berbew | 6459c1183bab332aaeb279722932b9e363bca0253bc94a0a7ed52211662ba4a6

Analysis

max time kernel
106s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/10/2024, 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6459c1183bab332aaeb279722932b9e363bca0253bc94a0a7ed52211662ba4a6N.exe
Size

163KB
MD5

badbf715cb69123ed366fffe6a3c2e00
SHA1

7c5b089f8494ad898877871af1c8f26136cd27df
SHA256

6459c1183bab332aaeb279722932b9e363bca0253bc94a0a7ed52211662ba4a6
SHA512

b2645a7f42143eba046dedfac751e426f176bb3abf3aac4aba510ed4f9f5284203c94c0f83c37f1cb15be4684f7ed51fddcc8234e7bceb9ecc8d43b8d7d63d35
SSDEEP

1536:P/GxliDXno5RYSpoih/I3Xs0VrELP+8qm0iClProNVU4qNVUrk/9QbfBr+7GwKrj:3G0XnKY2f1Itoh5CltOrWKDBr+yJb

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kedoge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klljnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcbom32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b66-24.dat	family_bruteratel

Executes dropped EXE 64 IoCs

pid	Process
4840	Klimip32.exe
1540	Kfoafi32.exe
2536	Kimnbd32.exe
2764	Klljnp32.exe
4836	Kdcbom32.exe
4988	Kbfbkj32.exe
4272	Kedoge32.exe
2824	Kmkfhc32.exe
4572	Klngdpdd.exe
1620	Kpjcdn32.exe
1128	Kdgljmcd.exe
2476	Lffhfh32.exe
2016	Llcpoo32.exe
3292	Lbmhlihl.exe
2956	Ligqhc32.exe
5052	Ldleel32.exe
1496	Liimncmf.exe
1476	Llgjjnlj.exe
512	Lbabgh32.exe
4280	Lljfpnjg.exe
3020	Lbdolh32.exe
1232	Lingibiq.exe
2628	Lphoelqn.exe
1732	Mgagbf32.exe
3744	Mipcob32.exe
3552	Mdehlk32.exe
2268	Mmnldp32.exe
628	Mdhdajea.exe
1672	Mmpijp32.exe
3616	Mcmabg32.exe
4792	Migjoaaf.exe
2888	Mdmnlj32.exe
5072	Menjdbgj.exe
4320	Npcoakfp.exe
2080	Ncbknfed.exe
1808	Nepgjaeg.exe
1728	Nngokoej.exe
1156	Npfkgjdn.exe
1992	Ngpccdlj.exe
4352	Njnpppkn.exe
532	Nlmllkja.exe
1632	Ncfdie32.exe
2316	Njqmepik.exe
1984	Nloiakho.exe
3220	Ncianepl.exe
1780	Nfgmjqop.exe
3880	Nlaegk32.exe
5104	Npmagine.exe
2188	Nckndeni.exe
4076	Nfjjppmm.exe
2176	Oponmilc.exe
452	Ocnjidkf.exe
968	Oflgep32.exe
1392	Opakbi32.exe
456	Ocpgod32.exe
1180	Ofnckp32.exe
348	Olhlhjpd.exe
1316	Ocbddc32.exe
732	Ojllan32.exe
3512	Oqfdnhfk.exe
3064	Ocdqjceo.exe
2680	Olmeci32.exe
2456	Ocgmpccl.exe
4688	Ofeilobp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pcijeb32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Lplhdc32.dll	Mcmabg32.exe
File opened for modification	C:\Windows\SysWOW64\Ncbknfed.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Phkjck32.dll	Lingibiq.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Ncianepl.exe
File created	C:\Windows\SysWOW64\Kdgljmcd.exe	Kpjcdn32.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Ngpccdlj.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Kdcbom32.exe	Klljnp32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Inpocg32.dll	Kmkfhc32.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Nniadn32.dll	Lphoelqn.exe
File opened for modification	C:\Windows\SysWOW64\Lffhfh32.exe	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Migjoaaf.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Mmpijp32.exe	Mdhdajea.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Npcoakfp.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Ojleohnl.dll	Kbfbkj32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Liimncmf.exe	Ldleel32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Benlnbhb.dll	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Mdmnlj32.exe	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Kfoafi32.exe	Klimip32.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6740	6652	WerFault.exe	234

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedoge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbfbkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6459c1183bab332aaeb279722932b9e363bca0253bc94a0a7ed52211662ba4a6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canidb32.dll"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klngdpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfcej32.dll"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klljnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Benlnbhb.dll"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchqfb32.dll"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6459c1183bab332aaeb279722932b9e363bca0253bc94a0a7ed52211662ba4a6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klljnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkenegog.dll"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpocg32.dll"	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 4840	3964	6459c1183bab332aaeb279722932b9e363bca0253bc94a0a7ed52211662ba4a6N.exe	84
PID 3964 wrote to memory of 4840	3964	6459c1183bab332aaeb279722932b9e363bca0253bc94a0a7ed52211662ba4a6N.exe	84
PID 3964 wrote to memory of 4840	3964	6459c1183bab332aaeb279722932b9e363bca0253bc94a0a7ed52211662ba4a6N.exe	84
PID 4840 wrote to memory of 1540	4840	Klimip32.exe	85
PID 4840 wrote to memory of 1540	4840	Klimip32.exe	85
PID 4840 wrote to memory of 1540	4840	Klimip32.exe	85
PID 1540 wrote to memory of 2536	1540	Kfoafi32.exe	86
PID 1540 wrote to memory of 2536	1540	Kfoafi32.exe	86
PID 1540 wrote to memory of 2536	1540	Kfoafi32.exe	86
PID 2536 wrote to memory of 2764	2536	Kimnbd32.exe	87
PID 2536 wrote to memory of 2764	2536	Kimnbd32.exe	87
PID 2536 wrote to memory of 2764	2536	Kimnbd32.exe	87
PID 2764 wrote to memory of 4836	2764	Klljnp32.exe	88
PID 2764 wrote to memory of 4836	2764	Klljnp32.exe	88
PID 2764 wrote to memory of 4836	2764	Klljnp32.exe	88
PID 4836 wrote to memory of 4988	4836	Kdcbom32.exe	89
PID 4836 wrote to memory of 4988	4836	Kdcbom32.exe	89
PID 4836 wrote to memory of 4988	4836	Kdcbom32.exe	89
PID 4988 wrote to memory of 4272	4988	Kbfbkj32.exe	90
PID 4988 wrote to memory of 4272	4988	Kbfbkj32.exe	90
PID 4988 wrote to memory of 4272	4988	Kbfbkj32.exe	90
PID 4272 wrote to memory of 2824	4272	Kedoge32.exe	91
PID 4272 wrote to memory of 2824	4272	Kedoge32.exe	91
PID 4272 wrote to memory of 2824	4272	Kedoge32.exe	91
PID 2824 wrote to memory of 4572	2824	Kmkfhc32.exe	92
PID 2824 wrote to memory of 4572	2824	Kmkfhc32.exe	92
PID 2824 wrote to memory of 4572	2824	Kmkfhc32.exe	92
PID 4572 wrote to memory of 1620	4572	Klngdpdd.exe	93
PID 4572 wrote to memory of 1620	4572	Klngdpdd.exe	93
PID 4572 wrote to memory of 1620	4572	Klngdpdd.exe	93
PID 1620 wrote to memory of 1128	1620	Kpjcdn32.exe	94
PID 1620 wrote to memory of 1128	1620	Kpjcdn32.exe	94
PID 1620 wrote to memory of 1128	1620	Kpjcdn32.exe	94
PID 1128 wrote to memory of 2476	1128	Kdgljmcd.exe	95
PID 1128 wrote to memory of 2476	1128	Kdgljmcd.exe	95
PID 1128 wrote to memory of 2476	1128	Kdgljmcd.exe	95
PID 2476 wrote to memory of 2016	2476	Lffhfh32.exe	96
PID 2476 wrote to memory of 2016	2476	Lffhfh32.exe	96
PID 2476 wrote to memory of 2016	2476	Lffhfh32.exe	96
PID 2016 wrote to memory of 3292	2016	Llcpoo32.exe	98
PID 2016 wrote to memory of 3292	2016	Llcpoo32.exe	98
PID 2016 wrote to memory of 3292	2016	Llcpoo32.exe	98
PID 3292 wrote to memory of 2956	3292	Lbmhlihl.exe	99
PID 3292 wrote to memory of 2956	3292	Lbmhlihl.exe	99
PID 3292 wrote to memory of 2956	3292	Lbmhlihl.exe	99
PID 2956 wrote to memory of 5052	2956	Ligqhc32.exe	100
PID 2956 wrote to memory of 5052	2956	Ligqhc32.exe	100
PID 2956 wrote to memory of 5052	2956	Ligqhc32.exe	100
PID 5052 wrote to memory of 1496	5052	Ldleel32.exe	101
PID 5052 wrote to memory of 1496	5052	Ldleel32.exe	101
PID 5052 wrote to memory of 1496	5052	Ldleel32.exe	101
PID 1496 wrote to memory of 1476	1496	Liimncmf.exe	102
PID 1496 wrote to memory of 1476	1496	Liimncmf.exe	102
PID 1496 wrote to memory of 1476	1496	Liimncmf.exe	102
PID 1476 wrote to memory of 512	1476	Llgjjnlj.exe	103
PID 1476 wrote to memory of 512	1476	Llgjjnlj.exe	103
PID 1476 wrote to memory of 512	1476	Llgjjnlj.exe	103
PID 512 wrote to memory of 4280	512	Lbabgh32.exe	104
PID 512 wrote to memory of 4280	512	Lbabgh32.exe	104
PID 512 wrote to memory of 4280	512	Lbabgh32.exe	104
PID 4280 wrote to memory of 3020	4280	Lljfpnjg.exe	105
PID 4280 wrote to memory of 3020	4280	Lljfpnjg.exe	105
PID 4280 wrote to memory of 3020	4280	Lljfpnjg.exe	105
PID 3020 wrote to memory of 1232	3020	Lbdolh32.exe	107

C:\Users\Admin\AppData\Local\Temp\6459c1183bab332aaeb279722932b9e363bca0253bc94a0a7ed52211662ba4a6N.exe
"C:\Users\Admin\AppData\Local\Temp\6459c1183bab332aaeb279722932b9e363bca0253bc94a0a7ed52211662ba4a6N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Windows\SysWOW64\Klimip32.exe
  C:\Windows\system32\Klimip32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\SysWOW64\Kfoafi32.exe
    C:\Windows\system32\Kfoafi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\SysWOW64\Kimnbd32.exe
      C:\Windows\system32\Kimnbd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        27⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:628
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        34⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        39⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        53⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        55⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1392
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        61⤵
        Executes dropped EXE
        
        PID:732
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        63⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        64⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        67⤵
        Drops file in System32 directory
        
        PID:3928
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:620
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        77⤵
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        78⤵
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        79⤵
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:220
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        83⤵
        
        PID:672
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        88⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        91⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5652
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        95⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        97⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        98⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        102⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        103⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5564
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5696
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        112⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6040
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        115⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        116⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        117⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        121⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        124⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3812
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        126⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        127⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        135⤵
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        136⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        137⤵
        Drops file in System32 directory
        
        PID:6296
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        138⤵
        Drops file in System32 directory
        
        PID:6340
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        139⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6428
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6472
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        142⤵
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6564
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        144⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:6652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6652 -s 396
        146⤵
        Program crash
        
        PID:6740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6652 -ip 6652
1⤵
PID:6720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqimo32.exe

Filesize
163KB

MD5
b76f43c7a61d4b635b060c577e368dbf

SHA1
1e0b70d66288a6c8419ed88e850f5d62a547d3d9

SHA256
12ae50f1c33ea4508483dde744dc00f5e917ea993dbef63b086bbac0a45b2759

SHA512
16732fc45509ac90826e2cad3467f25d97aaa9d4bdb7e4b03c1b55b67f1ae45e98fe4a685f820473c3565cc788682902bad4dd65c7f4c6adb34995bf9ab3d251

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
163KB

MD5
91898fdb086c82e5e2be2ce83633136b

SHA1
c3de776ee9fa87766308c8fd93682e9deec9c5d3

SHA256
4f9cdae9e800773a8f35bed8875e264aeb99fac1dcf80706648ba72c374d16d4

SHA512
01e840dfd5bf3c2460062a9bcd90906297e4045b9c8ce2210ef22a2ab25dd521df89f8950df59a065127761f25ae8a8e7b69d0c0e4d648ffba8ae7e351310c57

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
163KB

MD5
faf60c9e65160169299dd62d88b4a562

SHA1
66c5bf2330fac5f6e07cc2a0f5abd25ca3dd353c

SHA256
bdb39574042a2dcd2e45d30afb7c437fbdb5b9edbf1577ccfd1d52302e140115

SHA512
1aec7134067d6399572629315b9f61330c7df07d7e0fcffdbc2cd1ecd8fe6dde7eda246211117f99b60666df5b703318a4b2afe010f5df6431550e14fa1d0a99

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
163KB

MD5
e704e7d5e99bc837bb7cd0a8f317c9aa

SHA1
c79e495d3b0289d66bad3a3cc65d6bcfc8e281c3

SHA256
18740302ae1e5b34ccaf08c5c662301f08b66da88e35ee42ab05ee15f1d082c4

SHA512
d5b3ce6b6dafb91be43aefa9f9092aa5473641f05abfd8c391ca9ac6074670dc5b2bc08d6c0b3269f487753e1433342557c8832c46afe8a346e04af705ce345f

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
163KB

MD5
30bcd8361305a781abbc1785042f9c82

SHA1
dbf22bd28dcf5b0bab8d6d1557028128e6d2201c

SHA256
94333464855a7bf3774ddb8d5af14d90c71c805e80464246ca76105f26a0d8f8

SHA512
f4bab541e6836134e441b19c2c6dc9a33b6295137038cbd156fae7a136a8ab3bddec72ca311313faabcc9d30a4310b1985708483d3c5105c9770397272985bef

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
163KB

MD5
cc31f58253c35419b98d027e77c88209

SHA1
a722e714618e20a90265dfcffa430e6b8fffdeb4

SHA256
3d053a70c5a7dde08cd9c32c0c1f15e54e2456d6a2a2c9d17a312dd1e5b6178a

SHA512
e7f57d8efb478dd2f567f142801274fa907d63075bdbff7924a0e67852c1795de7b5afa2036915dc5397a50022c5eb93484972e65326adf0b7ad80b5105e7da4

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
163KB

MD5
8c4335473de155ac23df63397a66da89

SHA1
198507d4fd586e940700da0a0e4503df6436cb2a

SHA256
233710a71218f9723b4ebd084ba67ae88747e99ec6d8135119715a1be7649072

SHA512
9dd7023d4f00b617b1717b76c5cc20f7ef5623514cef213f68e1e9d37aceee21ce104d98bf87dd139f1f3ef084cdaab164f87303503f67501456bb084158f5c4

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
163KB

MD5
aa63ac3bd3bebe92be34b1adf3635144

SHA1
8df3616be9e867d9668d49710caea04cca246e0e

SHA256
1cb073eca043a584c728a666e7626ceba0d5a17421e7cd45e71409dea735218e

SHA512
9085af60d48156987a38d925fe3846bc4dc83a5618689a19e960993f36d6d18266555178671d65c987c47d48c94a87713eb857b4e31ef5571be9481e45d7876c

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
163KB

MD5
ead7e938f9bf1057fb56c74e9f286362

SHA1
9874373a81f58a3c998a54cadef04fde4ba1986e

SHA256
e0e3d088f134fd2ffa052f23b30bc0d8a6c1ef30c63fa3a3efa4494f827a7737

SHA512
c09904cb3c93d331124efd69ed0b56bb201f46cc5f613a33cd86eac483fdc58c12a8e15d2cea10458b8d3cf5825fd793ba5b9f1cd7daa7a9d56c0dafb66d08ce

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
163KB

MD5
b04efbe74192c9537c4b10f89de29d30

SHA1
3de1a3812fcb330068bf8340940cefe10643a255

SHA256
9f2e18e7fab557942de2ea117435663983ef4598755f03815e7bb7937d814d4e

SHA512
3c5e3fb7c3cafc994ee39d7ff7ab2e7dca0fde96887daf34c4541a85308f7c0f867b698e45465951214b97885a370dd3b9f498819e54b3ce2ba784e7930530b5

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
163KB

MD5
286eeece66bb88e57d40c6cfc90bd05b

SHA1
d94f35dff9b7816856719b37c14a123c250b5426

SHA256
0e0ca35f3904b564b6eddcc0a1ddf8c8a50a0dd8a0f47f099d53ec7baf3eb8c9

SHA512
47d94da9a4c179e29f46ba9c79e44e903da02b2611b38e890067b4071bb417b702b8716b08a4f8f7e742a54c83e3cf4581ea6303e081dfd2cb136e9904ce2603

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
163KB

MD5
c361be8e2a472fd1e2a66b292d5eec0a

SHA1
b722229d23d113eef98dd09b1ab019b9e78a814e

SHA256
c1c1d2c2568da433ba227df3d85190e4dfc557d197d0dcce54fc758899470a19

SHA512
d01fe4f9242e0f02f0337daa322a30b3c897649d474a404d2fe19f3fa5cf03b385d5ff2a1a87e639ad7d1c27c418355cbc0bebb9cf1c0118b934bc44bb9f2987

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
163KB

MD5
97202cd9c9757346e3642ca6aa7eacf5

SHA1
086a766ad36add3bf62b8d21d8611bf65bd1f1b2

SHA256
cbe0d6354ebe61ce215ee88e0dee91d27f972e13c762ff38a266d5e5cd67b836

SHA512
af22b0c0255a7ec8abff577922bae667f9712eaccf037914d1bef1ef74a5b8790753807dacc08c9615e329b9e10c69efadc6964ce7bcd98a72108ec138281106

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
163KB

MD5
0b8361b3227a5f3f5d6007356b4ce9bb

SHA1
c4b4d7384f646557f4315a4a45111a8a8e0db2b3

SHA256
a8d4212ec4a689ee90a5b256f1e27ba9d5506240e705e53c1ca2b98577e1618e

SHA512
5b6e2effe869e2bd5174c04579b8752c31ea462fdda75257ef56a9ac4eea75b9e91470fd299718dc8298505f0544b47d7acdad1fd20f163c2b72c5deefc360ef

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
163KB

MD5
19aa7408caebab612492ebf8b0eb7641

SHA1
b136e14314b7616661d40318b4495c34742d3aaf

SHA256
d976c6eda13bb9bc260335451eee01cade8b29d1eacfc5f45abee020a755553b

SHA512
11133a1e7aa4216da4f1b7ae0d9bc224e7114ab02ce751b229e03537af02a8f9ba748685a087439172ee0aa52158524b77810a263ea1ebc3209beb47a5daa6ed

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
163KB

MD5
e8a352026cb745a8579a4e24cc27f967

SHA1
eb402558e36e852519e05c98223878b7cad9186b

SHA256
38d7ced5ad0017caf2dcf5eeaa558aeb1059ee482eedbb1a31e939ae12ff7118

SHA512
c246317c60af30aca794ff26b0b07a42ac6e94fe8b5230db31fc6032daf92b598f15c23963f1fb22c861eff9e35192ba93462666999a36f1fede68b0a3d032dc

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
163KB

MD5
ea79b69c9a1ab2e15694bcdd8e2236e3

SHA1
89167926bbc0c31140e5a103b9e1dd5867f963d7

SHA256
cb42d1435385727064e05830474e2866debc0ec7969060390a482bf036bbbb99

SHA512
e753e064619abd1dad879c3f6cd15c3eb77998f859968a055f7f4f9b97c47f9820f81cda4e970319ca026da43b4b68df5c526b653e9a398d870faca10a297845

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
163KB

MD5
90a1eeb8b7866d3ee711860fad8bf696

SHA1
7165caab4b4192465cf310886e7fc07b66fbe832

SHA256
5dc51d7a29fbdc45729edeb8554e211a32faf0b025d291c1d2dab48568e8cc3d

SHA512
3f741ee6a01015ead8d25c6a21804eba585c2ffd1bb1a8b5595ff3d61eb587452cfdd7f0bcc69424915cbb62839a472622a667172f283850fcce846c919d0096

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
163KB

MD5
eec049696a7deebf147c0f0cb52a4be8

SHA1
45a18e9d8c19706a85c409d609dd237f56641b48

SHA256
06b920367f64f04177ed11f87202240723ee6881bed5392ba03869f16d3a9fef

SHA512
039987ad3e100c8fc160bbcd18a9d7177aca99a13721fd9e91b720667007fbe2341582659f0fdbba1565a1c8165fbf3b5fd72eb9652cd1ecea84f22b7b5b92bd

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
163KB

MD5
78816cf55c26220f99330ccfab8bcd4d

SHA1
dd97dea5e615bcc40f28bfc06f436b22d440fce3

SHA256
bb25f041208125af1a2457999b09be5eded111ac2c27ffad4acccc5b708ff8ce

SHA512
ffbcf75bda0388a2c3b4e8bbc92fc198aaed670fab8039393c4af280fb350d83c8688fa39730d0d1141d437e35b3a514445a75d42a5d6c13cac09bedf9871515

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
163KB

MD5
631551ec64fa2492da5044af32658a9a

SHA1
d29f14da1c59d2158e46a93200ccd45c69fea639

SHA256
766dd495767cab6ff23f8e5f65ab69aaaec8af2024e3051f3fa251aa3dd01bb3

SHA512
a38e46821927c73e07445a4d9d1d13e7ae1c5f6bd969cc28cb6da8b195eda0d1992df14689511f09ad5f0fae48a321bf01ec877c4d991ee414e20cb1c030d828

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
163KB

MD5
fcd8f98a2aeafe49ff1535fe98189fa9

SHA1
be9dd4b838055a0d16382522ec173cdf4f74c996

SHA256
fdb3982427bcb71c9ebc6a5f0b7114835ba0f3e73b1623ab99bc92f59f59f6bd

SHA512
1234c2d0c95ac0f15b32e7a9e73a0409d92ea34ad2fc11436a92f33afcadb20de83ad581f8565f25d4474766ec99b9d9159db16e2aecb96a0dd4cdc5d23dddd0

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
163KB

MD5
6ca179501a748b96f3457145abf21108

SHA1
8e634a7ab445e87adb4cf52644bfa6738a37421a

SHA256
8672f5d4d5d2fc4f6f2d0c64ef8abb455448f79b31e8bc2f46b7e5f7d5ee6377

SHA512
35501c3d09be9f0668fe0f64834a8d2a923e3485e99e64414be388b666661e470cc98cf7a848722ee9788cc9b4cad2ee12eaadc698bd2ea5d8f0ed50f04e5a78

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
163KB

MD5
0e0e7de16c37097ee926f222e2039a9e

SHA1
148b86c2cfd5e1cadc05907d4e970d40982254d5

SHA256
23c2ce74db724f3ccbb09db4d4f52868c9d7c6e3425d0023a77482d7f7d9e03b

SHA512
dc3a5d0f3cabf99ffae9c835e6950566e5b3dba398a77e8987f73ce6cbbb428c74ee76330a7255e0046abd0239e56fe298754b3b1420ce7b82422773e0a94785

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
163KB

MD5
fe2b977d169833a88ff5f9ba932867c8

SHA1
07cdc31cdc4a60f0e9877fd6e925c84d70892b2c

SHA256
efc20dc3cacd2062a1cf248f1048c64854c95c0782fed05dbcafd26927603421

SHA512
8ee7cac3a66f31e02c940dbb2f1eaa9cf94e505cc508cb70747721976417c4351937b579b71ef2356e48c19c918c0c66cb930174f1e5bac3be2ecb2c2277f2ca

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
163KB

MD5
00a5014574251f7680ab7d85b0f79760

SHA1
27a741efa20ea429be0715049497ef903f43e955

SHA256
e8803372ff9a6beb4b9e1fe76411ff217c7cd5323ed38f1f64bb6feee1dd789f

SHA512
10290dccbb5e7f1fb1d8b5617fee42b13784a9523a3a0cf4e079f39a135e926e8a3dc31cd42a8c9d9c9049aea4b3dff37398b60ed41646a6cca9afde90c3b4eb

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
163KB

MD5
2570482324bbb6421240d1704073ab0c

SHA1
5e521717f95254be7cd76d6a31fc51dd5c49e06d

SHA256
bee2f193e88253e1057cf134e53746bd89200ddfe67cf96776cfa3b5e58de226

SHA512
d6b544cd7c5dc2f1adc57130091225dbef8b5a8c9a99650467a1283ce53bfc1499aa6a0a115606f2faa54647ffd13a528ae675453175d1783b5fca816ce4b114

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
163KB

MD5
e5aeee2cf24c0c2978ee4cee7f66480d

SHA1
3c8f3e8d9a0b65341b091d10ba31763c37161165

SHA256
671e12c3eb860a2b82ba5219d68ced7fde296b7a511397f501456af50cff91f7

SHA512
0df4b49b70fd0766a454719e303de8b3874b8ba34d9a0783f56b2d5535f76f8ad14774ca14481e60dd80fd30bbf5483dcdc0ea8002a5765bc69b5151e5a02308

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
163KB

MD5
391c6ab766a0af575398d4b7231c4360

SHA1
000466ab8c577c260c58b06e45dd0da7ff622688

SHA256
38f5c03e847a2d6a9b68fb99bc4d18e95239bedcb25ea5764094881bee4c65c7

SHA512
1cbe77361253c42c1e1ee2d22f6767f82d08d26d8db0d7f8fad4f84c815dd132a332deeb83e27dbd410704e651be2443bb1aa652a07356d447f8102e635f2a59

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
163KB

MD5
0a803f34d4c8babbf1c043ad4bb3ecc1

SHA1
7ee71ea58cd5202ee12d32a9ce97894ad5f25b6a

SHA256
9dae3e76ffd1a5fd21a807c6852933f29f0199d5431939d890c2bb47089340c0

SHA512
1833bea8ef9c5adc2f94093dfe8299926f03fe2d3c046877adf2e5f8ae12af955261fece19cb4d9be32a2b37684f7fa224164463f3c4882e27a2b6e202560756

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
163KB

MD5
3be6b6544dc2d21ac0efd6a2491f7864

SHA1
b54ae0c7631d4f1dc71318c37d16c8519a7276f4

SHA256
b7b515e441a2b35566847c8fb2a01c06bb4ed2d473c5ee0feefab286c28cac8e

SHA512
ff0bcd602820dc6603a4b2c424147c31e796a9187abf5a946bec166401805a121e5389900624775d5a4cc361fe8c45a24f01663b555eba0b80963449338a56d0

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
163KB

MD5
b0794cef36a14a8954b713ccf135fc5d

SHA1
dd33a1c2241f261bc1917a4dfe2401910198c476

SHA256
62d4e80a649a0ef5a991c699b8be8559346fd878a52f842d7aa26ac7ca02aabf

SHA512
f634f7c45001e09bb226ef0604e448a503224d33f34ca91147b61bc69827f4174810fb3662287e9c9d214a71d1da6ef2bbefd95f2f8f1d02fbae4cdc35f0b8cf

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
163KB

MD5
1542086587d313340b5f337b706a18e1

SHA1
6f82cad908232866429f2b2c6184c9b6c7bab56b

SHA256
c75935d1ac82c21dd4126c04b6d44ac5a4b4acc0783dd5ad046296e61f2d5067

SHA512
4eba0a9c161f9af29b202bc43b625f7c7f799e8cbb04aa96d5d80cb185ec45f06b4e701bc3b128cf1493ed8c58ecd2d8f4acdba8e2a2f948fa3a802f15645df2

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
163KB

MD5
2621f22e847bf12faadb323f8c1843fd

SHA1
d0b6e531b3adfdb93579125c0402029aba98bc83

SHA256
9a8a41c7ea742cefbb36dead0bd63a22dd45a2576bd0827ef80d57c3b395f200

SHA512
1b73b3a19183b22a6659b184654e9f9279e6fc504c1938d99716e840c0657ef87279bc360e3b630ed4838d9410bd5cb1e93d5c85fb95f2dd7a2468c76624ce33

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
163KB

MD5
b46eddddf254d192722a744661792201

SHA1
1c7d6897acb59eaa8f440a33de0828687d603eb3

SHA256
65c4e0ec6a6213b2dbbf19191a1e2bd6726f0595313c66f670943214c67c8284

SHA512
449178df3282b4638d55ad44a42cafd85fbc0bc4f34ef4dbfee5d336a0181a94e337f4af6f584b2b5bdc41dd662798f887b8d7611504c39e7ae68e609700a7b7

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
163KB

MD5
f368062b71c156d50e9b3b09a1dd39cd

SHA1
3e87e5a795405d3b11caeb7bc1b5162f703a240b

SHA256
73a8f75904b2baea859ae80f6f23c53ccb4b03997b7bd09520d75788fd0f8652

SHA512
e14285e6c65552342d033c51438157fa736b2e067aea9fdef1ab464b8b6612f5573fcaed48a737c7d1300ae8848105c787a18faa70c6ba93616390510cb7290d

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
163KB

MD5
cbc37dbebe7d976a2b266c4024497d54

SHA1
67969166e7bb32f0f8d9074fc034382b0d19c1b2

SHA256
fb4c3b12648162c88e8db6154f54db896f193d3e340a856758466c03c36b4a39

SHA512
6137957e2ec72345fbb17e661fbdc8e51c243bc2fa01eac2a7ca4b1b4c5ea3e4fe123c182bbfc9efe41a0d29912f3209aad4f41899ef404decab170559785c77

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
163KB

MD5
fb0dcb01b1b9a4e56566503c8f09fc52

SHA1
f6882c4e104283c9e3fef61cb37a3c8bf954e919

SHA256
1168a93af8fc9a518ad82c5efcc5cad9795080761a8f3e776bbc10e32baebe0b

SHA512
353bc1c10a3b29dd7a1ea4367df5a7ce7ec4590bdd8212260f7221b422d7711c83081e7e64a09c178b99fe5bebc71a820d8671b28c48a717d16122008efec54f

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
163KB

MD5
2a7a636bd8977cf3457a7a43152e6e8c

SHA1
dea4ffd5783b4710750563d25f50bfb506391273

SHA256
d1d63d9e132ef4751ef313bf8eda91cae0dbba97f348f0d99834a8c0a78f912f

SHA512
621b408ba86d4a1cfb4807f306c66966704e644320cabe2cae57200b1510e2a023b0e5e1cea0fc9a4c733793729c7ea9ed6efce1a443144d9656e1d9d50dae1f

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
163KB

MD5
cd1b69cd488f3144c8563402773e08df

SHA1
5de5d47066bf607ad857a0c9ce97b64b3d203d34

SHA256
1113ad2a11ece2aeceedf8af61a9b5ae16a2c580ebf393b51b2d31e8e04e89b0

SHA512
d506a288ff4368311a8ea5c20a5143632a26b82a52bdc452871c7dd7b0e5402e0ce2b59ad06b05a40aa2645a0b91ade3ee7a6f60958de9c05e9ea1ae9370f4d0

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
163KB

MD5
2df40426bba4b14796a7eb0d59906a2b

SHA1
4edb377a2d1c2ae817dbf6baf5a5ffe8204f9a8b

SHA256
adfe6461291408bf2c2e5032d1ec1c384d4bcca6746ef4203bd8431891c6fd9d

SHA512
06f70b9f865b839ca7a597dadb80b771431106d73fe07073177b70de9ff353e69e43de117e66d546652577f9bc18061cdb1b00e4fbf4acd26ff40cff41fa438f

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
163KB

MD5
684dbc48559b2038d4e957aad68d9a33

SHA1
f03ae2dff252606bd5b9fc3ad62b6bfa0264a220

SHA256
47c0225e880dc9e09224330770e585f97773b3e683e201506b4cbd450499e34f

SHA512
d936bf577762b5497ae0118031d02080f0dc01ab3df3dbe8ac682f2b1202c1afaa9a4b025de9fa22a267766e46b010bb2665eaf98312b752ef652a1cb9616193

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
163KB

MD5
ea64996d663cee54b70e5ea82092ce63

SHA1
6fe6c42564f4efff8c4f12d12f348203526ea176

SHA256
2e3beb3481df2b7f27143eff057958ea29246e12d0a1e7d68ecebad9398861d0

SHA512
01bda8d6e1bbafc424e8a2a150e15aad396bdfae3a5ace24cedb4963412cbd125ee5eded38bd5f4a1d6d39330b0f78a4b6542f516ddd16a0beec065cdc293d7b

Download Submit
memory/220-537-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/348-405-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/452-376-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/456-393-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/512-151-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/532-310-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/620-499-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/628-223-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/672-551-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/732-417-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1008-483-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1128-87-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1156-292-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1180-399-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1232-176-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1316-411-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1392-387-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1476-148-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1496-135-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1540-16-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1540-550-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1620-79-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1632-316-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1672-231-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1700-513-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1700-1108-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1728-286-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1732-197-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1780-340-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1808-280-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1984-328-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1992-298-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2016-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2076-529-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2080-278-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2176-370-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2188-362-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2268-220-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2316-322-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2456-441-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2476-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2536-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2536-557-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2588-471-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2628-183-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2680-435-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2764-37-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2764-564-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2792-477-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2824-591-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2824-69-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2888-254-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2896-507-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2908-544-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2924-489-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2956-119-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3020-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3064-429-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3220-334-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3292-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3328-519-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3512-423-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3552-207-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3616-239-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3744-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3880-350-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3884-459-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3928-453-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3964-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3964-531-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3964-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4036-501-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4076-364-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4272-1246-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4272-585-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4272-57-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4280-159-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4320-268-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4352-308-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4520-465-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4572-598-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4688-447-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4792-246-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4836-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4836-571-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4840-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4840-543-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4988-578-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4988-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5052-127-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5072-262-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5104-356-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5176-558-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5236-565-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5292-572-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5344-579-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5392-1086-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5432-592-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5480-599-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5936-1062-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6048-1058-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6428-982-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads