berbew | 281e29b4886abae88382821099798ccae9e07076b084d897114fef1fc5cdead8

Analysis

max time kernel
94s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

281e29b4886abae88382821099798ccae9e07076b084d897114fef1fc5cdead8.exe
Size

64KB
MD5

e07a0f3054aba3d816ae56bd371e42ec
SHA1

3a682d623ac9e1950c522bbe8325db17907be688
SHA256

281e29b4886abae88382821099798ccae9e07076b084d897114fef1fc5cdead8
SHA512

a4542df9351213bea38bd5b9b21269eb4f4403d29db49f702dbe1f1d83495a4a6f5a88afbc8b68eeef2e43d98f588d422c545ab56cc0eea0a5b5badd2dafc042
SSDEEP

1536:zSdQUqpkUkavSYQEuJmXmlwRU2LDrDWBi:eBaaY9tD2Bi

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppgegd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmblagmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paiogf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qaqegecm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	281e29b4886abae88382821099798ccae9e07076b084d897114fef1fc5cdead8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjfmkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chdialdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akdilipp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	281e29b4886abae88382821099798ccae9e07076b084d897114fef1fc5cdead8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjfmkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpfjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phonha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdjgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppgegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opeiadfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjkmomfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmlfqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ondljl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phonha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhiemoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmlfqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apaadpng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apaadpng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ondljl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpdnjple.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgpcliao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhpimhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddllkbf.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 53 IoCs

pid	Process
3884	Ogjdmbil.exe
4984	Ojhpimhp.exe
2640	Ondljl32.exe
1652	Opeiadfg.exe
1560	Ohlqcagj.exe
2344	Pjkmomfn.exe
688	Pmiikh32.exe
2424	Ppgegd32.exe
4336	Phonha32.exe
972	Pmlfqh32.exe
2564	Pdenmbkk.exe
744	Pjpfjl32.exe
976	Paiogf32.exe
2520	Phcgcqab.exe
3040	Pnmopk32.exe
4268	Pdjgha32.exe
1212	Pmblagmf.exe
2872	Qjfmkk32.exe
4636	Qaqegecm.exe
3328	Qhjmdp32.exe
3420	Qdaniq32.exe
100	Ahofoogd.exe
2744	Amlogfel.exe
2432	Adfgdpmi.exe
1164	Aokkahlo.exe
2136	Aajhndkb.exe
2156	Akblfj32.exe
1392	Amqhbe32.exe
3680	Apodoq32.exe
3164	Akdilipp.exe
2168	Aaoaic32.exe
2852	Apaadpng.exe
4180	Bhhiemoj.exe
624	Bpdnjple.exe
1556	Boenhgdd.exe
4408	Bgpcliao.exe
1528	Bphgeo32.exe
1432	Boihcf32.exe
1388	Bpkdjofm.exe
1040	Bnoddcef.exe
2188	Chdialdl.exe
2196	Cammjakm.exe
1176	Cncnob32.exe
3148	Chiblk32.exe
5064	Cpdgqmnb.exe
1568	Cgnomg32.exe
1084	Cnhgjaml.exe
5008	Chnlgjlb.exe
2100	Cnjdpaki.exe
4232	Dddllkbf.exe
436	Dojqjdbl.exe
3120	Ddgibkpc.exe
4576	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mkfoeejd.dll	Ogjdmbil.exe
File created	C:\Windows\SysWOW64\Ohlqcagj.exe	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Mmihfl32.dll	Chdialdl.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Bbikhdcm.dll	Ppgegd32.exe
File opened for modification	C:\Windows\SysWOW64\Phcgcqab.exe	Paiogf32.exe
File created	C:\Windows\SysWOW64\Qjfmkk32.exe	Pmblagmf.exe
File created	C:\Windows\SysWOW64\Qaqegecm.exe	Qjfmkk32.exe
File created	C:\Windows\SysWOW64\Bpkdjofm.exe	Boihcf32.exe
File created	C:\Windows\SysWOW64\Ppgegd32.exe	Pmiikh32.exe
File created	C:\Windows\SysWOW64\Lfdqcn32.dll	Phonha32.exe
File created	C:\Windows\SysWOW64\Pmblagmf.exe	Pdjgha32.exe
File opened for modification	C:\Windows\SysWOW64\Qdaniq32.exe	Qhjmdp32.exe
File opened for modification	C:\Windows\SysWOW64\Bpdnjple.exe	Bhhiemoj.exe
File created	C:\Windows\SysWOW64\Cpdgqmnb.exe	Chiblk32.exe
File opened for modification	C:\Windows\SysWOW64\Ogjdmbil.exe	281e29b4886abae88382821099798ccae9e07076b084d897114fef1fc5cdead8.exe
File opened for modification	C:\Windows\SysWOW64\Opeiadfg.exe	Ondljl32.exe
File created	C:\Windows\SysWOW64\Pjkmomfn.exe	Ohlqcagj.exe
File opened for modification	C:\Windows\SysWOW64\Pmlfqh32.exe	Phonha32.exe
File opened for modification	C:\Windows\SysWOW64\Pnmopk32.exe	Phcgcqab.exe
File created	C:\Windows\SysWOW64\Geqnma32.dll	Amlogfel.exe
File opened for modification	C:\Windows\SysWOW64\Bnoddcef.exe	Bpkdjofm.exe
File created	C:\Windows\SysWOW64\Ddgibkpc.exe	Dojqjdbl.exe
File opened for modification	C:\Windows\SysWOW64\Phonha32.exe	Ppgegd32.exe
File created	C:\Windows\SysWOW64\Pnmopk32.exe	Phcgcqab.exe
File created	C:\Windows\SysWOW64\Iafphi32.dll	Pdjgha32.exe
File opened for modification	C:\Windows\SysWOW64\Qhjmdp32.exe	Qaqegecm.exe
File opened for modification	C:\Windows\SysWOW64\Ojhpimhp.exe	Ogjdmbil.exe
File opened for modification	C:\Windows\SysWOW64\Pdenmbkk.exe	Pmlfqh32.exe
File created	C:\Windows\SysWOW64\Ahofoogd.exe	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Akblfj32.exe	Aajhndkb.exe
File opened for modification	C:\Windows\SysWOW64\Boihcf32.exe	Bphgeo32.exe
File created	C:\Windows\SysWOW64\Mmlmhc32.dll	Cncnob32.exe
File created	C:\Windows\SysWOW64\Apgnjp32.dll	Pjpfjl32.exe
File opened for modification	C:\Windows\SysWOW64\Adfgdpmi.exe	Amlogfel.exe
File opened for modification	C:\Windows\SysWOW64\Apodoq32.exe	Amqhbe32.exe
File created	C:\Windows\SysWOW64\Nalhik32.dll	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Phcgcqab.exe	Paiogf32.exe
File created	C:\Windows\SysWOW64\Aajhndkb.exe	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Bnoddcef.exe	Bpkdjofm.exe
File created	C:\Windows\SysWOW64\Cnjdpaki.exe	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Eihcbonm.dll	Pjkmomfn.exe
File created	C:\Windows\SysWOW64\Gjecbd32.dll	Bgpcliao.exe
File created	C:\Windows\SysWOW64\Jkmmde32.dll	Boihcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ondljl32.exe	Ojhpimhp.exe
File created	C:\Windows\SysWOW64\Mkfefigf.dll	Qjfmkk32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhiemoj.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Ogjdmbil.exe	281e29b4886abae88382821099798ccae9e07076b084d897114fef1fc5cdead8.exe
File opened for modification	C:\Windows\SysWOW64\Pmiikh32.exe	Pjkmomfn.exe
File created	C:\Windows\SysWOW64\Ggpenegb.dll	Pdenmbkk.exe
File opened for modification	C:\Windows\SysWOW64\Aajhndkb.exe	Aokkahlo.exe
File opened for modification	C:\Windows\SysWOW64\Cgnomg32.exe	Cpdgqmnb.exe
File created	C:\Windows\SysWOW64\Qdaniq32.exe	Qhjmdp32.exe
File created	C:\Windows\SysWOW64\Qgaeof32.dll	Ahofoogd.exe
File created	C:\Windows\SysWOW64\Amqhbe32.exe	Akblfj32.exe
File created	C:\Windows\SysWOW64\Bpdnjple.exe	Bhhiemoj.exe
File opened for modification	C:\Windows\SysWOW64\Cammjakm.exe	Chdialdl.exe
File created	C:\Windows\SysWOW64\Jlkidpke.dll	Cammjakm.exe
File created	C:\Windows\SysWOW64\Eehmok32.dll	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Qkhnbpne.dll	Apodoq32.exe
File opened for modification	C:\Windows\SysWOW64\Cpdgqmnb.exe	Chiblk32.exe
File created	C:\Windows\SysWOW64\Ennamn32.dll	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Phlepppi.dll	Akdilipp.exe
File created	C:\Windows\SysWOW64\Cncnob32.exe	Cammjakm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1848	4576	WerFault.exe	134

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjfmkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chiblk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgibkpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnomg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adfgdpmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaoaic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boenhgdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chdialdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cammjakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paiogf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdaniq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apaadpng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpdnjple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlfqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chnlgjlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojhpimhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjkmomfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppgegd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpkdjofm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cncnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnjdpaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ondljl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnmopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qaqegecm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apodoq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphgeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogjdmbil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhjmdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahofoogd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akdilipp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akblfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	281e29b4886abae88382821099798ccae9e07076b084d897114fef1fc5cdead8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdenmbkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmblagmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojqjdbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhiemoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoddcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phonha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajhndkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgpcliao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boihcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmiikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcgcqab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opeiadfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohlqcagj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpfjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aokkahlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	281e29b4886abae88382821099798ccae9e07076b084d897114fef1fc5cdead8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amlogfel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlohlk32.dll"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lahoec32.dll"	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cammjakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfoeejd.dll"	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmephjke.dll"	Paiogf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlmhc32.dll"	Cncnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfpihkg.dll"	281e29b4886abae88382821099798ccae9e07076b084d897114fef1fc5cdead8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjkmomfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phonha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmlfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogakfe32.dll"	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennamn32.dll"	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojhpimhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpenegb.dll"	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paiogf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfefigf.dll"	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giidol32.dll"	Pmlfqh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phcgcqab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qhjmdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbandhne.dll"	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	281e29b4886abae88382821099798ccae9e07076b084d897114fef1fc5cdead8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahofoogd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppgegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmocfo32.dll"	Pmblagmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgaeof32.dll"	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijikdfig.dll"	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlepppi.dll"	Akdilipp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnmopk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgncclck.dll"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiapmnp.dll"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllfqd32.dll"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmblagmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhqndghj.dll"	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnpkdp32.dll"	Opeiadfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjfmkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgni32.dll"	Aajhndkb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 3884	5004	281e29b4886abae88382821099798ccae9e07076b084d897114fef1fc5cdead8.exe	81
PID 5004 wrote to memory of 3884	5004	281e29b4886abae88382821099798ccae9e07076b084d897114fef1fc5cdead8.exe	81
PID 5004 wrote to memory of 3884	5004	281e29b4886abae88382821099798ccae9e07076b084d897114fef1fc5cdead8.exe	81
PID 3884 wrote to memory of 4984	3884	Ogjdmbil.exe	82
PID 3884 wrote to memory of 4984	3884	Ogjdmbil.exe	82
PID 3884 wrote to memory of 4984	3884	Ogjdmbil.exe	82
PID 4984 wrote to memory of 2640	4984	Ojhpimhp.exe	83
PID 4984 wrote to memory of 2640	4984	Ojhpimhp.exe	83
PID 4984 wrote to memory of 2640	4984	Ojhpimhp.exe	83
PID 2640 wrote to memory of 1652	2640	Ondljl32.exe	84
PID 2640 wrote to memory of 1652	2640	Ondljl32.exe	84
PID 2640 wrote to memory of 1652	2640	Ondljl32.exe	84
PID 1652 wrote to memory of 1560	1652	Opeiadfg.exe	85
PID 1652 wrote to memory of 1560	1652	Opeiadfg.exe	85
PID 1652 wrote to memory of 1560	1652	Opeiadfg.exe	85
PID 1560 wrote to memory of 2344	1560	Ohlqcagj.exe	86
PID 1560 wrote to memory of 2344	1560	Ohlqcagj.exe	86
PID 1560 wrote to memory of 2344	1560	Ohlqcagj.exe	86
PID 2344 wrote to memory of 688	2344	Pjkmomfn.exe	87
PID 2344 wrote to memory of 688	2344	Pjkmomfn.exe	87
PID 2344 wrote to memory of 688	2344	Pjkmomfn.exe	87
PID 688 wrote to memory of 2424	688	Pmiikh32.exe	88
PID 688 wrote to memory of 2424	688	Pmiikh32.exe	88
PID 688 wrote to memory of 2424	688	Pmiikh32.exe	88
PID 2424 wrote to memory of 4336	2424	Ppgegd32.exe	89
PID 2424 wrote to memory of 4336	2424	Ppgegd32.exe	89
PID 2424 wrote to memory of 4336	2424	Ppgegd32.exe	89
PID 4336 wrote to memory of 972	4336	Phonha32.exe	90
PID 4336 wrote to memory of 972	4336	Phonha32.exe	90
PID 4336 wrote to memory of 972	4336	Phonha32.exe	90
PID 972 wrote to memory of 2564	972	Pmlfqh32.exe	91
PID 972 wrote to memory of 2564	972	Pmlfqh32.exe	91
PID 972 wrote to memory of 2564	972	Pmlfqh32.exe	91
PID 2564 wrote to memory of 744	2564	Pdenmbkk.exe	92
PID 2564 wrote to memory of 744	2564	Pdenmbkk.exe	92
PID 2564 wrote to memory of 744	2564	Pdenmbkk.exe	92
PID 744 wrote to memory of 976	744	Pjpfjl32.exe	93
PID 744 wrote to memory of 976	744	Pjpfjl32.exe	93
PID 744 wrote to memory of 976	744	Pjpfjl32.exe	93
PID 976 wrote to memory of 2520	976	Paiogf32.exe	94
PID 976 wrote to memory of 2520	976	Paiogf32.exe	94
PID 976 wrote to memory of 2520	976	Paiogf32.exe	94
PID 2520 wrote to memory of 3040	2520	Phcgcqab.exe	95
PID 2520 wrote to memory of 3040	2520	Phcgcqab.exe	95
PID 2520 wrote to memory of 3040	2520	Phcgcqab.exe	95
PID 3040 wrote to memory of 4268	3040	Pnmopk32.exe	96
PID 3040 wrote to memory of 4268	3040	Pnmopk32.exe	96
PID 3040 wrote to memory of 4268	3040	Pnmopk32.exe	96
PID 4268 wrote to memory of 1212	4268	Pdjgha32.exe	97
PID 4268 wrote to memory of 1212	4268	Pdjgha32.exe	97
PID 4268 wrote to memory of 1212	4268	Pdjgha32.exe	97
PID 1212 wrote to memory of 2872	1212	Pmblagmf.exe	98
PID 1212 wrote to memory of 2872	1212	Pmblagmf.exe	98
PID 1212 wrote to memory of 2872	1212	Pmblagmf.exe	98
PID 2872 wrote to memory of 4636	2872	Qjfmkk32.exe	99
PID 2872 wrote to memory of 4636	2872	Qjfmkk32.exe	99
PID 2872 wrote to memory of 4636	2872	Qjfmkk32.exe	99
PID 4636 wrote to memory of 3328	4636	Qaqegecm.exe	100
PID 4636 wrote to memory of 3328	4636	Qaqegecm.exe	100
PID 4636 wrote to memory of 3328	4636	Qaqegecm.exe	100
PID 3328 wrote to memory of 3420	3328	Qhjmdp32.exe	101
PID 3328 wrote to memory of 3420	3328	Qhjmdp32.exe	101
PID 3328 wrote to memory of 3420	3328	Qhjmdp32.exe	101
PID 3420 wrote to memory of 100	3420	Qdaniq32.exe	102

C:\Users\Admin\AppData\Local\Temp\281e29b4886abae88382821099798ccae9e07076b084d897114fef1fc5cdead8.exe
"C:\Users\Admin\AppData\Local\Temp\281e29b4886abae88382821099798ccae9e07076b084d897114fef1fc5cdead8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SysWOW64\Ogjdmbil.exe
  C:\Windows\system32\Ogjdmbil.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Windows\SysWOW64\Ojhpimhp.exe
    C:\Windows\system32\Ojhpimhp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Windows\SysWOW64\Ondljl32.exe
      C:\Windows\system32\Ondljl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:100
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 400
        55⤵
        Program crash
        
        PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4576 -ip 4576
1⤵
PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajhndkb.exe

Filesize
64KB

MD5
6f5f4e70cd47cd61354181320e338e9e

SHA1
d8cc9de747e668e592e61ca1da10084402b50563

SHA256
d7c162baae62b16437dc5ff8f35bd242581c2922ed4a235fb90b7a7b0ba81ba5

SHA512
d24e19c04e567133b18b09358c3a652ecbaf00a2d26d85881f9affb514db7eaaf376de3ed408b54f877394366d321f21257c77e3133c2f3b51d4e8c7973e9389

Download Submit
C:\Windows\SysWOW64\Aaoaic32.exe

Filesize
64KB

MD5
196e4fefc2dd87a8ee5cbe0398430052

SHA1
ef32957ce47613fe5e00d7257fff08ce4d13d359

SHA256
82573aa8c8b428882cb245e08fe9db54fdd02d77b4de29c11d9ec3084be556b1

SHA512
1c05c9e7122d659bdf5fa6f168ca9fab3ddc7a35438dfbbce1b62772a71b0ea1f942661c5f10cd850bc4e894841621ede9563425753dc835f59e604ee646a9e0

Download Submit
C:\Windows\SysWOW64\Adfgdpmi.exe

Filesize
64KB

MD5
0c2f331541766c19adec358d259e3f9c

SHA1
d644742fb9c6abf377aff2357e1337e22952005f

SHA256
d45b9fbc3de1b42f7bfbd696d0386b26043d9b4d89762a59829fc3f88240dfd6

SHA512
07a7eb31e91d1b29eb5a9082766fb4762d759857b445014d18d2f0a8b91a9c01d3a6b498d4a60541cd22cc1ab6355115baa9156d1ce799254f65c521ff7e6119

Download Submit
C:\Windows\SysWOW64\Ahofoogd.exe

Filesize
64KB

MD5
d3ea041804421d1c7dc2f0a2ff436b1d

SHA1
36a79340f5e3d73da3f947cf0abfa321b6c32f9e

SHA256
7538673960f5b7f62049fd0a838b89582a713e36280724be7cd9cee112940d35

SHA512
725edc4aee19f3820927479b0308c38d7879b370aedcd2dc7b8dfc653a89ac2f13e2a2c16bb48626fd71fb7f79f7517f204d68972076c025a6306e2befbce991

Download Submit
C:\Windows\SysWOW64\Akblfj32.exe

Filesize
64KB

MD5
01ca42d0ac259915308410e145798695

SHA1
20d799e49476b94404b1a3da528a72e9a4973157

SHA256
173d0426c8d30b70af1e4a883d09a645783457eddbbda5adc32f524ac75d228f

SHA512
0ae0c6659918b6cb7a5671e58ec0afbbbb28e30e8458114395ed8f218f013049fe11e6e5485e6392e9250bac5b14b918cb0cabdc498220f2b9f18fb2d439dba1

Download Submit
C:\Windows\SysWOW64\Akdilipp.exe

Filesize
64KB

MD5
008b9409bc52bc61f1a4cb2c6a42617e

SHA1
727a5540b1230613d7b4d7181e68b99f9ba4fdf3

SHA256
d14b82f45371b54678aa22cd86ff9a8e8dc0cdbab556b2e3cf114373a86fe22b

SHA512
7e94f2d5cfabac92336e39e7ec0c601d94313ae6db8d45bb44949f27eae34b33fa0151111e33bf252dd0edc79bde91f16222b9562ede02461c2f58d4d4d1815f

Download Submit
C:\Windows\SysWOW64\Amlogfel.exe

Filesize
64KB

MD5
54e34aec9287af4eca92ff16d049e045

SHA1
02ea49d8aabe8498ec5909a3ee4cf763b2556326

SHA256
f2c20cb3f4ca8674d13437e093bea92efbe6fde473ede8fc72bfb3f45b492166

SHA512
4cd387809e413ddc91fac3f4d18e43e9c59b94cb8dcc4c8a20c3ce47829980af64e3916941670a4a3c09ba28f08e36c8d3b142341bc4c9307c682d27f5157833

Download Submit
C:\Windows\SysWOW64\Amqhbe32.exe

Filesize
64KB

MD5
7fb26a1044c75ee45b3ffd3c471864af

SHA1
df61a52148aa9578be4203d91832ef8d4a8af8ac

SHA256
0ea024beb86256828568d7f27d69b4463d566d564bc52eec814fcb3ae9ce3a5d

SHA512
a584f040241c4baf4e6f7cdae61a4397648afe344094d5b045b1313492eb0d59ccd154153cf743a595688c81a06534a0da7eef111457c0f52fbbd9ba136fbd92

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
64KB

MD5
bf8ba8fd5630b7b7321b6d36915a54ae

SHA1
c9683113dd4e93711ffb5b013c1056d804f9ce69

SHA256
3c5f3909df4e7cc23f9c3c8e7e2d1a6e591e1f6be7ac3e872c2edc59739864da

SHA512
0002551dc024bd1491a188e4514945d818f6681fa117b2d752d7f48da65c82778b9e4de2c4e54c793c6fdd42cc9e513b6a9dcbfea1d093a465c39d11be058f54

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe

Filesize
64KB

MD5
b00010d08bc5a4a7cff722deff62c32d

SHA1
08a05698e71dcb1545cd990472b50bfdfed9d7cc

SHA256
37988e6a82cc777575074e5617011b4fecc80160d2a98f38cc05acc8d6348643

SHA512
a144253025a44b5e852888a0ab58de8fa7a5f6400bfba1d48ad587adc0375840b157140115e86cc027b2629780808434c73da3ca4afc4a00aaa4ef06028a3b32

Download Submit
C:\Windows\SysWOW64\Apodoq32.exe

Filesize
64KB

MD5
17b0530300bada3b4c2861978e43c74d

SHA1
ce3534499bc75761098aa68c73d593f783243d53

SHA256
04bf0ead4faae29161e69dbc32ab99f784935c062029584bd2658340396fe2c8

SHA512
448d19f5ca788e052df572f68c4614da2b7c2cf4971e724f4eb386ba26d631a9eda8c7e7d422199771b764203316a5575ebd72e269737bcb1e515ca55a5a8c9b

Download Submit
C:\Windows\SysWOW64\Bnoddcef.exe

Filesize
64KB

MD5
4c030fada206c356fdd7c920c0c27d88

SHA1
588638515ece981cc71d301a103ad69b780c76b7

SHA256
ebcb07c15f5d56b327431dbec76e2f653b67a09d2ffc19f5c822e9b844d40a4d

SHA512
efae469b771a3cf1d4f90e47584405de13d0dd1a3a965d5dc76c07cdddf8e493054aba815645751942094312dc6d19a51f7ad5f70bb6e8bbe8db1b92f2a590fb

Download Submit
C:\Windows\SysWOW64\Bpdnjple.exe

Filesize
64KB

MD5
63646161216fc1a7f20d6305c448ea86

SHA1
90f9020a66bb629b1d45f26ac3822a6b1d786ae5

SHA256
cb95aa27bba9667c1bcab418ca8c318d0af7f9f500ff7b6eef743df71157231f

SHA512
9b9d9cd1839bad9ab4f59437b0b267280b1ab3a02f60c8b9a6925348612cd1caa5aec65609bdafd654c5b960aa4a958714132696f521ea13cb40d8c17d0f6f9f

Download Submit
C:\Windows\SysWOW64\Bphgeo32.exe

Filesize
64KB

MD5
46f99a769eaac0b896b21a7865fc207c

SHA1
18905817c51f03ff619727581a1e7fc285c2658c

SHA256
3ed9b6491eb93bb3e923a640f8e7b48c1f40389de6e03a736582a8b0224f3311

SHA512
a2155afc22ff64caf892456cc0e21e292693f8fe9c1071b218f1be97381a11ad0474e2dcaf34d189b0466d76159e69a71afb25a592c7c0fbf0c2b460fdf067ea

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
64KB

MD5
b7c80fe8c4aed43e5cc6ced74ab783bc

SHA1
fa9b1cdcacb48bc17044144022b213d247990978

SHA256
8e6b35db2f9e8b9de3f8bf9e320a9654107dc12d0f08af1f3cc9971e206afe1e

SHA512
eed8fbcb7d5d0dba7750b2a9f40f5b00d17742968897be834ddec97f47e489dc3c221e2478caf332c35e5a23020e93086d6138166394a94dab721c05d83f0cd8

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
64KB

MD5
888790894e9402346f1772ed67ca4999

SHA1
8dd27593b5d417554ea58316fec8d8b4fb53fcf8

SHA256
89a51e6ab499e5fe97fcd1e07a3ceea5169b60bbe8e6bdfaedede867a5443ecf

SHA512
e3a0db18f1c84e5615cc132f58cb716b923b5c8fa3c059a4b87015ad0d41f6c14cbfffdc0ca9cc38359fb0b73dab934a6f9efb9b3afc4cbcede8c3d102403875

Download Submit
C:\Windows\SysWOW64\Ddgibkpc.exe

Filesize
64KB

MD5
480d2f7f0c130b36ad4f0550ccd2dc26

SHA1
0a0a1c3c72b946d8a06d036827b41e1c82fc04d7

SHA256
c9873f0b602ab54a40bef7fe8699119b520cf3d6472cd6be49952eff730886ba

SHA512
c9044a51a661b7cd6e0afeafd505cbf13f7bca32b5ad269bbe80fdc49f1f80589c1020f856f3a8c2b87dc4c25fbc83daece2d55c4d0b81267d6eb5199121807d

Download Submit
C:\Windows\SysWOW64\Ogjdmbil.exe

Filesize
64KB

MD5
5e4b742ab8ffa0066fcfacbda33398d3

SHA1
5650bb940339c7027fec4d22c00389f3baf3e7ab

SHA256
611342a2cc8bff05ce5d68091c22bce463df5b8c830abf1b7aad07d49f515941

SHA512
8114c0fa7af8f6b52f8f953a86014e8c3015fdb791475d2b881ce53f6666705699e2a650cfd629a322fd870755be7844e382fcdc0badc86c7a39ba0a211d3b0f

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
64KB

MD5
1378ef4ec172d42c9ecbe79365c47a85

SHA1
3a4b74839779351984bc5e01791d3296daa012cf

SHA256
67a105a9b20c1c73a0deb6504bef1674874d32b62199254594e9c72dfacd1e7b

SHA512
858d4ca7fab9557f0c557cf1a10bc1887fee22f8c8cf1230a531e8c4bb77c8a397a4fa5aefa8a85d144d3ffab519857f36b429f33b19a3f1b93216dc5a403b85

Download Submit
C:\Windows\SysWOW64\Ojhpimhp.exe

Filesize
64KB

MD5
13981264559a40c0aa7676b0a4186edc

SHA1
be7d58973e9f31b37a66e0520e3f0ef0b1955314

SHA256
04437d3db81bbeaf129df66e892bab77fc19a384392729a28e44dbed4e989516

SHA512
a06a1c0d36fe4d1e4985915a8076dbe8b98aa55ebcbd7afe26cd33df137b85de23a5262b7e5d43ddebc5da1b3a29776c7b7a5a23a563ce7381a6700a5da42823

Download Submit
C:\Windows\SysWOW64\Ondljl32.exe

Filesize
64KB

MD5
d84750fa029f105db0cf242e3d4067b6

SHA1
32de5a1b3d46bc23b568b2a6be77a9c5297eb351

SHA256
ec0e42caa209a058d9983e58334d4af526d662f2362df3356b8ee2a8ff16516c

SHA512
c3f31d9e0f2501cfdc9bc9d360f5ae7bed4cfaec1fc583327a363c2cdb06634292cab16d562898d000d5afd252b1df6b967eba3954cbf4c9d436158572c6775a

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
64KB

MD5
a3881e30d9ca50549e034203356d7a1a

SHA1
7b5d331992c21e0940bdf3e707f9feb64cf2105c

SHA256
e100ab4e090056d7ff5ff7fae4c42fb6df2b4e20dcbd3bbc8535c07f936507d2

SHA512
1417f53cddbc4c778e2ca12aec6998bc93cc7f75628856dd7371a05a0905a1a9773faa2991a6f2de5a028c6ccee87f92f32dc920283e509d0bb6916e34c7ce33

Download Submit
C:\Windows\SysWOW64\Paiogf32.exe

Filesize
64KB

MD5
f82e82066511e085b830790ac5e0cb15

SHA1
da57a4559498ff258b8198455841f461c1e3403e

SHA256
9afa5949ed1277ebf490357431632432ea5a7ac0b0b706ef14e690582216da6d

SHA512
b788f4ac8819a54d11bb12a174e9c68ceb62210c438e30b6aa1daf9d9ee979af838c4606cf0fd47ab5085cba9fa44bb42ae8087e1c3dc8b81d3287b021f0e9b3

Download Submit
C:\Windows\SysWOW64\Pdenmbkk.exe

Filesize
64KB

MD5
bda01a163a300c6be5b6cf801e5d7ad9

SHA1
cfe895111b2105f7871cfdd833f24fec832189d7

SHA256
c8ff6d069996e16591d5f5945ff2953cf726cfc707dbeda0514f2f97409fd188

SHA512
62782c68ef4d76ab8dd6d2b196faf00fc88bd800c315afd049454fcebbde292b8f1f88cadfec9bf77da98097f8907c1179cc0d17cb03e63f753b7cff5de9ffdc

Download Submit
C:\Windows\SysWOW64\Pdjgha32.exe

Filesize
64KB

MD5
a0e154f2f5a591e8afcdb11499d71674

SHA1
1aa644cd508e9717d385e5154c87d8a77d9790c0

SHA256
0964965f132e86a77d7c08405e4d7b4f32bf424e43f6f4800ce13f99b8258a43

SHA512
c358b6c8fa29f706f901be8210f558b9839679b50df29045cff0a0793224d322d90f7b75395d12e94c8e35775ad9788218b13176373a77702faa769971e2d12f

Download Submit
C:\Windows\SysWOW64\Phcgcqab.exe

Filesize
64KB

MD5
9881c485ae8b990776f95136ea3dbb5e

SHA1
07ac193f7262122aa6800a121226705d0feddf97

SHA256
30b1754873c5cb7fe149321c4943aac51ab080af3a981948a9022a57e7d588fe

SHA512
006078fbde371350b120a851d88fbc17e3c2ce47e76ca9f507bede450bc84366bd52afb124b03172d33d368100ae75f443304a42fae1c27b28f7d6f5d8dde906

Download Submit
C:\Windows\SysWOW64\Phonha32.exe

Filesize
64KB

MD5
74cd9f7b7c0269ee2a0a75df3bc81307

SHA1
a7709a4acd71a06bfc80259011f54ddfac321a7f

SHA256
0577a4be9c7c937ed321eedfdfcafbe07d54daff792d0f2267f54edca030c673

SHA512
91bb567da921252a59f20f969d5ee5bd1ab0d851d00068f7f031b342da1adbaa19ef16ba2620f39ab166ca0af2a7a1b4761ad60d1fd846539f92d54e07c3a92f

Download Submit
C:\Windows\SysWOW64\Pjkmomfn.exe

Filesize
64KB

MD5
84eb70fe44ae75912f1ed09be43c911b

SHA1
d2559537ae7293ca3d2b740031d056ff68713f99

SHA256
184f659388b61d70bc4e7b6f01f061259bfe3ff5c8f8c269ec701830541a6b42

SHA512
16cd1955a05fb771aa8e45193ec51ad82e186078e871a3e7cd4584202adc326e6ec69716b2024a8b1385172140e7da490f31b04f9caedaeca65c9fdcf96dc84c

Download Submit
C:\Windows\SysWOW64\Pjpfjl32.exe

Filesize
64KB

MD5
3cba3a52adc4a376bd4aa1fb18b14f3f

SHA1
edbb5116b0915377e1465af8fd9f98ded218987f

SHA256
eb0cb7eecb9254f4bbd574428544d27f2b15445c686bc29a4bf654b357b45b1b

SHA512
dd1ae7790781a57548dc534f91888106c3b685823d45d5752f1b8fdbfbaff6a1886a680b17f0a624a542408a066faab303238e0479c1e4f4898b2d5ace9aa0c2

Download Submit
C:\Windows\SysWOW64\Pmblagmf.exe

Filesize
64KB

MD5
1605640f077d62f94bb625918c6ceef9

SHA1
197398aa4cc9e772657461f4522af80ad8b57cf1

SHA256
8bda5d58e1e85aa068cc644f733940d80fa7888fd78af5b98b98be3053ea60da

SHA512
5eedf2197662ce1ab5110d6e0b780253cc81a6961e2c42a38fe79ea9e350ac8be7c390f19f03835025fb9ca9e39114138dea7d16d336d76a4ba64037764ce40f

Download Submit
C:\Windows\SysWOW64\Pmiikh32.exe

Filesize
64KB

MD5
daedfeb2255ab49377be16d557fdd99d

SHA1
1548ccb1ffa1ec2861680f42b54d9b27b7a4b65f

SHA256
01d06076235a75d79411b1ac955c5856c4b3c5cdfae644fc011f269a002cec45

SHA512
6f6b25b8759c24f363f35fbe6847490eca847b68acef9b213f7cf7b0c5325664b988023d866c2f6d010afd5a373e8ead9807b7eabd842768ac1b054ee3e49b82

Download Submit
C:\Windows\SysWOW64\Pmlfqh32.exe

Filesize
64KB

MD5
0943e7466e98b9095d1a038cba17501b

SHA1
579bf49370ff6eb23e83754112f8fcfdcf34e5e1

SHA256
82231010dd023f89eb3c11eeaff19f4864aeafa290fabc5f8fe0bcb61398de86

SHA512
1c100abb58c22d2da94fa6a3000efcdb7b0bdde289dc64a19e9fd5cd7980aca8e4a6d7e4d2ec19b45cce72004d2027964dd71b98d72b09f352a72e5f6afd716d

Download Submit
C:\Windows\SysWOW64\Pnmopk32.exe

Filesize
64KB

MD5
2daf755494e3c79e1a5c7ddc8f2f8bbe

SHA1
14457c1a7d78188365a0806936515fb775ef48e1

SHA256
3dcc2715d05fb1783fdb6baf47a97b89ed5a36579349071dbca819cad1798080

SHA512
bc9156c50fba51ede6a0405a3442e2c180af2ef78f1e36ffcc1589768e33600a7a0c4257c661c61de066576310d2ef39cc371a90b4aa36ab27baa69a51ff9213

Download Submit
C:\Windows\SysWOW64\Ppgegd32.exe

Filesize
64KB

MD5
61668c5e6c4aeceb9f358dfe4757e969

SHA1
813d90872fe986ba11774fa2a9ffb8f888c25423

SHA256
e10edd7bb46d1f85ed7c7e61cc645249e6beaf4c1a5359cd3d03a7bbe5d7d93f

SHA512
1044065913cfd3eea55d521f37756117c8db45c6c0e001f3c0b1c8614379740c641acc0f52646488277ed98029453bf2ae7ae0a55d878eafc33fa6bc096d3a5e

Download Submit
C:\Windows\SysWOW64\Qaqegecm.exe

Filesize
64KB

MD5
db78ff2bfdf549a585a94126c02ec678

SHA1
34420b80130d84aaf95fee82a0fb362aa6e191f9

SHA256
714152911750e60d02a069be3fecfe9c27d63f1dea50d0551f5d6001590678db

SHA512
0a39a7394493c89fb64b1cf4b5dffe44edeacd70d28a8fc45a9962e190dd6d768ec375ffeae565c50c8fbfff505f18d4b979a2c8f0c52785128b1d0590864c59

Download Submit
C:\Windows\SysWOW64\Qdaniq32.exe

Filesize
64KB

MD5
6467977411cc36f8f2f318b77199826f

SHA1
a33f0e69b901984a21aad65cec8d2e7005883642

SHA256
a23d80852d11fe13d20214424c7452ad4400bc042d022cbde7358974759d7627

SHA512
04fd83254bdf1f8f80060db09aa67c2afc89795fa976b349bff743cbcf7c4c82d5302e9b0bdc04e8359124612adf1a4471d11d30d724636aaa46bb78ffdd8f09

Download Submit
C:\Windows\SysWOW64\Qhjmdp32.exe

Filesize
64KB

MD5
0a608838938e9ce6288a74b153447030

SHA1
fbe33427defc7751926a5a59bd31624f88bf5c70

SHA256
b514ee316255bc0b87c1f90279bd04d47762459fc0847f73d15c069281acec72

SHA512
118ff6d7e612e881a4aa1b1aa4f64ebbabc63b454c6a6963b30f51a1128b76725ee6c40ebe10431ae3bf83e29b174f19af0af50e932a38d6a633ac7a02885522

Download Submit
C:\Windows\SysWOW64\Qjfmkk32.exe

Filesize
64KB

MD5
dcfdeb774e9b21e96207a4367dd407e4

SHA1
dad1361335c406f2e966a67676648337a7a6a442

SHA256
55aa4cb83083b4bddf8e58dc0c94b2adceda1c004647501ceffec3a09e3b7464

SHA512
0a68b803e4db7f52c46a14f616d7456f0ba1bc17165ec00763d915f49cff3d94b38396b2455711a2d7fbabebd29c5f379bb7c1f2673c58098879a2430bea6e5a

Download Submit
memory/100-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/100-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/688-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/688-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3328-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3328-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/5008-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads