berbew | ed169ace0d2dbab19d76b011aeef57f78fb260a7eed48823912906f54b70c164

Analysis

max time kernel
26s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed169ace0d2dbab19d76b011aeef57f78fb260a7eed48823912906f54b70c164N.exe
Size

94KB
MD5

1aca260fe394efd442e4cbfcb9e1a2f0
SHA1

67b84d367f2d4d558ad2495736d38925ce131f38
SHA256

ed169ace0d2dbab19d76b011aeef57f78fb260a7eed48823912906f54b70c164
SHA512

dd1d2ee7545e8982b065e839985b291285030ce07e34db1de0c1ca0c75eb38a6afb996bb798c247a0f097dd0ee524b750482ffbfa2503ed028676ac533adf860
SSDEEP

1536:D9LHoPTcNl4ZeU4NSpXcXj6oSPlOB+IRQDJeRfRa9HprmRfRZ:62MHX9oSt5IeDA5wkpv

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aganeoip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amqccfed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acpdko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocalkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcfefmnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcdipnqn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Okanklik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pihgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ed169ace0d2dbab19d76b011aeef57f78fb260a7eed48823912906f54b70c164N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojigbhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfdabino.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmojocel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oancnfoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjnamh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Achojp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqccfed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oancnfoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oappcfmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blkioa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afnagk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odhfob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oegbheiq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcdipnqn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomfkndo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pckoam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijpnfif.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2876	Odhfob32.exe
2196	Okanklik.exe
2636	Oomjlk32.exe
1796	Oegbheiq.exe
1048	Oancnfoe.exe
1868	Ohhkjp32.exe
2560	Ojigbhlp.exe
2080	Oappcfmb.exe
1264	Ocalkn32.exe
2944	Pkidlk32.exe
2508	Pmjqcc32.exe
1260	Pcdipnqn.exe
1308	Pjnamh32.exe
2236	Pmlmic32.exe
2308	Pcfefmnk.exe
1348	Pfdabino.exe
2004	Pmojocel.exe
2580	Pomfkndo.exe
1516	Pfgngh32.exe
1364	Pjbjhgde.exe
1296	Pkdgpo32.exe
1660	Pckoam32.exe
1924	Pihgic32.exe
2872	Pmccjbaf.exe
2496	Qeohnd32.exe
2776	Qijdocfj.exe
2668	Qodlkm32.exe
2212	Qbbhgi32.exe
1084	Qjnmlk32.exe
1964	Abeemhkh.exe
2324	Aganeoip.exe
2996	Akmjfn32.exe
2368	Ajpjakhc.exe
2928	Aeenochi.exe
1804	Achojp32.exe
836	Agdjkogm.exe
1600	Amqccfed.exe
1940	Apoooa32.exe
2120	Afiglkle.exe
2956	Aigchgkh.exe
996	Apalea32.exe
1160	Afkdakjb.exe
1668	Aijpnfif.exe
1552	Alhmjbhj.exe
2000	Apdhjq32.exe
2280	Acpdko32.exe
2912	Afnagk32.exe
2644	Blkioa32.exe
2660	Bnielm32.exe
784	Bbdallnd.exe
1656	Biojif32.exe
2148	Blmfea32.exe
2520	Bnkbam32.exe
2924	Bbgnak32.exe
1332	Beejng32.exe
1664	Bhdgjb32.exe
2256	Bjbcfn32.exe
3004	Bonoflae.exe
2472	Balkchpi.exe
1908	Bdkgocpm.exe
1720	Bjdplm32.exe
2064	Bmclhi32.exe
1568	Baohhgnf.exe
1284	Bdmddc32.exe

Loads dropped DLL 64 IoCs

pid	Process
2748	ed169ace0d2dbab19d76b011aeef57f78fb260a7eed48823912906f54b70c164N.exe
2748	ed169ace0d2dbab19d76b011aeef57f78fb260a7eed48823912906f54b70c164N.exe
2876	Odhfob32.exe
2876	Odhfob32.exe
2196	Okanklik.exe
2196	Okanklik.exe
2636	Oomjlk32.exe
2636	Oomjlk32.exe
1796	Oegbheiq.exe
1796	Oegbheiq.exe
1048	Oancnfoe.exe
1048	Oancnfoe.exe
1868	Ohhkjp32.exe
1868	Ohhkjp32.exe
2560	Ojigbhlp.exe
2560	Ojigbhlp.exe
2080	Oappcfmb.exe
2080	Oappcfmb.exe
1264	Ocalkn32.exe
1264	Ocalkn32.exe
2944	Pkidlk32.exe
2944	Pkidlk32.exe
2508	Pmjqcc32.exe
2508	Pmjqcc32.exe
1260	Pcdipnqn.exe
1260	Pcdipnqn.exe
1308	Pjnamh32.exe
1308	Pjnamh32.exe
2236	Pmlmic32.exe
2236	Pmlmic32.exe
2308	Pcfefmnk.exe
2308	Pcfefmnk.exe
1348	Pfdabino.exe
1348	Pfdabino.exe
2004	Pmojocel.exe
2004	Pmojocel.exe
2580	Pomfkndo.exe
2580	Pomfkndo.exe
1516	Pfgngh32.exe
1516	Pfgngh32.exe
1364	Pjbjhgde.exe
1364	Pjbjhgde.exe
1296	Pkdgpo32.exe
1296	Pkdgpo32.exe
1660	Pckoam32.exe
1660	Pckoam32.exe
1924	Pihgic32.exe
1924	Pihgic32.exe
2872	Pmccjbaf.exe
2872	Pmccjbaf.exe
2496	Qeohnd32.exe
2496	Qeohnd32.exe
2776	Qijdocfj.exe
2776	Qijdocfj.exe
2668	Qodlkm32.exe
2668	Qodlkm32.exe
2212	Qbbhgi32.exe
2212	Qbbhgi32.exe
1084	Qjnmlk32.exe
1084	Qjnmlk32.exe
1964	Abeemhkh.exe
1964	Abeemhkh.exe
2324	Aganeoip.exe
2324	Aganeoip.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pcdipnqn.exe	Pmjqcc32.exe
File created	C:\Windows\SysWOW64\Aceobl32.dll	Pmlmic32.exe
File created	C:\Windows\SysWOW64\Adagkoae.dll	Pfdabino.exe
File opened for modification	C:\Windows\SysWOW64\Pfdabino.exe	Pcfefmnk.exe
File created	C:\Windows\SysWOW64\Apdhjq32.exe	Alhmjbhj.exe
File created	C:\Windows\SysWOW64\Lmmlmd32.dll	Apalea32.exe
File created	C:\Windows\SysWOW64\Oepbgcpb.dll	Oappcfmb.exe
File opened for modification	C:\Windows\SysWOW64\Pckoam32.exe	Pkdgpo32.exe
File created	C:\Windows\SysWOW64\Pihgic32.exe	Pckoam32.exe
File created	C:\Windows\SysWOW64\Qeohnd32.exe	Pmccjbaf.exe
File opened for modification	C:\Windows\SysWOW64\Qodlkm32.exe	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Elmnchif.dll	Aganeoip.exe
File created	C:\Windows\SysWOW64\Hkhfgj32.dll	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Pfgngh32.exe	Pomfkndo.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Ofbhhkda.dll	Pcdipnqn.exe
File opened for modification	C:\Windows\SysWOW64\Pkdgpo32.exe	Pjbjhgde.exe
File created	C:\Windows\SysWOW64\Eioojl32.dll	Pmccjbaf.exe
File opened for modification	C:\Windows\SysWOW64\Qijdocfj.exe	Qeohnd32.exe
File opened for modification	C:\Windows\SysWOW64\Afnagk32.exe	Acpdko32.exe
File opened for modification	C:\Windows\SysWOW64\Biojif32.exe	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Mmdgdp32.dll	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Pjbjhgde.exe	Pfgngh32.exe
File opened for modification	C:\Windows\SysWOW64\Abeemhkh.exe	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Okbekdoi.dll	Aeenochi.exe
File created	C:\Windows\SysWOW64\Apoooa32.exe	Amqccfed.exe
File opened for modification	C:\Windows\SysWOW64\Aigchgkh.exe	Afiglkle.exe
File created	C:\Windows\SysWOW64\Bmclhi32.exe	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Ohhkjp32.exe	Oancnfoe.exe
File opened for modification	C:\Windows\SysWOW64\Qbbhgi32.exe	Qodlkm32.exe
File opened for modification	C:\Windows\SysWOW64\Qjnmlk32.exe	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Kganqf32.dll	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Agdjkogm.exe	Achojp32.exe
File created	C:\Windows\SysWOW64\Hjphijco.dll	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Bbdallnd.exe	Bnielm32.exe
File created	C:\Windows\SysWOW64\Hqlhpf32.dll	Bhdgjb32.exe
File opened for modification	C:\Windows\SysWOW64\Pmlmic32.exe	Pjnamh32.exe
File created	C:\Windows\SysWOW64\Afiglkle.exe	Apoooa32.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Oancnfoe.exe	Oegbheiq.exe
File created	C:\Windows\SysWOW64\Gdplpd32.dll	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Aijpnfif.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Bbgnak32.exe	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bfkpqn32.exe
File opened for modification	C:\Windows\SysWOW64\Ojigbhlp.exe	Ohhkjp32.exe
File created	C:\Windows\SysWOW64\Bfbdiclb.dll	Pmjqcc32.exe
File opened for modification	C:\Windows\SysWOW64\Pmccjbaf.exe	Pihgic32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Cdepma32.dll	Odhfob32.exe
File created	C:\Windows\SysWOW64\Afnagk32.exe	Acpdko32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Aganeoip.exe	Abeemhkh.exe
File opened for modification	C:\Windows\SysWOW64\Amqccfed.exe	Agdjkogm.exe
File opened for modification	C:\Windows\SysWOW64\Apoooa32.exe	Amqccfed.exe
File created	C:\Windows\SysWOW64\Bnielm32.exe	Blkioa32.exe
File opened for modification	C:\Windows\SysWOW64\Blmfea32.exe	Biojif32.exe
File opened for modification	C:\Windows\SysWOW64\Beejng32.exe	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Bjbcfn32.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Ecjdib32.dll	Apdhjq32.exe
File opened for modification	C:\Windows\SysWOW64\Ocalkn32.exe	Oappcfmb.exe
File created	C:\Windows\SysWOW64\Dhbkakib.dll	Pcfefmnk.exe
File opened for modification	C:\Windows\SysWOW64\Pomfkndo.exe	Pmojocel.exe
File opened for modification	C:\Windows\SysWOW64\Ajpjakhc.exe	Akmjfn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2312	316	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oegbheiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed169ace0d2dbab19d76b011aeef57f78fb260a7eed48823912906f54b70c164N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlmic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmccjbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afiglkle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjnmlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apoooa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgngh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okanklik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmojocel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkidlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdipnqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeohnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeenochi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biojif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odhfob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbjhgde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckoam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aigchgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomfkndo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alhmjbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomjlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oappcfmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkioa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfefmnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbbhgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojigbhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocalkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdabino.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhkjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjnamh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oancnfoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkdgpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apdhjq32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odhfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdnehnn.dll"	Biojif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodmbemj.dll"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oomjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll"	Pihgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apoooa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Balkchpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhfgj32.dll"	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgafgmqa.dll"	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Achojp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Okanklik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oappcfmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjakbabj.dll"	Pjnamh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmdic32.dll"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkidlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjnamh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjnamh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmcmdd32.dll"	Oomjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll"	Aeenochi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	ed169ace0d2dbab19d76b011aeef57f78fb260a7eed48823912906f54b70c164N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njelgo32.dll"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oegbheiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcfefmnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ohhkjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocalkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnablp32.dll"	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjmmbcg.dll"	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepiihgc.dll"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momeefin.dll"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdblnn32.dll"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plgifc32.dll"	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll"	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmclhi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2876	2748	ed169ace0d2dbab19d76b011aeef57f78fb260a7eed48823912906f54b70c164N.exe	30
PID 2748 wrote to memory of 2876	2748	ed169ace0d2dbab19d76b011aeef57f78fb260a7eed48823912906f54b70c164N.exe	30
PID 2748 wrote to memory of 2876	2748	ed169ace0d2dbab19d76b011aeef57f78fb260a7eed48823912906f54b70c164N.exe	30
PID 2748 wrote to memory of 2876	2748	ed169ace0d2dbab19d76b011aeef57f78fb260a7eed48823912906f54b70c164N.exe	30
PID 2876 wrote to memory of 2196	2876	Odhfob32.exe	31
PID 2876 wrote to memory of 2196	2876	Odhfob32.exe	31
PID 2876 wrote to memory of 2196	2876	Odhfob32.exe	31
PID 2876 wrote to memory of 2196	2876	Odhfob32.exe	31
PID 2196 wrote to memory of 2636	2196	Okanklik.exe	32
PID 2196 wrote to memory of 2636	2196	Okanklik.exe	32
PID 2196 wrote to memory of 2636	2196	Okanklik.exe	32
PID 2196 wrote to memory of 2636	2196	Okanklik.exe	32
PID 2636 wrote to memory of 1796	2636	Oomjlk32.exe	33
PID 2636 wrote to memory of 1796	2636	Oomjlk32.exe	33
PID 2636 wrote to memory of 1796	2636	Oomjlk32.exe	33
PID 2636 wrote to memory of 1796	2636	Oomjlk32.exe	33
PID 1796 wrote to memory of 1048	1796	Oegbheiq.exe	34
PID 1796 wrote to memory of 1048	1796	Oegbheiq.exe	34
PID 1796 wrote to memory of 1048	1796	Oegbheiq.exe	34
PID 1796 wrote to memory of 1048	1796	Oegbheiq.exe	34
PID 1048 wrote to memory of 1868	1048	Oancnfoe.exe	35
PID 1048 wrote to memory of 1868	1048	Oancnfoe.exe	35
PID 1048 wrote to memory of 1868	1048	Oancnfoe.exe	35
PID 1048 wrote to memory of 1868	1048	Oancnfoe.exe	35
PID 1868 wrote to memory of 2560	1868	Ohhkjp32.exe	36
PID 1868 wrote to memory of 2560	1868	Ohhkjp32.exe	36
PID 1868 wrote to memory of 2560	1868	Ohhkjp32.exe	36
PID 1868 wrote to memory of 2560	1868	Ohhkjp32.exe	36
PID 2560 wrote to memory of 2080	2560	Ojigbhlp.exe	37
PID 2560 wrote to memory of 2080	2560	Ojigbhlp.exe	37
PID 2560 wrote to memory of 2080	2560	Ojigbhlp.exe	37
PID 2560 wrote to memory of 2080	2560	Ojigbhlp.exe	37
PID 2080 wrote to memory of 1264	2080	Oappcfmb.exe	38
PID 2080 wrote to memory of 1264	2080	Oappcfmb.exe	38
PID 2080 wrote to memory of 1264	2080	Oappcfmb.exe	38
PID 2080 wrote to memory of 1264	2080	Oappcfmb.exe	38
PID 1264 wrote to memory of 2944	1264	Ocalkn32.exe	39
PID 1264 wrote to memory of 2944	1264	Ocalkn32.exe	39
PID 1264 wrote to memory of 2944	1264	Ocalkn32.exe	39
PID 1264 wrote to memory of 2944	1264	Ocalkn32.exe	39
PID 2944 wrote to memory of 2508	2944	Pkidlk32.exe	40
PID 2944 wrote to memory of 2508	2944	Pkidlk32.exe	40
PID 2944 wrote to memory of 2508	2944	Pkidlk32.exe	40
PID 2944 wrote to memory of 2508	2944	Pkidlk32.exe	40
PID 2508 wrote to memory of 1260	2508	Pmjqcc32.exe	41
PID 2508 wrote to memory of 1260	2508	Pmjqcc32.exe	41
PID 2508 wrote to memory of 1260	2508	Pmjqcc32.exe	41
PID 2508 wrote to memory of 1260	2508	Pmjqcc32.exe	41
PID 1260 wrote to memory of 1308	1260	Pcdipnqn.exe	42
PID 1260 wrote to memory of 1308	1260	Pcdipnqn.exe	42
PID 1260 wrote to memory of 1308	1260	Pcdipnqn.exe	42
PID 1260 wrote to memory of 1308	1260	Pcdipnqn.exe	42
PID 1308 wrote to memory of 2236	1308	Pjnamh32.exe	43
PID 1308 wrote to memory of 2236	1308	Pjnamh32.exe	43
PID 1308 wrote to memory of 2236	1308	Pjnamh32.exe	43
PID 1308 wrote to memory of 2236	1308	Pjnamh32.exe	43
PID 2236 wrote to memory of 2308	2236	Pmlmic32.exe	44
PID 2236 wrote to memory of 2308	2236	Pmlmic32.exe	44
PID 2236 wrote to memory of 2308	2236	Pmlmic32.exe	44
PID 2236 wrote to memory of 2308	2236	Pmlmic32.exe	44
PID 2308 wrote to memory of 1348	2308	Pcfefmnk.exe	45
PID 2308 wrote to memory of 1348	2308	Pcfefmnk.exe	45
PID 2308 wrote to memory of 1348	2308	Pcfefmnk.exe	45
PID 2308 wrote to memory of 1348	2308	Pcfefmnk.exe	45

C:\Users\Admin\AppData\Local\Temp\ed169ace0d2dbab19d76b011aeef57f78fb260a7eed48823912906f54b70c164N.exe
"C:\Users\Admin\AppData\Local\Temp\ed169ace0d2dbab19d76b011aeef57f78fb260a7eed48823912906f54b70c164N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\Odhfob32.exe
  C:\Windows\system32\Odhfob32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\Okanklik.exe
    C:\Windows\system32\Okanklik.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\SysWOW64\Oomjlk32.exe
      C:\Windows\system32\Oomjlk32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\Oegbheiq.exe
        
        C:\Windows\system32\Oegbheiq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
      - C:\Windows\SysWOW64\Oancnfoe.exe
        
        C:\Windows\system32\Oancnfoe.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Ohhkjp32.exe
        
        C:\Windows\system32\Ohhkjp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Ojigbhlp.exe
        
        C:\Windows\system32\Ojigbhlp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Oappcfmb.exe
        
        C:\Windows\system32\Oappcfmb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Ocalkn32.exe
        
        C:\Windows\system32\Ocalkn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Pkidlk32.exe
        
        C:\Windows\system32\Pkidlk32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Pmjqcc32.exe
        
        C:\Windows\system32\Pmjqcc32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Pcdipnqn.exe
        
        C:\Windows\system32\Pcdipnqn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Pjnamh32.exe
        
        C:\Windows\system32\Pjnamh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Pmlmic32.exe
        
        C:\Windows\system32\Pmlmic32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Pcfefmnk.exe
        
        C:\Windows\system32\Pcfefmnk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Pfdabino.exe
        
        C:\Windows\system32\Pfdabino.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\Pmojocel.exe
        
        C:\Windows\system32\Pmojocel.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Pomfkndo.exe
        
        C:\Windows\system32\Pomfkndo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\Pjbjhgde.exe
        
        C:\Windows\system32\Pjbjhgde.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\Pkdgpo32.exe
        
        C:\Windows\system32\Pkdgpo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Pckoam32.exe
        
        C:\Windows\system32\Pckoam32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Qbbhgi32.exe
        
        C:\Windows\system32\Qbbhgi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\Abeemhkh.exe
        
        C:\Windows\system32\Abeemhkh.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\Aeenochi.exe
        
        C:\Windows\system32\Aeenochi.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Blkioa32.exe
        
        C:\Windows\system32\Blkioa32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 140
        74⤵
        Program crash
        
        PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abeemhkh.exe

Filesize
94KB

MD5
45b79555d690f88bac21c69c8f266d78

SHA1
8d6438c926ecab9a13317e988c446ae6c2b01621

SHA256
25cc8625904d0d9e39d20dc5c9e3a5a29b8dee29ea946f8b3a0b04df8c099435

SHA512
9488191e5e1bc59513a1893195e66474de6460c30cc8f66284869f9b619b2a5fd65c78c2ce1b01df3440fecd56e502a3a59740fe00d7b8a3cd908ddbb7c93e44

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
94KB

MD5
c92845cd3496394c930637dcb6a50568

SHA1
1def808aa85a637489936ed8ca6b222f8fa75a52

SHA256
ff5a8d7500e41bda728fa0ad14b43c1f17b3832485b3bec7b86051d9d598b067

SHA512
2e6e0dedc9bae36959318a9b2dd10b973f6d30509318f71b190e4e7e491f74a1e7dff0acf6cb3cc41ddbf4ada6a436c7848cbc551aab534f2bd8a17efab67d2b

Download Submit
C:\Windows\SysWOW64\Acpdko32.exe

Filesize
94KB

MD5
f04e113e61dea63c5734beb5707e6b62

SHA1
0483be33d5ab9fc3f67c47845bb1e72cf02bf5af

SHA256
55f6969d5c70e4b1af176cd7ed41c7d82230727b9b0721b7e7b40af27ad50182

SHA512
d82248531bfe026ed681fc077959ab8f5b9338c7cabc2dcd08a431da49f4d5be6060ada52b05bce2379260f236c35f2d22e659df177b4b315ed9d2e697e9aee5

Download Submit
C:\Windows\SysWOW64\Aeenochi.exe

Filesize
94KB

MD5
a9917df7ad1951271de14fbc93ff3fd7

SHA1
81d10babee29b724142aee9d757eea7eb5380e75

SHA256
3186b6694086ed26f0a75f2119bd43f02b51b0277a8b5ca6a7c0d83be8bfa478

SHA512
d166cfb2ca3d7ea908c39f1eda2c38931a93a819b229bd10964044df84320fb160a88a54047828e8f7b6d261fdbd63ae28b506dd8b22fed7fbeb6097b8e726d6

Download Submit
C:\Windows\SysWOW64\Afiglkle.exe

Filesize
94KB

MD5
b14cdfd0f16ab9697b0bcc385c2e36c5

SHA1
3311ef930b613017cab76bef9444553f855ba9e6

SHA256
735ccabbc401d990551f818d041dd6b0d93074083ca68e8edc14cd03124b309f

SHA512
09d8c42566678d0f870b54013b739096c73f9e1f968b7db1760e866521b15f827b8c5cb4d8658e93905cc1e6075530325ab22afc4df1f4c87db7dabc42823777

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
94KB

MD5
19f80e36ece7e21df1449cbef3b3e2c1

SHA1
194c6741f7709477d1c664c6dd40781b8f0de15a

SHA256
4847f1f22df74cc81eb5df665429b199e57724fd07342083eb8fe9661ced0316

SHA512
f7a5d134cb23e0d51c4ea411058bd7d2ae3cb031fe3e69a0ed69c8942d9de5a568d74b63c0626a5d16e5c9282a8bbe213aa8279d5dc77681c6be6f67f55d16b2

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
94KB

MD5
b42ea6b6d3bcab403c2e8127d434e4d7

SHA1
211e10eb04af2e8e2a68600113b4eec727c16864

SHA256
c3da39c46b2897772e65c8493d0ac3b4e11a21b84d81f6a027a117e556d30702

SHA512
1790cba50ee70f4e080ebeaa3e9fa28ea66986138a59240cd7343b585ed87770c8334c9152ce5a67498721cbe3de7b0717d01588bcd7fec249d6fc1c2f06a87e

Download Submit
C:\Windows\SysWOW64\Aganeoip.exe

Filesize
94KB

MD5
645e2489bd4d934d93292d5796566370

SHA1
8c65a2ca3c7ad11bf5ddfb5b3b9d9c3af59116f3

SHA256
df5b51228b9a299ba5de263a527c6e17b698e1f8f78b6413050a8efd3ece48f0

SHA512
38de43355cb1fcd785b0a5a3b48e73d3721b94bbd2cb3adb06f9bbaa6825540486debb1b896e8b9e09f0c152ad690de66128db4933a7f8432bb4e1cfffda88ce

Download Submit
C:\Windows\SysWOW64\Agdjkogm.exe

Filesize
94KB

MD5
ccb51f127aa137e54e8b289e52997eb7

SHA1
22bd2561ed896389f00d03e6ef8ef30ba335e797

SHA256
2868a7d8feefcf326a15ef2554d18da230b4ed09a09e38af53ac5c84a0ba39ad

SHA512
3316bfec1bd5700e15a5453a3c28770d83a9ee264c7baa20eca7f80985eaef48a1cda04089742ae39f1b26a2569f32aefb2fef7b015103efcf56ba15a7f361c1

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
94KB

MD5
3dfc9021b4948801f02a17a7b6766176

SHA1
276c20e0f1a868fb95a2fa51ba5e2cfa524bbf15

SHA256
735113ae6f3de4ce181510ff504baec9cccc54801b1da93b27c82a58fe839163

SHA512
749d6a2b4c75d4a0acaa647a3764f0ca7d36081a0d42fbb91ee66c1e613543f071ad65b7258310d72009afabb94291f2e944c9f09bb411e5bfdbd9c7cd77ad06

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
94KB

MD5
7a00306e51752e7cab0d3f2d71e65a68

SHA1
f17f6fa942054a44ef5e1d35173a0ba912d3831f

SHA256
3daebbce6dbaeefab0b2afe3b7a0ee38f9305643bd98e55797cd508c749cdeb1

SHA512
641095c64594fa7dd78c3d61585c946791f36c9b723a7f6368521641031e92776d57a67cb53cbd4de92ffdc0c21f0a36a4e391ca5e129ad0a792ed52a1f4cbac

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
94KB

MD5
e85cb4cffe7f0e259044d91619888841

SHA1
52d8ac786bbb206274569ddfc144fbd702a438ee

SHA256
b8af92213905bb605808f9b308a0c65af07e5161b4d1819a1b71a26fca2071f1

SHA512
67d6134b77e731a8d6f78e6150d7c5eefd744a42195c6cb9012046907fb448f6c490dc09912ffb6879bd1d983cea5afdae7a620235a7410262bf43ff1d30e2d9

Download Submit
C:\Windows\SysWOW64\Akmjfn32.exe

Filesize
94KB

MD5
4bcbc05c9253198be9b59ef53ce65872

SHA1
026b0ff2ebebdec06abe4dbb5c3bfe65e4bf9058

SHA256
10102ebfc0546f2536f395cc8a25959e498ff67a98bce5ac676ac19004b67f97

SHA512
84877ec9ce422382677d7326eb703f3745d7deb42d07543de6c75e29324f0642d0b35bdba56d01a2282d397c03348c8db6a333ccf982017da4431059a890bf71

Download Submit
C:\Windows\SysWOW64\Alhmjbhj.exe

Filesize
94KB

MD5
6befbcfc26726ac2e3b2b240eec4f3b1

SHA1
c61303b1c8e67672464153d6d98fec6ce91e7c17

SHA256
c1d8e931be578b457d48f8d9d299012b0b225b813e869fed32389252e87993cd

SHA512
fe0771c83bb792e719c12548f5b965f03ee7a046dc6ae54118258615924e8d0d3e63c1f53b3cf9d323b072368d1d0569df9aeb24e92599f14d98091a52dfd224

Download Submit
C:\Windows\SysWOW64\Aliolp32.dll

Filesize
7KB

MD5
9d3a2b332bd8c099058f288e13a2f3e1

SHA1
4496972043778ce800b403ccdab9bc3e659ec318

SHA256
907bb70e1d6a2b50dd88b93cd1c706ab8918674514e5b8c18578b3d87b21f292

SHA512
3917b58f486e66ded8362df3adca9ab0a2e8c4970bb11165ae71ccaebd9c981216558db22789b610f4315a3055015259fd19834b2dc47bacb7fc6db139a33435

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
94KB

MD5
ef7416b17703061bf5fcbfdfc9560811

SHA1
29c1ec97efef2791e2c84ca935ec7933a39ba54c

SHA256
caeb0ef7e33fe354111aa147177b583c0dd62a4ec1b790d6e42a27000657f113

SHA512
b67b7a528995f4dffdefe7f60f336b5f1a55c9a4737675355aef67f67b5f397acfc4a53ab9a3936f6feebcf2b41f50f925f515feb2ca5d2a1523f585b5f40e64

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
94KB

MD5
84c42dee16a10020b99328513378d978

SHA1
339f9142f1b11f4f04115aa61544139745111eda

SHA256
c93c53ccbc856be44ee5a75ee0aa511d207b86033a150c65528b90c374b6a698

SHA512
96b1b7b1a890f926576446ce30b2165f2040e2c7e82463a3ac9892668832963d131edae05beea6b8a179e2388b65d13cf2762d59c9bd54f3686d51ca84dc9025

Download Submit
C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
94KB

MD5
4b5f187c9d3946bd77c31ae7442b9f42

SHA1
e87362f9bb9ea163a95711f402fa968e24f919b7

SHA256
1db5ffb540d4f496066a31d123934556b339481da3dd46ef7f5e8383988d3410

SHA512
9d479987be8e586f040a7b1bab6ba82041784274de2bcdb3040221ffa2e2a6e6c0640d4d2129bc7a8decbcff90dc7c4f44232c343a74ac1a5526bdc0cdbc1e11

Download Submit
C:\Windows\SysWOW64\Apoooa32.exe

Filesize
94KB

MD5
7360d94601ee7eee15894b90998785c6

SHA1
5bf3e6ba71a6343a5c2dd7b1736e4e63a23285bb

SHA256
d1c85c51c7adf250899a4fa18cdfe30e19fba5f9c1c6408d259deda2d459f29a

SHA512
6755523146f9d62184246a335e9269437cf7c02fe5a885eebdfa19bbb670ce2d1cf1a57536bc787bdd94cb2c2269e972f4d8a3898157cea26d5b133fda59b02a

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
94KB

MD5
e5b64c269a653302b1a55173fec83bb7

SHA1
93527705a7ba513728fc54f65eaf2256af98ac68

SHA256
595675b34eb87c9337c8ab8ac680fd2bfc8fbcf30a116dd52de50bbfdd70a44a

SHA512
6e576bd4b453fc1f3af9b9c0543b40154b3ce8c9c1520eecc2ef043d471b07a4444fbb2ff6aed63faf02cc8255e4d4776260b3c299eff77cafb9fe37652d0260

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
94KB

MD5
5b650681825ef9485271b0492ab1d05d

SHA1
bf64a0380f4aa29bd030360c725d250238f64df4

SHA256
6b0c2fd872f332dfa34267b3732a0a2068156d77a3648b6569ce78deaf50451c

SHA512
4efd7a63a57fdd6c1d41d4a123a2d9c870df25de52ee73bc2bd3d831c1dbe29e0f34a46523ecef422f815159152839d44d8a6cb583aacb1f83b2f7c9eb11164a

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
94KB

MD5
96cfa22508feecf9c5d4498d5b0671ee

SHA1
b41a4fd0aed5c2410e5817851e6455fafa6d339e

SHA256
6c1ebe860f0d013abfea7e783791c7bffcb9fa09649c47793ac9556789e647a3

SHA512
8594d4ebb33e08cab297c3f900a4307763c9068fa92e9aee0b9f647a4ce732290f5c148090df2ebbf784751fec4add46c1ae298b1264a6b7f057bf64f7669ace

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
94KB

MD5
79c9e02065f9adca1b9145eed49f928b

SHA1
d01f9098bb0f4abea70e870373cc80e19c7b283a

SHA256
971daf90e1742de6274c23f5929a58b2d090dae9858b2a1dc6d72bf7ed8d76e7

SHA512
7ac990f3f4e593d3339c66bb1f1e76853e84cf53c695030ce6158839ebaf1b5404891350c831420e1694895be1ecc77592f389c0e65500b847458fedc9d0730a

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
94KB

MD5
808fac1cd4a68c06a619e64488ebbd02

SHA1
bfbe699619b5594cf1f0a2acf3f7ea22ad8bd48c

SHA256
807b884f693e8e42210f5387df30400a2b925833d63ce6f07da1a4a67e16ea31

SHA512
cf8bc505aaaaab403a408c91bf99c1c60dae8e87bf408e2baf2d2ceac81967f65cac78568305ccbbc9452383a1c833da34d35b2f8733d408595a21f5e1d12c37

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
94KB

MD5
4f2a8827f3fe77ecc8c77ff0e63a93f7

SHA1
e0e15fac460d3b4e586b41c97f55f854163c7136

SHA256
05055c1ef303c09205c5e1e27d98007d74b586e8de9050b163db840c02d3fb92

SHA512
e331648e2de6167b7152d374d788d4ca08860d9a9a082a575327212301459a8ec7a5f0875941d2be7dbc6c56b764fc48a46c24fcf78a4bf152392fed6d15f35c

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
94KB

MD5
e48caedfac2f98813ff960b69696dd10

SHA1
f63df7f55a3cdde3e1d73fcc0e905cdfdb0dfb8c

SHA256
545a798334b11e409275eef1d956a145555ee5306254efc2723f4aaf2f007b23

SHA512
e4e8a302586c2599647ef4678ed02be330bec70d5a4aa0b5f65a42e419396ee3477615de6156285d4aa8f9781df3d5c6fa752789504f4edd95ef6ce443958d27

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
94KB

MD5
dead89109818ffef621cad3d75a88872

SHA1
7622427b2fecb14501ad972b4bce9720b3ea5953

SHA256
0a4882ed65af164c059a1170ca6a87fcbd5bc0729a9928f2aa42ca3a59f2e15b

SHA512
0aeee0e3f6447969adf97b1c47d562a63f4eb508adaac1414caa2825348e3c9be9eafe3eb8d897c2ac76687332817588b2f6ea5f71b26b6621f4a5f53039bff1

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
94KB

MD5
3032716ba98848e90e58da25943ddf73

SHA1
9f948d875764948af142f9a9e8f04b98c5eb67f3

SHA256
b265ad8b1910cbf8ed2b7b6e5de413bb1f8f90a179c9b8acf87124c00a00b92d

SHA512
287e12174d5372a778456d2e209be5fefbcfb814ce7c695d63bfe30cdac8c1e95cf8df93668932c45efc0d2b75df370576389a1e6613f4b802dba01a773bcf5b

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
94KB

MD5
bb7bd256fc9aa2436ab1637c1a943d7b

SHA1
2b855ae6845f1d8ea4379a0bf20d448b0af84d28

SHA256
8608f033fffa67e11e8207e16f80c08ade27a627381285b46d058d6306134575

SHA512
757fa67b4ce2eba57aafb7ab3e0781a4dd5dd8c67a8a696f8323d47747eaa5604dd7c3696d51b6b7433d387b9dbab10da7f7d31fe4bddc9263bde35cd921d5de

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
94KB

MD5
07ac4435bb4cb85e959d79d04385a5b3

SHA1
6b9506826de59e80f15588748267a213312634aa

SHA256
52fde424113b035b0dadc04febf773f705c1b6228c789f0dca8d2278c366c9f3

SHA512
cf17fb5befafc62a488ea76b9733a22bd245892bebaa9c97e97be6f468957f72a1b5172fae7a2224d06ad54b9dca3adf1b427afa7677134fc9993faa068208b8

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
94KB

MD5
e008a0c40f2aa1bf111a8976d1ca1260

SHA1
292084c9cff362284771962b49b6c725321d90dc

SHA256
50ce2f74be25777adfe4b03abf4646a1f17b942a481afbedb98b257694762c0d

SHA512
3c591f466252a928a73ca519e7af15ad4b9934697822b5177d8d1ea852d93889d5b18eb10efad488327ad7b1e05c5e87addf7eaabe601261ba32b6831dfc3d6e

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
94KB

MD5
e4f9f498c5427e6cd2ec98103f8bc385

SHA1
73f9c38886ec06322ab2b59810807087d3449adf

SHA256
908ea9698978f27d20c96f80fdb65d51259760b58b1e3536604a1eb104217e02

SHA512
4b534993f7405f1a51a2bc59b690839af67f6aa43df96e7858ffc68fe42b099250d9b55959d019677bfa789ce3c75ccc3d119f8b12e9ec27b4251fa9ea4c0eea

Download Submit
C:\Windows\SysWOW64\Blkioa32.exe

Filesize
94KB

MD5
bc9a98f98e992b1dd46adb86141b8e86

SHA1
a695991dca4215cadf912370ff281e595cc3c6a8

SHA256
dfcd675b9c62534f84f7829673f2f1175debc1982d44a9591e6c083facd6cdaa

SHA512
31f6d70af98ecd801a9e79b720c43bb83723148c466ef11aa5d14c0a5bafbac0b63b14bee176ff00fce0e888f804e10b328cee738039f54210e16b611569be0b

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
94KB

MD5
e726d0365b7a3ba6c7ad4b62700b7542

SHA1
ae4995104d4f46849dfa42c33ee281a5a2791950

SHA256
207782cafbda0911a780463ec46a8c1d92ee493d9a91335d950b83acc23e533b

SHA512
a545f5eacbd6f656d38a28de24bcde442f531c64ca011a2321b7677bfa4b317d8c91a1af3fa8e1206c38005845bdfd5f1e1a7c2b9f95d14a8cc1092cf10db1ad

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
94KB

MD5
140e32ad5bad3aadb0fb087638c2c51f

SHA1
bb0ff2c9dedb484765b7ffd0a5b452cdd05a62fe

SHA256
daec5712048bf679f59323a7474fcc9ff2262dc5fb349f0647f4dcbd7bc8e8dc

SHA512
3c788c0b4790de7f7e9bc79864d2044b3773901db4b8550a15d5b862a356243439a92ec4942ba0d704ef872fac1d15c303502e01a20b1dc0f890226194c24b52

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
94KB

MD5
25da2c90c8310f4e5275555d25251a0c

SHA1
73d0591a9c107203a583c6bdea6b558d339260ea

SHA256
663f10929b2c11150da267b01eaf9aae24fac01a3cb89c743d6f49638be8de76

SHA512
72f7f2b7e274e8c773d9890dc13c00950248fb0f7d3120b3431b0ada54e5b18020b5c91a9c6c1ae74741fd58a76b05d3ee70a0b4f23b283e72592f3169481d5d

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
94KB

MD5
db655264f3ac1fd3d4bfeb1c0671b748

SHA1
49113c67f7aaa01ff2b00c93782e708f88fe2557

SHA256
89e7ad944f703d5413077fe1a20afce89eaaba19cd3988c33fdceb05a3cd2f0f

SHA512
66d04dea5eb219a8d8998b6a015779c7310a238bb153a452a0ff9ce474a124bb3e9e3e96ec49e2cc336807e30d01e4dafd12b8fab9bc0a6a088a0267a6cefa9a

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
94KB

MD5
4a4d0960a1f8f57e6802d7bca20e0b87

SHA1
2c0ca7dc5de5bd40f599e5b1a1d06c2770b492a2

SHA256
ada9d97609038af966f1ba3396ecb3e81d2bb286ff39029f14f276817f1e4cfe

SHA512
6223b993c26cbd5ed445e22fe7d7f50e2aee12a94d6a122951366d200d84ca7b5f30379d63148cc966bf553fb01f430e3ce43dac5c401bdc4d3f7ac46e9d0e06

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
94KB

MD5
a3906e37b1219f0b4b94cd48915fcc00

SHA1
ac300e8a329f5b544f871a12851d7b59243649d4

SHA256
f446569820f2febbaba17eb89896f037fe54c4c2beab8e24209948898fc0c7b4

SHA512
2bc5920573a707492cdef441936cc871da878a7b8dfca37ae903255fb867b8d96e0f9a682de4f5a59b8f3b846cab83adb58ae719b184afe4726fcd2431843707

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
94KB

MD5
2024316eee2d048a6538b31ef6815628

SHA1
e6c9f1e7b9f6678446a02267897641e619c56d84

SHA256
87b6bfddc7f2cbc9bce6f9dd6f2eb489ef3b08cee2b924de63b41da9b0e893b0

SHA512
0a340bf41156aceab28313b0e1899b315e4d815129dc81667fb045bf3ca3ed6c4b97bb4c4592c979aa7fd53d8134fbe1d92a0dc0adbb4809c9e4ecc1e0f33b06

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
94KB

MD5
66c4e137f957fb5e262dd6d80e961076

SHA1
a51f25763904f0ed62ed3434f5e4f960a4546d3b

SHA256
e341f3e7fc945d03f4d987f19cfe7e6fd4835a252121dd8a8bdad013b0f614e7

SHA512
ecb64fff61fd2fb363e41b2af4e2f89054315f2ab4bb5a017814396ce3ea1a1f28f66b6fddb23eda370f57778c619301e02098b46c2b4aed670ea48b81a1bfbf

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
94KB

MD5
3872a73cd96a7844b87cb99996180257

SHA1
fff2c0d9774a532cd706f5b26dfbcb250630e593

SHA256
636e1ed9329aaec9238edb4f1b09aae8eda14fc0f8c50b5c56201793cf6f5c49

SHA512
f4100d91d4729cafe03b4350635f9eca9458f3efb4af52ba94caaf4cbe0a7b513e5d0a6e40d02f953558b8fb67733d27d7e7e3c426720dba7e6e2873bbb0a79f

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
94KB

MD5
4da8013a7d73670955953fc4234ed053

SHA1
f4f6ef47362078d0bf707b2113c54baadb0c303d

SHA256
64c29fe31fd681fb23450dd75e9c3de0a6d6fe6e4ad59f93e0a9d7b3f514685a

SHA512
c59965405a8bb63db8fd0a9058269fa94943f66fc36409e79b0d190e6f34763994a911518e3f9a29ee7ccdad972a1c58ae8082bd5d3936a5e7e9bbd93dd8db6a

Download Submit
C:\Windows\SysWOW64\Odhfob32.exe

Filesize
94KB

MD5
662b4641164a2c29a118acd554a6bffe

SHA1
21f12767816183709710a774804a64f7e3bf60d1

SHA256
a89a39ca032784a2946d4fe2d8b8ad8dc371abae60b9d8febb6f6081d4cbde0b

SHA512
43b2d3dafaa32b34a3d919c71cf02005dce48a5103dca60138c6857d53e0ff2a60cf3b81e3a68e21b371ba6d6e52bd2a4f69e70eeb9a9eafcfa0a5166ce86d7e

Download Submit
C:\Windows\SysWOW64\Oegbheiq.exe

Filesize
94KB

MD5
46fb38d065a5d3f23df3888df0168508

SHA1
007d8516a31bb2e61baf34586704adbb67e305ee

SHA256
46e38fbd41908d564bb639613a216a56eec5a5a8e33b48f010b4d21d6edc4727

SHA512
89c74eea2ff900634b71a3644b523cebe3ec15560d717644bbd10d622ffcc853aff614cc428fa24cfffeefbe1e87c9b2a2bd815feccba578b0210dc9b6788beb

Download Submit
C:\Windows\SysWOW64\Okanklik.exe

Filesize
94KB

MD5
7c411c156ec48601ffbe9e90d038b52d

SHA1
3a25bf3fef28a40d3986b7ae8b3435840086d5b5

SHA256
6a929bc82912e20d9b48cc6a8a60a75e468534fad4535084025fa397a8429f4b

SHA512
2432cb7d496ed90965782a98c42658c55325d880cfa5039d78f90250542e5eda7e4a9b267a7816454e708a71da0be1183bacff4cbfce22f183ef917b11a97677

Download Submit
C:\Windows\SysWOW64\Pcdipnqn.exe

Filesize
94KB

MD5
e0c845b49bc969e1bc267a709e177fae

SHA1
645e47e2c42c8bfd411cca0879951077337a8020

SHA256
4d316007d3c17c6132ae692b9f5fd9d6098dd7153288ab24d02bba8303aaaaf5

SHA512
36ed59711e5212dba22554c92dd96d6331f3bb5c6f9c40056d30dbf1731d334c5d5050110413673e92036c4e6cb3ad29e48d2fbbb3d88ea5d628dd8ec765603e

Download Submit
C:\Windows\SysWOW64\Pckoam32.exe

Filesize
94KB

MD5
ef774296c42d0e12a858fe3df8ea9125

SHA1
613a72c41dfb221c01587323032d0f289b7f6648

SHA256
6fc844498d98bbfb4acaf82edd6b72abcc68d1940f9249a645f2517a72b6fa02

SHA512
415f63f7aac5d07a37f0d15bf37c3a88b0e08ad8b07196c1d1e6c2bc25c118de9c752cec70cd5dfdad64907a9a7bdc587f2704176bc156c749fe15c5274a04f8

Download Submit
C:\Windows\SysWOW64\Pfdabino.exe

Filesize
94KB

MD5
cc9680b40609a1e59a70c54e1018f857

SHA1
b789374ab0c1606fa6017a7dbebcebba37a6f11e

SHA256
e1ab6de278c655ded707aa29da9deff0c059a95039bb8244ec28aaf92ca7f87a

SHA512
b9e04ad4fc68a5671a5f1d3da1bdb8490b9a3a03605d09a74304471641eff1495723e4b131d0720dfa0b5d90bbd92cf5020dc8bdbc0cab655766d4f47660b140

Download Submit
C:\Windows\SysWOW64\Pfgngh32.exe

Filesize
94KB

MD5
8b716b5e739065b11cc547aa1ac3ed3c

SHA1
3aaeac4e502a383f7e778fcaafc79aafcbb98ef2

SHA256
b21b9f23c6473bcc07679ff50d67f68f12d7c1d3b894faff90226e1c5776fef6

SHA512
a5e5d847c967e5593815e216bfe40d4043f6ca77fbf52a10fd24f93fbe840b8eea3071c2c75bbc078f8fc69506dd491bacdae2cfa72b5dcbc9fbe3b33b3db9d8

Download Submit
C:\Windows\SysWOW64\Pihgic32.exe

Filesize
94KB

MD5
d344817462891f2718f088e583d62484

SHA1
3bebdc0d121604f8fcae3e9a0a2891c057d049c6

SHA256
0f7c01cadde077f5b7330ce901ddd601b1a0e46ae654c4d3fa08857a735f9e91

SHA512
d9c4e2f84e4afbbff12aa46d3d0a3c001d8648a90e9d56ba9114e04bba7a4f693656cd6073fad31bdb54ac93248cfdd08ff31c2b697c20959551471e1821681d

Download Submit
C:\Windows\SysWOW64\Pjbjhgde.exe

Filesize
94KB

MD5
e4ac24678b1fdaebc02c5d479b974f86

SHA1
58d7bee285022d3d663d784f7da9f88cdd1909a0

SHA256
2159cee4a0af47673fef0628462448c2621d0807cb3a2f8f009b265fe67aa816

SHA512
6c9c9ba24fef74fc3b0735439194b12b3c09575f6284a80527a33ff6722b92b1bcbf71071190c5b80aeb764fb30ba9e7ffccc2f00bf8b12346bd6e81962287c4

Download Submit
C:\Windows\SysWOW64\Pkdgpo32.exe

Filesize
94KB

MD5
88f22fc736f2de275976dbb49a149d5d

SHA1
6863c315d919e4c037ff4cc58f32d1dcb0da35c2

SHA256
fc5fbf45b22fc7c84adbe57e483692dbe8276e6eef85a36a6f0ffcaa08a4624f

SHA512
88056b87c505572f3a3fe962c25fde1c8420ec7f6573d00921d59c37626b10e2f7c0b798511ca5bac9e40ec46b73f1bd6384024b394318730e68b77ca9f5dbd5

Download Submit
C:\Windows\SysWOW64\Pmccjbaf.exe

Filesize
94KB

MD5
ad520ed17193c24039ca7cc7f07d5e55

SHA1
338e799690f8c15d90edb62fb21bc2de2b50cc71

SHA256
5b263d22c192da070809581cebefc30a96f7556c056b718f8888924678d6deb4

SHA512
d661024eb4dec4f2788e1145ccdc217fedf98186b8053b29d655332e5628bd5dba58a5fab4401d4693e292511f47d0ba9ba27a3de318f15d6bdee08dc27ac821

Download Submit
C:\Windows\SysWOW64\Pmlmic32.exe

Filesize
94KB

MD5
b54d5c7867345d3b99741bd7cb5122a4

SHA1
be300b241cca6860dd7fd4396c3843b4852d1322

SHA256
dd1fd207c2c9d48ea6aefcb22b8e1b76c3783b2d09b4c4c69d19c0d6c221bf60

SHA512
d7836ff9a4146dc6816da6f5938dbfd461f0f4f14318745518e84369eda0c25c8b8d7ac9b82795e3968c2fcbe8ae51995a2ccf0a28c85c6aef0581f85b43cedd

Download Submit
C:\Windows\SysWOW64\Pmojocel.exe

Filesize
94KB

MD5
a1aec85704ac814068ef0a9dc246f7a1

SHA1
5fb5b31da987f66107b88d7cdb1eba2458e54382

SHA256
95e2132d1636f3c49f2c466fded43a5d8a891ba69cc7fbe22b7155f3f9e0216e

SHA512
0a8eceda62db58c56be482c799e8962045bdbc23cc4ef112d3d8d43e431ee19391fad531689fe8aa24c3b76a0b2d36694c0018523e8f49726433d3d547bf13f2

Download Submit
C:\Windows\SysWOW64\Pomfkndo.exe

Filesize
94KB

MD5
a2429a98cb356ad7c7eebc86495ba0be

SHA1
a0fbb49d085dec3196f283c4778857eb8aed5342

SHA256
0c0a6a1119f88f9c4b6ec135e64ebdbfab3dfd93067440156a9aa46355928558

SHA512
708178e996afe8aaeef294c92cc2478e665cba42d523203681c11f1f9d9c399557e2e2d9ef242b4e4a1d61e61fb598e976ce3b38cc61ebe9d7bb57c3fd81092c

Download Submit
C:\Windows\SysWOW64\Qbbhgi32.exe

Filesize
94KB

MD5
31658875e336564e8409a684e52547b2

SHA1
07702db89bd0e27efaff92cc534fc14a58dcbd42

SHA256
06f9296a9eef3e341710519259d8fde86c9c80757188fd2296749449a0bd2b27

SHA512
5cde560119e30e53da2a35c38d12f8979baed160ccf77ad57a4c64a728bf3577c7389d5aec2b81dafdea818d15df18ad466a98ea1b278dd404c183fdc7e4fa1b

Download Submit
C:\Windows\SysWOW64\Qeohnd32.exe

Filesize
94KB

MD5
f243f458aafa461720a73b3c023e3973

SHA1
f70e459fe843fdf319ddf0d1ac2e39ddb908613a

SHA256
3783f44eba16d26f14681297d201334301dfe2771b56f34516aefc292b9e94f8

SHA512
db9822d5d341eefbbef5e69148a08f54e27365c452f60a1ecd94ab87f76cd4c00507992f8bd9f4383d0e8052505e86f85536d57f24a3acaf44371f827bd2e67d

Download Submit
C:\Windows\SysWOW64\Qijdocfj.exe

Filesize
94KB

MD5
34e70c669dc09182a58c65b8603c7429

SHA1
9846f968b78ad14611b30d54305521fa1ffaabf0

SHA256
560993eca16cd3c54614ac1d8ed9ba3a5387b3b9c4b167dfe4ff60e6d722d820

SHA512
2be1c49b7c64092e6da7973ba334bf394a93dcc5ae3c5dc3901e8ea11e07c46b3a82ef092c64332c1d1b6b77dcdf839281e892bcb0fac6e4f1ad3c6c946e2e61

Download Submit
C:\Windows\SysWOW64\Qjnmlk32.exe

Filesize
94KB

MD5
f1971c47bfff110eb62822761e4d3585

SHA1
674c499a1f718162e0b50702c11d8b63feef399f

SHA256
68e4e55fd4bb8452153a4837a0f605bdc60ca353e948c993b6f1c0711781d1bf

SHA512
e4edea47cb96df8732433caa57697980af200bd7c41f44f69e3ba87bac1a46bf1eb47500849659c7234bc5ad938357eefc51b78309f6b837f3d171865d5a4ced

Download Submit
C:\Windows\SysWOW64\Qodlkm32.exe

Filesize
94KB

MD5
fc33c56309e6272956b94e0f14ab55b3

SHA1
d90de438dea37a4c3b61239b07e0372a171dd22f

SHA256
5f7ec286df3e931e9ccc609904e6c80c1f5b2c5ff9ccb2a2cae83eeb007016f1

SHA512
9e03aa1e8eea5c8f036b03c2d509783164ad15d21cbec494ee96ed96a8160d5469f7740345f0357fb84d5604e531f2963d6b5ffbb687349b5146b4c10d0a1151

Download Submit
\Windows\SysWOW64\Oancnfoe.exe

Filesize
94KB

MD5
ff3c6a9cced5828508231fad62ad637a

SHA1
c040913a6128b85f65496cfabe1a171f90c44a99

SHA256
a6dba1c71f5c758a437de83575b47e64fb44cd59d29690d29e07ad2b7560d1f9

SHA512
10cfa83ad2f6b397bacc294f0c35f896c189df4ab0ba41e43feef2ac72d4bd6b02744171fa3cb5e64912b961a0c85a988fc7a0ea2669dc67eefb67705ed53e95

Download Submit
\Windows\SysWOW64\Oappcfmb.exe

Filesize
94KB

MD5
ba8276a66600dbbb8845a34a80fe47f4

SHA1
1a362b41269f9147ed466b10cfb04af5fb2a4e75

SHA256
f6f5a425f902edba7d7f81281ec378744134ea71fc46231493ddb7ab13be5d76

SHA512
3b32f882af76179ae72a98db50b20fae996463c22f438823c6367e88be7b7dd6ae19a6176898ef5242522d91ecc6551183403ed605198d4c6dd87ff346aac0ca

Download Submit
\Windows\SysWOW64\Ocalkn32.exe

Filesize
94KB

MD5
647431a02efd48f4cdeb9578c668e462

SHA1
d751a82d5cb57c963f2484ebc728397281636ddd

SHA256
e760e9b966a31611d61c7a4de8c563505bbb6a8816c90e8bd6c14c3b21623079

SHA512
182a69076125e882d29ff67ab506968c78be76164f6ab2daa31e627647105e9b75e98ec88a9150356bd3730321af823a8589c9c9180756f4c81c69480c925422

Download Submit
\Windows\SysWOW64\Ohhkjp32.exe

Filesize
94KB

MD5
b88fcae310dc169c9809987ecfeafb14

SHA1
a2535e16f65d767d7674fd2faf1aea8b05069b4d

SHA256
b276465851850d7f138b6e160fc41f57f206bc3940711319ce09657ae0c65708

SHA512
12cdb33e49815b286a8aef9971202a625a3516a1cfd514b28c644d8d1cda9186db4aebb17c7be221518a89905d2846fa41f828a60d3dea8a34d0ebe9e047f661

Download Submit
\Windows\SysWOW64\Ojigbhlp.exe

Filesize
94KB

MD5
8900afc054853ee047ca62280e23d5ac

SHA1
7ca6dbdba037dd7454947faa93692bae3ac9dde6

SHA256
e7419f6477d17be0e989b077c968e8a41005f71e4b7bc6f6c41fb85b0254a55a

SHA512
09ba84d5b69fc2fa028cf7d38261b76bad95d4c04944212b5c0e32b2e994edf9be68287e5308b5462d7374371b420ec5444c8b3cd69689240c349d831ad5809b

Download Submit
\Windows\SysWOW64\Oomjlk32.exe

Filesize
94KB

MD5
30ec88e4b72c251e5af7c93b554c8310

SHA1
3e019f0bed1bac2bf68871a228c7986ad5ffa6c9

SHA256
6c255bcde96398e5a83e94b76e7154edc4ed38c553589ff27e0b6fe0e408a11b

SHA512
0d444f7f775c0310efb5f3121cb98262c6a625ca8db52a1f11cf162bfe7ec909f45537517a66d3afc41377cc00141e453808e805a9de46df18e019eace70d780

Download Submit
\Windows\SysWOW64\Pcfefmnk.exe

Filesize
94KB

MD5
7ac860c29ad86f5f5a20300be0ed8189

SHA1
0ae7d80c862e2c350e11cc069008d0daced5572d

SHA256
f9f00f148e1fb70e9207aed388826727bcb30677d00a1ccf54f559bfc64b126d

SHA512
742bf3e6972c595cd426db5f4099111981f99827df3d44a12f4b35c7f1c944d235e732645cfacd5d126b20b091d719ed218a8c1050623d4cc360471638b2ae0e

Download Submit
\Windows\SysWOW64\Pjnamh32.exe

Filesize
94KB

MD5
6994b6376ff642002427cf0c8c28f980

SHA1
ac1277aeb8770e6659e01e4d34de80dad1806eee

SHA256
ffc35a8f8bb8e772aa831016f5d3dc1e26d25783e5c7cc214a39409ac02a31fd

SHA512
a57f1916729c315878689373908c04fd24cdac40fe71f01dfef05692c000667f3384f9dc1028018d306a6328de7c44c0940489ca12b3cc7f808c2a46bee78cf5

Download Submit
\Windows\SysWOW64\Pkidlk32.exe

Filesize
94KB

MD5
9e280058dbc4d479930ea5c7351eb59f

SHA1
044744a78835e09e12b8b4b682c3df0aad6c7f14

SHA256
e1598d1ce15edeef5153bb5ab5e6bbe741b1e9842c07ecf2161281e07cedde79

SHA512
ed888e475dcf8581a9ba058ee59eb741a40822594ca8f768b9f498f21bcc8370458700fe1c5f54aea89e1545eb12126cb581c861adbeb854a99ebbbd7b071df1

Download Submit
\Windows\SysWOW64\Pmjqcc32.exe

Filesize
94KB

MD5
ced1015213d692dc24cf1aa0edb0c542

SHA1
1b9c796fa11a00f65e4271c3b525caa50e4d8ee5

SHA256
07be8a37bd43461169536efaba54b32b8415346d90129109adbdce8082cb79d2

SHA512
dd3a5f32f0ec03ce3df0ef8ea038fdc27da6363c956ea359b7319417f4c3a49dadc7705de8e871eb59471ee409a349cadacfc044783e55fd7f0dd641d56b5d34

Download Submit
memory/836-426-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/836-435-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/996-490-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/996-481-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1048-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1048-80-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1048-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1084-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1160-492-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1260-168-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1260-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1260-491-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1264-458-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1264-129-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/1296-276-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/1296-266-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1296-272-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/1308-505-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1308-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1348-213-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1348-220-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1364-254-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1364-261-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/1364-265-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/1516-253-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1516-244-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1516-255-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1552-516-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1552-518-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1600-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1600-447-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/1660-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1796-398-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1796-54-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1796-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1796-62-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1804-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1804-425-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1868-90-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/1868-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1868-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1924-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1924-291-0x0000000001FE0000-0x0000000002021000-memory.dmp

Filesize
260KB

Download
memory/1924-296-0x0000000001FE0000-0x0000000002021000-memory.dmp

Filesize
260KB

Download
memory/1940-457-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1940-459-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1940-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1964-372-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1964-363-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2080-116-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2080-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2080-446-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2120-463-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-39-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2196-26-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-362-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-34-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2212-350-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2212-352-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2212-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2236-195-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2236-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2324-379-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2324-373-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2368-403-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2496-318-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2496-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2496-317-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2508-480-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-243-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2580-239-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2580-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-46-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2668-339-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2668-340-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2668-330-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2748-23-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2748-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2748-351-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-329-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2776-325-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2776-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2872-297-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2872-306-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2872-307-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2876-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2912-857-0x0000000076DA0000-0x0000000076EBF000-memory.dmp

Filesize
1.1MB

Download
memory/2912-858-0x0000000076CA0000-0x0000000076D9A000-memory.dmp

Filesize
1000KB

Download
memory/2928-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2928-414-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2944-141-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2944-470-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2956-477-0x0000000000330000-0x0000000000371000-memory.dmp

Filesize
260KB

Download
memory/2956-469-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2996-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2996-390-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads