berbew | 0f818c74319c8e1630d4f6b57f266f60c2a5f573c53206c59900e7d5a2fd143e

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f818c74319c8e1630d4f6b57f266f60c2a5f573c53206c59900e7d5a2fd143e.exe
Size

92KB
MD5

c45c95468b88dd2cacfda663953f0ceb
SHA1

0d34dff70781492605ab7fa6b8dbd881e6c522a3
SHA256

0f818c74319c8e1630d4f6b57f266f60c2a5f573c53206c59900e7d5a2fd143e
SHA512

e129aff57dbbe654e2824945a03392a710f203889448cd838417ab7cdc57beb9516794773696df3bfe4780bbc8f4c06376eabb5fbaad65f2b1ffd499c50a407a
SSDEEP

1536:U70U1KjdVRx35sgiXqEDjyxHNvEuOWbLBmN3imnunGP+C:rU1qMtQ6uOWnBmVbe4+C

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbhoqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpebpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klqcioba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3712	Kmdqgd32.exe
4448	Kdnidn32.exe
1300	Kbaipkbi.exe
3724	Kmfmmcbo.exe
3040	Klimip32.exe
3804	Kbceejpf.exe
4048	Kimnbd32.exe
3788	Klljnp32.exe
3316	Kdcbom32.exe
2728	Kfankifm.exe
4480	Kpjcdn32.exe
4476	Kbhoqj32.exe
3288	Kefkme32.exe
4352	Klqcioba.exe
680	Lbjlfi32.exe
2448	Liddbc32.exe
4200	Lpnlpnih.exe
2104	Lekehdgp.exe
1528	Lpqiemge.exe
4984	Lfkaag32.exe
2976	Llgjjnlj.exe
5108	Lbabgh32.exe
3612	Likjcbkc.exe
2512	Lpebpm32.exe
4748	Lgokmgjm.exe
1536	Lingibiq.exe
2100	Lphoelqn.exe
2240	Mbfkbhpa.exe
1056	Mlhbal32.exe
340	Ngmgne32.exe
1256	Nngokoej.exe
1708	Npfkgjdn.exe
3220	Ngpccdlj.exe
3920	Njnpppkn.exe
2340	Nlmllkja.exe
4348	Ngbpidjh.exe
4648	Nnlhfn32.exe
1944	Npjebj32.exe
4464	Ngdmod32.exe
4160	Njciko32.exe
4968	Ndhmhh32.exe
1376	Nggjdc32.exe
1084	Olcbmj32.exe
404	Odkjng32.exe
4584	Ogifjcdp.exe
3776	Oflgep32.exe
3948	Opakbi32.exe
784	Ocpgod32.exe
1136	Oneklm32.exe
1512	Olhlhjpd.exe
1888	Odocigqg.exe
2524	Ognpebpj.exe
952	Onhhamgg.exe
5104	Oqfdnhfk.exe
3680	Ocdqjceo.exe
4068	Ojoign32.exe
5076	Olmeci32.exe
2580	Oddmdf32.exe
3928	Ogbipa32.exe
1776	Pnlaml32.exe
3128	Pdfjifjo.exe
2072	Pgefeajb.exe
4912	Pjcbbmif.exe
4828	Pmannhhj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Efjecajf.dll	Kfankifm.exe
File created	C:\Windows\SysWOW64\Klqcioba.exe	Kefkme32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Kimnbd32.exe	Kbceejpf.exe
File created	C:\Windows\SysWOW64\Nkbjac32.dll	Kpjcdn32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Coffpf32.dll	Nlmllkja.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Djkahqga.dll	Kmfmmcbo.exe
File opened for modification	C:\Windows\SysWOW64\Lbjlfi32.exe	Klqcioba.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Klqcioba.exe	Kefkme32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Pkfcej32.dll	Lgokmgjm.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Kfankifm.exe	Kdcbom32.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Npfkgjdn.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pcncpbmd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6192	7096	WerFault.exe	241

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klljnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjcdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbceejpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnidn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbaipkbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	0f818c74319c8e1630d4f6b57f266f60c2a5f573c53206c59900e7d5a2fd143e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	0f818c74319c8e1630d4f6b57f266f60c2a5f573c53206c59900e7d5a2fd143e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjecajf.dll"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhaomhld.dll"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll"	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbinq32.dll"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 3712	4836	0f818c74319c8e1630d4f6b57f266f60c2a5f573c53206c59900e7d5a2fd143e.exe	84
PID 4836 wrote to memory of 3712	4836	0f818c74319c8e1630d4f6b57f266f60c2a5f573c53206c59900e7d5a2fd143e.exe	84
PID 4836 wrote to memory of 3712	4836	0f818c74319c8e1630d4f6b57f266f60c2a5f573c53206c59900e7d5a2fd143e.exe	84
PID 3712 wrote to memory of 4448	3712	Kmdqgd32.exe	85
PID 3712 wrote to memory of 4448	3712	Kmdqgd32.exe	85
PID 3712 wrote to memory of 4448	3712	Kmdqgd32.exe	85
PID 4448 wrote to memory of 1300	4448	Kdnidn32.exe	86
PID 4448 wrote to memory of 1300	4448	Kdnidn32.exe	86
PID 4448 wrote to memory of 1300	4448	Kdnidn32.exe	86
PID 1300 wrote to memory of 3724	1300	Kbaipkbi.exe	87
PID 1300 wrote to memory of 3724	1300	Kbaipkbi.exe	87
PID 1300 wrote to memory of 3724	1300	Kbaipkbi.exe	87
PID 3724 wrote to memory of 3040	3724	Kmfmmcbo.exe	88
PID 3724 wrote to memory of 3040	3724	Kmfmmcbo.exe	88
PID 3724 wrote to memory of 3040	3724	Kmfmmcbo.exe	88
PID 3040 wrote to memory of 3804	3040	Klimip32.exe	89
PID 3040 wrote to memory of 3804	3040	Klimip32.exe	89
PID 3040 wrote to memory of 3804	3040	Klimip32.exe	89
PID 3804 wrote to memory of 4048	3804	Kbceejpf.exe	90
PID 3804 wrote to memory of 4048	3804	Kbceejpf.exe	90
PID 3804 wrote to memory of 4048	3804	Kbceejpf.exe	90
PID 4048 wrote to memory of 3788	4048	Kimnbd32.exe	91
PID 4048 wrote to memory of 3788	4048	Kimnbd32.exe	91
PID 4048 wrote to memory of 3788	4048	Kimnbd32.exe	91
PID 3788 wrote to memory of 3316	3788	Klljnp32.exe	92
PID 3788 wrote to memory of 3316	3788	Klljnp32.exe	92
PID 3788 wrote to memory of 3316	3788	Klljnp32.exe	92
PID 3316 wrote to memory of 2728	3316	Kdcbom32.exe	93
PID 3316 wrote to memory of 2728	3316	Kdcbom32.exe	93
PID 3316 wrote to memory of 2728	3316	Kdcbom32.exe	93
PID 2728 wrote to memory of 4480	2728	Kfankifm.exe	94
PID 2728 wrote to memory of 4480	2728	Kfankifm.exe	94
PID 2728 wrote to memory of 4480	2728	Kfankifm.exe	94
PID 4480 wrote to memory of 4476	4480	Kpjcdn32.exe	96
PID 4480 wrote to memory of 4476	4480	Kpjcdn32.exe	96
PID 4480 wrote to memory of 4476	4480	Kpjcdn32.exe	96
PID 4476 wrote to memory of 3288	4476	Kbhoqj32.exe	97
PID 4476 wrote to memory of 3288	4476	Kbhoqj32.exe	97
PID 4476 wrote to memory of 3288	4476	Kbhoqj32.exe	97
PID 3288 wrote to memory of 4352	3288	Kefkme32.exe	98
PID 3288 wrote to memory of 4352	3288	Kefkme32.exe	98
PID 3288 wrote to memory of 4352	3288	Kefkme32.exe	98
PID 4352 wrote to memory of 680	4352	Klqcioba.exe	99
PID 4352 wrote to memory of 680	4352	Klqcioba.exe	99
PID 4352 wrote to memory of 680	4352	Klqcioba.exe	99
PID 680 wrote to memory of 2448	680	Lbjlfi32.exe	100
PID 680 wrote to memory of 2448	680	Lbjlfi32.exe	100
PID 680 wrote to memory of 2448	680	Lbjlfi32.exe	100
PID 2448 wrote to memory of 4200	2448	Liddbc32.exe	101
PID 2448 wrote to memory of 4200	2448	Liddbc32.exe	101
PID 2448 wrote to memory of 4200	2448	Liddbc32.exe	101
PID 4200 wrote to memory of 2104	4200	Lpnlpnih.exe	102
PID 4200 wrote to memory of 2104	4200	Lpnlpnih.exe	102
PID 4200 wrote to memory of 2104	4200	Lpnlpnih.exe	102
PID 2104 wrote to memory of 1528	2104	Lekehdgp.exe	103
PID 2104 wrote to memory of 1528	2104	Lekehdgp.exe	103
PID 2104 wrote to memory of 1528	2104	Lekehdgp.exe	103
PID 1528 wrote to memory of 4984	1528	Lpqiemge.exe	104
PID 1528 wrote to memory of 4984	1528	Lpqiemge.exe	104
PID 1528 wrote to memory of 4984	1528	Lpqiemge.exe	104
PID 4984 wrote to memory of 2976	4984	Lfkaag32.exe	105
PID 4984 wrote to memory of 2976	4984	Lfkaag32.exe	105
PID 4984 wrote to memory of 2976	4984	Lfkaag32.exe	105
PID 2976 wrote to memory of 5108	2976	Llgjjnlj.exe	106

C:\Users\Admin\AppData\Local\Temp\0f818c74319c8e1630d4f6b57f266f60c2a5f573c53206c59900e7d5a2fd143e.exe
"C:\Users\Admin\AppData\Local\Temp\0f818c74319c8e1630d4f6b57f266f60c2a5f573c53206c59900e7d5a2fd143e.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\SysWOW64\Kmdqgd32.exe
  C:\Windows\system32\Kmdqgd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\SysWOW64\Kdnidn32.exe
    C:\Windows\system32\Kdnidn32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Windows\SysWOW64\Kbaipkbi.exe
      C:\Windows\system32\Kbaipkbi.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1300
    - - C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3724
      - C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        24⤵
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        27⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:340
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1256
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        34⤵
        Executes dropped EXE
        
        PID:3220
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        38⤵
        Executes dropped EXE
        
        PID:4648
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        45⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1136
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        55⤵
        Executes dropped EXE
        
        PID:952
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3680
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3928
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        65⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        66⤵
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2368
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4176
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        72⤵
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3852
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        78⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        81⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        83⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        85⤵
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        86⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        89⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        91⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        95⤵
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        98⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        100⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        102⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        103⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        105⤵
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        109⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        112⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5940
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        117⤵
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        123⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5472
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        126⤵
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:6160
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        132⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6248
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        134⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        135⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        137⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6428
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6480
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6524
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6568
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        141⤵
        Modifies registry class
        
        PID:6612
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:6656
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6700
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        144⤵
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6788
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6832
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        147⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6920
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        149⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6964
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        150⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        151⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7044
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        152⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 408
        153⤵
        Program crash
        
        PID:6192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7096 -ip 7096
1⤵
PID:7160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqimo32.exe

Filesize
92KB

MD5
87a8ddfedb60f62d96076ea4f7a4d8df

SHA1
69ff9f904f72cafb77a2a8b615ab53acfca20e57

SHA256
e9439d5b2e299f17a4d7af73d89edf351733ef47c94322f21dc525868bb85a13

SHA512
a134a0c63c517a05b4c9216373d45613fcea6b11973b8c7f772054a4ac4f74723e565eb25cdd3cbc8d81e3fe604ff87d717fa7aaaacab5fbdda7a39a2923c197

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
92KB

MD5
af8accae798dbc14a388484737b63528

SHA1
5ccf573d40c5ec4ee72d83e78d684db54b425957

SHA256
a7bd9f2e0c65b89bd31cc8a7641e606dee3a7a7b1d11f8e77e1c14c7957e7b06

SHA512
dbec800c2f6f3af265ac4ef70f512bd6c7bc87cb4dafa700bffa1bb153ebe4b9638b291e823fdae9ae204cfb532055ddb292ce9a7fa35033bdb6aa87589a0f30

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
92KB

MD5
d69c319bf8a836afa6a2066fc7464a2e

SHA1
7f3e8e74b67a55c70b421e8e137d734e72e95cd4

SHA256
af137647de211ed966c352768c5a0843a79ab78870b7054f22c137970f255895

SHA512
9abdf3c668dafad66401b97dda2271790a89f1ccd26964dedd1e8a6b484fb24b52acf65160558d62a208b3f7c0c89e8a81b8d170e2437010d5c9faba26d02216

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
92KB

MD5
f7a3e5797641c0a6acfd7b34e7250135

SHA1
f80c0a7f449a50d035d215371cbb8f383e6542a3

SHA256
c708ef30668b00abd6c16abaff564fb2b1b29a6f4564b9f41a0a065fe65a15b6

SHA512
3fd3b33c4f177bb5cba83dcf4fe3259b10ef9c6d149adf3b0506a90a81172319055a9205d7c47bf42d3482d8744c532f9c380d2f69bd20c329dba3d80bf8cccb

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
92KB

MD5
7bfa94851f83f9f328056041893ba162

SHA1
14c42832160fe2aec62778929f40b7022a4d6053

SHA256
e86a149d9e2ae66269fae8c6a26cbaf53969df66f62589de00d4ccd00a0d19f6

SHA512
e4a6127451887d7e816dcfe858b9b636ab061dc07be15b897354eca07be688309652199af6ff6c0cf4d0a4c592ca1527ecb5371afc3d6315151071ff67fda741

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
92KB

MD5
aa4996cff94e81aac20e4f83cb4028c5

SHA1
e6dbe44170513c72764a3aadfc578ad8f2c2c35b

SHA256
4dea82e81e6b2f0475c20e9f856544d1d398ccea0807b6e4121e9801aeecf967

SHA512
d4142610493e7ff08817e1659212d7923d3d0d0ef65e40dc2dc46d6b6229f3cb7a148d6ce5b834570318177ba705e2abcaca9b5a6f54290b0cd7154a2bc2ff27

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
92KB

MD5
764665796aa5f8dbec3734e68ebc4550

SHA1
696460e3b6831dcc58696ec5b540d3420b515134

SHA256
bcbd12e259a3679000d02fdf923c59137e6d73bca037dc427e2a513627e1698e

SHA512
34121b0f15cdc1277b25444d36a230a3cd93873c76ece710baa41349de26cb160c2286aae24d62f538ceaa54b8ffa3b9267069c6ef75ed273973221d06ff802c

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
92KB

MD5
dd9b27b7da2a49c339a81915bdfb93d0

SHA1
b09cd43dd017fe69f50103138d1a7e02f7bc67c9

SHA256
3e88f1da21b5b6008119716da9a89404b40f5d1a49bbd39905c587088b0dd6ed

SHA512
9be5add86ba4bfb858911d7f9b193e18af0388c81c202f54d510214577a7efedb03f798ed082e5c5d8ea583c87f0a8661a797b5ac93fc79b0da07b794d541411

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
92KB

MD5
d6a2e5607f6a786429efaef7baa8e207

SHA1
06db3f9088682952aed41a2d4b5363ad2fcf6bb7

SHA256
42b3c57b43ff5b949130c138d32752eb06012242d40a413604ebd0a2e4592591

SHA512
1555744b0173ffd9dfeb543996528a3d1b9dda4c2cd40669beb2dc32a66b045760820d0cefff3a1d0ff0e7bd8e9be83412397a71a624d831cb40f037abbbbadb

Download Submit
C:\Windows\SysWOW64\Djkahqga.dll

Filesize
7KB

MD5
dbc300d05d597a506c90ca13e0108bfc

SHA1
2f54b9ef007dec1e22e67a1fdc7baf00b75096a4

SHA256
2701320016e70c6024dcd5a9cf1381749b1c657f3cfc7af19aaa64214923fd05

SHA512
0a7bc4134bf4da18d76e7ecaba384696f3eee94a69ecb8cf0bba609b33e5c994a363b49b1699a4df07f6f64ea209301c26a0e32c43ec0e194dde8e5d955a9355

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
92KB

MD5
aebf2e947ac05e81cae7e6d60c6bc263

SHA1
147d40f6372eec813cd6172928e27dd21a9577fd

SHA256
61921fae81efef0a72f56b4cae6305ca9828f37f6670cc0d7673ca0c37befd8a

SHA512
735dc3f4776fd7e991ef1d5f7f37545d2e93b0acf8620873c6c32734f3eda8970b38cd2ccd4b75ae0ab5245c3b0decd7901a59c3b5dd5354dfd674476dd2c9db

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
92KB

MD5
633de1bb00db06452cff7cbe0082f149

SHA1
ff9bd481fe8ed19c9cf8d209fc28c4e9cfe4e1df

SHA256
8568bb682747a54d4cb7eee9c6e8f1987e32f11342ae0ee465904738e7bbcb5d

SHA512
3ae255641347faa6999974cfce04c526c0f8b3f34ee0fca45c3a26311ce0574f7e89ae44ee97515751a143e567dc31cc329f8b9ba6f16cfca5c68bd8377ba607

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
92KB

MD5
8f747fea6fff81877c0fc2e061cc83f6

SHA1
ff9b30ede0c187e6f9aa7e828c1a1e1acdb18c72

SHA256
f436c48195f34a285c0baefce63c0c55d0dbfd9c7ce5eef164f5dad16565479f

SHA512
d866795cf72fb1cf3854cd48d7537262ed12dbf892aa4241bcc639b553839e7d6d8711bd6239f0217fe0316e42e8973f42aeac05b57a17697f29e2962b6645c0

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
92KB

MD5
8f9e8a0c0abf4afe222945ebbf2815c1

SHA1
111c057bbce52f7e445a77d9e3cb8f3f72a1b4a1

SHA256
24bca606cf783031d1220c9bbbb1a6c7ee4d9aa77ea9b4826d44901279472b67

SHA512
a459536cb5899dd69003f5787da611b8b429b8ed9af2ade93163794b022ab585c5eb45bc7bbf19523d405add75812367645cc72e7bbe4fe7b6a891b89c7ba2f5

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
92KB

MD5
9f8ace7301af20a44ba9d028d46b956c

SHA1
5a2083355c6496450c736f5d6d7a576fcfdada55

SHA256
aecf97acdd6732ab1fca78daef0dcb56f9fb50e8daa67d3dddb25554c04c5343

SHA512
e03fd7530b3e09ca38d0bfc80c34e96465ba6d92e4cf3328b42372c241962bcc190621e4a303f1b4837a6f8b1d184faab7a0aaed47136fdbc869540b32575f30

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
92KB

MD5
23ef6017368bd5388d287ddff99f61c2

SHA1
9fc310cfd291e267bec061f48cefc7b5e23b53fd

SHA256
2dd8b81758dc3f2df3da82b0387b91a78181f81804c5b8d6c41aa1f3582858c7

SHA512
0ab5d81353d5e4d2f67861c1232c67f38b840f8fb7195097045599eff86df4c3eff51e0d13006f7dd112e726a8147850edacdb4fe66513fbe240cdae7893cf96

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
92KB

MD5
53b621b5935178e8205e93ebb886b4a9

SHA1
8c9464740f43ecaba8fd344f04237149b823a6a3

SHA256
47f4fc63cfe6a1519adcf6a54e2f87f0faffe5fa8f7e3d93b34fd726e169f6fc

SHA512
642ffd43b9f41a16d84b4d2fb4aa1edc6bac268ec6e2def815394bcac942d374edd8a2da096cbe0b317f90ddc03f8d43c30fa16cddd6b537b26a778b165cf4e9

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
92KB

MD5
206ec816f19915eeddb1cf74b4e76674

SHA1
20907957cb3d7be0b687ac298385dce5884c585b

SHA256
400ac0a8888c55cbd00f966428b298484f414680f9159279916613b640a11b18

SHA512
ca6e1fda498e4647b1a27939faf8dd7998fa7e8256a4d97c1703dbb0154074034437b49e5828c627875d8f6b74245a23abcb54eea1d6589f4ae261c9fd4a9197

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
92KB

MD5
4ff42229593158dca3472b6eef736acb

SHA1
2bed38bb68003715d5801be0ca94108f4f6c531c

SHA256
20f542d7a809159759a792fbec89b5e8331113c3a6f6127074282473a612667d

SHA512
76390594a3f63edabde5287743cab68effa021c2d2830aa037931b7ee3d3e9992f199eb961cb79c4c7eff3ab8fed4c3038fa1b16f0ea1bbc76672d4f0a3057a9

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
92KB

MD5
eba991b42311c8fe3b935b0bc820f0f9

SHA1
12c8df7003caca999f136fcc17895834ea2b5533

SHA256
80c5744abc88059136af062305dd865254610081983a6ff8bb26b8a40f5360a5

SHA512
2dd992bb84726e4c196e832b1485c1dfc57256136c15e3a5a6c9ec3cb83965f52c1c89455f7d40c2c2b2f62f76cfbbe1bf6661f946bd6ae689ae71a43a60e6b1

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
92KB

MD5
7b2a3d005f890b5a23ea000cd4e8b1ee

SHA1
9fbeee89fa830bb96bbfb0eb27182f04d31436e2

SHA256
4cd3f16e74b8ac9cd13c7b2c7c0ddb92f487d78075287d3fb380e79db8685c1e

SHA512
a1065b5bbe30003245defba3dcf560f2995fa4dfce40d810a691d013af09a06a386423624531238ef512fae69bc910e2652e6ff5a02328f3aea86377a4d17ec7

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
92KB

MD5
54449a728f1f04758be504427328794d

SHA1
38397740a65ae732d5cdf672285465b755fed2e8

SHA256
88008d93ff86a699f5933f1746e42633c7d94f79f676531a1bbc59b0c6c641a1

SHA512
6de2f63fab13ffb9a3e4ce4bd7dff6ad0629847d85011fbc00b0977a87cc792601378dfb3d7d5080c63891b9458edb0ca83b6419e5ce84bdcb79b98c79925163

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
92KB

MD5
a7346e56ade9015460acfb45204b2f5f

SHA1
307133eda2ae496b0e76a5af85ae6dd3c57aa3b5

SHA256
009401e1763f567dff7cc35d5d0c791b6ac82a95d1e43d56704580a5381b02cc

SHA512
d3b843bc6375de2f0e5dba14098ad948d61ccbfc520961df0eebc725fceb9eb69da9cfedb6f2a5058ce6d09e7f77fbb552616ed31ce440c32e613fd6c96ac9bf

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
92KB

MD5
4d1857c4217eaba951a90b99458f9fc5

SHA1
54f10e7f63359daf66c0d986ff463e5b57b2ac11

SHA256
dd56b7b2e07e440ad824cdffdddc4820748c51f9bbceee0496f15f908ebee2b4

SHA512
e35e79fa49e4253572f4cb0d714bfff83621244dc22e50a2449da423288d0e4520bcbe2e47a54f032c7248f298e91f744c8e6d6209a19d28d687cbad1d8e58c3

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
92KB

MD5
477297cb785a0368d62de9a4b4ea8b1c

SHA1
310d6b9871d1aac2ad4a91bae2688f5b8cb6b84d

SHA256
f776b913bb3eed6b2d752a29f6e88aaa304807cd63d81f2b42270dfd9e26d46a

SHA512
9dcb023f1b08888f43c43c0cc31522e155a07576966ae067cc798e4466fb55db4d7775872ac9250947bd39a45fe82a445b2a707823a798907ca010507b66a192

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
92KB

MD5
48911bbe980669c31d250f0224312048

SHA1
48ea18eea2a59705184243e9b65240b171973920

SHA256
94a61022ab2f885da4c6f66b7c4d289fd8c392a3edb49027146ca7eb68f08248

SHA512
08439448d4252c51de1997006cd7b0a0bf17a5a21f605ac7ac73fd9dc61ad291bc3d5e9838c1f103eba331ced096527a6f3e28c3e7f25adad9fc7108e1be7df8

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
92KB

MD5
4a0b11c12c08f6c1e717b43881846d85

SHA1
0661fff9f5b58a64a8b6e565141bf0f8c972f1f8

SHA256
ace76e2b975e2b69af61353112a4a17ac394ee3e35662faa9c31b13a13bff239

SHA512
577003f06390c458842a7cad052bc4f512baa0aa728a7ac46560547f335f60f5d78347dcd3922df05c84bdb5ba099b35b2167bb0b820ebfad4cd8af66f096196

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
92KB

MD5
230b9f9a39b1f4137f47fdfe3db8ec90

SHA1
7eaa1fb77c4694952571acadac22bb2004364d95

SHA256
31476828da59a40585a2fbc1fff23158a65e6e3e2d6517dcd818ee7402ed72d8

SHA512
3ae1326fbdc56bd19bd57cb921590937013759f22b0071635871e499a571b00be7b1526c67e670c3f995235de041016e40bad4df3168e5e617a07d23af9d29e1

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
92KB

MD5
c734019d620225bf0f02f94e85ac2cf7

SHA1
b0b8d28aeac6fcf768a4dde797c1b52961659dd2

SHA256
acb339c9ba28bb38f9c5aa7910013c555d7d99693022113199dc434fd808ccf1

SHA512
b70dfe8ace48c943754be41c9b154f626b85112bb1241a049ea5239dee8cc046f433994a7e15cbe6091259e7b4a0628dcc31acb863efa0f43361ae76671f4aa2

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
92KB

MD5
0a4071fa426069653cd650c6c665d77b

SHA1
d6697533fed7a1983be1ca0049b98506f7c88502

SHA256
6cc5d7c2e28e73e4b4b318443b11d6f337914636ed8d6c242cdb1eef2ac8b51f

SHA512
dcd4030ce63c508a98bbb154a2c74c9fb381df8bfc7dcc4b907fa55da06e3b40e5de20e105c98a635fe06cba9cbba849ec2ad84f0f643470d9303322767cc6e6

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
92KB

MD5
45738fbd23e103afec6c2358309911ea

SHA1
24f14cd2e3180a602bc562f9c95c9a3b25c01c8a

SHA256
53ca3b5da923f6ccf1bc010714c7b408bbf5f9726cefcf05e64435d6a4d928f3

SHA512
6a9c4b2ab49b0379f866ac6b3a2e750646061c78514bb3aeb2c5bd848cfcf280574738cdd5ede47ee148659a686076f7009ea206c898c21e4f2fde0a9828c0ce

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
92KB

MD5
de53d00090f9a133f71e6090c3607042

SHA1
797d078c42de4e26a37da474a3fb3b6f9a4d25e1

SHA256
cf6d871a379441230d6d7ba0767e91bc0be01cfb688dd195d04b4356209b7c3a

SHA512
ba8a92c9ab2f64b920186c4870b8ba51390cf90de326fbc7736088159b6afb22454bf831f2e6c147aea5adc0a34fa9100d2c824ff477df1de0ba873d1873127b

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
92KB

MD5
06d936dda9e225fc520df9f52f2c4e67

SHA1
1199b03964b464147c511aa27b1a580c273721be

SHA256
093037aab4c452d07ed6594e3a287d9a3f066a734ea22eed5d8f745fc24870e1

SHA512
45cd74888288f3576c990f22c5e1c115b962db97b6cb9a55a63939e7688e0f22847ef7b6fb6d4f65651fafd75dff68221bd85e947655bb607ac4fa5185dd351a

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
92KB

MD5
7a291887038ab9c45cf2ad7007c6eefe

SHA1
07cd007654dbd1e387ddd339cc4eff9eef91f54e

SHA256
8036d3d73a1667a39213297c8f35c252483dbac8a0b39cf2cd8557bb9ec9744f

SHA512
a65ee9fa9e1335e482efe35a3903f5f050705af2c0bcbe84eec145cdbac5be6dbc2e32654208e6a2642e0ec2e8660da6d843dcfd23ddf0bbc5974e36998cdd79

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
92KB

MD5
b2b92abc54631c044785a440361776a6

SHA1
726a3f32382ec24a0c8f9ff9eb5271936c67886a

SHA256
7ec31ce8a6913cbbd3784599e4a898b6e368bcc630342d3719f83879d43def8a

SHA512
a7fd7a40d0c9d08503aa7be517307cfa345707f9d07417ac5e2ce923b1e118d6359f6141af91019672e17409bf45460e05cb7003933dbddc2e4684d8c64b6303

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
92KB

MD5
88b692b7916feee8189842c79709c1de

SHA1
ead64b50b334c50cbf737b8f508c1804a1a303bb

SHA256
c63eab6b98fdb5883bea9f5d8de8abc8d7d4647ab14c159eba28c2181d4cc34f

SHA512
83ad015f26bcc2834f0aeba366d441b825faffab3ab43a3d5ef297ffc81d0095b519ba5f01fb3491ad79de013eaaf0627eb69229ed2f1562877ac99425f9bcfd

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
92KB

MD5
759f3db7ea4cba075cd8e158ebe750a0

SHA1
1470a76611b1bfe2402770450df3683744f4fcaf

SHA256
94dc007624a500aa0be5e6e6979a605bfe3bf93edbf15ee2cafe4b2a9da3a59e

SHA512
ffb556281b3fe0607023044ae04d4d1fb3929a2af9ca00eacc1488ce5d9e534f16b77f706acc72a2930e8ba502574646697565d80b13afd95164786a73d9ad72

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
92KB

MD5
c63a08102619f82eefe25fec5b2f6678

SHA1
ddff430c199036d37074df7a08e60205ef18e204

SHA256
051958d412cb33820c8583779ea04a29b81714b514b899e01f17abacd697e1c3

SHA512
331a519c00a063340a362faa85e90dcd2b7971c15647aac2349ca4bd45b9a3db07cad5215e4269bb520d5c9a0b5900a2f04d86a5eb38485083d5d32139ae81d9

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
92KB

MD5
6b8d72abb22121019759f7e0a7af42bb

SHA1
9211f89b07bec388af5dd9235e49700f3bc961a1

SHA256
957defd560f998a4cf0696a90ba1d218324798bf2839a36da357f189a490056e

SHA512
1d6c0f24ae390ba4a2ab9d52092079e737c19cb9d078acf281c8794b1e3a9e8c64956b91ddbe0f8fb0443ad6d0e1fe6adf770c194d767321944d6b00d9d4ced1

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
92KB

MD5
600e182e9634fcbaf48b52f8287118c1

SHA1
94ace58c82a5170d09abb25dbbb6a0c2f789c85d

SHA256
8a3b3fbd4d20c7c0b727f9a16434dd1906c666271dc32cfeb632f7d0c95d03af

SHA512
bcab06444117af7f551c3ea01eb1ee330e6addcb706cc5bfd29e2ebeb30e5b35098a176ca17df60139c13cb80343e62ccfcf597d430c742eb3b6bc030e34db37

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
92KB

MD5
104d2739a4ea2a508c7198de2f2ed8c1

SHA1
17fb6d4920e9218253bb36e485b51898143416dc

SHA256
a1d6bb85ef9aff9f9407aa6a668584abbcbf9a8c3fbe7a0746cbf0b92b318a75

SHA512
d7cd6828e1b827fbff27fe3e8e2653420763f60c90257ce190bf3401bb36d9702d2fa2e5651d83f678ca5ab87a81632452fe494e1ea5b242e994e873f40b48a7

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
92KB

MD5
6ff81e3e7268d2778566aecf1937d309

SHA1
21747326e3a87ae99da575afd5d74d6a9364a07c

SHA256
a021960a194bb47359267a36c9162f4a64bda20e022face121705db11536f9b4

SHA512
a4b3fbf01a84aba38f3ccb2ddb97edf3055bce204ccc15e004035cf3ce4201499cc00ccb633cae51aeece592cd24dd1259f4d3070dc8e40f22fc0cf17c855331

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
92KB

MD5
ff40ea1607334033f2b0ba2d179d4600

SHA1
65ae5d8b5f8e65a0a46c1987e9c75ee069a3fd8f

SHA256
cedabd8337d890767aaf3739763dfa714ca729a17f7d00facc0b8ff68376b5f2

SHA512
b88022aa6fed425ac2e4bd9eeb8011036bc99e9fe8542f33e486ee89fbaff358e947f30b19bff4711a6cb3fee5ebc1349cedd784858eebe522c6d116b94426a3

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
92KB

MD5
ce8ada8a75c4f35fdeabce0555fa07cf

SHA1
3049279353a87ffee2ef5698b4d0266d09597ef8

SHA256
1f42488e44757849a9f5913bce9511e153fead43fc6ff8b939145d059ed564e9

SHA512
36efafef574206800b58cd7bb2fe8661fc19124339e3c3116e6419313778b88b58fef11db052a8fa6b2e61cefc8f910289816ce762fb9557788a3b61b8a1ba73

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
92KB

MD5
d4942017f0f5d1444fb7e442b04d01f2

SHA1
ea140422eb0c8082b17289bf2f8f68be37f3c175

SHA256
e3aa2877c4aa6f43522c410a29307dc5158a4eefc8ea895622c42f4b9aa2645e

SHA512
b13afd5742802eb58be41fadfcb43fa1493f1787214b6ad7b819810d747f7df8ebdbe76cb01d5ce09c6f135c289778355348fe291af0c20db04438145f0743d4

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
92KB

MD5
df5e779fd6701c4cc99d17e6e002c8c6

SHA1
0ea136a58f9b20a4814bf6417b721726a73615f1

SHA256
9068554de2dac4804f1898becaf3f618f98f9f3a9eb1f974462c8c8196e3cd1e

SHA512
46da43c35dc2b975328b4857618570cf142c5913a9486b9d8e9152a1eff6730fb6800e551518b9938f6514f0edb6937f6569c25d7af913bd282ab5456593d7b7

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
92KB

MD5
fadef48d9c8b5ef9e719205dcdeb3d69

SHA1
6edff903c9b581dc77548abb95d4d2110456c398

SHA256
84fea4968f5dcb215bf4a7451327e129c104dd5b6aa3a64464e764c1fb61fd52

SHA512
8fb7e46b1ac7b236e1c15659b7001a20716ef67ddedbf367372d1992a3ef248fd6801b1cc4aed2bff9e0bfc34aac8100062f762bf1c8a5fb52bee623d612945a

Download Submit
memory/340-239-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/404-328-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/680-119-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/768-485-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/784-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/952-383-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1056-232-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1084-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1136-359-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1256-247-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1300-23-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1300-560-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1376-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1512-365-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1528-152-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1536-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1708-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1776-425-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1888-371-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1944-292-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2072-437-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2100-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2104-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2240-224-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2340-274-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2368-461-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2512-191-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2524-377-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2580-413-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2728-79-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2976-167-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3040-574-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3040-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3128-431-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3220-262-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3288-104-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3316-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3612-183-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3680-395-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3700-497-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3712-546-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3712-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3724-567-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3724-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3776-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3788-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3804-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3804-581-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3852-491-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3920-268-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3928-419-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3948-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4048-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4048-588-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4068-401-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4160-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4176-467-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4200-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4312-353-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4348-284-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4352-111-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4440-479-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4448-553-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4448-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4452-455-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4464-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4476-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4480-88-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4584-334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4648-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4748-199-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4820-473-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4828-451-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4836-539-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4836-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4912-446-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4968-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4984-159-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5076-407-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5104-389-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5108-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5156-503-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5200-509-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5264-515-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5360-521-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5408-527-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5448-533-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5488-540-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5536-547-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5592-554-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5636-561-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5680-568-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5724-575-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5768-582-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5812-589-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads