berbew | 373ac2031d35bed0edc9e2623fce3e56abcf1c9f0da000925c7fbe61a1fd902a

Analysis

max time kernel
27s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-10-2024 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

373ac2031d35bed0edc9e2623fce3e56abcf1c9f0da000925c7fbe61a1fd902aN.exe
Size

337KB
MD5

f77b366559dfba882811d981f1a07ba0
SHA1

95258f3629514dcfe0be31488c849a4a36b13938
SHA256

373ac2031d35bed0edc9e2623fce3e56abcf1c9f0da000925c7fbe61a1fd902a
SHA512

d5133e653c43d99e9a05fe49ed89c6912a82c3f769a50a09d799595c69569a667fd78bad5bed8ece95ff00f7d75f2a3b77c42d192cd8dfee4e513580f25ecbd9
SSDEEP

3072:roUijSCIlgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:M5Il1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Poocpnbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afiglkle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljddpfe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biojif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfigjlp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oancnfoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	373ac2031d35bed0edc9e2623fce3e56abcf1c9f0da000925c7fbe61a1fd902aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nljddpfe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oomjlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odjbdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjnamh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nenobfak.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmagdbci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oomjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aajbne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmagdbci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohaeia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocfigjlp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgpeal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfdabino.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
2936	Nmbknddp.exe
2596	Ncpcfkbg.exe
2584	Nenobfak.exe
3024	Nljddpfe.exe
344	Ohaeia32.exe
1856	Ocfigjlp.exe
1964	Oomjlk32.exe
2896	Odjbdb32.exe
2324	Oancnfoe.exe
2640	Ohhkjp32.exe
2268	Oqcpob32.exe
300	Pjldghjm.exe
2032	Pgpeal32.exe
1688	Pjnamh32.exe
2236	Pfdabino.exe
1812	Picnndmb.exe
2084	Pmagdbci.exe
752	Poocpnbm.exe
1756	Pbnoliap.exe
1636	Poapfn32.exe
2096	Qeohnd32.exe
2360	Qijdocfj.exe
1908	Qngmgjeb.exe
1784	Qbbhgi32.exe
1008	Qgoapp32.exe
2876	Abeemhkh.exe
2900	Aecaidjl.exe
2624	Akmjfn32.exe
2524	Aajbne32.exe
1376	Achojp32.exe
2172	Amqccfed.exe
2180	Agfgqo32.exe
2540	Afiglkle.exe
1304	Abphal32.exe
2848	Ajgpbj32.exe
2184	Acpdko32.exe
1240	Abbeflpf.exe
1712	Blkioa32.exe
2468	Bbdallnd.exe
2440	Becnhgmg.exe
840	Biojif32.exe
2496	Bnkbam32.exe
992	Bbgnak32.exe
844	Beejng32.exe
1644	Blobjaba.exe
604	Bjbcfn32.exe
2676	Bbikgk32.exe
2720	Bhfcpb32.exe
1576	Blaopqpo.exe
2628	Bmclhi32.exe
2024	Bejdiffp.exe
1152	Bhhpeafc.exe
576	Bkglameg.exe
2880	Baadng32.exe
2100	Chkmkacq.exe
2864	Cfnmfn32.exe
108	Cmgechbh.exe
1284	Cpfaocal.exe
1792	Cbdnko32.exe
2256	Cinfhigl.exe
2284	Cmjbhh32.exe
2376	Cddjebgb.exe
1036	Cbgjqo32.exe
1676	Ceegmj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2724	373ac2031d35bed0edc9e2623fce3e56abcf1c9f0da000925c7fbe61a1fd902aN.exe
2724	373ac2031d35bed0edc9e2623fce3e56abcf1c9f0da000925c7fbe61a1fd902aN.exe
2936	Nmbknddp.exe
2936	Nmbknddp.exe
2596	Ncpcfkbg.exe
2596	Ncpcfkbg.exe
2584	Nenobfak.exe
2584	Nenobfak.exe
3024	Nljddpfe.exe
3024	Nljddpfe.exe
344	Ohaeia32.exe
344	Ohaeia32.exe
1856	Ocfigjlp.exe
1856	Ocfigjlp.exe
1964	Oomjlk32.exe
1964	Oomjlk32.exe
2896	Odjbdb32.exe
2896	Odjbdb32.exe
2324	Oancnfoe.exe
2324	Oancnfoe.exe
2640	Ohhkjp32.exe
2640	Ohhkjp32.exe
2268	Oqcpob32.exe
2268	Oqcpob32.exe
300	Pjldghjm.exe
300	Pjldghjm.exe
2032	Pgpeal32.exe
2032	Pgpeal32.exe
1688	Pjnamh32.exe
1688	Pjnamh32.exe
2236	Pfdabino.exe
2236	Pfdabino.exe
1812	Picnndmb.exe
1812	Picnndmb.exe
2084	Pmagdbci.exe
2084	Pmagdbci.exe
752	Poocpnbm.exe
752	Poocpnbm.exe
1756	Pbnoliap.exe
1756	Pbnoliap.exe
1636	Poapfn32.exe
1636	Poapfn32.exe
2096	Qeohnd32.exe
2096	Qeohnd32.exe
2360	Qijdocfj.exe
2360	Qijdocfj.exe
1908	Qngmgjeb.exe
1908	Qngmgjeb.exe
1784	Qbbhgi32.exe
1784	Qbbhgi32.exe
2852	Qjnmlk32.exe
2852	Qjnmlk32.exe
2876	Abeemhkh.exe
2876	Abeemhkh.exe
2900	Aecaidjl.exe
2900	Aecaidjl.exe
2624	Akmjfn32.exe
2624	Akmjfn32.exe
2524	Aajbne32.exe
2524	Aajbne32.exe
1376	Achojp32.exe
1376	Achojp32.exe
2172	Amqccfed.exe
2172	Amqccfed.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ajgpbj32.exe	Abphal32.exe
File created	C:\Windows\SysWOW64\Blaopqpo.exe	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfaocal.exe	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Bnkbam32.exe	Biojif32.exe
File created	C:\Windows\SysWOW64\Hqlhpf32.dll	Blobjaba.exe
File created	C:\Windows\SysWOW64\Oancnfoe.exe	Odjbdb32.exe
File opened for modification	C:\Windows\SysWOW64\Poapfn32.exe	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Bmnbjfam.dll	Abphal32.exe
File created	C:\Windows\SysWOW64\Gmfkdm32.dll	Acpdko32.exe
File opened for modification	C:\Windows\SysWOW64\Bjbcfn32.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Pjldghjm.exe	Oqcpob32.exe
File opened for modification	C:\Windows\SysWOW64\Qeohnd32.exe	Poapfn32.exe
File created	C:\Windows\SysWOW64\Afiglkle.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Elmnchif.dll	Aecaidjl.exe
File opened for modification	C:\Windows\SysWOW64\Nmbknddp.exe	373ac2031d35bed0edc9e2623fce3e56abcf1c9f0da000925c7fbe61a1fd902aN.exe
File opened for modification	C:\Windows\SysWOW64\Qijdocfj.exe	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Gcnmkd32.dll	Qngmgjeb.exe
File opened for modification	C:\Windows\SysWOW64\Bbdallnd.exe	Blkioa32.exe
File created	C:\Windows\SysWOW64\Bkglameg.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Nmbknddp.exe	373ac2031d35bed0edc9e2623fce3e56abcf1c9f0da000925c7fbe61a1fd902aN.exe
File created	C:\Windows\SysWOW64\Nenobfak.exe	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Abeemhkh.exe	Qjnmlk32.exe
File opened for modification	C:\Windows\SysWOW64\Nenobfak.exe	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Ohhkjp32.exe	Oancnfoe.exe
File opened for modification	C:\Windows\SysWOW64\Bbgnak32.exe	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Cddjebgb.exe	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Bhdmagqq.dll	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cbgjqo32.exe
File opened for modification	C:\Windows\SysWOW64\Oqcpob32.exe	Ohhkjp32.exe
File created	C:\Windows\SysWOW64\Emfmdo32.dll	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Plgifc32.dll	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Mmdgdp32.dll	Becnhgmg.exe
File opened for modification	C:\Windows\SysWOW64\Beejng32.exe	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Mblnbcjf.dll	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Pjnamh32.exe	Pgpeal32.exe
File created	C:\Windows\SysWOW64\Picnndmb.exe	Pfdabino.exe
File created	C:\Windows\SysWOW64\Qgoapp32.exe	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Aecaidjl.exe	Abeemhkh.exe
File opened for modification	C:\Windows\SysWOW64\Becnhgmg.exe	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Eoqbnm32.dll	Bbgnak32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdnko32.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Pjldghjm.exe	Oqcpob32.exe
File created	C:\Windows\SysWOW64\Ipgljgoi.dll	Pjldghjm.exe
File created	C:\Windows\SysWOW64\Poapfn32.exe	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Cpfaocal.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Lclclfdi.dll	Poocpnbm.exe
File created	C:\Windows\SysWOW64\Bbdallnd.exe	Blkioa32.exe
File created	C:\Windows\SysWOW64\Pdiadenf.dll	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Momeefin.dll	Blkioa32.exe
File created	C:\Windows\SysWOW64\Poocpnbm.exe	Pmagdbci.exe
File created	C:\Windows\SysWOW64\Qbbhgi32.exe	Qngmgjeb.exe
File created	C:\Windows\SysWOW64\Icmqhn32.dll	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Gfpifm32.dll	Cpfaocal.exe
File opened for modification	C:\Windows\SysWOW64\Qbbhgi32.exe	Qngmgjeb.exe
File opened for modification	C:\Windows\SysWOW64\Bhhpeafc.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Opacnnhp.dll	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Pmagdbci.exe	Picnndmb.exe
File created	C:\Windows\SysWOW64\Qijdocfj.exe	Qeohnd32.exe
File opened for modification	C:\Windows\SysWOW64\Bbikgk32.exe	Bjbcfn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2228	1676	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbgjqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cddjebgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecaidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmagdbci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abeemhkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	373ac2031d35bed0edc9e2623fce3e56abcf1c9f0da000925c7fbe61a1fd902aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdnko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjnamh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajgpbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjldghjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgpeal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdabino.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohaeia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfigjlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oancnfoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Picnndmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biojif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nenobfak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhkjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajbne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afiglkle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjbdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomjlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poapfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjnmlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkioa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbknddp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeohnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbbhgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmjbhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqcpob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qngmgjeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poocpnbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljddpfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjojco32.dll"	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehieciqq.dll"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odjbdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icmqhn32.dll"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqcpob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llaemaih.dll"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohaeia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbjgn32.dll"	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achojp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	373ac2031d35bed0edc9e2623fce3e56abcf1c9f0da000925c7fbe61a1fd902aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odjbdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmoilnn.dll"	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Poocpnbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnbjfam.dll"	Abphal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohhkjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biojif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpfcfnm.dll"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icdleb32.dll"	Nljddpfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnmkd32.dll"	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmnchif.dll"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aajbne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmelgapq.dll"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll"	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mblnbcjf.dll"	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohaeia32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2936	2724	373ac2031d35bed0edc9e2623fce3e56abcf1c9f0da000925c7fbe61a1fd902aN.exe	30
PID 2724 wrote to memory of 2936	2724	373ac2031d35bed0edc9e2623fce3e56abcf1c9f0da000925c7fbe61a1fd902aN.exe	30
PID 2724 wrote to memory of 2936	2724	373ac2031d35bed0edc9e2623fce3e56abcf1c9f0da000925c7fbe61a1fd902aN.exe	30
PID 2724 wrote to memory of 2936	2724	373ac2031d35bed0edc9e2623fce3e56abcf1c9f0da000925c7fbe61a1fd902aN.exe	30
PID 2936 wrote to memory of 2596	2936	Nmbknddp.exe	31
PID 2936 wrote to memory of 2596	2936	Nmbknddp.exe	31
PID 2936 wrote to memory of 2596	2936	Nmbknddp.exe	31
PID 2936 wrote to memory of 2596	2936	Nmbknddp.exe	31
PID 2596 wrote to memory of 2584	2596	Ncpcfkbg.exe	32
PID 2596 wrote to memory of 2584	2596	Ncpcfkbg.exe	32
PID 2596 wrote to memory of 2584	2596	Ncpcfkbg.exe	32
PID 2596 wrote to memory of 2584	2596	Ncpcfkbg.exe	32
PID 2584 wrote to memory of 3024	2584	Nenobfak.exe	33
PID 2584 wrote to memory of 3024	2584	Nenobfak.exe	33
PID 2584 wrote to memory of 3024	2584	Nenobfak.exe	33
PID 2584 wrote to memory of 3024	2584	Nenobfak.exe	33
PID 3024 wrote to memory of 344	3024	Nljddpfe.exe	34
PID 3024 wrote to memory of 344	3024	Nljddpfe.exe	34
PID 3024 wrote to memory of 344	3024	Nljddpfe.exe	34
PID 3024 wrote to memory of 344	3024	Nljddpfe.exe	34
PID 344 wrote to memory of 1856	344	Ohaeia32.exe	35
PID 344 wrote to memory of 1856	344	Ohaeia32.exe	35
PID 344 wrote to memory of 1856	344	Ohaeia32.exe	35
PID 344 wrote to memory of 1856	344	Ohaeia32.exe	35
PID 1856 wrote to memory of 1964	1856	Ocfigjlp.exe	36
PID 1856 wrote to memory of 1964	1856	Ocfigjlp.exe	36
PID 1856 wrote to memory of 1964	1856	Ocfigjlp.exe	36
PID 1856 wrote to memory of 1964	1856	Ocfigjlp.exe	36
PID 1964 wrote to memory of 2896	1964	Oomjlk32.exe	37
PID 1964 wrote to memory of 2896	1964	Oomjlk32.exe	37
PID 1964 wrote to memory of 2896	1964	Oomjlk32.exe	37
PID 1964 wrote to memory of 2896	1964	Oomjlk32.exe	37
PID 2896 wrote to memory of 2324	2896	Odjbdb32.exe	38
PID 2896 wrote to memory of 2324	2896	Odjbdb32.exe	38
PID 2896 wrote to memory of 2324	2896	Odjbdb32.exe	38
PID 2896 wrote to memory of 2324	2896	Odjbdb32.exe	38
PID 2324 wrote to memory of 2640	2324	Oancnfoe.exe	39
PID 2324 wrote to memory of 2640	2324	Oancnfoe.exe	39
PID 2324 wrote to memory of 2640	2324	Oancnfoe.exe	39
PID 2324 wrote to memory of 2640	2324	Oancnfoe.exe	39
PID 2640 wrote to memory of 2268	2640	Ohhkjp32.exe	40
PID 2640 wrote to memory of 2268	2640	Ohhkjp32.exe	40
PID 2640 wrote to memory of 2268	2640	Ohhkjp32.exe	40
PID 2640 wrote to memory of 2268	2640	Ohhkjp32.exe	40
PID 2268 wrote to memory of 300	2268	Oqcpob32.exe	41
PID 2268 wrote to memory of 300	2268	Oqcpob32.exe	41
PID 2268 wrote to memory of 300	2268	Oqcpob32.exe	41
PID 2268 wrote to memory of 300	2268	Oqcpob32.exe	41
PID 300 wrote to memory of 2032	300	Pjldghjm.exe	42
PID 300 wrote to memory of 2032	300	Pjldghjm.exe	42
PID 300 wrote to memory of 2032	300	Pjldghjm.exe	42
PID 300 wrote to memory of 2032	300	Pjldghjm.exe	42
PID 2032 wrote to memory of 1688	2032	Pgpeal32.exe	43
PID 2032 wrote to memory of 1688	2032	Pgpeal32.exe	43
PID 2032 wrote to memory of 1688	2032	Pgpeal32.exe	43
PID 2032 wrote to memory of 1688	2032	Pgpeal32.exe	43
PID 1688 wrote to memory of 2236	1688	Pjnamh32.exe	44
PID 1688 wrote to memory of 2236	1688	Pjnamh32.exe	44
PID 1688 wrote to memory of 2236	1688	Pjnamh32.exe	44
PID 1688 wrote to memory of 2236	1688	Pjnamh32.exe	44
PID 2236 wrote to memory of 1812	2236	Pfdabino.exe	45
PID 2236 wrote to memory of 1812	2236	Pfdabino.exe	45
PID 2236 wrote to memory of 1812	2236	Pfdabino.exe	45
PID 2236 wrote to memory of 1812	2236	Pfdabino.exe	45

C:\Users\Admin\AppData\Local\Temp\373ac2031d35bed0edc9e2623fce3e56abcf1c9f0da000925c7fbe61a1fd902aN.exe
"C:\Users\Admin\AppData\Local\Temp\373ac2031d35bed0edc9e2623fce3e56abcf1c9f0da000925c7fbe61a1fd902aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\Nmbknddp.exe
  C:\Windows\system32\Nmbknddp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\Ncpcfkbg.exe
    C:\Windows\system32\Ncpcfkbg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\Nenobfak.exe
      C:\Windows\system32\Nenobfak.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\Nljddpfe.exe
        
        C:\Windows\system32\Nljddpfe.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Windows\SysWOW64\Ohaeia32.exe
        
        C:\Windows\system32\Ohaeia32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\SysWOW64\Ocfigjlp.exe
        
        C:\Windows\system32\Ocfigjlp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Oomjlk32.exe
        
        C:\Windows\system32\Oomjlk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Odjbdb32.exe
        
        C:\Windows\system32\Odjbdb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Oancnfoe.exe
        
        C:\Windows\system32\Oancnfoe.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Ohhkjp32.exe
        
        C:\Windows\system32\Ohhkjp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Oqcpob32.exe
        
        C:\Windows\system32\Oqcpob32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Pjldghjm.exe
        
        C:\Windows\system32\Pjldghjm.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:300
        
        C:\Windows\SysWOW64\Pgpeal32.exe
        
        C:\Windows\system32\Pgpeal32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Pjnamh32.exe
        
        C:\Windows\system32\Pjnamh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Pfdabino.exe
        
        C:\Windows\system32\Pfdabino.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Picnndmb.exe
        
        C:\Windows\system32\Picnndmb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Pmagdbci.exe
        
        C:\Windows\system32\Pmagdbci.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\Poocpnbm.exe
        
        C:\Windows\system32\Poocpnbm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Poapfn32.exe
        
        C:\Windows\system32\Poapfn32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Qngmgjeb.exe
        
        C:\Windows\system32\Qngmgjeb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Qbbhgi32.exe
        
        C:\Windows\system32\Qbbhgi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Abeemhkh.exe
        
        C:\Windows\system32\Abeemhkh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Ajgpbj32.exe
        
        C:\Windows\system32\Ajgpbj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Blkioa32.exe
        
        C:\Windows\system32\Blkioa32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:604
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:108
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\Cbdnko32.exe
        
        C:\Windows\system32\Cbdnko32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Cmjbhh32.exe
        
        C:\Windows\system32\Cmjbhh32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Cddjebgb.exe
        
        C:\Windows\system32\Cddjebgb.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Cbgjqo32.exe
        
        C:\Windows\system32\Cbgjqo32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        66⤵
        Executes dropped EXE
        
        PID:1676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 140
        67⤵
        Program crash
        
        PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajbne32.exe

Filesize
337KB

MD5
36e9a234f819f5c85d1f53e743867847

SHA1
fa636377f393e1fa2ffa47374181d9bcaea1d7ea

SHA256
342375174053b5368cd67a1726f353363c1923cd46bd543effa4940923309e30

SHA512
2101b956f62f996c4cad3d21f8e31315d169efe61d64504a8ba18d9606c82c4e0b15d3777de1e18e67ba759d7bceb218077df240a3b069aabf7545729b74622c

Download Submit
C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
337KB

MD5
d9b66d68e0b9ea926b40c2ae60973c31

SHA1
c22b98cec4c45bb92ebddb7709f487fce33d8fd6

SHA256
d2175cf04d5c1e3eae4c630c2dfb4b14a6be6d0383ed58c439536f5c25ffcc70

SHA512
2d8dddc24058b5bfec2ce3df7ff937f1a17282ce4ffe270e11b5995e94f6022552f133afd9968ce252a439216a7152cf2674c4f79f1aeb24dec49199e9d536be

Download Submit
C:\Windows\SysWOW64\Abeemhkh.exe

Filesize
337KB

MD5
11ba67bdcb3924cb3be0138a8262ec42

SHA1
3d27c5d0c20df10ad737cea2987ec7f4b0a36527

SHA256
10072b65682920ee4d5755abc4f471951a22751be15b6c3f7313d7ac36383d25

SHA512
20fd34ac7d2726714315747a4d4fb1b1126b5eb423d1cb2398cb8c31518586f74f629cb1e8bbbbd4f25e9d36ca0ed8ef87dbac7a298ad9e6c367b34514a468eb

Download Submit
C:\Windows\SysWOW64\Abphal32.exe

Filesize
337KB

MD5
2d462fd6c8c2507661f01cb3078c30fc

SHA1
14e6dd9086cab6b21f80078adf183bc42f2f4929

SHA256
f345bd1a2777ebb80aa4813a57c0b61a3cd77c848395c4bc9c33c8e7169e7cff

SHA512
9e3ec4c4fcc7c48e4ece18ade5870f4c996846b042af39d8ac8d760ac999f50bd15c93bcc6d86718173637ccda95962f4d6f9773bfe4e1a14b2d5e5a04a2f4c5

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
337KB

MD5
386dc7648a6e5151b4c7e66cda7f6681

SHA1
577dc8afb7065c74871895c82a6e1676dbc76980

SHA256
02510f25f6f8e63fed237a9b4d80b560ec0b245e4d985733abc4718290fb9cbf

SHA512
7a373a437af965cbb125b20ea9afc4d3a46f3d558d53295b67d11ba6b04c182297058df819f627b44a1e5abae9d575344344cdfaae78419dc19eb11522b5a84d

Download Submit
C:\Windows\SysWOW64\Acpdko32.exe

Filesize
337KB

MD5
042bf76d92c4b93ae4350ba711cd4a85

SHA1
71a2c0e4a9df60360c983b87228d1de5fa47b347

SHA256
28d1401507de1f3ea31b8c188a8e5e3d2c4819bd33124591ef4b7923264b8942

SHA512
76bf5f9ad714d914a7fedce94e32835bcfdf013c922676ee555dda8b65f848aa23bd8c6806f9383912f7a32f38499e1eb4b4795a53a6fbe13b7a510847fea8d7

Download Submit
C:\Windows\SysWOW64\Aecaidjl.exe

Filesize
337KB

MD5
50266776554af1d7f8b7170e7b6fc31a

SHA1
4bd5c709548c51add6e41c460f94df55761985b5

SHA256
31151ef45668a4719ef05f0418c3a95683b736e5db40fcf4152c8fa60b4ad996

SHA512
260098acce33aaaecceceeb57af4484a4759dbfec2ca15af6a42aa81a02ee5922b420f2133b54a86e2d072d7d64a4d61ed520f0284fede99d8fdef0ca2881d53

Download Submit
C:\Windows\SysWOW64\Afiglkle.exe

Filesize
337KB

MD5
f4b1262ff944089d1c030d905149e140

SHA1
7c2b3ffe91d1a1904600809f3eb37fc79b78dc00

SHA256
5c881ce427800554387a017355a5c6dc197ffffbefbb1d3cb619cdc49d291d04

SHA512
18bbb2923cd9be3abf8e789e9119bc664378f9dea84c5d1e819a382bb0e08bd4933668a6db61937e4dd18ae7fe23c83131e977c4784a1620985c5779b489956e

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
337KB

MD5
972c401bc6a2526552b3ee643989c9a9

SHA1
856cb099772a5b7c87b93228d5c26bfea3e6831a

SHA256
f3508dc4a46255b51442ba1d7fb2a3fa5033e2463fcd501ad51deb5d9670e180

SHA512
853f4324a63e7db8e4622da1e086f71b0ef0dbcd9b9623fa8d87f8afb66192608faf0e467b383f7560a6b075e064d7297bb9d499011b92dd2bc4681b4c9f534a

Download Submit
C:\Windows\SysWOW64\Ajgpbj32.exe

Filesize
337KB

MD5
20e6240a7de31e28f0d395078d342584

SHA1
3e72532f76807f1a4ef4dabace9a190ebc23ff50

SHA256
76365ef5459ce91ccc1cde73347a064218ea3c0dde64dd49e99350cd02dc570a

SHA512
f73a0325869ed092f57c62afd78cd919b498fed36a579abe8ef098668eb29dbb736c3f68b509d6814a12ee3c04a36a05e13d657a2aee7d76d253e353b88c52c0

Download Submit
C:\Windows\SysWOW64\Akmjfn32.exe

Filesize
337KB

MD5
21a4202b348f6f838b8e7226b05ee646

SHA1
b4790a8f6262b64d7860c861c1ea29eaf3f00754

SHA256
0296cab0cd29671c25d9f40123825109a768725ec7abf7303faad907b7ccb023

SHA512
0c04cf350742f066bebc8df64ed082b930b36c77bac14920fc94bd5fb85aad783193d3a2cdcd7c5f07a5e8de6f6c4f9602496e64369c8d5b30e1b07e96b4f11f

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
337KB

MD5
f70752935d3527798c0e45db0d90c90d

SHA1
f9269cd589db8cfe4fa016c4765fbc99e2be757b

SHA256
7fff3e1b132339edd32347bdbc2a0a77ac95c8d7882d4bb27093aac56285c017

SHA512
e9e73d8cf79431725a58ea170f1ce5b5617580a8463d1af27a8b8cfac92c6da13a6cc925445993aa314f3a53ad63b19f05b07fc07f5866c282dcc12f62fa7579

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
337KB

MD5
5a738ac9470a964ecad24a2798e8c197

SHA1
f9827fd2c7b5af82e46bca376cc2e81e59efd93f

SHA256
1175fc2484843b94d9ff31e7ee8a3315de73112755a016c20ff47415410ba084

SHA512
1b7809bbd6578411312fc7e69058475f5840fb28139e2dfea67d1cc3b4be7517e29ee38f0d0b85131819f90c62fbb363588f036b179e90a2c70956ff2c715e63

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
337KB

MD5
0d101c818acf143b22c24891950e6a03

SHA1
eb5ebc5072c60025edb621e0ae1b4652a258d350

SHA256
0de28d79c083c2c4492f40750d6ed36c9dd34dff9793704404286ad174fe78e3

SHA512
ddf7f0a2dcdfd31c2b26a5e2bdc762782a91e36e781ff0ef2f0fa9074c7c44242393d09612d25457fc26477090e3411f5c02a1aa1dd7e7451a5483b65be3f293

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
337KB

MD5
22e13e86adff46e48abcc31745108330

SHA1
0ff8c2285ef9082a939dfae5548d1683c7994d2c

SHA256
76a467a2c12c184fe56d4266b56d66503e0264a7d8c0e45d07ca5d6975deb32d

SHA512
21328589cbcff7c4be7d3cc4b42ecfbc998081cea5797f9547fcfa42dbc2f08b42fa913ddab1891b7d8ef12b8e3ee67b45cbfe9e079e3b3b1544085981513125

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
337KB

MD5
66c0ca950e832078946fb77b41395697

SHA1
7d72a823cde1962d84cab06650f5cea0431e202b

SHA256
07e79a8d7be3de198941a3dfeb852fb761063cca16da34ce62d419ace19c7ea9

SHA512
6c87a5cd2f5c064b3234759b625eb96629ce8e678e5f940dea2006b248b8e34481439cf09f010a1eb44ae89cc2cdf4cdf20f9361a7d4e0d2b266ed384d132726

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
337KB

MD5
37f1d8fce34dda5a989e55ac86f1e81e

SHA1
481cf206a203ff2d842a59c4ca032b076c9c1c13

SHA256
76ff4bdbb516ffa083354aadb6e11245055384907a5791fd70eab0b6b601edcd

SHA512
2a72197c898f4dfed00b341b383da09cc677bca1f9111dae36e514a67ece3df4eff5d22d344deedfb8342f8aaaba9af998bd5030e8a5906df76709b173adb5f6

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
337KB

MD5
628c6f36dde3f00a7f0b969416f5330b

SHA1
7877f5119529ed7ca738264f2f0cd258afc0fc3b

SHA256
22bbb084b432decae80cf488e179c309876ed7d8542fbe030ac23ff23d8736b6

SHA512
9ef534fea9f3c5b40e9e11d0eaaea61cfa3999562bc0c244cebbb9673442257dec12f77ba7d31682d668429dba260f7b54bb5f6c06a6eb5d869cece46c595c61

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
337KB

MD5
35e007cff1ccfa46b55e2f30cf75e878

SHA1
4ef8683a8420e950a690fa6274cbc29644503d52

SHA256
236145d277c0af063a480924d0c73d13faa1a593093960fd4db56c87acbb22eb

SHA512
2aa05f9b215aa8b0f6a02e0ab67696daf492ccb24c36f8617c40f69e664c743d220a6e915271071c343f883da7e4dce909919690510e7a3bbdb2760e5e231f09

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
337KB

MD5
07eea5579ca40021ba24e067c322ddc3

SHA1
7684d345bb40c70a4e7143e944e8531f46460675

SHA256
e571605127d39ff1e291356c692643774569548b8ec882b897c0d3dcb921aa61

SHA512
0954650e6111852497c861c424bb4e287f75a9361ebdd07d2897484dbfa6b3e1b70c0fa80e9fcf12282a84a88b26cb2b7de1f5b31da8a23705c548fca76cd29d

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
337KB

MD5
4a5f35ee0d61ca9d2d6d30cd943597cc

SHA1
e08d2dbd2a5b3540fd343748396bc30468bd7783

SHA256
c767302c1c69939b3c8e19f7ac11f4be0b34ec866a62ced6022e23f1d2f62a32

SHA512
32909828b6c8f4608322b8225a32585a4fea8c3f27b53807d0b613fd2619deff771ed73f335e5df467530e209183d1393aece402f8ac932d74e9cdb921f0e120

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
337KB

MD5
4ed063ce51cceeb33f172b0595d3b8fb

SHA1
254d23ba0526099689bf783d31cb04c98cd473f4

SHA256
41996db98b75522a698853543f69d41f9f7d8c09e173f4d95b8d7e7715e949c7

SHA512
a0533553a5f6fa6292d1a8b985dc2c60c1eeb6257d2f75b6c6ace0f10f42402fe129deb00b52bf28bfa9b16b89ba0d74770372d8a9c05a3cb9fe7b3d6dca843f

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
337KB

MD5
1053388e480a41971efe08e7241ae959

SHA1
8be92c7c3ce35bde1e8da3575da7d88cba8a0832

SHA256
7cb5e066f4f4ae86cff4a3c5cf8ebfbee8162fd350c0bfd6a47b3ca504771479

SHA512
3ad00e874ca7bad76b0fb47a46ffa61e22a1456b9b9b2ef0272a08dedc7ba33b03e46b1e1c7b065d7402ce4b1b076114aae15f2c9684c5c5abdc2fdfb56bc7ea

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
337KB

MD5
7381d7212c982aa755bef88f00e44673

SHA1
d3e1f7adf59951cf3aa648a5b6d7407075aa7539

SHA256
697a6a67d9846c9b29578aabef8e2d5a0c8ab75330bdcd0b0dbb1bbd2a6a7f97

SHA512
9d7b8789d324b5c609d9bb36927dbe4321a8537b090a942ea5e4b5dc0baab4bcf7e24a5d8d89f0cd49b65fc5e0d829f894635c5beddbfe19c977129dd6e5eca5

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
337KB

MD5
a3dd174d4437af77964c0ea247fd2f47

SHA1
81dfb8cadab4d9fae968546fecbfaa944062b210

SHA256
3343285709e2565e764ef899282fb2708374f4206f80e352d0fb739715bef5d7

SHA512
9660b5458eb164b394b73815bde9b1bb1bcc9453d757a54343d890e39da46e90b3cf0317aa9d69c7fcd86a22b35667505dea46c267185c2a7d86338e1c09d7d2

Download Submit
C:\Windows\SysWOW64\Blkioa32.exe

Filesize
337KB

MD5
1ba4c9f478321dc517c59f9c1b7898be

SHA1
1681f6bff50afb8a14cbe9bcc774970c89bad004

SHA256
2c8e24486704ae51bcee56f58de63867b4c9875cb78c839db2ede58c1b83ed32

SHA512
793c05c745ca74042078eefb20d1b5af5322886c9ab9ad78cf03725b1c30e10c00965b04c232a92eba6474afd0693785f1ae334ccaaeaf30237c8bef6fca90b3

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
337KB

MD5
b67f11c474f59bf25166a93ebbb4ace0

SHA1
144a12ec299c78ed996e2d3af53c2a80c9f6c468

SHA256
efa1b26eb5552b995499369148d7e15fc876b1f38a9b47c93f337ba5bd7058b3

SHA512
edc21c56c5de4d416f2e71106a94fbe72ece3546e79fad8e21e28b0380db3264863908ed64ca18a03a85d447b6434f29d07679b186b825222dae6af3e36db111

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
337KB

MD5
dcd1ec03f2d2856bd932f706568240aa

SHA1
a0a34d6c092c7828e6fa937475695dda81cb0946

SHA256
3c628fe0010ca652e23b3bd9db2d0541d121b65354f570aa4d60ab4861bdc522

SHA512
3b295c6563f2cf0dc6cac411975d5fa98bbce1ba1f63c62cd40d37be297fbda794a6f767529fa1c341b1e31bd7c953ec30d598b03496ba922b56296c0a7bdc4c

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
337KB

MD5
5f3edba0584d05d814e3af0c0a855087

SHA1
bea94c201c9399299e980d63b085c9f88751408f

SHA256
8131135d65ccc66db520a7b376407342c09d751db3e225e8f3bbb1fdbccc1705

SHA512
cc3c2cf1a08c18764a655fd4426ffb3d10ce3302ecb8ff5c568fcb053ddf275c8b137fed6232489f0b22e3566d9a7233ab975c84fd8800066a3a05fa946578de

Download Submit
C:\Windows\SysWOW64\Cbdnko32.exe

Filesize
337KB

MD5
a29511419b329d25869cfd8e6a89f552

SHA1
2e86b4e7c5745e0ec9d3eaccb149957518ade1c8

SHA256
520f3a02f5796cca3cae1d80ce2699ebf650ddcf5d3449977c7963199ccb9a89

SHA512
24ae42165a29ab9044e44de2104343545c83c335df3c048f7c07f297dc01ef01952f1a96955a11d678b61c4a20fee24720c8730cac7e00908bdd6d420b1c1e3a

Download Submit
C:\Windows\SysWOW64\Cbgjqo32.exe

Filesize
337KB

MD5
b98893862ba943f6e4719acca5d63e6a

SHA1
c23b118e0fbdd565793f68095b6a40a855bd603e

SHA256
82b11bb978e949f9449674b0bcaf670a4781e0eb2b86de4a06ef4d91575d55a7

SHA512
4af55b0c74b292a3cb8ad810ecb4cece8ddef0df50034e86efbbfeba450882b2656c825142d9b9a8735b01231bc85c0b93d99a90fea5acf3f897292a3ebf2bdc

Download Submit
C:\Windows\SysWOW64\Cddjebgb.exe

Filesize
337KB

MD5
c2e42dc3812449a7b55d66dde15ef51d

SHA1
79cbccdd377fe5a1737aeda48c3d0b05aa91cf62

SHA256
8346d68134195f86e002b6f60cce2461bc448cfe6ce82f0d1b9408c1d5bb26aa

SHA512
c3ad986ccaae88e6a968449521664df0d833d9a19918cfe5e3082dddf6f231b13f8d38503e242ea16777395fb0ad5d3ebd0867ef04ec9736660ef086169cf46e

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
337KB

MD5
dd320b322151bd9b9b32d25a70bc04ea

SHA1
1694ac6d48b2e4db54234ac1895f4b6fb7a1287f

SHA256
258d88e6a6aea580b9fbe9fd88027f6c58391b97525afd4241fba7cfd3355395

SHA512
d7343822b5f645bb245b94b17c376447de4cd65859cf5aa6bf55c97a82a0ba53075688d6e84fad5d49f5af3da77a9e2c090638b8caf8eb5e39d5af3b50c1126a

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
337KB

MD5
8a6650c3496744886a081b1bba77a154

SHA1
939a5444325f4d79789176f8c435b425f369821e

SHA256
9742fabfabbe0787dacc81e33b397559c874de41bf7284e5859b960143f83658

SHA512
af9cb1e61293df0a7794a2d7dea9ec88a853858d523914a54f214ca81dc5890e4299521441c51f7fed664a07336c871c90b0f715054a17b3f5e0c756b53106d7

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
337KB

MD5
670cfb6344d153786ce5ec1bd1c4ff0d

SHA1
94124cb491f9e909b8d2ba1497dc7e6ffab675bb

SHA256
fca36e7481180907d3156a6e680604f0bbc84675dc9bc112b5739b4678149c3f

SHA512
ebed2e951b33a0551201976e994c8feddb3534909b661a506ecdafc43993b579c9493e2026039f39b6765880d02e4ef801f93fa6c5cd35b3649ce20fa350a3b5

Download Submit
C:\Windows\SysWOW64\Cinfhigl.exe

Filesize
337KB

MD5
a295ac52eed941a9e22a19693f169ed6

SHA1
c8ca7e971738f213677be83fb020ea423acf3d6b

SHA256
352f9b6664b2b2dbe96afdd214f5799f8d5d6584419681e79e77fa75b213cb55

SHA512
93a5b3e38cd759537dd7ddb6a40ea8fc2296fa54555aa28ed16f29e0d34f68d2b46937ce636e756ac7df12faf7aba8e2d78148a18c0cd6dcff1a66d9d135d87f

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
337KB

MD5
c6da7c46501fd472c55ae7830f6b6631

SHA1
cf56ae202077180553394dd3488d76b27f639979

SHA256
6fe19bfbf06f96176b07a1191ffa4164e41a10006ff9c11131daf6c7d6b4bdfc

SHA512
9dbf7a6876b7026b8182c0a72c56b9a8bfe1a30c1606450ca5ff705003d479cf37e00042db8f3621485f5df4aeed4ac8f5fb25b348617a785951f045e7eac26d

Download Submit
C:\Windows\SysWOW64\Cmjbhh32.exe

Filesize
337KB

MD5
a5864171f52aee1ab63ed9df7a3acbd9

SHA1
c69218621e4de9a7f4b35658ca46114e9a57590f

SHA256
3a7e38d01287df4f410716c7e1b27180a9414b3b5f1ca2fc510b572aef69fc52

SHA512
9c16286481e01edc517d2c36bde6769e988a83019b0c96c19398941b8641178defce134ef8d46bcf4a2585ed1f15e07fcecbeb54392070a994df0a64a66b11c0

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
337KB

MD5
6db8d2f620ead4b9e558980a51ab394e

SHA1
9f84a57b4f664e377493a765b4d19ab7c042f1f4

SHA256
e38e5068bc0c7f0ed31313cc5b347b83e78bff50075dd99d3d33527272be1a37

SHA512
5c0ecd924df5a4d18f16c648c14d0296f257f44340d8c9e82e7d63ae3bcaa6ba5e9fbb9171b4aec61443f46481d1da90f2b1adfc5ce321a6f359333d0767a0af

Download Submit
C:\Windows\SysWOW64\Ohhkjp32.exe

Filesize
337KB

MD5
5829f93c2520f926e511c4015c9e4e4d

SHA1
7d2c22e8889cda1ce8ea233e57bf86c32847cfb2

SHA256
047f59a83e3610b027cb427de5778f34ab79b426a7b5e9e667bfd467999a29a5

SHA512
8c8b29bdd373c20f1df06a02b0b25aa834712c3303025edddff2d304346455420e5e18ea885cc8c2cc0f2788b010e892f546e4ea0a4e1f0eefe996dfa3c837d0

Download Submit
C:\Windows\SysWOW64\Pbnoliap.exe

Filesize
337KB

MD5
af6dd4ba46398de9fb69508713ae190a

SHA1
f00b926233e9c8c50b40de5d973e13ada4bdef40

SHA256
83981cebb62fdb0d6a343b151ed77cedd2073ed1bbcfb895db6b1fe321109770

SHA512
c672a3f8409eee16c1c5f1726664bc3585b33d90f8259d17848f92c1e2e83d91a8e3100f2e9a1166831fb9df1afe731efc0878a2089f13672d546dabdaf92146

Download Submit
C:\Windows\SysWOW64\Picnndmb.exe

Filesize
337KB

MD5
f33b377a33b96b7cabdf7935947a77b2

SHA1
7d64b95617e2b846b41caaa442546fdbcb79b5ed

SHA256
272d53624ecb62199c3f27ed43f8dfc92d5e4a1d423fb1ceb1dfbfb13ab66fd5

SHA512
7f3dbc18078de86c689c785a5c5b65eb50d519fd946ca8492068fe156eff7a7f94437c9d8fe1b892ae472c30f64151bb53ec5a4a0dde0550863a5e73370d23bb

Download Submit
C:\Windows\SysWOW64\Pjldghjm.exe

Filesize
337KB

MD5
f83fdd3add71dd56f97af15c0ee03688

SHA1
3fe3587ee8fa60faaa8ed4faddc6b6af6f502a9f

SHA256
833328a9b567131b9c53753597d7d2b248b582bf688c4094abebd35fa88a5ae8

SHA512
7626491bcd6a2d95d5e7189f2e29474a7673a719e2bd4bc69fbddd5c6155c8b28278b407d70d5424d42cc1c8ce75d2b9df362c3836b54812ec4e30cf8ea8046b

Download Submit
C:\Windows\SysWOW64\Pjnamh32.exe

Filesize
337KB

MD5
9eb57bd97dea848895cef022ed7c6c42

SHA1
b891a843df87a47ef00641556d590e3dff9dbae9

SHA256
73f1543b6c440d67a945da5a5298a5c7c1b8d284b8564709c4d36a7f39059866

SHA512
c44608b402311d200e595d444dae6a659a1e14003f8036897249ea8ebe4ca05301cdad0f394459251f5c813220f00330008317650f381b2bb67b7374c6cc7f72

Download Submit
C:\Windows\SysWOW64\Pmagdbci.exe

Filesize
337KB

MD5
060086894d25c28815f3c9feacdbee2f

SHA1
e9bfaf27c58d2cfb206650886cdf73f21d2bb19e

SHA256
9ebd16544646f2de03bd39a44b531457b00c65031fd8ff8c8e93e6f21ffb0573

SHA512
2349c0272881d656e9defc128f05d923955c164371a866568f659df03607b0fb28a8fdef74cea213cf8a24b314d20b369c1279dbaaeba57eef9fa2ad7ceea340

Download Submit
C:\Windows\SysWOW64\Poapfn32.exe

Filesize
337KB

MD5
7837dff5bb8e6f1a71059367ae43119c

SHA1
bf5f300a7092560e41dbfa84d39c17a4af042651

SHA256
6079c2adb9f18056bb2961a9b5e736ee711714640f16572cf13171caae1a5f69

SHA512
0499459624d14690a8ae909f39012cfa2a171445e954b09fb802649bbda6538685b5843b1b73231955176265216497487514369aa04100bf38a78d802274d201

Download Submit
C:\Windows\SysWOW64\Poocpnbm.exe

Filesize
337KB

MD5
b1bb15e29a3926bcd90b3f320ba0baaf

SHA1
eb80c9026327fae60068fad1d789b1708338d00a

SHA256
544b3070a02c6f3228d454d9c1695298615922832301ae1f86b29a664b3cd484

SHA512
9d0d30fc79ddddcbc7571a77ee9489e21c4ce7c93c553cf4a802a6b9c40b46b6d03e6c365610c2038fdfdba7fab42f7b696f389a8a7c818694becd3d0f1018e8

Download Submit
C:\Windows\SysWOW64\Qbbhgi32.exe

Filesize
337KB

MD5
d3aae23ca43f45a46864082bb0885d23

SHA1
ab92193eacb064344fa9c7641fb3811ea65a0c7a

SHA256
f5b570e63434a27bce12a5f8f5b9e6e3384ac42253215afa75daaab244675eef

SHA512
43c7b3be675c7dede9623421f97f44f54d471589662c870a1e521532677e546df861eedbb9c9e93f23e23a22f85d91338572e517661a40f6ea883d44aa350678

Download Submit
C:\Windows\SysWOW64\Qeohnd32.exe

Filesize
337KB

MD5
bb372b3d1b547e1745e98a841b399dea

SHA1
d7623034a7e7cfbfbc8f50bfeb783edbbc189c2a

SHA256
e800730233196457edd6a7cedf3eda51f5aa96444af9b01073540b88dded83bb

SHA512
dbb8c4c0af3a2e6d12c134a427d1f5acaed174dc3116c8383a2749ac41f3a5485f991cd412ea7b85f45937341d14a7c49f23747b042860a1588b31421c33c6cb

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
337KB

MD5
87f4cd6a91b6aa1d0771cae36891490c

SHA1
393d7a850b8464b666154d807fe0c7aa1ab30bb5

SHA256
511c19f5c87b79f25da7f23c6cb2208ad3607df4e55899b33fdf02630afe8ea4

SHA512
9b49dd39a04532ce61420fdf130dd9c0ae5d77c4686e426d42aedf568fc45cfa0c43a737febf52db2db41937e763d3326eace1edf740d7f1a39cbfddf4ffd3fc

Download Submit
C:\Windows\SysWOW64\Qijdocfj.exe

Filesize
337KB

MD5
677d21b8383a60331ec0e491b2c294cc

SHA1
2278686df9c7ec7881c1e5fb1e9c19a8eb4f181c

SHA256
bd8d535c411d39f50bb2274f130ba5d490b4dfe83af4c631a458f367258f285b

SHA512
50ec7d8ba8b62636e2c3eed356569762c234bba342b56394b63513fd8c380d1311e628b040a946aada78d9123fae16eafe6fd463b7135f53d530cd23d9cad798

Download Submit
C:\Windows\SysWOW64\Qngmgjeb.exe

Filesize
337KB

MD5
744bc766f423d79b1b846b952ed189fc

SHA1
5dbd4ea8dac41ac78ddab9d2ca5fcb57ee3150c7

SHA256
179ed4922fd5f67dece9b6fc5cfcba8b41b529be6d114d362d0ea439b84c2b6f

SHA512
660bfda0f9adec459107ed6bd950663fd184a9991a014ec3dfcf504009fb9248273c5e352d76a81418c6a34fae1af0e7154c6264603d2113197fbefef77ab695

Download Submit
\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
337KB

MD5
5ffeb0fdd4cb9a77356381afd8f3d673

SHA1
8165109d8b7a210f7cad410db790c666ab067dfc

SHA256
03146af2a7473fd3cd6c48c3f383d174a6f6f669dad02b65560a77512e2d577a

SHA512
ba667841958ae2ecb3c1b6ec575ec30256fc5281637abfa9d996a4f1056818c2f054607ef89b805a97e284c16e54970731ce5e92c6d7bfb872df35723131b2e0

Download Submit
\Windows\SysWOW64\Nenobfak.exe

Filesize
337KB

MD5
200e38ea614c74c775f2a9cd59c66cc7

SHA1
2da2e1213458c3583a44d7870d137f341d9cbd22

SHA256
30cae95106268c46db1a065b4ba9d9b96dabc8e9a20a66576b510abe44e131f8

SHA512
5afa69f2cdac48eaeb8babfffc1ff1d86a9fd75450006ddf8a0003eae9256573c386b0d4a2cd896ac39a832b9db722e3ab1f2a8936a5ef80b8516645f0d07856

Download Submit
\Windows\SysWOW64\Nljddpfe.exe

Filesize
337KB

MD5
a80dac006027d11c954b2cee0225c3a1

SHA1
1a6514506463ae9b89dc7c10093336e868c65af2

SHA256
542edae17ca6ab2e783dd4bed366f0047b5ed1e9460dfadd00f289fb0c86efa5

SHA512
7a64eee643d29b3049befbbebbb1deeae17759aa4e50d4bdabab707b30f9c1a15d2c869b081745c8de020ca858799f28fda7cd17767b28e10ea9778a53c2569f

Download Submit
\Windows\SysWOW64\Nmbknddp.exe

Filesize
337KB

MD5
e6e539793583e437d7c2b24eae38158c

SHA1
142b207c8b75c84efc389f6294b3aa83b7362adf

SHA256
c6193da4d448d1c1be5a257657b6d3ec424f04867f5c40e1afedfcfbd4be0efe

SHA512
1b44a706cec42c5a9d206c38574c3255b846f8c976ec4f1e683334805b21a2105cb77c08789678a661fcfaa36ba6373622bd141882233c6a0e187702fb697fe0

Download Submit
\Windows\SysWOW64\Oancnfoe.exe

Filesize
337KB

MD5
f21d740c41dce6d547379ae10ea9fb89

SHA1
8a70626b4e3da99aecf1c48536e060dbc168a8c2

SHA256
29b7724e6a1192dc5bb462fe7fa8a30a7fc72c32f585463e6c11d73a35386267

SHA512
499174b51f75a46f6758e6230804270e482a25fc12df4d93b4669492deee2d76b0243685e632f3f7832e22e3261d0a67c04112f635d788e7a0a763ef44d82c04

Download Submit
\Windows\SysWOW64\Ocfigjlp.exe

Filesize
337KB

MD5
fdf038bfb73fa660abcc537dd3e1f7ac

SHA1
4878ff76f757ac2da7a28f37ff5e0a43eabd8f87

SHA256
42fb27a060cc4aedadfedef83cbce75bbc20a04bb8c432a7bfec33871473754d

SHA512
bbccf50e7d263c1b56aa09392278eaa9d79129cdc4ec1d83534ee742ff5ba44635e02ee62737571f23f4955dc2af3784383258f48b53421e84dc09031407eeda

Download Submit
\Windows\SysWOW64\Odjbdb32.exe

Filesize
337KB

MD5
fb2c6409fae07523e381bb92e1b21a9e

SHA1
e5bc0f49d28e11dba50dc48577b60348ac0cac6a

SHA256
747c66dda9a1d326ee4ae9d07ebed943db4f87653b43edf63a75a9cc28597890

SHA512
c9ddd9f153a976daa35f8bc72274dc20fea0e9214c0d25373fcf9fe6a18aafd2cca26d40a61a3dac8a97e7cb1c20c848a084f3d88311a8a56e1c827bc1961f93

Download Submit
\Windows\SysWOW64\Ohaeia32.exe

Filesize
337KB

MD5
f4288b5b7535a7553abb99a8f567b384

SHA1
89b55ea37d192ba467a36207a0f3c2db7ace6bf7

SHA256
07f19fc6f5bdea20612fe89017fa9821ac2f5d4addf18e815ce2a1b8354e9556

SHA512
0df4a2cf21beabf807edcbd29edae82b7300d89f9704eab2f597aef6c0267015231ada410b949f988beec7d0c8fa2423769b02503742b2eab03834d1e86c64aa

Download Submit
\Windows\SysWOW64\Oomjlk32.exe

Filesize
337KB

MD5
569fe538362d94fc9e1d974557858252

SHA1
06f2a563896f0e8a7c73088ab2f0b9a0af7176c3

SHA256
d71201954547b23a7aae112db609ccebd34dd56ef708072044b3c9b89c1e75f9

SHA512
b26c9faa63a76d306921d8d887d1d846f0b9026a943d7fa644df7c085e0a0ec0528c11d314bd953cc705c2b23bfaf40c2baa28ecf060a355d17623902b45ac75

Download Submit
\Windows\SysWOW64\Oqcpob32.exe

Filesize
337KB

MD5
a541b756a057171e29eba8ef86d62a7a

SHA1
f4f746cf64ea03d32dce91452f1e58294ba7aecc

SHA256
d5f7c93b4beb602d4db85341ecac7880b2c3a3dc6e39b44b87020d4ce8d826f8

SHA512
ef22cdd69e42970999d8c7a78689a7ad994f89b726f14a33eef96f392d5a2d21915166003b0ccff1af3b98f604a1602025b99d52f3136ee31cdc357aba3e2dd2

Download Submit
\Windows\SysWOW64\Pfdabino.exe

Filesize
337KB

MD5
915535cc95f6cf871b67e6a91c65fe50

SHA1
395e7585e3e26045e6ee34641a5f30a954709095

SHA256
e0ee07ef9f16e891c4c241e70c2f00e334f89c0eda60faf09f581e74fca9ec74

SHA512
81aa67a4ccad40cde2043800d1a793df160707faea7744e6a6cf97932be0ede14a35f9961a4f21570dcaced5324a93756680671cb9b3104d5de34180c4d3113c

Download Submit
\Windows\SysWOW64\Pgpeal32.exe

Filesize
337KB

MD5
1097ec3e8586bc0025958dc721175130

SHA1
83311039251917ee36fb56a9412540df64d068f1

SHA256
d15f713ce62ba74a77f5a3957b228b4ff9ffe2753326dd162e9d8591b960cd19

SHA512
f993e97c7ca389f707be94a57a5931ff92d7d9b3bb3b5ee52a32a7bfa49c8274390b6d5be3c72b7879ad1ab41561f42cc74a1a27d1c6c2b6080b22fd57a2b33a

Download Submit
memory/300-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/300-173-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/344-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/344-81-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/344-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/344-414-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/576-852-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-247-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/752-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-839-0x0000000076B20000-0x0000000076C3F000-memory.dmp

Filesize
1.1MB

Download
memory/1008-313-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1008-312-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1008-840-0x0000000076C40000-0x0000000076D3A000-memory.dmp

Filesize
1000KB

Download
memory/1240-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-459-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1304-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-425-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1376-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-266-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1636-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-833-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-204-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1688-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-259-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1784-306-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1784-310-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1784-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-227-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1812-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-90-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1856-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-299-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1908-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-436-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1964-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-108-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2032-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-240-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2084-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-279-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2172-390-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2172-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-402-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2180-401-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2184-449-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2184-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-447-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2236-218-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2236-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-163-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2324-461-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2324-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-135-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2360-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-289-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2524-366-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2524-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-410-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2540-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-53-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2584-391-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2584-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-379-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2596-35-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2596-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-357-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2624-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-144-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2640-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2724-11-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2724-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-347-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2848-437-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2848-435-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2852-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-324-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2852-323-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2876-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-334-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2876-336-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2896-117-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2896-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-342-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2936-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-26-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2936-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-62-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads