berbew | 5b68f15cbd6e03e078122f3a8d7ffb066100ae0a807d4c271f0ed29a84ea1746

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b68f15cbd6e03e078122f3a8d7ffb066100ae0a807d4c271f0ed29a84ea1746N.exe
Size

477KB
MD5

ce7132f5de7574b797b34fbc825f7d60
SHA1

060d4db9a4b0b26861e1ce3fb9d777acc5c6fc2d
SHA256

5b68f15cbd6e03e078122f3a8d7ffb066100ae0a807d4c271f0ed29a84ea1746
SHA512

2b2b6a2a72af7b745fede99f6941e66dd37aff21a9a2eefc3e24631666f30a1193dac78fb71e40a804a275a31077356435fe8cf88bd31345d3049dee05248363
SSDEEP

6144:9CuVNkd2gQon/TNId/1fon/T9P7GSon/TNId/1fon/T2oI0YokOsfY7Uony:Q8MNIVyeNIVy2oIvPKO

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Offmipej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgmpibam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pohhna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onfoin32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akcomepg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omnipjni.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdjjag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdjjag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omnipjni.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Offmipej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oococb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5b68f15cbd6e03e078122f3a8d7ffb066100ae0a807d4c271f0ed29a84ea1746N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onfoin32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pohhna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bniajoic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5b68f15cbd6e03e078122f3a8d7ffb066100ae0a807d4c271f0ed29a84ea1746N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pebpkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opglafab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opglafab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pebpkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 37 IoCs

pid	Process
860	Onfoin32.exe
2156	Opglafab.exe
2808	Omnipjni.exe
2788	Offmipej.exe
2680	Oococb32.exe
2568	Pofkha32.exe
2664	Pohhna32.exe
1644	Pebpkk32.exe
1688	Pkaehb32.exe
2292	Pdjjag32.exe
2644	Qndkpmkm.exe
2880	Qgmpibam.exe
2120	Apgagg32.exe
2160	Aomnhd32.exe
2936	Akcomepg.exe
704	Aficjnpm.exe
2356	Bjkhdacm.exe
696	Bccmmf32.exe
2412	Bniajoic.exe
1808	Bqgmfkhg.exe
1800	Bfdenafn.exe
2500	Bnknoogp.exe
2948	Bgcbhd32.exe
1756	Bjbndpmd.exe
2056	Bcjcme32.exe
2976	Bkegah32.exe
2700	Ccmpce32.exe
2748	Cmedlk32.exe
2676	Cocphf32.exe
2868	Cpfmmf32.exe
2592	Cbdiia32.exe
3008	Cgaaah32.exe
1652	Caifjn32.exe
2080	Clojhf32.exe
552	Cnmfdb32.exe
2852	Ccjoli32.exe
2856	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2328	5b68f15cbd6e03e078122f3a8d7ffb066100ae0a807d4c271f0ed29a84ea1746N.exe
2328	5b68f15cbd6e03e078122f3a8d7ffb066100ae0a807d4c271f0ed29a84ea1746N.exe
860	Onfoin32.exe
860	Onfoin32.exe
2156	Opglafab.exe
2156	Opglafab.exe
2808	Omnipjni.exe
2808	Omnipjni.exe
2788	Offmipej.exe
2788	Offmipej.exe
2680	Oococb32.exe
2680	Oococb32.exe
2568	Pofkha32.exe
2568	Pofkha32.exe
2664	Pohhna32.exe
2664	Pohhna32.exe
1644	Pebpkk32.exe
1644	Pebpkk32.exe
1688	Pkaehb32.exe
1688	Pkaehb32.exe
2292	Pdjjag32.exe
2292	Pdjjag32.exe
2644	Qndkpmkm.exe
2644	Qndkpmkm.exe
2880	Qgmpibam.exe
2880	Qgmpibam.exe
2120	Apgagg32.exe
2120	Apgagg32.exe
2160	Aomnhd32.exe
2160	Aomnhd32.exe
2936	Akcomepg.exe
2936	Akcomepg.exe
704	Aficjnpm.exe
704	Aficjnpm.exe
2356	Bjkhdacm.exe
2356	Bjkhdacm.exe
696	Bccmmf32.exe
696	Bccmmf32.exe
2412	Bniajoic.exe
2412	Bniajoic.exe
1808	Bqgmfkhg.exe
1808	Bqgmfkhg.exe
1800	Bfdenafn.exe
1800	Bfdenafn.exe
2500	Bnknoogp.exe
2500	Bnknoogp.exe
2948	Bgcbhd32.exe
2948	Bgcbhd32.exe
1756	Bjbndpmd.exe
1756	Bjbndpmd.exe
1484	Bfioia32.exe
1484	Bfioia32.exe
2976	Bkegah32.exe
2976	Bkegah32.exe
2700	Ccmpce32.exe
2700	Ccmpce32.exe
2748	Cmedlk32.exe
2748	Cmedlk32.exe
2676	Cocphf32.exe
2676	Cocphf32.exe
2868	Cpfmmf32.exe
2868	Cpfmmf32.exe
2592	Cbdiia32.exe
2592	Cbdiia32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fdakoaln.dll	Pebpkk32.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Oococb32.exe	Offmipej.exe
File created	C:\Windows\SysWOW64\Omnipjni.exe	Opglafab.exe
File created	C:\Windows\SysWOW64\Alppmhnm.dll	Akcomepg.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Hfiocpon.dll	Onfoin32.exe
File opened for modification	C:\Windows\SysWOW64\Apgagg32.exe	Qgmpibam.exe
File opened for modification	C:\Windows\SysWOW64\Bjkhdacm.exe	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Mlbakl32.dll	Pofkha32.exe
File opened for modification	C:\Windows\SysWOW64\Akcomepg.exe	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Kfcgie32.dll	Aficjnpm.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bniajoic.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Pmmgmc32.dll	Apgagg32.exe
File created	C:\Windows\SysWOW64\Bnknoogp.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Qqmfpqmc.dll	Pohhna32.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Pofkha32.exe	Oococb32.exe
File opened for modification	C:\Windows\SysWOW64\Qgmpibam.exe	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Apgagg32.exe	Qgmpibam.exe
File created	C:\Windows\SysWOW64\Onfoin32.exe	5b68f15cbd6e03e078122f3a8d7ffb066100ae0a807d4c271f0ed29a84ea1746N.exe
File opened for modification	C:\Windows\SysWOW64\Omnipjni.exe	Opglafab.exe
File created	C:\Windows\SysWOW64\Kmdlca32.dll	Omnipjni.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Pebpkk32.exe	Pohhna32.exe
File opened for modification	C:\Windows\SysWOW64\Pdjjag32.exe	Pkaehb32.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bniajoic.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Qndkpmkm.exe	Pdjjag32.exe
File created	C:\Windows\SysWOW64\Jpefpo32.dll	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Aomnhd32.exe	Apgagg32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bqgmfkhg.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Qndkpmkm.exe	Pdjjag32.exe
File created	C:\Windows\SysWOW64\Binbknik.dll	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	Bjkhdacm.exe
File opened for modification	C:\Windows\SysWOW64\Pkaehb32.exe	Pebpkk32.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Kqcjjk32.dll	Pkaehb32.exe
File created	C:\Windows\SysWOW64\Bjbndpmd.exe	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Qgmpibam.exe	Qndkpmkm.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Nmlkfoig.dll	Opglafab.exe
File opened for modification	C:\Windows\SysWOW64\Aficjnpm.exe	Akcomepg.exe
File created	C:\Windows\SysWOW64\Bniajoic.exe	Bccmmf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2872	2856	WerFault.exe	68

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opglafab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akcomepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omnipjni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pohhna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onfoin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Offmipej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b68f15cbd6e03e078122f3a8d7ffb066100ae0a807d4c271f0ed29a84ea1746N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pebpkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oococb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkaehb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmpibam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofkha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enemcbio.dll"	Offmipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djiqcmnn.dll"	5b68f15cbd6e03e078122f3a8d7ffb066100ae0a807d4c271f0ed29a84ea1746N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqcjjk32.dll"	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll"	Akcomepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5b68f15cbd6e03e078122f3a8d7ffb066100ae0a807d4c271f0ed29a84ea1746N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiofep.dll"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	5b68f15cbd6e03e078122f3a8d7ffb066100ae0a807d4c271f0ed29a84ea1746N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pohhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binbknik.dll"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omnipjni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oococb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgmpibam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5b68f15cbd6e03e078122f3a8d7ffb066100ae0a807d4c271f0ed29a84ea1746N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incjbkig.dll"	Qgmpibam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5b68f15cbd6e03e078122f3a8d7ffb066100ae0a807d4c271f0ed29a84ea1746N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbakl32.dll"	Pofkha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pohhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfqgfg32.dll"	Pdjjag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdjjag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmgmc32.dll"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlkfoig.dll"	Opglafab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqlecd32.dll"	Oococb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 860	2328	5b68f15cbd6e03e078122f3a8d7ffb066100ae0a807d4c271f0ed29a84ea1746N.exe	31
PID 2328 wrote to memory of 860	2328	5b68f15cbd6e03e078122f3a8d7ffb066100ae0a807d4c271f0ed29a84ea1746N.exe	31
PID 2328 wrote to memory of 860	2328	5b68f15cbd6e03e078122f3a8d7ffb066100ae0a807d4c271f0ed29a84ea1746N.exe	31
PID 2328 wrote to memory of 860	2328	5b68f15cbd6e03e078122f3a8d7ffb066100ae0a807d4c271f0ed29a84ea1746N.exe	31
PID 860 wrote to memory of 2156	860	Onfoin32.exe	32
PID 860 wrote to memory of 2156	860	Onfoin32.exe	32
PID 860 wrote to memory of 2156	860	Onfoin32.exe	32
PID 860 wrote to memory of 2156	860	Onfoin32.exe	32
PID 2156 wrote to memory of 2808	2156	Opglafab.exe	33
PID 2156 wrote to memory of 2808	2156	Opglafab.exe	33
PID 2156 wrote to memory of 2808	2156	Opglafab.exe	33
PID 2156 wrote to memory of 2808	2156	Opglafab.exe	33
PID 2808 wrote to memory of 2788	2808	Omnipjni.exe	34
PID 2808 wrote to memory of 2788	2808	Omnipjni.exe	34
PID 2808 wrote to memory of 2788	2808	Omnipjni.exe	34
PID 2808 wrote to memory of 2788	2808	Omnipjni.exe	34
PID 2788 wrote to memory of 2680	2788	Offmipej.exe	35
PID 2788 wrote to memory of 2680	2788	Offmipej.exe	35
PID 2788 wrote to memory of 2680	2788	Offmipej.exe	35
PID 2788 wrote to memory of 2680	2788	Offmipej.exe	35
PID 2680 wrote to memory of 2568	2680	Oococb32.exe	36
PID 2680 wrote to memory of 2568	2680	Oococb32.exe	36
PID 2680 wrote to memory of 2568	2680	Oococb32.exe	36
PID 2680 wrote to memory of 2568	2680	Oococb32.exe	36
PID 2568 wrote to memory of 2664	2568	Pofkha32.exe	37
PID 2568 wrote to memory of 2664	2568	Pofkha32.exe	37
PID 2568 wrote to memory of 2664	2568	Pofkha32.exe	37
PID 2568 wrote to memory of 2664	2568	Pofkha32.exe	37
PID 2664 wrote to memory of 1644	2664	Pohhna32.exe	38
PID 2664 wrote to memory of 1644	2664	Pohhna32.exe	38
PID 2664 wrote to memory of 1644	2664	Pohhna32.exe	38
PID 2664 wrote to memory of 1644	2664	Pohhna32.exe	38
PID 1644 wrote to memory of 1688	1644	Pebpkk32.exe	39
PID 1644 wrote to memory of 1688	1644	Pebpkk32.exe	39
PID 1644 wrote to memory of 1688	1644	Pebpkk32.exe	39
PID 1644 wrote to memory of 1688	1644	Pebpkk32.exe	39
PID 1688 wrote to memory of 2292	1688	Pkaehb32.exe	40
PID 1688 wrote to memory of 2292	1688	Pkaehb32.exe	40
PID 1688 wrote to memory of 2292	1688	Pkaehb32.exe	40
PID 1688 wrote to memory of 2292	1688	Pkaehb32.exe	40
PID 2292 wrote to memory of 2644	2292	Pdjjag32.exe	41
PID 2292 wrote to memory of 2644	2292	Pdjjag32.exe	41
PID 2292 wrote to memory of 2644	2292	Pdjjag32.exe	41
PID 2292 wrote to memory of 2644	2292	Pdjjag32.exe	41
PID 2644 wrote to memory of 2880	2644	Qndkpmkm.exe	42
PID 2644 wrote to memory of 2880	2644	Qndkpmkm.exe	42
PID 2644 wrote to memory of 2880	2644	Qndkpmkm.exe	42
PID 2644 wrote to memory of 2880	2644	Qndkpmkm.exe	42
PID 2880 wrote to memory of 2120	2880	Qgmpibam.exe	43
PID 2880 wrote to memory of 2120	2880	Qgmpibam.exe	43
PID 2880 wrote to memory of 2120	2880	Qgmpibam.exe	43
PID 2880 wrote to memory of 2120	2880	Qgmpibam.exe	43
PID 2120 wrote to memory of 2160	2120	Apgagg32.exe	44
PID 2120 wrote to memory of 2160	2120	Apgagg32.exe	44
PID 2120 wrote to memory of 2160	2120	Apgagg32.exe	44
PID 2120 wrote to memory of 2160	2120	Apgagg32.exe	44
PID 2160 wrote to memory of 2936	2160	Aomnhd32.exe	45
PID 2160 wrote to memory of 2936	2160	Aomnhd32.exe	45
PID 2160 wrote to memory of 2936	2160	Aomnhd32.exe	45
PID 2160 wrote to memory of 2936	2160	Aomnhd32.exe	45
PID 2936 wrote to memory of 704	2936	Akcomepg.exe	46
PID 2936 wrote to memory of 704	2936	Akcomepg.exe	46
PID 2936 wrote to memory of 704	2936	Akcomepg.exe	46
PID 2936 wrote to memory of 704	2936	Akcomepg.exe	46

C:\Users\Admin\AppData\Local\Temp\5b68f15cbd6e03e078122f3a8d7ffb066100ae0a807d4c271f0ed29a84ea1746N.exe
"C:\Users\Admin\AppData\Local\Temp\5b68f15cbd6e03e078122f3a8d7ffb066100ae0a807d4c271f0ed29a84ea1746N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\Onfoin32.exe
  C:\Windows\system32\Onfoin32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\SysWOW64\Opglafab.exe
    C:\Windows\system32\Opglafab.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\Omnipjni.exe
      C:\Windows\system32\Omnipjni.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\Offmipej.exe
        
        C:\Windows\system32\Offmipej.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\SysWOW64\Oococb32.exe
        
        C:\Windows\system32\Oococb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Pofkha32.exe
        
        C:\Windows\system32\Pofkha32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Pohhna32.exe
        
        C:\Windows\system32\Pohhna32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Pebpkk32.exe
        
        C:\Windows\system32\Pebpkk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Pkaehb32.exe
        
        C:\Windows\system32\Pkaehb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Pdjjag32.exe
        
        C:\Windows\system32\Pdjjag32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Qgmpibam.exe
        
        C:\Windows\system32\Qgmpibam.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Akcomepg.exe
        
        C:\Windows\system32\Akcomepg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Bjkhdacm.exe
        
        C:\Windows\system32\Bjkhdacm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 144
        40⤵
        Program crash
        
        PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aomnhd32.exe

Filesize
477KB

MD5
788f7da2eb095955558f48622f2acacf

SHA1
f55ecf6579aafc346ab89a4d7a800d393c8235eb

SHA256
aa2899fde55153522661c9babfefa8db44fefc2d21ae2efce4a73305423150d1

SHA512
fc5b915cf95d7843282435bcfca3efa9aa8389da4850f542bf73ca52ab05b0dce3cb2198384c022b2bc076525b2cc622ca4922b0efc1511dbb2f01f8d507e36d

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
477KB

MD5
b75eaa8cad63bcc8524759ca879d2028

SHA1
cc7387d196ae3500825a2ce2550f17e633626af4

SHA256
0f41ef1a8bad41add1e907a77808b23ccd65ef3ee642293addbbc022158e5ebf

SHA512
1aaf87f67d814d85f3ca2a8fe0ae6367c7e790981443e1968ca9bf3326edb426f66c2b88a4195e6688caf87f1ad4934a5bb3e7c9b8c65f0ae89811fd86b5f577

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
477KB

MD5
71a36e95c1d98fe063c1fa9c2bcc9317

SHA1
adbad0ca9c4ebf24f12ed85b2e9c8324562f48d9

SHA256
2ebc52e889af1a24576e8abad3949b5ad7f2c3b63502aa43ede234c920d78356

SHA512
09360110c54f06e7e52d7d5998d71efb05e9b44220203dde2cdbb1e0c879e5aa0e5931c19a4a59e2fb64c32ac41cd3f51d3c836dd6631d0417f8824809dab7fe

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
477KB

MD5
02067bd63aabc4a8558994bafe9049ed

SHA1
39ca0d0caa9ad95c2d7f9071b768e835c54605ff

SHA256
b6185aadd53e60047cccb933050cc05546bca04b8b37258bfaacdb108a00e14c

SHA512
33784b227b4be6c0891f6ad4c116fef411056557b422b70cad4a69fb3410bf3e78b79cb83e34f2280ff89e35f664984645694a7355d640fc5d4447dfa96fb440

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
477KB

MD5
c48dbf95c36116ea2e886f59df2c735d

SHA1
945552eca2448ac38bf909b585682aa080c6091a

SHA256
cfea7fd2837bade5f10ea1758ae5c822dbc3d18cea6f08e8a536d20e15bab529

SHA512
984c5b78c62fc7f7395aeea350040ea43d3ef7cdca65ace5286efacde2b7b4cef736dff4dc54bd6ee327dcf0691e24dfa47b19b44fdc96cead35f14c92697cac

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
477KB

MD5
d37b7aba2ba1dc991a103fe8426b89f3

SHA1
bc548f065c9c66046328564147e34625462b7571

SHA256
16382219fb396b1971da94ec68d2ad4cea4038b8effb39efbc4f1e027b1d9573

SHA512
57234d7048e4d7d328ca4db936a13f4fee95bd3b9b258fd41d24416c70517d6d0dcaee1e8a1b96b424a66c599f4b426f8110dfa09eb025732929e7edab82e0b9

Download Submit
C:\Windows\SysWOW64\Bjkhdacm.exe

Filesize
477KB

MD5
af8c6560a3303f1eb0694b30dc43e512

SHA1
2d9a042fa39036bba84a3d90d0155c57db1cc7df

SHA256
3b37d81eaaebc08c88d1a8f1c0637ba92c39929acec820d0f034f8b29acbfedb

SHA512
f746406625db9bd338d882febc0d0b8ed9d99fa6e51c83f7b3ade571627322a79db1bfc42a4519f2cd8800e7b9e3901dcba2d4f709f776aa6ab1f9f80fcc1049

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
477KB

MD5
f5d38e41f7db5c282fd5ad94bd49b62d

SHA1
b37892389e4ecf180d99c47237d13ff4f716f90c

SHA256
c3835e49efa388ec93a8cd7ddef3ad69e1098da1805f6089903da0d1f839dc51

SHA512
bb2279d6827b8ae49f53dc0c1e2cc5c2922df404559e4ae17b62f8e0eba96acbe023bf26e1ac7dfee63efdf6304e26ba8d71e899ba3a9caa6b215ee71390dbb6

Download Submit
C:\Windows\SysWOW64\Bniajoic.exe

Filesize
477KB

MD5
e334f2efbfb00b2b9516a3c18de9f699

SHA1
c9b02df5b3e34b83f13ea158d8a0359bbd0ebed2

SHA256
1a74d7b1e23e8759c3547e8218327c7d44b65b20fa0cb058333ca8e01033f0ba

SHA512
d2cce79b567a63947c29a642436cc70311d89eb1645cf145b226eedebb5d76749868521f8d04381fb85cd53438f24d26d361fc8f1f15f141f41b3c8962ec5953

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
477KB

MD5
c34d68d00a034d342e735606ee080a55

SHA1
c2686638da6677bb4692d2d2c8104a60b84c07eb

SHA256
41df6274d1ff1411695fc39ea18202cc7b35c6b315ccf8cfa64da97c27953788

SHA512
a4cd6cf900f6c9839da4b12d5f2439bd494c91a2fd1798f76e275410fcac0e58ebe24b6ac6412ef253427a6f19c9959584013d6675cfb5b63954283dc985302d

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
477KB

MD5
9bdd4bda1c100518d01ad4a542ad4a36

SHA1
0c44e5d1cd1b8cc25ea9c4e00662dd2ebc156730

SHA256
e9d700aa5c3a8d432f6939d4a865d0ae2181b42029168156d2a6dd367da59166

SHA512
17fd0943cec3e32107b654ed5c604a7df0354f97a30c53cfad90e76c9e45190bb4b266b4ab67bfdc72eb11f5d2c17c86c48c041ceab90a7e6d9be49d70e250d3

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
477KB

MD5
186d0d9768c22537c938a6ba69c38207

SHA1
bd9116f6a673cec1b869de0ff6afb60889fbdfc0

SHA256
2c8fa161071c3faf71dc2ee88a2a9ab74a09091baf03a2bd7c35a551b4d2ee5e

SHA512
f30b42c579c2a5802276028ab19778c101f9060d9bd6d397d745424b3327f4d609b45ed9ca26291e1b9f1baee3765b3363ba3f9d88035a4948ed27e53460c1f5

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
477KB

MD5
b6a71db9f7910bd049b5880319ff838f

SHA1
aeba3cfe265d0168e37a62f6a5fc0f78e6a69a1b

SHA256
57bea91d621fc4e73a338e7a5fa17c3bb150ca7e7b83851a2a954e5b0b363ad9

SHA512
8cbc063509e9cbffc7735dd509624b7283be9fcb5996527d685fedd9163044c8c29fea788eaf449679fb68c41fcfb5eef65965135a40c680e93b6eac87103c16

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
477KB

MD5
9cffc9f6feef65fbf02aa50c4a4d3217

SHA1
6561a7b8eac5ff1999d0ab84991ba853117b6db0

SHA256
f311f44da9d3611580f3ef10755a2f656807e32bfafae5bf0500160bc3f985e0

SHA512
bae307c2b12e7c7fc5d0312e2cd561d6bc96fe1448b1c5ce30b50dabfe189f46d071a25223e6e920ed1ce1a894a0e8e634735ee11a339ef85a869d3954f2ca83

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
477KB

MD5
1b41b3d249710e7d7e8eb0a42f511a81

SHA1
fc9890db89f5d10ae442a00c9e1a1a946bfc69fe

SHA256
e9fe7f9ade579503bc0cb235f34e05b09966e18e16f65db30c9113c2300ff8d6

SHA512
c98eb860e1f2522b1951be3246123ba09c3a2ae00da5209ea74d7da41c7e765fa49c43feb0f841209afac484bb418493db6a4a44715a73154f375cef9f18f8cd

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
477KB

MD5
da08c0c3028658cf9200cf82f8617b84

SHA1
bc7db85e9e7326b775f22c4c0e2c25be52f04867

SHA256
03002e68fb1b5c6f83694057b59b71140a3cddedbc380a9f25ea452e8faa7d03

SHA512
55a080e42cdfd1ccc6f7dd75ba5837ef87509ea8be1fc2c99d1a649d16e2d9620879358e3989ab047e79768f079bff054862c9f4140e5773ce24d3ecd6cc738f

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
477KB

MD5
d79c1e335f35f6940db358c8e3c03da8

SHA1
e38ba53a3754b15497a25ba60edd95ba4ea4b9ba

SHA256
c3217c5ccde249fd8d34e1e069ccbc5dbf450ef68af5cf156b348506b833735f

SHA512
5186ca8a1e94ee64298a2165e9e5a78cec5a18412fb8de31aaf76138382fe99f5eaca52039e20c6ed22bc50e9611de24f8633158d1b86c11752c83d851e40634

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
477KB

MD5
9867553761ec9cb1107284b517f02294

SHA1
c5ba562bc45e2766dab55cc254b8f497ae443b18

SHA256
13cd67ad8bf962afea9dd6611d2da0979fb8502212d2440bfeb536403c8ad375

SHA512
0f4093943e9123d172ae5cf9a886d85a5955ffd9bbf0242c66410726d772509ebf495051b818b6f413844a23532eb97f957b3b887f093394386c2eda2d1607ae

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
477KB

MD5
37358b8f59b4c7b3382bfe4196fb7532

SHA1
0756aad0e355eba3d09427a6ae11f6d148c2232b

SHA256
3ea4f02098bb8197120f00ebd49f9dc6f1edaa72c42b02ec4c09e5a18e7eedef

SHA512
0188c4a1e0c1f93f046837439bf3650741332dd0836de6043c54bbb6a56c52648c49f774c6abd0a6ac53d4cb3771ab1b3dcaa4b106193b4852d015741ea8e4d1

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
477KB

MD5
a25544fd4a8a6063d37779cdea91e705

SHA1
723b1382786b11dab2d8cfa58fdb737cf02d8f5e

SHA256
16b9458033219d4c7bbb03c7f78f4592b6e55712ad69f81cbb4ebe0bd00d3503

SHA512
2a2fa28b54531cc3ef3e9f5a5f1fc8b545231ed5d3f947b56d7d732dad60d85165a43963d3ca580b4566c4ee8ab390cb82705d42bf1dd034a3379d36bd863708

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
477KB

MD5
f8cf475750db7bd042e656b85f71c08f

SHA1
f0d3a7a04f20a0e21ad71ebf085b3142e58964a6

SHA256
5c7a4704589ad90d4d88ae3835c3639c97889e2a84e33ff9ce2086ca1e3079cb

SHA512
48121c526f85019e6ed55b91d6fdc67fb80b4cbef5128ce929f90727fb9129a6c6902c7e5cfd74647e0a65da2d8daf16c26209de8687a7009f067141bbf59125

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
477KB

MD5
d36722931c30934b1c56f66ca4c9d0cf

SHA1
6de8d2e77333b6322725a44096a4b0c7a75ab8c9

SHA256
f70f74b2c8d33393c75ad82ea1857e17921f20d053d91942d33e7e7b318a4ec3

SHA512
b639e62648a7adc5dc113664479b2f73779af5a00a39f791b33e946ffaed43f526aefb43bff0396f0083a01e9c476ccf956dbf4c79c25e86dc3c5024ff0aba3d

Download Submit
C:\Windows\SysWOW64\Opglafab.exe

Filesize
477KB

MD5
18726d3e09e0db488671c0239fed2ff3

SHA1
df2b02c9c13ceb6f79a14a100864c9d9d2c30b40

SHA256
b6b30297bfbdcc07f5ed31e76c4d045cc72bf5b51de72ac8efe4c51a7a50da74

SHA512
038034b98b6e9e6f6dab6ea7476cbb4eb92f1acdd1e138fee945557a76359338568a89afccc26b344c90a6d4b49422cb8cdf611b62b20b14d4d2b852eb16cc88

Download Submit
C:\Windows\SysWOW64\Pebpkk32.exe

Filesize
477KB

MD5
d7861aeed0f03d3740d778ca42fe5763

SHA1
3b3dcc71e7b33d33701c034b0167326307e20858

SHA256
f093119ea3a30688e42f9d309efd24aecbdebca416f8f91b5bd38ba6c4baadf7

SHA512
2d66f562824f3850377d9eab20309f513064e69d3553b3937a0cd3b58491329ebc1ec57b1b867d66989623f4defcb70f904ff622c2e916ab68fbdbffbcb792f1

Download Submit
C:\Windows\SysWOW64\Qgmpibam.exe

Filesize
477KB

MD5
96be34da26422a66c7315e70b1f95892

SHA1
f9705fcbb57d8c2be5fd4e771d718096ece6c793

SHA256
85c00e7597bb7ea729c157d42e8b3b5e84b903a693ba67233e4da53842d48287

SHA512
6adaab79358c03c79e04f2cf549cf0731e0441781c4630d6daab46d2c0a2e8bac2c7fab97578af67391f2467325595005511b51c3511b2d9f472b3fd77276faa

Download Submit
\Windows\SysWOW64\Aficjnpm.exe

Filesize
477KB

MD5
7e66976cd37ff6afee8539630ea3ec96

SHA1
70626c90fbd561158b3af9dec2c3351e37bbb61e

SHA256
bff7936318e744cb11447c73d22dcd7774590afa586d97eb63df6e59afc114d8

SHA512
4cb1f9ef7a760c93ff9064faeb2d48d186415e2a1cca7d398e1af4332c16af1796ff4914928301704be529b5320384bd7084867340ffe9a474776f2bacaa27c8

Download Submit
\Windows\SysWOW64\Akcomepg.exe

Filesize
477KB

MD5
8afd88ff2ebfe305bd705e8f48b350e7

SHA1
0248375050f36a3d2843adbad80645c414804f16

SHA256
46a1e0109b94b6b6b8c9bd12a732c76c844b3feb629033f62086c73dab20c81d

SHA512
cd40dc103568538da2a07a23541ac02737970bfe1b09849376781031d38f26304d24a8a8c229a22031c42ea78d52e3cd2366329d3484ba95950ee27a971cd173

Download Submit
\Windows\SysWOW64\Apgagg32.exe

Filesize
477KB

MD5
c701645affb5aca7eccade71aeafe3d3

SHA1
bb56fe0f41db085bf31a0f221f04f038327fbc30

SHA256
5fc360e2ae88f0471d4de5bc7cefbe896025b9314a5546e238a7919cf32dc8cd

SHA512
17e1a24e7c36018a6ec1ba2383247defdd13682219db8c1fd962649fa78d544b8a5df8b86c13e313945871a3f44a7d5d88e5e7b7e7fea3e6890252d60d63ac5f

Download Submit
\Windows\SysWOW64\Offmipej.exe

Filesize
477KB

MD5
b73de36071e39d2eea944adeaea8f88b

SHA1
c9f5b4e24ca12e5c7fb5c11397ba7c1fa135737d

SHA256
77891e10c4afd9402ce906f2526fc4e92545be97accb1c3e23b7680a7cb475a8

SHA512
750b87d74a303355f7ac9da94447b4ac20d8d90c5d2c76b6720ade2eec3ebfc5383befaa17608d871462f6f2c96a1e590ce1296f62d03819755d931124a9bf3a

Download Submit
\Windows\SysWOW64\Omnipjni.exe

Filesize
477KB

MD5
61e73cf760043af2c50a3f64819b5556

SHA1
f605aae04998981e306b26bba53ff29cf1416930

SHA256
66fce00bcc49014f2496826aedb326d1222cc864eda0753eed1cd1db3d80d517

SHA512
1189fc3959f89b138fb625533717271474d9a32bb714c8771f4d24ef84d65a0e2f610ff419aedf3dfa0a572974399288b2069c7e999dbe1af37332bf7797cb41

Download Submit
\Windows\SysWOW64\Onfoin32.exe

Filesize
477KB

MD5
f0df80c243cfc57e96493bf6a0b37c0f

SHA1
338197fc241e947ffffc33d728ab1859e26827bf

SHA256
dd6feadca778568a894a6303008e005063974cc3f754fb263b721db09a66a2e4

SHA512
2a884f4a2bcd326a523aa6116b16a46788fecb5558ae4e6714808ff2cd2601202026234933945cf84f87ccb2ca09c72b5013d6fcc202ee4aceb7e30b63af2174

Download Submit
\Windows\SysWOW64\Oococb32.exe

Filesize
477KB

MD5
8d065ae0d0b3d070a1c28e1e26a284b6

SHA1
1d83b4f2515c08c79db4b20fe1e476f58a99cc2a

SHA256
bb338ab4e544ffce27290faa1b86dd1cf82abef87967bd74a681e9daf140547e

SHA512
7c701a1ff21d6c6c909dcca6bc3f33bae72e6f3a2fd4045a9942ed0e4a148468ad72c7ab8d1aea939ca6e89d4df0243de64d537ce9ad4cb280419eed8c088132

Download Submit
\Windows\SysWOW64\Pdjjag32.exe

Filesize
477KB

MD5
e5749bb0448d0c4735d7924d74cfa6c4

SHA1
c0302691744ea49314573d28b3c5babc89591f40

SHA256
24de1d560ea50b4e7d89adb55a6e91cc53e685673e46285224b06e67b6cc1b1b

SHA512
1c721f3be020ec18654e3bbd6a4acc073bd6bf6ac9d9154150df868377a65b9620a489b9623fd911cc1b676e11b88d0691e57b7cb5eab888b9a0508430546bf0

Download Submit
\Windows\SysWOW64\Pkaehb32.exe

Filesize
477KB

MD5
a4e1e0cd3232097ea597ce966b6e01be

SHA1
fa15b7fe0f379db4c6938d3f74358719c0b34a3c

SHA256
d7556d7fbc34a0725e43de9bd857cb07a2a79cb02dda982eeaaf37db8f924aec

SHA512
a13f827ca401eec36a33ee56d5b80cf5baa7e90ed17a1a486e0d7808a292c14dbe940ca58a4f31fbdb7545755edefa59225e060093409c000f4c579f447f298a

Download Submit
\Windows\SysWOW64\Pofkha32.exe

Filesize
477KB

MD5
fbf8cae987f9a7d6f0d13bf3701de10a

SHA1
e1e15de04486e9672c2c8c17ce63d28ecefe64eb

SHA256
2dd4c7d901c67266c3ea3d6349dd1fe8080e494efc6436613032d55f0b24b1aa

SHA512
a17861cd50c6d07c0af18a41c6c0312658d2b6cc50aae9a5563ed4cc401b2d5ca59b09d1ba9a0062a09775c8ab6eab46e123646c9a9682dce6bc3995b49257e0

Download Submit
\Windows\SysWOW64\Pohhna32.exe

Filesize
477KB

MD5
c497b66c59357fd366a44ea93db902ed

SHA1
b91dc9c2242486765b8474d62e1f7bbcf6fb875c

SHA256
5922bd674c20b41587cf6950e6871ec002b82e8966012bcab53c247c43d3e869

SHA512
8eceb948c4b154b727209a4a6e8e43c3ac92219ce3b462da11878701e3f82ed41ef0db50463ee36922211b432e744a51d0136d39e3a6f84061f238cb688d902f

Download Submit
\Windows\SysWOW64\Qndkpmkm.exe

Filesize
477KB

MD5
45c927b51cc5f7a3073b53fa4190b70b

SHA1
abc8d0d5bd4d69515bb0cd6a3c6d02be5ec45a8a

SHA256
e94562062bf4e495ffac8cebda85a3029580c3d0334c1732072d3cbf57165f2e

SHA512
76a8bdbd615897dc153b05d0a5d10b9e91934bfca7b2eb4a3711cce45e9fdc29349898ffd0d719326be7d1957e9c7b2d4059a0e8f20fa994291995900ba19f25

Download Submit
memory/552-424-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/552-428-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/552-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-597-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-242-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/704-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/704-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-25-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/860-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-315-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1484-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-318-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1644-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-117-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1652-415-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1652-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-405-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1652-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-300-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1756-304-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1800-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-261-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1808-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-306-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2056-307-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2080-416-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2080-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-595-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-39-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2156-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-40-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2160-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-144-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2292-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-328-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2328-6-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2328-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-233-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2356-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-280-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2500-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-91-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2568-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-379-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2592-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-82-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2680-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-338-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2748-349-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2748-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-68-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2788-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-50-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2808-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-439-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2852-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-440-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2852-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-606-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-371-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2868-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-370-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2880-171-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2880-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-293-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2948-292-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2976-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-394-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/3008-591-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-393-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads