berbew | 25126265981d6528f032830d7f2ba2b3bdd1dc7d306b85b4436e2c794ab750e6

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25126265981d6528f032830d7f2ba2b3bdd1dc7d306b85b4436e2c794ab750e6.exe
Size

45KB
MD5

b66cb5966883a1087e94fdfa277b9fe7
SHA1

12eea513b952f37a9a8947b29c473c20947381ae
SHA256

25126265981d6528f032830d7f2ba2b3bdd1dc7d306b85b4436e2c794ab750e6
SHA512

3a60acbf0126a590b28cc3d7832a25353ff4ce6d74129b1e4b48c642990e19e0a2cca37d3004e59bb2d41cbccccf1f3246a1c5bedb788775b5b9729511d41209
SSDEEP

768:ffu4hhsSsgT3cHeCsjspL1NIFdbYq3TG7GGdRE4NacoaNF2/1H5y:fG4hh3sgYHnsjsp6eREncdNyA

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcbenjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgalqkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcbenjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maedhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mabgcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Magqncba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmldme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libicbma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlfojn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	25126265981d6528f032830d7f2ba2b3bdd1dc7d306b85b4436e2c794ab750e6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mffimglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mffimglk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgalqkbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmnace32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npagjpcd.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 38 IoCs

pid	Process
2140	Lfdmggnm.exe
2552	Libicbma.exe
2540	Mooaljkh.exe
2580	Mffimglk.exe
1860	Mieeibkn.exe
1716	Mlcbenjb.exe
2400	Moanaiie.exe
2392	Mapjmehi.exe
1552	Migbnb32.exe
2012	Mlfojn32.exe
2728	Modkfi32.exe
2428	Mabgcd32.exe
1780	Mdacop32.exe
2156	Mlhkpm32.exe
2940	Mofglh32.exe
1512	Maedhd32.exe
656	Mdcpdp32.exe
2920	Mgalqkbk.exe
876	Mkmhaj32.exe
1784	Mmldme32.exe
2976	Magqncba.exe
912	Ndemjoae.exe
2476	Ngdifkpi.exe
3008	Nibebfpl.exe
600	Nmnace32.exe
2688	Nplmop32.exe
2532	Nckjkl32.exe
2504	Niebhf32.exe
1012	Nlcnda32.exe
992	Ncmfqkdj.exe
1236	Ncmfqkdj.exe
2172	Nekbmgcn.exe
2180	Nigome32.exe
1828	Npagjpcd.exe
1980	Nodgel32.exe
1492	Ncpcfkbg.exe
1832	Ngkogj32.exe
1948	Nlhgoqhh.exe

Loads dropped DLL 64 IoCs

pid	Process
2816	25126265981d6528f032830d7f2ba2b3bdd1dc7d306b85b4436e2c794ab750e6.exe
2816	25126265981d6528f032830d7f2ba2b3bdd1dc7d306b85b4436e2c794ab750e6.exe
2140	Lfdmggnm.exe
2140	Lfdmggnm.exe
2552	Libicbma.exe
2552	Libicbma.exe
2540	Mooaljkh.exe
2540	Mooaljkh.exe
2580	Mffimglk.exe
2580	Mffimglk.exe
1860	Mieeibkn.exe
1860	Mieeibkn.exe
1716	Mlcbenjb.exe
1716	Mlcbenjb.exe
2400	Moanaiie.exe
2400	Moanaiie.exe
2392	Mapjmehi.exe
2392	Mapjmehi.exe
1552	Migbnb32.exe
1552	Migbnb32.exe
2012	Mlfojn32.exe
2012	Mlfojn32.exe
2728	Modkfi32.exe
2728	Modkfi32.exe
2428	Mabgcd32.exe
2428	Mabgcd32.exe
1780	Mdacop32.exe
1780	Mdacop32.exe
2156	Mlhkpm32.exe
2156	Mlhkpm32.exe
2940	Mofglh32.exe
2940	Mofglh32.exe
1512	Maedhd32.exe
1512	Maedhd32.exe
656	Mdcpdp32.exe
656	Mdcpdp32.exe
2920	Mgalqkbk.exe
2920	Mgalqkbk.exe
876	Mkmhaj32.exe
876	Mkmhaj32.exe
1784	Mmldme32.exe
1784	Mmldme32.exe
2976	Magqncba.exe
2976	Magqncba.exe
912	Ndemjoae.exe
912	Ndemjoae.exe
2476	Ngdifkpi.exe
2476	Ngdifkpi.exe
3008	Nibebfpl.exe
3008	Nibebfpl.exe
600	Nmnace32.exe
600	Nmnace32.exe
2688	Nplmop32.exe
2688	Nplmop32.exe
2532	Nckjkl32.exe
2532	Nckjkl32.exe
2504	Niebhf32.exe
2504	Niebhf32.exe
1012	Nlcnda32.exe
1012	Nlcnda32.exe
992	Ncmfqkdj.exe
992	Ncmfqkdj.exe
1236	Ncmfqkdj.exe
1236	Ncmfqkdj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Maedhd32.exe	Mofglh32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Ngkogj32.exe
File opened for modification	C:\Windows\SysWOW64\Mooaljkh.exe	Libicbma.exe
File created	C:\Windows\SysWOW64\Negpnjgm.dll	Mooaljkh.exe
File created	C:\Windows\SysWOW64\Cpbplnnk.dll	Mapjmehi.exe
File created	C:\Windows\SysWOW64\Dhffckeo.dll	Mdcpdp32.exe
File created	C:\Windows\SysWOW64\Nplmop32.exe	Nmnace32.exe
File created	C:\Windows\SysWOW64\Incbogkn.dll	Nmnace32.exe
File opened for modification	C:\Windows\SysWOW64\Ncmfqkdj.exe	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Ncmfqkdj.exe	Ncmfqkdj.exe
File created	C:\Windows\SysWOW64\Mffimglk.exe	Mooaljkh.exe
File opened for modification	C:\Windows\SysWOW64\Mffimglk.exe	Mooaljkh.exe
File opened for modification	C:\Windows\SysWOW64\Nplmop32.exe	Nmnace32.exe
File opened for modification	C:\Windows\SysWOW64\Nigome32.exe	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Oqaedifk.dll	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Pdlbongd.dll	Mabgcd32.exe
File opened for modification	C:\Windows\SysWOW64\Maedhd32.exe	Mofglh32.exe
File opened for modification	C:\Windows\SysWOW64\Nlcnda32.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Ombhbhel.dll	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Libicbma.exe	Lfdmggnm.exe
File created	C:\Windows\SysWOW64\Iggbhk32.dll	Mlfojn32.exe
File created	C:\Windows\SysWOW64\Aeaceffc.dll	Maedhd32.exe
File created	C:\Windows\SysWOW64\Mgalqkbk.exe	Mdcpdp32.exe
File opened for modification	C:\Windows\SysWOW64\Nekbmgcn.exe	Ncmfqkdj.exe
File created	C:\Windows\SysWOW64\Cgmgbeon.dll	Mkmhaj32.exe
File created	C:\Windows\SysWOW64\Noomnjpj.dll	Magqncba.exe
File created	C:\Windows\SysWOW64\Macalohk.dll	Mofglh32.exe
File created	C:\Windows\SysWOW64\Mkmhaj32.exe	Mgalqkbk.exe
File opened for modification	C:\Windows\SysWOW64\Mkmhaj32.exe	Mgalqkbk.exe
File created	C:\Windows\SysWOW64\Nibebfpl.exe	Ngdifkpi.exe
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Nckjkl32.exe
File opened for modification	C:\Windows\SysWOW64\Mabgcd32.exe	Modkfi32.exe
File created	C:\Windows\SysWOW64\Mlhkpm32.exe	Mdacop32.exe
File opened for modification	C:\Windows\SysWOW64\Nmnace32.exe	Nibebfpl.exe
File opened for modification	C:\Windows\SysWOW64\Mlcbenjb.exe	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Moanaiie.exe	Mlcbenjb.exe
File created	C:\Windows\SysWOW64\Gbdalp32.dll	Ngdifkpi.exe
File created	C:\Windows\SysWOW64\Nlcnda32.exe	Niebhf32.exe
File opened for modification	C:\Windows\SysWOW64\Npagjpcd.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Niebhf32.exe	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Kklcab32.dll	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Fhhmapcq.dll	25126265981d6528f032830d7f2ba2b3bdd1dc7d306b85b4436e2c794ab750e6.exe
File opened for modification	C:\Windows\SysWOW64\Libicbma.exe	Lfdmggnm.exe
File created	C:\Windows\SysWOW64\Ecfmdf32.dll	Moanaiie.exe
File created	C:\Windows\SysWOW64\Npagjpcd.exe	Nigome32.exe
File opened for modification	C:\Windows\SysWOW64\Nodgel32.exe	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Cnjgia32.dll	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Mieeibkn.exe	Mffimglk.exe
File opened for modification	C:\Windows\SysWOW64\Moanaiie.exe	Mlcbenjb.exe
File created	C:\Windows\SysWOW64\Modkfi32.exe	Mlfojn32.exe
File created	C:\Windows\SysWOW64\Mgecadnb.dll	Mdacop32.exe
File opened for modification	C:\Windows\SysWOW64\Nckjkl32.exe	Nplmop32.exe
File created	C:\Windows\SysWOW64\Ncpcfkbg.exe	Nodgel32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ngkogj32.exe
File opened for modification	C:\Windows\SysWOW64\Ndemjoae.exe	Magqncba.exe
File created	C:\Windows\SysWOW64\Pjclpeak.dll	Ncmfqkdj.exe
File created	C:\Windows\SysWOW64\Ajdlmi32.dll	Mffimglk.exe
File opened for modification	C:\Windows\SysWOW64\Mmldme32.exe	Mkmhaj32.exe
File created	C:\Windows\SysWOW64\Mabgcd32.exe	Modkfi32.exe
File opened for modification	C:\Windows\SysWOW64\Mlhkpm32.exe	Mdacop32.exe
File opened for modification	C:\Windows\SysWOW64\Magqncba.exe	Mmldme32.exe
File created	C:\Windows\SysWOW64\Elonamqm.dll	Mmldme32.exe
File created	C:\Windows\SysWOW64\Nckjkl32.exe	Nplmop32.exe
File created	C:\Windows\SysWOW64\Ogjgkqaa.dll	Niebhf32.exe

Program crash 1 IoCs

pid	pid_target	Process
2060	1948	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mofglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maedhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgalqkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magqncba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nigome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25126265981d6528f032830d7f2ba2b3bdd1dc7d306b85b4436e2c794ab750e6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mooaljkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mieeibkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdcpdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migbnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mabgcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nibebfpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckjkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nekbmgcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mffimglk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhkpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkmhaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmfqkdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npagjpcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngkogj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfdmggnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcbenjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdacop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnace32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mapjmehi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmldme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moanaiie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplmop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmfqkdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libicbma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndemjoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdifkpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlfojn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mffimglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpbgnedh.dll"	Mlcbenjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahqjm32.dll"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llcohjcg.dll"	Modkfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mofglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Macalohk.dll"	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbelde32.dll"	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpnnfqg.dll"	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcihoc32.dll"	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhffckeo.dll"	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negpnjgm.dll"	Mooaljkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggbhk32.dll"	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlfojn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mffimglk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlcbenjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Modkfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmnace32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	25126265981d6528f032830d7f2ba2b3bdd1dc7d306b85b4436e2c794ab750e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaagb32.dll"	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll"	Mapjmehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeaceffc.dll"	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekebnbmn.dll"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgalqkbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomnjpj.dll"	Magqncba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elonamqm.dll"	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdjgo32.dll"	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	25126265981d6528f032830d7f2ba2b3bdd1dc7d306b85b4436e2c794ab750e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mabgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maedhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mooaljkh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2140	2816	25126265981d6528f032830d7f2ba2b3bdd1dc7d306b85b4436e2c794ab750e6.exe	30
PID 2816 wrote to memory of 2140	2816	25126265981d6528f032830d7f2ba2b3bdd1dc7d306b85b4436e2c794ab750e6.exe	30
PID 2816 wrote to memory of 2140	2816	25126265981d6528f032830d7f2ba2b3bdd1dc7d306b85b4436e2c794ab750e6.exe	30
PID 2816 wrote to memory of 2140	2816	25126265981d6528f032830d7f2ba2b3bdd1dc7d306b85b4436e2c794ab750e6.exe	30
PID 2140 wrote to memory of 2552	2140	Lfdmggnm.exe	31
PID 2140 wrote to memory of 2552	2140	Lfdmggnm.exe	31
PID 2140 wrote to memory of 2552	2140	Lfdmggnm.exe	31
PID 2140 wrote to memory of 2552	2140	Lfdmggnm.exe	31
PID 2552 wrote to memory of 2540	2552	Libicbma.exe	32
PID 2552 wrote to memory of 2540	2552	Libicbma.exe	32
PID 2552 wrote to memory of 2540	2552	Libicbma.exe	32
PID 2552 wrote to memory of 2540	2552	Libicbma.exe	32
PID 2540 wrote to memory of 2580	2540	Mooaljkh.exe	33
PID 2540 wrote to memory of 2580	2540	Mooaljkh.exe	33
PID 2540 wrote to memory of 2580	2540	Mooaljkh.exe	33
PID 2540 wrote to memory of 2580	2540	Mooaljkh.exe	33
PID 2580 wrote to memory of 1860	2580	Mffimglk.exe	34
PID 2580 wrote to memory of 1860	2580	Mffimglk.exe	34
PID 2580 wrote to memory of 1860	2580	Mffimglk.exe	34
PID 2580 wrote to memory of 1860	2580	Mffimglk.exe	34
PID 1860 wrote to memory of 1716	1860	Mieeibkn.exe	35
PID 1860 wrote to memory of 1716	1860	Mieeibkn.exe	35
PID 1860 wrote to memory of 1716	1860	Mieeibkn.exe	35
PID 1860 wrote to memory of 1716	1860	Mieeibkn.exe	35
PID 1716 wrote to memory of 2400	1716	Mlcbenjb.exe	36
PID 1716 wrote to memory of 2400	1716	Mlcbenjb.exe	36
PID 1716 wrote to memory of 2400	1716	Mlcbenjb.exe	36
PID 1716 wrote to memory of 2400	1716	Mlcbenjb.exe	36
PID 2400 wrote to memory of 2392	2400	Moanaiie.exe	37
PID 2400 wrote to memory of 2392	2400	Moanaiie.exe	37
PID 2400 wrote to memory of 2392	2400	Moanaiie.exe	37
PID 2400 wrote to memory of 2392	2400	Moanaiie.exe	37
PID 2392 wrote to memory of 1552	2392	Mapjmehi.exe	38
PID 2392 wrote to memory of 1552	2392	Mapjmehi.exe	38
PID 2392 wrote to memory of 1552	2392	Mapjmehi.exe	38
PID 2392 wrote to memory of 1552	2392	Mapjmehi.exe	38
PID 1552 wrote to memory of 2012	1552	Migbnb32.exe	39
PID 1552 wrote to memory of 2012	1552	Migbnb32.exe	39
PID 1552 wrote to memory of 2012	1552	Migbnb32.exe	39
PID 1552 wrote to memory of 2012	1552	Migbnb32.exe	39
PID 2012 wrote to memory of 2728	2012	Mlfojn32.exe	40
PID 2012 wrote to memory of 2728	2012	Mlfojn32.exe	40
PID 2012 wrote to memory of 2728	2012	Mlfojn32.exe	40
PID 2012 wrote to memory of 2728	2012	Mlfojn32.exe	40
PID 2728 wrote to memory of 2428	2728	Modkfi32.exe	41
PID 2728 wrote to memory of 2428	2728	Modkfi32.exe	41
PID 2728 wrote to memory of 2428	2728	Modkfi32.exe	41
PID 2728 wrote to memory of 2428	2728	Modkfi32.exe	41
PID 2428 wrote to memory of 1780	2428	Mabgcd32.exe	42
PID 2428 wrote to memory of 1780	2428	Mabgcd32.exe	42
PID 2428 wrote to memory of 1780	2428	Mabgcd32.exe	42
PID 2428 wrote to memory of 1780	2428	Mabgcd32.exe	42
PID 1780 wrote to memory of 2156	1780	Mdacop32.exe	43
PID 1780 wrote to memory of 2156	1780	Mdacop32.exe	43
PID 1780 wrote to memory of 2156	1780	Mdacop32.exe	43
PID 1780 wrote to memory of 2156	1780	Mdacop32.exe	43
PID 2156 wrote to memory of 2940	2156	Mlhkpm32.exe	44
PID 2156 wrote to memory of 2940	2156	Mlhkpm32.exe	44
PID 2156 wrote to memory of 2940	2156	Mlhkpm32.exe	44
PID 2156 wrote to memory of 2940	2156	Mlhkpm32.exe	44
PID 2940 wrote to memory of 1512	2940	Mofglh32.exe	45
PID 2940 wrote to memory of 1512	2940	Mofglh32.exe	45
PID 2940 wrote to memory of 1512	2940	Mofglh32.exe	45
PID 2940 wrote to memory of 1512	2940	Mofglh32.exe	45

C:\Users\Admin\AppData\Local\Temp\25126265981d6528f032830d7f2ba2b3bdd1dc7d306b85b4436e2c794ab750e6.exe
"C:\Users\Admin\AppData\Local\Temp\25126265981d6528f032830d7f2ba2b3bdd1dc7d306b85b4436e2c794ab750e6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\Lfdmggnm.exe
  C:\Windows\system32\Lfdmggnm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\Libicbma.exe
    C:\Windows\system32\Libicbma.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\Mooaljkh.exe
      C:\Windows\system32\Mooaljkh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\Mffimglk.exe
        
        C:\Windows\system32\Mffimglk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\SysWOW64\Mieeibkn.exe
        
        C:\Windows\system32\Mieeibkn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Mlcbenjb.exe
        
        C:\Windows\system32\Mlcbenjb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Moanaiie.exe
        
        C:\Windows\system32\Moanaiie.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Mapjmehi.exe
        
        C:\Windows\system32\Mapjmehi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Migbnb32.exe
        
        C:\Windows\system32\Migbnb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Mlfojn32.exe
        
        C:\Windows\system32\Mlfojn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Modkfi32.exe
        
        C:\Windows\system32\Modkfi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Mabgcd32.exe
        
        C:\Windows\system32\Mabgcd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Mdacop32.exe
        
        C:\Windows\system32\Mdacop32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Mlhkpm32.exe
        
        C:\Windows\system32\Mlhkpm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Mofglh32.exe
        
        C:\Windows\system32\Mofglh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Maedhd32.exe
        
        C:\Windows\system32\Maedhd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Mdcpdp32.exe
        
        C:\Windows\system32\Mdcpdp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Mgalqkbk.exe
        
        C:\Windows\system32\Mgalqkbk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Mkmhaj32.exe
        
        C:\Windows\system32\Mkmhaj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Mmldme32.exe
        
        C:\Windows\system32\Mmldme32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Magqncba.exe
        
        C:\Windows\system32\Magqncba.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Ndemjoae.exe
        
        C:\Windows\system32\Ndemjoae.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\Ngdifkpi.exe
        
        C:\Windows\system32\Ngdifkpi.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Nibebfpl.exe
        
        C:\Windows\system32\Nibebfpl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Nmnace32.exe
        
        C:\Windows\system32\Nmnace32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:600
        
        C:\Windows\SysWOW64\Nplmop32.exe
        
        C:\Windows\system32\Nplmop32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Nckjkl32.exe
        
        C:\Windows\system32\Nckjkl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Niebhf32.exe
        
        C:\Windows\system32\Niebhf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Nlcnda32.exe
        
        C:\Windows\system32\Nlcnda32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Ncmfqkdj.exe
        
        C:\Windows\system32\Ncmfqkdj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Ncmfqkdj.exe
        
        C:\Windows\system32\Ncmfqkdj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Nekbmgcn.exe
        
        C:\Windows\system32\Nekbmgcn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Nigome32.exe
        
        C:\Windows\system32\Nigome32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Npagjpcd.exe
        
        C:\Windows\system32\Npagjpcd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Nodgel32.exe
        
        C:\Windows\system32\Nodgel32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Ncpcfkbg.exe
        
        C:\Windows\system32\Ncpcfkbg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Ngkogj32.exe
        
        C:\Windows\system32\Ngkogj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 140
        40⤵
        Program crash
        
        PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lfdmggnm.exe

Filesize
45KB

MD5
70432f62d2d0c839d20675fdf8422ace

SHA1
7096419191a9133ce932fc6f7de89409b63c6893

SHA256
9347db1a344695814d8eb51a5df96b969adefc8fd1e814d98ff76f74ff4ba798

SHA512
4127c03a02cf70427e639c4e35778b8f2e32310035f26f5226fda3fbb7293ce2b6dcc76a3ee3438720fe0bd5b5a3e77a13f0c161d9d0b7f2e604aa1f6f2b5b17

Download Submit
C:\Windows\SysWOW64\Libicbma.exe

Filesize
45KB

MD5
8c959fbfdc7898b66944e7b5c5e4c577

SHA1
d3fb7d25755b8c2b895803bc3ec7789c7d6cc038

SHA256
8fed6d4758a74ac12d2972bec5292e8fcf8d4cea86e391f95191948982d2537e

SHA512
17e81ad09202efb40bae92cf245955201c77fc4aaabdb5b97c02028a80a3ed1d680051834908f24bcd123d327080dad39e5f33bb98d88a3d9ac7442eb680854a

Download Submit
C:\Windows\SysWOW64\Mabgcd32.exe

Filesize
45KB

MD5
d0bc05e1c47e01f146baab8c2e755d84

SHA1
a28a7475afd1c51d2ade8bce329f1c03e6ce5a52

SHA256
b1ae6693f05ddd304dfb2300d1849b60b9b90b7a0ba0594b3cadccdfaab3c7eb

SHA512
d555504dddb322ccfb057af938b6f98f21ead63e84ac35ee65cd92dc88cc0985cf223638528019241cc260719ce091b6c95b8e99158ebd88246b1d44582c3a9e

Download Submit
C:\Windows\SysWOW64\Maedhd32.exe

Filesize
45KB

MD5
0de71240f487424a47b2d03281209262

SHA1
2dad82520bc0a071299a35f5b2f07cab3e3534d5

SHA256
b79b0fb0da1c94346e18651de388404add4bb6581dcceaf52df091b2e85294b4

SHA512
51ddbec06e35f3d99c1d0a28ae35b6f053ca426befb88bb5d8972e8427707f72c1c4c4cf22a671e9e8c3ed0ea842a3dc203359134adde47c81399cd98cf1402b

Download Submit
C:\Windows\SysWOW64\Magqncba.exe

Filesize
45KB

MD5
bad53ac0f555bd7133c125924602caa5

SHA1
3cb8242ec9cac4da90e824c860a52757704ed4df

SHA256
354bd8e96f343812977e3885d44ba1314d867eb35d9b8984db46f6d21f2c1ac0

SHA512
fb511f5e789c2e64aef83485e45a66d8d33ae2893abcbbccbe010a4aa9bf71b211815f1ed94fbc44e4267726f01b6f01fd50c7d48c524665c3a6bce7c7966848

Download Submit
C:\Windows\SysWOW64\Mapjmehi.exe

Filesize
45KB

MD5
1d453c3ac84bd1616146be1da80eb26d

SHA1
dc736652070d1a18f282cb37763bd8e825209df9

SHA256
9381148c955fe70fda2842d8898140004eb710ae162064810cf2e897faa24b66

SHA512
fab0db722b4f427a932e73e94a0f27d32c3153687a1e25be0dd62ccfd6b94e201cf3560d5c5d1f7506abed4b4c85feeb809521717f1c32d7d309de72cf2fbe1f

Download Submit
C:\Windows\SysWOW64\Mdacop32.exe

Filesize
45KB

MD5
31e06d1629e66a76ffb00b4b04c920aa

SHA1
ec37bd03cb160a8fba2ebb20637ccbef47164a95

SHA256
38a35a104d1ff33ce29c53a5a200ae69c2da452a031c4b6248adde5735d05847

SHA512
126c8309a83903affb4546deddd54253c1515a78d3cddc40778754c2faa2df1c5b9c0b28ed15a3f514d671c95c6dfa93394d6ba6fe2b3337ba0110d88c5d106b

Download Submit
C:\Windows\SysWOW64\Mdcpdp32.exe

Filesize
45KB

MD5
4837e1ecf767425734b161b69575df3d

SHA1
bdfa8a3ebf045af25fe04ca1048ee7bb00257bc4

SHA256
9e083f37c111a848bb199412f2aa089f304ac4a0ec879ea08e7effc565f88ecd

SHA512
00ab04b33753e7c502ee0f30f212538fdbff6df4ad260a417f10d0aac7297712852d27f2964aea994404ee8507c694efd939da424ff8e83467634ced29abcc71

Download Submit
C:\Windows\SysWOW64\Mffimglk.exe

Filesize
45KB

MD5
81b29e7ef73da6c092050fe411499da9

SHA1
d76578dc24f4d727403125d153d10cbeb2f11448

SHA256
9d220369df22ce261af5a791d9adc4ef232d48376735b1494b4e0a15ef2f5b16

SHA512
492a6c284430dbbb1cc6b4593bcd5cea7adf8e0f35f284ba645e81e63dff96c7dd79df62eea65ad6b9f41bf69945aabce020571ae8351cfe15adb5b892c4a77e

Download Submit
C:\Windows\SysWOW64\Mgalqkbk.exe

Filesize
45KB

MD5
f805fd274e36d6915f4a6043d429375e

SHA1
6ff4120189fd2a69c8bf14269965f5670eadcbcd

SHA256
ef47cfabda650448a8b6774e73f1edefd7eec97adc4739cb7ed84fe07b685e2b

SHA512
73479930de0b4bcefe0cbd318bfe8016c7f531ab89e7992831520aae4263ff87df095780604908dc14317b598be421de9b4f961841951e80eb45a7bef84430f2

Download Submit
C:\Windows\SysWOW64\Mieeibkn.exe

Filesize
45KB

MD5
8703207fb9cb6c75af0bb89d8a76a90b

SHA1
1c1ec3dac5a767eed719d9029ad55d7b1ab36b31

SHA256
ba0c0a3502d31413e6d63bf84c59db592d57e75c1cff689d36fbd79029cae113

SHA512
69b2ca19261b638d7720fc41cf065ed11a32ef2172dfd52784e0623c2395949cfebeef6d67e9620d78fb2c79f6d4b13db203a17d6137cbac46add939de6a57cc

Download Submit
C:\Windows\SysWOW64\Migbnb32.exe

Filesize
45KB

MD5
4e8480000eddf17115a25d92964ddf07

SHA1
ad73ae926be6eff167a94dce3aa210c371a5f786

SHA256
45a1a10c820f86409d92795a3f86b85c852076be7270521321c7fa4b63051cf6

SHA512
a00a58a2924b67e814bc71cec6a770c5c3c45fcf237f4466c2131ec37b5558ac3b80c0720af4165cbd122f9255c2dfcb04094cabbb6bf233ea6bfa2c903d9e94

Download Submit
C:\Windows\SysWOW64\Mkmhaj32.exe

Filesize
45KB

MD5
7ccd1666cf91a9a9ccbf896b81a2689d

SHA1
10f1694a04750d7f5dd007c33334ef80e355960d

SHA256
6fe1e0be707214914d0a727b20a2d4aec8b3eb74d863736650fba42a33a2a4f5

SHA512
7208d19608dc0e9ba1110da423551b7146f585f9f24e01d5d8a57e7693676588332c1086a21c4f0af5466e42aa5102438920a4e95d88a0c0a38e1d6f285ca67c

Download Submit
C:\Windows\SysWOW64\Mlcbenjb.exe

Filesize
45KB

MD5
2f6ae5aeca390fda9d08dd547ec11003

SHA1
74e21c60b88bff1690d675bd17b258a5da9fbaf9

SHA256
d28a04518628728cc27345f952fe5f22fcde6040f98c6d57a06fa1f92db62e3d

SHA512
52589c5c0ce2869b0ed3838555459a5e44895b27e7bb80936f18673d38731a08f11dd70bcb1b49a770b4516d78b705671c4bcaf4b32957c11e7e98e5488ea226

Download Submit
C:\Windows\SysWOW64\Mlfojn32.exe

Filesize
45KB

MD5
4cbed1e950b3feeab123c96df5ebaf2b

SHA1
742d8fa73ac0f658c25c311627f9f3422c93dc1f

SHA256
ad3150ded1aa44e3d69a13578d225cc031e9ad5fd219e423a7943550c3da4063

SHA512
5bac83526f1ab596be95d354129870dd86f52771c9c9b108b1df6d196141becadfe6d8aec1d5018e8bec929a68526a4a441f9cf3534dfdc892be9025dbeee295

Download Submit
C:\Windows\SysWOW64\Mlhkpm32.exe

Filesize
45KB

MD5
2281548101c5ed2d09da8d387a952d78

SHA1
a70e951a35c923b8149e1cae164cab271e03ff73

SHA256
7316d0da8c29b130bce844f915194032b53b82a45f0eec1113802ff218d06ba4

SHA512
39183aa6916f9d19c3c6edb3e8686d4c05b1382334588615348dff8129acf0af14e753295f88104d739abe0f497f2c7547b65fc7f9aa01608b9f58c1e3e16249

Download Submit
C:\Windows\SysWOW64\Mmldme32.exe

Filesize
45KB

MD5
248be7edcf546903abb01ed3c2ee603e

SHA1
4bc43d5aab7cbf67b96fdc24f2021070fcbdd91a

SHA256
9d9d8d4464e9cb517653f0c6a1fb1b13fdc7b628f340249e2632785743829094

SHA512
16869b4b9dcf2e6793266bbdda1483762c7eaf7c3361f86d8087827a541b41956718c0de9b91e3c79661f93f244a0f527e99245f879e351d823cd1c8f90d47af

Download Submit
C:\Windows\SysWOW64\Moanaiie.exe

Filesize
45KB

MD5
a57ea0823f69ae9476a65be9d62454a8

SHA1
03ae35f21f437165af9a79d8f3de8be56ae196ef

SHA256
8e551e0f52a4af61f4d6ac0e9cdf083be3f422948a906a4dac05f425c9f8c83a

SHA512
135e06717cbb62973bda384648f08a6d6d132543a9666694ac74fe6e7f74ac0177f54bc57fed95e720522227817bb598a681f0cb53214d43ce4f7ffe7962545e

Download Submit
C:\Windows\SysWOW64\Modkfi32.exe

Filesize
45KB

MD5
117fa40a51088a5c0cbd6f0ad2051461

SHA1
9ed42f5941413ae38d8800341d56933edc5673ca

SHA256
b0f2c3a8b255f6bd9fb12142d55d4331be156b40b07fec9f0e0657558355f144

SHA512
3b556c3d855e5b7aa8861540e053533cfbbd502cb65a88d6fb405ec4f03bb5e09ab45f89c0b645808470a53894ff5514261e9538b7aa3fcddc09315a7f76c917

Download Submit
C:\Windows\SysWOW64\Mofglh32.exe

Filesize
45KB

MD5
d70f5ddfd2afc5a2c5b424c23fd81838

SHA1
f0039a21990d2b6f4e5032e6385e207161ad9117

SHA256
518e0bf5de64925678cc99e062990d976346fc26fab9c7a310d8d88b39212f0e

SHA512
70a9eeabc70739e380b48563e75ac08fe53fd9a09c2473d05e926c30523df49b017757812153f57b2c4cfaf62337cca9a9e25e79c8a83bb39d5d931c51b67331

Download Submit
C:\Windows\SysWOW64\Mooaljkh.exe

Filesize
45KB

MD5
231d1149936c8c24a8a12e7f09d05e83

SHA1
e2444b47da2face499ab5f51b7c13ac17b7402b1

SHA256
cb2a0741edb70165551dac0b9c5e2f5416d810e6359b8a2fe5203777df705bf0

SHA512
a0ca089e6401e371be7a7cabd3eb46a38e9b96c91b5e0f11737a006b423427785a24d83cbb51b0254e5b728244e895167998719108172bcd390e5d9f36d4f86f

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
45KB

MD5
0ded60a42309a4966f4db3e6b377b5ec

SHA1
7441a7941f339e5711a03371ca766eddef4e399f

SHA256
a2313c0d4ebea1a17007fd3d61f27ae34edac84dae5552ad50d365e40bb87762

SHA512
c8b843afc589de76d0379c7ace64d14cbc7310579fbad8c9bf5ee577f2280db2db92af50b29be9920ee43f0405a501af088da24bb19fa4508bf2dcae2b190190

Download Submit
C:\Windows\SysWOW64\Ncmfqkdj.exe

Filesize
45KB

MD5
440228380e8b58d3b0a50a7f8785ee7d

SHA1
150362fafe726ccea7cb5a66973b21b91290451f

SHA256
603b4347256f13dd3f0ca8c09c194e53b91876cc8a37b0ac466ba00b4c44316e

SHA512
da88a2b427c2ce6f77d48d66f180d07396d5477b00e5a4a14fce78b572d92fa1b4bd18279e6e66f88220308a2ae527325a7cb7a2d1e86f7f1265bbfd92bd652e

Download Submit
C:\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
45KB

MD5
0eda5febf64b2070fdae208d37bbb4cb

SHA1
9130abed01675e05db2b22a77d64c42cf98bcbaf

SHA256
80b89ea342adc8b7911eb9aafe7b68b1ca931def8fc4daa789cac90580bdb4a9

SHA512
cf71b7103635c90f32889dbe7dc3e8e609178ddd272568a0ad25829194303492110d4e7f25669c47dcb9ba384072d15d951e87bfda6f496d9e2a71253cb8ecc2

Download Submit
C:\Windows\SysWOW64\Ndemjoae.exe

Filesize
45KB

MD5
6c60dba8788b3bc24b4b4384bfbca626

SHA1
c4bc805a562141dc6935692d7bf02332194fe5bf

SHA256
0eb7b140bb323c6207eb1326469b33b6c7f499010b3d3120a58db8299370b6c9

SHA512
170f5d06cbb50e956bc5a8ffbdc16496bd08fd82d0bbbcd67e8bf9f8e3d55d5fe70a3f6fba43ec3b17ab5add0ce65100e8ba588eaac4daf6e69fea27e35e780a

Download Submit
C:\Windows\SysWOW64\Nekbmgcn.exe

Filesize
45KB

MD5
035e6dc9cf61fcef95588629000977ae

SHA1
2e4f5d68651416b33942651cb6f2740809911d2c

SHA256
81ffd45fdbee3b761a970cd8dff5316070a40e41c720fa900a2406af24ec5f8c

SHA512
406c716db76f5851cf3ce2579c6754522f6685885ce8ecc2c6bc37882095737819a440153cd8ca3b7720c18f392c003a42084a5459a3ff32fa390608f7f96c69

Download Submit
C:\Windows\SysWOW64\Ngdifkpi.exe

Filesize
45KB

MD5
89c7d78f8fa7464c40cfdea44c23c72f

SHA1
007f25589671e6757f65a8528d2ef05af7e7bf75

SHA256
551e487366a640b09572ad0c7b743718cec8063853a41fb05c0ccb4b4051ae1c

SHA512
9ece135b66367bd6ba7724d121b0073f89b68d8bdd7b24cdbf99e6d1517c81ebaa842196528666c12322225391fa28cc2e28e482617f34f35749487a670c2901

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
45KB

MD5
3793fe00aa8295e951cb844d8b799a8d

SHA1
7601ef09c0e38fb43849494d31557945fbe098e6

SHA256
506194d83cea66fa8243f8148c5a628e24f3bbf4678ba7d41307353c07b7b4f2

SHA512
54190c254c9270240d72af5683fb4039faecf064b3cd850f3daf53df8f9ab609bd9425baa4d2d466e587d2b4a643524d80d9dd8363783f5391d6edaca02074da

Download Submit
C:\Windows\SysWOW64\Nibebfpl.exe

Filesize
45KB

MD5
3eb2f3c67ad7af455151fc62775f7bc4

SHA1
0db821b5b8e3520c762cbde4e385ccd11664708c

SHA256
ea42cb5c13af1ea5f5c7695d07f55a6b5bf644be9dffe10d150e96f51e373c5b

SHA512
e39ee0ed4fb212da5085f63e48286a8608715d96c724f32d6a2ef59770ff83cf5ed6b66cd8f430ac72bd72cbfbc1755e61e7bba02d8148a6385b390543aaf3f4

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
45KB

MD5
ee96b1c4bef45d8504442d67a7a1e930

SHA1
18cc85f9c22daec954e980be4de6ed1244b14592

SHA256
1f2263d3439dd89b1103d13fc39a0cbddac4aa83d10d46e3a4fd0d8dcca07720

SHA512
681539cdcb325515319c44ec881fa63ec74f9d307e61b4170afa798f772c9bdacf0526556428dbb0e58fa777cca3adefd6982b6e3593245e72dd34cd98b1c0c8

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
45KB

MD5
4596440783cef09d3b118a80871e4d8f

SHA1
ca7855cc5f92617f5d609612c5d12dd762252840

SHA256
bcff20056fa550031fa444f0114852522d363f17bb0d40dc1ee1f9676f0eca95

SHA512
334bb27c93f40aa6794fab99cd6203076f73f3d803a972acb197619cc572cb4546129832e20f289c0f680a0cb8c69cabcf883c55f7ec2fd71cf5de6482d12bbd

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
45KB

MD5
b6ea9cc5408fbc515150ad0039e99380

SHA1
ba9015f18f92ab93f078fb1187a0e585807b002e

SHA256
205ba4fc956284df91812eeb166e7498dedeee7e18f7a1ef64eac2d61d76f731

SHA512
bf130ee0207f27365c9a2b35cdf4d109428eaed8be0b20bbfb073a13a5446c8496d0ef16d24d5737972e0ff20ae1c8326059f125fb41969768df717bebc56b1a

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
45KB

MD5
00dcfcb29b525c169dee9ef274d02c55

SHA1
170b5dabd1b6f25867c2a652753c37aa1aa53568

SHA256
ba6582931c6a61b2a686c5a6c8dfe2c37fde99e603c2bcc114b38012cc043e0c

SHA512
59d6881950ffeb0429c12ef44577bbfb561edc50eda1259e3e33654a0dab58900b76888d4eb5e3e4439a454c51967a2ea3133bf79fb72c3792af8ae6728e0b45

Download Submit
C:\Windows\SysWOW64\Nmnace32.exe

Filesize
45KB

MD5
e04f2e787b0aaa61bb26c77cbc35f604

SHA1
27875e08c8137c504328fdb466733a77b0ff2fba

SHA256
b22b7aa25ff41cceb5b036c1286a132bd6480616b1472cf103e0925d40a9085f

SHA512
06292905a329a5d5e0c5c1645fa09e3f11a3cb8d0a02a84f4e95f5f0e2a480bc6f0b954259dc3c1e527af16d9bf262288d2ed56028d2a489d96310710c793cfc

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
45KB

MD5
52c5193e2c180adb5c2f88891d5e33e7

SHA1
e1e64f83137da84e28c3689d2c523fc9f6a74044

SHA256
6ebba0b7b724c2391a798e88f4129bb46fe5064c27e3dd5f9ab75d51fc830cee

SHA512
ed85547e589cf2974b7f1072caf3d3190efb48f70dfbeca9c507e6e855b0ccb2e139221454da55e308850ee2dd57b7cf711a8d3d3b15fcfe6f50e74c39faee5e

Download Submit
C:\Windows\SysWOW64\Npagjpcd.exe

Filesize
45KB

MD5
1b7b0aa467f9e3363ef83dad2fb5bece

SHA1
8c93c8679291669e9b35164baef9351f2f839949

SHA256
ad835569b94d059135ac236424bb483ff0ab3db0d2f1b10480effd5aaf7f4a58

SHA512
633c9c73fb6b08da29e537b934312891a586ca16fc3ed70c4b711a28bd1f2e8cc4a280c97c8bc661a5cc5b3c7f9257bca91beba15d1d229bd76da83bf72b050c

Download Submit
C:\Windows\SysWOW64\Nplmop32.exe

Filesize
45KB

MD5
8a55eea382e34822cd926d6cabff749d

SHA1
cf59b9109beec32f01a0ed72eaccbe65e67318a9

SHA256
b2e1647e2d4657cf4d9fc282d0b8ef4a8862bed78c8cea5124fdaf9a0ec6c5a2

SHA512
6e43eb4dc274f4cf420485d28b1a02cb4cc15e019c0dd4d61d84672fc55d3886f8fad51d2577ff754a5643dc9ec7792ed6a5b91d0cd19d8a571b983259b8db93

Download Submit
memory/600-303-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/600-308-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/600-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/656-228-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/656-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/876-247-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/876-465-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/912-278-0x0000000001F50000-0x0000000001F7F000-memory.dmp

Filesize
188KB

Download
memory/912-459-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/992-444-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/992-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1012-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1012-350-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/1012-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1236-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-416-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1512-475-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1512-219-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1552-427-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-128-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1716-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1716-92-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1780-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1780-181-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1780-480-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1784-251-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1784-257-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1784-463-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-438-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-393-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1832-433-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1832-417-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-74-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1860-79-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1860-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1948-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1948-428-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1980-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1980-404-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1980-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1980-405-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2012-429-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-146-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2140-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-21-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2156-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-477-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-372-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2180-373-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2180-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2392-119-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2392-426-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2400-101-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2400-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2428-495-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2476-286-0x0000000001F20000-0x0000000001F4F000-memory.dmp

Filesize
188KB

Download
memory/2476-457-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2504-447-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2504-337-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2532-325-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2532-329-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2532-319-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2540-48-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2540-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2552-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2552-34-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2580-66-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2580-378-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2688-313-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2688-318-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2688-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2728-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2728-155-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2728-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-336-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2816-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-11-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2816-12-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2920-468-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-238-0x0000000001F50000-0x0000000001F7F000-memory.dmp

Filesize
188KB

Download
memory/2940-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2940-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2940-207-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2976-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-266-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3008-453-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-296-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3008-294-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3008-288-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads