afaa29d3630da4fe6ead0999dd01ab2f73a0229cba9d4187595d41c35f4e828c46abacfa9e287746d587b35e5a732f59789e8da9079487687ab

Download Submit
C:\Windows\SysWOW64\Meijhc32.exe

Filesize
93KB

MD5
2751701b80f3dc7113ca74dc4936c026

SHA1
d851837da9b84718d16a3cadb6372c0069f9336b

SHA256
9db1fc84ef319d6b1ef55e56f1a7cf4a3775a5d42ef928d9d84036e579f0820c

SHA512
ac8be01832832ccd98c2d12d9a142385bdf7bb82677a3703204e6794fda13bfeac46b7757f069846dedb7511b4caeab5be4a108c76ad7934908c5fb9423b708b

Download Submit
C:\Windows\SysWOW64\Mhjbjopf.exe

Filesize
93KB

MD5
4e83e2000d54cb21f904f8094b331e3d

SHA1
eded8b41eeab0159f23f44a54a3fa6228aff2475

SHA256
ff2d6077a40344614d5c977a5ddfc3670c8a8895df955429eca32cf693474978

SHA512
b6247e57af368b13efd3b0f76b3bbd208f25345bd93be451f0170b4b5ab54776a782c8797e442d73db9d1be5956b634224f4179dc92f60b17a95374de5d1e251

Download Submit
C:\Windows\SysWOW64\Mhloponc.exe

Filesize
93KB

MD5
461204e749fb9fe3bd91bc24c50d2b00

SHA1
9eb82f0ab259ef1b1801ac54f4d0af1430bf9c78

SHA256
cd8cd51ec02de57ea39531162326b469085d285bc6c2d6659163a87186aa434d

SHA512
64252581d41028aec53f4b4aec5440746066ff1d624a9ec6dc736cb173a168b4867a4709ec769229ab30f3635b594b72638b71cf3c55232683e75e710601f75d

Download Submit
C:\Windows\SysWOW64\Mholen32.exe

Filesize
93KB

MD5
c42db7b59280f550c89ded4074d512ba

SHA1
4603f079a75a7784d0e8fa3f3c859778897d44e8

SHA256
ebae1dc09a28d80cebc23c9b39b2d311fd0aa46f723855630948f4b66dea3615

SHA512
e54362c145df1c5fadf674c0dedc721c78e36a926c5791c06cc0480bc61d33c920be86455669aba179f96ba3d624056500f4eedfe73887b4f238f2c292bd2c65

Download Submit
C:\Windows\SysWOW64\Mieeibkn.exe

Filesize
93KB

MD5
2cff254a8eaa1c04db51b1685b3f9a36

SHA1
4e382302706f3bdf2003c983483c98463bf41046

SHA256
7324bad991fa0192575340cbdeb2d5ed06eaa3c5c62ede3679c32b79839d58db

SHA512
a9fbc07b60d02aed7a5eddee7dde62cc09aca6a16fd44f67c2a5bbce51c5ee055cf7745d99e7c5753028497862d492c4266124fdbc8bbeab237a2be948b4c1e6

Download Submit
C:\Windows\SysWOW64\Migbnb32.exe

Filesize
93KB

MD5
08d4d0b5620266169b99a95cf33d8029

SHA1
350eeb85c2b4dddecc7d2f11a37d6dab97bee3f1

SHA256
79b6cc2b43ccb042478771fd09d1bf64f092c9ab6ea58754d3a21400b7ad3448

SHA512
ee9cbf57c2f4348103996f6dcf7713c122f12bc6f2a2c113aefac0591decb39f837687877e9148392473885b6239b3c2e22e099d285578a0d7f4e84cd1129519

Download Submit
C:\Windows\SysWOW64\Mlaeonld.exe

Filesize
93KB

MD5
50b599b8c7dc51c5827993dbb6c9ac6a

SHA1
7b8e07a40da8c05369139aab8340e8979c4347d3

SHA256
68f9b3d47b2c44d91a3a68ac9b5941510f08892672afe2ccfd78148dd6e9b353

SHA512
f739926b8c85309a70f1a442e596887ebe3c4fc40705a003ca801aaa455c52849fd4058edb2b96cf7c3090549e0f1f8c513ac998bbd10a1893891cb6f56a5180

Download Submit
C:\Windows\SysWOW64\Moidahcn.exe

Filesize
93KB

MD5
d15996a2661e0e06b3c162db814dc405

SHA1
9ebea5eff25a212027b7e99393b0f5f418be9636

SHA256
b09c05c0a64bda03800a5b29fdd9d34b0d532feea8906c95225a0e6e0f476b94

SHA512
4e39e929fee902e00835e742a973c889570aba54e5e96d85a78ae8e9aa6c831a0cc5d925eada6587042def9a017e27212f24f54684419b94fb3294042426baaf

Download Submit
C:\Windows\SysWOW64\Mooaljkh.exe

Filesize
93KB

MD5
ed19d1e7df6694bfa2f272114cf2fc67

SHA1
ff00a4135bf8ab0ce3fb81fed8b6ddec1de29460

SHA256
af374c1d8266d4794dace30a2e3554f0667be2e73cc167fe4e1fbd146c322410

SHA512
61d30aed703b2db35b1276971f4e414d732a5ac2bfb9a1a0c06baae7f357c64d0f9b869e287713b5bd19c7898b8feae0d09b69b374d0db24868ca736058e3b26

Download Submit
C:\Windows\SysWOW64\Mponel32.exe

Filesize
93KB

MD5
042cc59ed26af8bc7c1694462bd645dc

SHA1
d5429d75ec091e699582f1acf382bc148e830015

SHA256
5ab0775517d00e0c2a5b8fa0fa5c00bac4753b6012314919bb429da4a35fbe65

SHA512
e7dae926c2c53b2537dc314c5e4de0d01d0d53ceb500c8b3323fd425e5cbf4051900e6ef3d08ce532d26c1a411a40a5f85daf5e1741d7a47d06fe057375bc1ef

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
93KB

MD5
f4f2590529370172f9f26c42f8fd1799

SHA1
a2daf3cfbf84d3a5a3341eab67849c109af3f645

SHA256
1d5d527e5685736df434de76b04319cb94ac639a3280d0047782d26bcd986039

SHA512
bd6dccfc68d4afe85f71ef5ba249832b39cde1eea8f543b67857f855ab8aeb4d5b90ebc55483a4ee6e557b8acf2b6d2624bf3549c1122852575afeffdadd891b

Download Submit
C:\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
93KB

MD5
c745eae76df2a7aa230117a754876656

SHA1
3134afc2b0c28be3ae76e9a121268d37c017bdc9

SHA256
d66e8c503fb41988109aedceaafe46e0f8b51769616d594dc9bc6cca2cf123db

SHA512
f2785b11de269d3aac23e34bd9c3cfaf9602323884072332b480fd103c5016bad584b919439000ae880202447397761eaf763572c3d8b920548411a542810dbb

Download Submit
C:\Windows\SysWOW64\Ndjfeo32.exe

Filesize
93KB

MD5
d66adf29469dc5f13695953d3d0aebab

SHA1
2fc7ad04ec472efbcb57c28cdfe4a5ab4ae75073

SHA256
21b3e04a3084ded7647e4425883d18699bc791e2ff808dd96d4263f6f15bbe3a

SHA512
60094ea3f97b02793d59144fd1570f0490ddef1961c53358919c73900c27e751167d08315ead7ce084e495c5cef2f1c30d59980284ea728ee8a5287c7201c1e3

Download Submit
C:\Windows\SysWOW64\Nekbmgcn.exe

Filesize
93KB

MD5
f7c61c20a03a1874aaaf68abf49521c2

SHA1
d9e79c3a98ac72d00b6d049ef6f266f9abe41923

SHA256
9116dd9af31df5fb236d103c0becaf87d544abab4f68fd31c787c037711aa6c6

SHA512
3321d87cd2d392e6620adb9cac6c36dc81f08c31fa6c9f91d2d4a6099226aa22feeced1e11b27680250ee2b12ece55891ac0b71dffe9f68f64f56bdb98340d81

Download Submit
C:\Windows\SysWOW64\Nenobfak.exe

Filesize
93KB

MD5
433c13e14b94043a5bb775c634425794

SHA1
14c7376222b18cafc180c100026bb1ab5a91f0e6

SHA256
0ad5cfeb29b661e39070a11425d054ac9b610c9b0b0556663adec58145c1cc97

SHA512
138b64ee9a22c18d0874fbb8dab4671a812cb73c74f7767a64eb1b57edf013d86f2077542de9a4bc8418f993a1d1763a19546ace2b8e9509686972dfff0814f8

Download Submit
C:\Windows\SysWOW64\Ngdifkpi.exe

Filesize
93KB

MD5
ca3ac5e8d6d4662f2d53e2107f24435c

SHA1
f552fbfcafc542f691de28ea6cd799dbaefdd044

SHA256
9daefd18e5c3bd1f37c63fb5f0e1a83d48f249753e1122d403f8d28cb00ad716

SHA512
519989316c08f42a4fa5e5bd85f25baf15b67424f393389aabd7a32e0cf4338afdf20b2013b91df0d74fcad0de51ab204aea1e1128b69b498987bb640e9703ee

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
93KB

MD5
bd8843e94317344cf826e3d8c5a91085

SHA1
8739f6499c32861e2ed52520a695b71c1936dfb3

SHA256
745f1bc010b01edd377b1c5cf7d231ee46560cb829d847093bafc65b0d3bad24

SHA512
844082cf9cc3ad17cc7931c1779dfff038c50521a84f5a71a292d7013b07e2e253eec8e4bc9aa3d577e502cc6128f8fc003ceffc66305c22f16c8984cc2ad822

Download Submit
C:\Windows\SysWOW64\Nibebfpl.exe

Filesize
93KB

MD5
41f1013b94d8e8944dcd3fcb0634b8c1

SHA1
c70a34173c1638a426789795a5ac901b289f0b42

SHA256
762ebbc4055c3f396db67be17cbd7f934be41fed3585d1e8cf8d04a5c677eab0

SHA512
ec133cae2858a30c3fada4ab51aa3cbaceec5534aef1636cdccc9c88123fb0c37db012e9541b43df1e4ed9d056b6557a3ed66c8643458c799e443419009cbf7c

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
93KB

MD5
26427d379b7638519db7824273f26c85

SHA1
b1ab27ebb178ae631e47da576c3dd432d03e377a

SHA256
e80200d073141cc0ecdd6d176e25c7d7316e06b81b8c3b6e25ce6a157f4d9ea1

SHA512
838409354bba88fbe423df15bbedc13f4e0baa32bbf42ced4cafc47fa91eacecec3e9df08e854478df7054d34e22f28a0a0828879c5205306868eac4157fbbdf

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
93KB

MD5
be800742cc31ae8a35d6762a89c74405

SHA1
7c198bd2fc631aeb9d3a220eff1840da39aa8a26

SHA256
6a16557e4b3594f73c9fb2ab0cae0888494f0a0261ea983c5267a8a413af8230

SHA512
2b293aebdeb26db0bc7d29e2e4df31cd274a1ce2d8ac091f6299f0ca6175d7ea433c0933950cc5ac99f7641aa99fd2b62257598b6f523a3aee91895f81dd754d

Download Submit
C:\Windows\SysWOW64\Nlekia32.exe

Filesize
93KB

MD5
7ead54f6e58992c4828da79b8579a27f

SHA1
54fca168d853c736a9f90ebdf62b13e74beb1b5d

SHA256
9f54e5512e425638df5930b47431aa9cffbc656681b18d78f1ba0dafa238dd0f

SHA512
c86715ae946dc10911eef6671d39d8930f75267da4958f432fbbb2ca70fc022e90574c5517bb0be3ccf57dff3bcece2599dcb3e8e78ecffc1080ff4d525e4cdb

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
93KB

MD5
e019c6a39f799d2cc259d1c661de29c1

SHA1
6c87fab7290e813edb144f10605edf88b8a08660

SHA256
51ca4cd0551249b7cfd24e969b3f9bb55186b5dab60fb1fc01f89caebae2b4b1

SHA512
e119aa05c2fce6b4ca35e6cfb13e2d834379e4619e5d9f50b1d5535fdf5cee9c1ac47f36a2ea43d1ebfcfe45659e9b51e3b5fd38f3af31bf7907c39ddf8c34f3

Download Submit
C:\Windows\SysWOW64\Nmbknddp.exe

Filesize
93KB

MD5
5841853d0b19176ed52dc05680f881f4

SHA1
fa872ec85f7d15926de378af953acc3ff59fd6c0

SHA256
137e440b4c97ffba7c501b20c3e25a48ccf1a03385e6b0be925c629bbd5a8182

SHA512
fb0045d83f84a76290a4237e8e516dd8e8c6bced367a9618c084715bce8131e60405705eeb2843059b26ea1dcb0150690a68150a9a9e29a8f21fc1193fb0c535

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
93KB

MD5
4888381c8d4324601f19883e974875e7

SHA1
cc78057e673374771792ba14c8901ac65bd0b1a1

SHA256
dbb93d623377a6ef2754672e7a375eca01cd7fb1344184b8815fc2ef580f74fc

SHA512
34114820ba8ace1ed2dde4ea4f95e10d0dd32372629a79171c463095ae0de24325d9f73fc4b3c5bf735252e756862c10a9934505959d9472289335e37384a9cf

Download Submit
C:\Windows\SysWOW64\Nplmop32.exe

Filesize
93KB

MD5
f8d2e26d01c9c1c3cd22b87f7a5abdcf

SHA1
3f2f8082416b5f67db7e1316df6d27f0bdd92a4e

SHA256
e820f47071046952fb8f63b35a8f15e141b310f29f9651fd2dae9752449192ef

SHA512
f8259ebc486d53af6cc2cafa8737300d5c8399de35470082251def172e45442ed3272ca60b995c383ef6d1ebf06cdffbfdfd67dbacf6eef8ce24d36bf899c58f

Download Submit
\Windows\SysWOW64\Jcjdpj32.exe

Filesize
93KB

MD5
856e4e23fd4390a3cab95b32b5bdae50

SHA1
181b8658b652862fc46546584d167410460397ef

SHA256
ca7f934f159a1a0c977c5482f59621f7e18267a384b15bc14a4852da36cec6ef

SHA512
a04d6a189cc719a3b28412b46957a9ba74635bbcc53090734d5706d62660d950539a72e02e72d4be7ad49ea3f87aacace800285d580d2bbee74fde2d29d66f87

Download Submit
\Windows\SysWOW64\Jghmfhmb.exe

Filesize
93KB

MD5
e0a4c14b1e1497920699fbe50f52dc06

SHA1
590b14fcca35f16571539c21f11031fdc41e0dcb

SHA256
211f9ec5c915d446d18bc08de97879fa7a9aa53f0379213f36a47cf2666b0e39

SHA512
791f2260a518a93516b9e009246f00cd8712ff6f1043f568dd8aee9f40239732f78b0571e3ae713c8f913c3970d17f5c8e76d4e0d281d696bd274426fcd48d81

Download Submit
\Windows\SysWOW64\Jnpinc32.exe

Filesize
93KB

MD5
d19bd66afc52e080cc8374ac6530d437

SHA1
60cf6d8cf7e1888bd390bb693eb4539732343006

SHA256
d36ea064e85026aa02bfc20615373e676775eac4c79efc2bbdbb33491eca1606

SHA512
8dc9d79cebe03f1b8f976fb08f3d1f5d163874d2984cf3f16a8cf293349c9233da99aa896162af4513c3885fd892fbecec13094bacd5b105eec6dedb7bbdd22e

Download Submit
\Windows\SysWOW64\Kaldcb32.exe

Filesize
93KB

MD5
c79e7f6c865b782db792747fb26ccdf7

SHA1
21aec1c86f80691f610d5c501f8b5e4741dfc750

SHA256
abac4a44291e7aaff0a966ccf4b934b79302992e5f550c0da2ec656ee6d4dd8e

SHA512
2a1b9a3f0241187ba9a9c13fc17b20c9bfceb2a88e07316fa74849cf1c3c83e29508e372d493ad07b0cc4c53b0512841671a7fc89c606888c68c0ca0be2a2134

Download Submit
\Windows\SysWOW64\Kbkameaf.exe

Filesize
93KB

MD5
45b5f5f2c1e6ec4c9b9f6a0be304d0a9

SHA1
8ff45eab7af975dc461cd5b3ebd9a50d0a752dd1

SHA256
07656465e6559a272cdd3745770819c108c547b235a981628e6b3dbd473ca980

SHA512
f6f278baf0c24dfdeaa9d24b5fc93bc4b9d6d719127ddde254dd8ec640238715ae37bf5b8d74f66a344484285c8bff1ba5e2013f6968bcc368fcbc4b392d1ee1

Download Submit
\Windows\SysWOW64\Kfbcbd32.exe

Filesize
93KB

MD5
634f581b77bc6746c32efc301e1f3b1f

SHA1
82cc6f3d19912a9913a744f767b3c11191d886e7

SHA256
455593c94d1a7bc3f3236f5c1579069468301b0ba6019004f365957b681c1b1d

SHA512
44320bf120c92633d6909e1351b6d345ce38a9b26e63f15801e434efc998650ccd96927f39bae9aa081270d43a6a00c7b7e95e69d1270262d5f4dcbf608dcead

Download Submit
\Windows\SysWOW64\Kfmjgeaj.exe

Filesize
93KB

MD5
3fe2a975570aa73073349f660d846f79

SHA1
de03f47e80f0293cdd9a312e271bd56fd0210345

SHA256
9de1279443c8edd936328c537747f6fc8d587d0f5d904f449ed29b008ee93aa7

SHA512
f00f2e14d3ea7d2da2ad8bf6d0d1305a0691f8b3bc3f44c9ecea6ef446000be8fa24e70ca3a5fa30b81e865d074b14a45c73245bc936e91accca65a5f120c1d5

Download Submit
\Windows\SysWOW64\Kgcpjmcb.exe

Filesize
93KB

MD5
54d2351b6e9f5ac57907e5bea2a172fb

SHA1
4a09c0b87b7f2f8f02713775159451b09d1c5d0d

SHA256
e967320ec7d2765488a7bcb6876def6df706789ed1d6a056d45448c7a0e4325d

SHA512
ca2f0a6755541f4d16b231c34ae02a84ce70634320d905200379a38fc0266e39c7be956e4beccc64f6b327d563527dfe2681b117ba9c16854665c1860858bc2a

Download Submit
\Windows\SysWOW64\Kincipnk.exe

Filesize
93KB

MD5
1d09c37227e013b39df13ea99e8d0f9a

SHA1
f55a7c6c90f20f0055071f24aab44b2747decbff

SHA256
471f43707d960724a5ca9531941a3e8320deecbe0ca6196b0018d7c528420105

SHA512
bddaa3ddf6c5cdbbf737c9bf171a939785c1a8b7d52072be34d063ed3e6df55a08ccc4a15a0fb6492a39f0c2dee29cdeb04898423feb334586515570118e4abf

Download Submit
\Windows\SysWOW64\Kkaiqk32.exe

Filesize
93KB

MD5
507de10875c2dd46ebda88e91dc0c321

SHA1
6cd25e2cfa91165dd2b441c5d8c2f0a5016edaa3

SHA256
96e5b191d6066b9b6775c0d55fa3ccd0e6756750446e7be876bb1a12019a98c7

SHA512
9d7dbb595ab24e07b13100fac33ad4de9176c72a203e48609cbcb86ebb3fe76e7151346ca67e5e48ee18b2419037aa452627527cf346c62138eaf09d7d445e13

Download Submit
\Windows\SysWOW64\Kmgbdo32.exe

Filesize
93KB

MD5
1aa998fdba22e2a452ca1247323f75df

SHA1
abfb31e6e75df4ae6b61b2399c7d8ccf180847c4

SHA256
0077c6bcae899d5bc9be378a51efe03853ed2438c4597e04dd75f7df8cfbf34b

SHA512
94f0db2541d51ac740dbc30ef41b5031f8a13bf0f4285f6f711cd54a6ffde7c787b09f05d79cb3695403a6b34583c89646276b13588aacfbd24448603e4f5d69

Download Submit
\Windows\SysWOW64\Kocbkk32.exe

Filesize
93KB

MD5
2a65e75d7ba93a0d6b794234c4166572

SHA1
de0f77d0fdb0f09e584227257a9d3764d600020b

SHA256
74626bbfe1889e53e1901943efceaeb06c709fc6d7c2c0adfcef218a9203ffea

SHA512
427b4cc996f4601fbc2a1e89cc1e80cb955e54a6f7b0183e0f59aab8643665c42211600c9b4167db6b15347b50c9c23d7cae19977ce19d8056fd2bfd85ad29ae

Download Submit
\Windows\SysWOW64\Kohkfj32.exe

Filesize
93KB

MD5
9744407b38de151db8c42ef71cd32c9a

SHA1
01fe2d6b77ba2088b2838c74ed2e00af871bff36

SHA256
83dd110890a5b6926123abed7236e8fb6e3235b787cd38b872f0324bc239e0f8

SHA512
8eaf542af5405267ba3f902e05c6e6fc8db6de4a0e9231bbba8631b6905f03b78ecef4eb6fc9749e025a24a771f50fa7a3c9d1b51a3839d4e495cd6c81c270b1

Download Submit
\Windows\SysWOW64\Kpjhkjde.exe

Filesize
93KB

MD5
33868267180107056ff3a418ad87ee30

SHA1
492a5d631cf04193704cc80f0523be93deeb4b90

SHA256
9daa0d61a7940129693d9e47fba8e730c3f833e38453736b57e6395c427351eb

SHA512
6899139534b7db46027f00da27402581bcfe3cc2b1e9c6be4f4c1bf4a4faf4e0f9e0ec3239df81d308e7c4c10f426f4bb1d4a895db025eadc1833820e9131f79

Download Submit
memory/556-418-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/556-417-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/556-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/572-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-299-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/744-295-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/744-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-310-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1500-309-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1500-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-733-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-354-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1524-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-275-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1568-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-220-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1656-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-711-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-461-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1676-438-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1676-440-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1676-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-740-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-737-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-714-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-741-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-168-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2068-321-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2068-320-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2068-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-284-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2128-288-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2168-739-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-256-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2268-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-542-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2288-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-712-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-709-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-375-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2472-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-62-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2480-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-701-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-718-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-332-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2612-331-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2612-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-342-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2636-344-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2640-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-35-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2640-366-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2640-40-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2664-142-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2664-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-116-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2760-729-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-738-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-428-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2772-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-501-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2776-502-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2780-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-704-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-182-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2872-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-731-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2960-18-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2960-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-195-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2964-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-728-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-386-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2992-385-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2996-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-89-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3004-491-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3004-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-208-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3028-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads