berbew | 5195591a75517f9cd0e44c218e5aa0ccd27fd9c27d89a3b7ee80a0247c00f97d

Analysis

max time kernel
26s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/10/2024, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5195591a75517f9cd0e44c218e5aa0ccd27fd9c27d89a3b7ee80a0247c00f97dN.exe
Size

90KB
MD5

1a93d482318f253f9ea95f21c23944a0
SHA1

b854eb2fa528be4d90e9c91a64b84f0c01990e73
SHA256

5195591a75517f9cd0e44c218e5aa0ccd27fd9c27d89a3b7ee80a0247c00f97d
SHA512

75910d8c7a57e70cc2cf9965c9720ab4c6a79c7bc7b9d63352c96231c68ee476ba9dfaf454733e7e8dda4d781078bf96eb7e2eb94f3ad980a2a5e868f8db1909
SSDEEP

1536:bxPLb1pNrwSuEM6LXpCAxFAk7o6JWDGu4Sy9kIGmu/Ub0VkVNK:bBdd7bLXsAxFAG5eACIGmu/Ub0+NK

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnimnfpc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgbafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apoooa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcibkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjldghjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5195591a75517f9cd0e44c218e5aa0ccd27fd9c27d89a3b7ee80a0247c00f97dN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Achojp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqccfed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjldghjm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amcpie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onbgmg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oappcfmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poapfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aijpnfif.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2132	Onbgmg32.exe
2812	Oqacic32.exe
2700	Okfgfl32.exe
2664	Oappcfmb.exe
536	Ocalkn32.exe
956	Pjldghjm.exe
2140	Pqemdbaj.exe
400	Pcdipnqn.exe
2968	Pnimnfpc.exe
3008	Pqhijbog.exe
3016	Pgbafl32.exe
2768	Pjpnbg32.exe
1064	Pqjfoa32.exe
2176	Pcibkm32.exe
3060	Pjbjhgde.exe
2172	Pmagdbci.exe
844	Pbnoliap.exe
2392	Pdlkiepd.exe
1324	Pkfceo32.exe
1308	Poapfn32.exe
1696	Qeohnd32.exe
928	Qijdocfj.exe
1292	Qbbhgi32.exe
1864	Qqeicede.exe
996	Qgoapp32.exe
2720	Qjnmlk32.exe
2644	Acfaeq32.exe
1984	Akmjfn32.exe
596	Ajpjakhc.exe
1048	Aeenochi.exe
2080	Achojp32.exe
2508	Amqccfed.exe
2628	Aaloddnn.exe
3028	Apoooa32.exe
2920	Ajecmj32.exe
2280	Amcpie32.exe
552	Apalea32.exe
2052	Afkdakjb.exe
1080	Ajgpbj32.exe
768	Aijpnfif.exe
1076	Afnagk32.exe
1364	Bilmcf32.exe
288	Bpfeppop.exe
1392	Biojif32.exe
2296	Bhajdblk.exe
1312	Bphbeplm.exe
1616	Bajomhbl.exe
2164	Beejng32.exe
2288	Bhdgjb32.exe
2620	Bjbcfn32.exe
380	Balkchpi.exe
2988	Behgcf32.exe
2404	Bdkgocpm.exe
3032	Bjdplm32.exe
2912	Bmclhi32.exe
2300	Bdmddc32.exe
876	Bfkpqn32.exe
1820	Bkglameg.exe
2056	Bobhal32.exe
444	Baadng32.exe
960	Cpceidcn.exe
1260	Cfnmfn32.exe
852	Ckiigmcd.exe
2272	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2840	5195591a75517f9cd0e44c218e5aa0ccd27fd9c27d89a3b7ee80a0247c00f97dN.exe
2840	5195591a75517f9cd0e44c218e5aa0ccd27fd9c27d89a3b7ee80a0247c00f97dN.exe
2132	Onbgmg32.exe
2132	Onbgmg32.exe
2812	Oqacic32.exe
2812	Oqacic32.exe
2700	Okfgfl32.exe
2700	Okfgfl32.exe
2664	Oappcfmb.exe
2664	Oappcfmb.exe
536	Ocalkn32.exe
536	Ocalkn32.exe
956	Pjldghjm.exe
956	Pjldghjm.exe
2140	Pqemdbaj.exe
2140	Pqemdbaj.exe
400	Pcdipnqn.exe
400	Pcdipnqn.exe
2968	Pnimnfpc.exe
2968	Pnimnfpc.exe
3008	Pqhijbog.exe
3008	Pqhijbog.exe
3016	Pgbafl32.exe
3016	Pgbafl32.exe
2768	Pjpnbg32.exe
2768	Pjpnbg32.exe
1064	Pqjfoa32.exe
1064	Pqjfoa32.exe
2176	Pcibkm32.exe
2176	Pcibkm32.exe
3060	Pjbjhgde.exe
3060	Pjbjhgde.exe
2172	Pmagdbci.exe
2172	Pmagdbci.exe
844	Pbnoliap.exe
844	Pbnoliap.exe
2392	Pdlkiepd.exe
2392	Pdlkiepd.exe
1324	Pkfceo32.exe
1324	Pkfceo32.exe
1308	Poapfn32.exe
1308	Poapfn32.exe
1696	Qeohnd32.exe
1696	Qeohnd32.exe
928	Qijdocfj.exe
928	Qijdocfj.exe
1292	Qbbhgi32.exe
1292	Qbbhgi32.exe
1864	Qqeicede.exe
1864	Qqeicede.exe
996	Qgoapp32.exe
996	Qgoapp32.exe
2720	Qjnmlk32.exe
2720	Qjnmlk32.exe
2644	Acfaeq32.exe
2644	Acfaeq32.exe
1984	Akmjfn32.exe
1984	Akmjfn32.exe
596	Ajpjakhc.exe
596	Ajpjakhc.exe
1048	Aeenochi.exe
1048	Aeenochi.exe
2080	Achojp32.exe
2080	Achojp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Biojif32.exe	Bpfeppop.exe
File opened for modification	C:\Windows\SysWOW64\Bjbcfn32.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Qbbhgi32.exe	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Hjphijco.dll	Ajgpbj32.exe
File opened for modification	C:\Windows\SysWOW64\Achojp32.exe	Aeenochi.exe
File created	C:\Windows\SysWOW64\Okbekdoi.dll	Aeenochi.exe
File created	C:\Windows\SysWOW64\Afkdakjb.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Bhdgjb32.exe	Beejng32.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Oappcfmb.exe	Okfgfl32.exe
File created	C:\Windows\SysWOW64\Hjojco32.dll	Qqeicede.exe
File created	C:\Windows\SysWOW64\Bmnbjfam.dll	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Afnagk32.exe	Aijpnfif.exe
File opened for modification	C:\Windows\SysWOW64\Bdmddc32.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Oepbgcpb.dll	Oappcfmb.exe
File created	C:\Windows\SysWOW64\Qeohnd32.exe	Poapfn32.exe
File opened for modification	C:\Windows\SysWOW64\Bmclhi32.exe	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Qijdocfj.exe	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Balkchpi.exe	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Apalea32.exe	Amcpie32.exe
File created	C:\Windows\SysWOW64\Aijpnfif.exe	Ajgpbj32.exe
File opened for modification	C:\Windows\SysWOW64\Bpfeppop.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Biojif32.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Aalpaf32.dll	Pgbafl32.exe
File opened for modification	C:\Windows\SysWOW64\Qjnmlk32.exe	Qgoapp32.exe
File created	C:\Windows\SysWOW64\Paenhpdh.dll	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Pdlkiepd.exe	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Aipheffp.dll	Pdlkiepd.exe
File created	C:\Windows\SysWOW64\Lbbjgn32.dll	Pkfceo32.exe
File opened for modification	C:\Windows\SysWOW64\Qeohnd32.exe	Poapfn32.exe
File created	C:\Windows\SysWOW64\Aeenochi.exe	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Ghkekdhl.dll	Onbgmg32.exe
File opened for modification	C:\Windows\SysWOW64\Pcibkm32.exe	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Cifmcd32.dll	Biojif32.exe
File created	C:\Windows\SysWOW64\Hqlhpf32.dll	Bhdgjb32.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Achojp32.exe	Aeenochi.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Afnagk32.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Bilmcf32.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Pjldghjm.exe	Ocalkn32.exe
File opened for modification	C:\Windows\SysWOW64\Aijpnfif.exe	Ajgpbj32.exe
File created	C:\Windows\SysWOW64\Lgahjhop.dll	Afnagk32.exe
File opened for modification	C:\Windows\SysWOW64\Bajomhbl.exe	Bphbeplm.exe
File opened for modification	C:\Windows\SysWOW64\Balkchpi.exe	Bjbcfn32.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Okfgfl32.exe	Oqacic32.exe
File created	C:\Windows\SysWOW64\Amcpie32.exe	Ajecmj32.exe
File created	C:\Windows\SysWOW64\Hbappj32.dll	Amcpie32.exe
File created	C:\Windows\SysWOW64\Mmdgdp32.dll	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Behgcf32.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Onbgmg32.exe	5195591a75517f9cd0e44c218e5aa0ccd27fd9c27d89a3b7ee80a0247c00f97dN.exe
File opened for modification	C:\Windows\SysWOW64\Okfgfl32.exe	Oqacic32.exe
File created	C:\Windows\SysWOW64\Ajgpbj32.exe	Afkdakjb.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Balkchpi.exe
File opened for modification	C:\Windows\SysWOW64\Pcdipnqn.exe	Pqemdbaj.exe
File created	C:\Windows\SysWOW64\Nmqalo32.dll	Pcdipnqn.exe
File opened for modification	C:\Windows\SysWOW64\Akmjfn32.exe	Acfaeq32.exe
File opened for modification	C:\Windows\SysWOW64\Afnagk32.exe	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	Balkchpi.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Bmclhi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2072	2272	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocalkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdipnqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poapfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apoooa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjldghjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqemdbaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqacic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbbhgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjfoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onbgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbjhgde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oappcfmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeohnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgbafl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmagdbci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnimnfpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphbeplm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajecmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqhijbog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdlkiepd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biojif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeenochi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajgpbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkfceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjnmlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5195591a75517f9cd0e44c218e5aa0ccd27fd9c27d89a3b7ee80a0247c00f97dN.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnbjfam.dll"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmdic32.dll"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgbafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenhpdh.dll"	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepbgcpb.dll"	Oappcfmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll"	Pcdipnqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll"	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okfgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhfgj32.dll"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqacic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eebghjja.dll"	Okfgfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkekdhl.dll"	Onbgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjldghjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqacic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofpoogh.dll"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll"	Biojif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohjlnjk.dll"	Oqacic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aipheffp.dll"	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll"	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcdipnqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajpjakhc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2132	2840	5195591a75517f9cd0e44c218e5aa0ccd27fd9c27d89a3b7ee80a0247c00f97dN.exe	30
PID 2840 wrote to memory of 2132	2840	5195591a75517f9cd0e44c218e5aa0ccd27fd9c27d89a3b7ee80a0247c00f97dN.exe	30
PID 2840 wrote to memory of 2132	2840	5195591a75517f9cd0e44c218e5aa0ccd27fd9c27d89a3b7ee80a0247c00f97dN.exe	30
PID 2840 wrote to memory of 2132	2840	5195591a75517f9cd0e44c218e5aa0ccd27fd9c27d89a3b7ee80a0247c00f97dN.exe	30
PID 2132 wrote to memory of 2812	2132	Onbgmg32.exe	31
PID 2132 wrote to memory of 2812	2132	Onbgmg32.exe	31
PID 2132 wrote to memory of 2812	2132	Onbgmg32.exe	31
PID 2132 wrote to memory of 2812	2132	Onbgmg32.exe	31
PID 2812 wrote to memory of 2700	2812	Oqacic32.exe	32
PID 2812 wrote to memory of 2700	2812	Oqacic32.exe	32
PID 2812 wrote to memory of 2700	2812	Oqacic32.exe	32
PID 2812 wrote to memory of 2700	2812	Oqacic32.exe	32
PID 2700 wrote to memory of 2664	2700	Okfgfl32.exe	33
PID 2700 wrote to memory of 2664	2700	Okfgfl32.exe	33
PID 2700 wrote to memory of 2664	2700	Okfgfl32.exe	33
PID 2700 wrote to memory of 2664	2700	Okfgfl32.exe	33
PID 2664 wrote to memory of 536	2664	Oappcfmb.exe	34
PID 2664 wrote to memory of 536	2664	Oappcfmb.exe	34
PID 2664 wrote to memory of 536	2664	Oappcfmb.exe	34
PID 2664 wrote to memory of 536	2664	Oappcfmb.exe	34
PID 536 wrote to memory of 956	536	Ocalkn32.exe	35
PID 536 wrote to memory of 956	536	Ocalkn32.exe	35
PID 536 wrote to memory of 956	536	Ocalkn32.exe	35
PID 536 wrote to memory of 956	536	Ocalkn32.exe	35
PID 956 wrote to memory of 2140	956	Pjldghjm.exe	36
PID 956 wrote to memory of 2140	956	Pjldghjm.exe	36
PID 956 wrote to memory of 2140	956	Pjldghjm.exe	36
PID 956 wrote to memory of 2140	956	Pjldghjm.exe	36
PID 2140 wrote to memory of 400	2140	Pqemdbaj.exe	37
PID 2140 wrote to memory of 400	2140	Pqemdbaj.exe	37
PID 2140 wrote to memory of 400	2140	Pqemdbaj.exe	37
PID 2140 wrote to memory of 400	2140	Pqemdbaj.exe	37
PID 400 wrote to memory of 2968	400	Pcdipnqn.exe	38
PID 400 wrote to memory of 2968	400	Pcdipnqn.exe	38
PID 400 wrote to memory of 2968	400	Pcdipnqn.exe	38
PID 400 wrote to memory of 2968	400	Pcdipnqn.exe	38
PID 2968 wrote to memory of 3008	2968	Pnimnfpc.exe	39
PID 2968 wrote to memory of 3008	2968	Pnimnfpc.exe	39
PID 2968 wrote to memory of 3008	2968	Pnimnfpc.exe	39
PID 2968 wrote to memory of 3008	2968	Pnimnfpc.exe	39
PID 3008 wrote to memory of 3016	3008	Pqhijbog.exe	40
PID 3008 wrote to memory of 3016	3008	Pqhijbog.exe	40
PID 3008 wrote to memory of 3016	3008	Pqhijbog.exe	40
PID 3008 wrote to memory of 3016	3008	Pqhijbog.exe	40
PID 3016 wrote to memory of 2768	3016	Pgbafl32.exe	41
PID 3016 wrote to memory of 2768	3016	Pgbafl32.exe	41
PID 3016 wrote to memory of 2768	3016	Pgbafl32.exe	41
PID 3016 wrote to memory of 2768	3016	Pgbafl32.exe	41
PID 2768 wrote to memory of 1064	2768	Pjpnbg32.exe	42
PID 2768 wrote to memory of 1064	2768	Pjpnbg32.exe	42
PID 2768 wrote to memory of 1064	2768	Pjpnbg32.exe	42
PID 2768 wrote to memory of 1064	2768	Pjpnbg32.exe	42
PID 1064 wrote to memory of 2176	1064	Pqjfoa32.exe	43
PID 1064 wrote to memory of 2176	1064	Pqjfoa32.exe	43
PID 1064 wrote to memory of 2176	1064	Pqjfoa32.exe	43
PID 1064 wrote to memory of 2176	1064	Pqjfoa32.exe	43
PID 2176 wrote to memory of 3060	2176	Pcibkm32.exe	44
PID 2176 wrote to memory of 3060	2176	Pcibkm32.exe	44
PID 2176 wrote to memory of 3060	2176	Pcibkm32.exe	44
PID 2176 wrote to memory of 3060	2176	Pcibkm32.exe	44
PID 3060 wrote to memory of 2172	3060	Pjbjhgde.exe	45
PID 3060 wrote to memory of 2172	3060	Pjbjhgde.exe	45
PID 3060 wrote to memory of 2172	3060	Pjbjhgde.exe	45
PID 3060 wrote to memory of 2172	3060	Pjbjhgde.exe	45

C:\Users\Admin\AppData\Local\Temp\5195591a75517f9cd0e44c218e5aa0ccd27fd9c27d89a3b7ee80a0247c00f97dN.exe
"C:\Users\Admin\AppData\Local\Temp\5195591a75517f9cd0e44c218e5aa0ccd27fd9c27d89a3b7ee80a0247c00f97dN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\Onbgmg32.exe
  C:\Windows\system32\Onbgmg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\Oqacic32.exe
    C:\Windows\system32\Oqacic32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\Okfgfl32.exe
      C:\Windows\system32\Okfgfl32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\Oappcfmb.exe
        
        C:\Windows\system32\Oappcfmb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\Ocalkn32.exe
        
        C:\Windows\system32\Ocalkn32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Pjldghjm.exe
        
        C:\Windows\system32\Pjldghjm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Pqemdbaj.exe
        
        C:\Windows\system32\Pqemdbaj.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Pcdipnqn.exe
        
        C:\Windows\system32\Pcdipnqn.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Pnimnfpc.exe
        
        C:\Windows\system32\Pnimnfpc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Pqhijbog.exe
        
        C:\Windows\system32\Pqhijbog.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Pgbafl32.exe
        
        C:\Windows\system32\Pgbafl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Pjpnbg32.exe
        
        C:\Windows\system32\Pjpnbg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Pqjfoa32.exe
        
        C:\Windows\system32\Pqjfoa32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Pcibkm32.exe
        
        C:\Windows\system32\Pcibkm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Pjbjhgde.exe
        
        C:\Windows\system32\Pjbjhgde.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Pmagdbci.exe
        
        C:\Windows\system32\Pmagdbci.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\Pdlkiepd.exe
        
        C:\Windows\system32\Pdlkiepd.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Pkfceo32.exe
        
        C:\Windows\system32\Pkfceo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Poapfn32.exe
        
        C:\Windows\system32\Poapfn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\Qbbhgi32.exe
        
        C:\Windows\system32\Qbbhgi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:596
        
        C:\Windows\SysWOW64\Aeenochi.exe
        
        C:\Windows\system32\Aeenochi.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Ajgpbj32.exe
        
        C:\Windows\system32\Ajgpbj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:288
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 140
        66⤵
        Program crash
        
        PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
90KB

MD5
3aa1a4696e07e00ebaa5a574e60d8aa4

SHA1
e823cb4cfca7fec6edd8dee2345918f884412b89

SHA256
acaa6be882f34fea8c0b9ae19947625b30c88f7b767be721431c0659303917c4

SHA512
eddec910edda243347c73d4eaf72d9296ffaec8a8319007fa06728be5425a5f85df5f8320a2b57ca1e3adc093d84c4b3e1c57214dcd3ba4e637c49cfec4a1128

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
90KB

MD5
64712e3caf4f2ff9183c872d2981b92b

SHA1
38ba0c9b9416055e9ca822d54424c58542d07fb1

SHA256
b6464f0129e1abd3d7c63e86b11bf2dfd36804b459f9d80399aaa0153eccdaa1

SHA512
74c4f4a1e8cdaecb913d709e3560138d6153d8bb97defe3cfd6ac884a8fef582eadd79d92859e4953ea7095788481aa9c64f337301f32c884ee1f79826232908

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
90KB

MD5
b7591f065f5db6b6821c1f4dccd9ad78

SHA1
4632a8773d0ee0add98bb94473693ff843c45170

SHA256
0cde65cefb3e68602ff4ab4917204a9827409729604fa9db317708b2b6ab298f

SHA512
6bf2a60d5d12f043f21a54aad3608ebd6c52afb005e6887f98d774c2fe47b5eef0af2ce443d3aa8104bfa627f650ffb9af7c12cf55740a76c447898ca22776d1

Download Submit
C:\Windows\SysWOW64\Aeenochi.exe

Filesize
90KB

MD5
4d0b0bbdf5bc85df0444c48339e68d08

SHA1
608239d0840b03d2a174fb4558de9aec54bf8ee4

SHA256
b399dc43d1abe7502cdb215f6021691e79e3c31da336a2d7e455cfa149a79956

SHA512
8e98d2ef41628611385ff9da7ad1840866571763f447b880c40b342de5dd4eeeb8dc1920b9e5ef45bfaf482b59c288e7bad6c5277b64d1b72d187c8dc2de577e

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
90KB

MD5
c3aed557ede1e5c700825071813856f0

SHA1
33d9e8cd68d90440bfb8f2b4c72ab50462aae73e

SHA256
e07cca5c8e8b67c8bf86a43396d04acdd94012c71c0fa4725c44da3816483ed2

SHA512
da9d9cc79cc24f2dcc19a8331ab04dc3bdff94f4fdea02734d3d4c1931768edd3526bcb0a3e27d94141b4437d42697e18f63671bbdb8164a9d132d5f8d0212ba

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
90KB

MD5
e7ad86686374b342849f9a101e8565de

SHA1
c7acbf047e047fb9d4ff00d84094d84e986beda7

SHA256
788525fca974fa9cf3c9b0eafcee3c519b4748d8f74ea8bbed1d319fd1e7d630

SHA512
49d029a072b6dd4f25cd1d52b25c4d6db2e41d995c0b8206d9f2da1bff8e0d594a62833487f405cb214396f84bf64f773d4d8775e8d0aca65ab0d6015622f4f1

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
90KB

MD5
b061bd73a4e8278a4cbd97c299fae8ed

SHA1
f44a1dde9e72e434357b2ab57e923e9c906ec8a1

SHA256
de6165c4d3c1a966c4c46fd69e9e8b3e58a56eb82eeee754a71152ef3c618221

SHA512
bb0f1ed39d78a4438899df39e747244fa67aa030c9159e3131ce9507a5567bd9936cee3f18dd2bf6fd98f6906d3856f71c43bc785e9ee1f1be290329eab5234e

Download Submit
C:\Windows\SysWOW64\Ajecmj32.exe

Filesize
90KB

MD5
13e443f0eb34b415701a58a218b98e0b

SHA1
64a3dd1cc12241d2764a2d883e312f7a5bd86e40

SHA256
8905c9fd106b41369d711ddeef0ac96a3a76094d9767b0157f7d06b0a78e0d21

SHA512
695761311c6209b57fb928012f6e0ca39ec5180ea682fd5b9fea450aa350f092ab76b1ca650aa4e78e691f716081380dbab2d847c86042eb0d1a7bf295e69b94

Download Submit
C:\Windows\SysWOW64\Ajgpbj32.exe

Filesize
90KB

MD5
81f5773969420e962d9dd2f12ad75bd7

SHA1
9e843ee3385d0a7a9e1be18bfc32fcd2fe956cd2

SHA256
45611e6ff7dcb1a418f3d7fe4b4c8cafeea0d1d6868e6df36c814e78af179f23

SHA512
40718e924c30fd2f7721d8e86c3319718954f3384317c0e030d995766691f759b7aff81dceeb3ac28e4a0ec8b93451570645a41a8a3b5f11a7c4a1f92a2b7c34

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
90KB

MD5
3cfaf02f30751804f0e750ba5317971c

SHA1
5b0fe3872d1986c5a8899865c1008fcbde700a2a

SHA256
6a046e58a92529bfff92b6905284e9582f1b6fdcfa56cb714bebd622b7899281

SHA512
baa8074e64c4f85f92a1d2d5af06c0cccee1bb3c84fc4ed277ccc4c152a7f33fa684edd53ca6a0d648acf24db4df2e85bc1c9cda87314da5e84507100c48b468

Download Submit
C:\Windows\SysWOW64\Akmjfn32.exe

Filesize
90KB

MD5
72bb8bee21f3a94af0c2bd1ee6ab31fb

SHA1
a0c43c6f04a1e858bfd620aac9af6f40e4bf25b9

SHA256
948e17cf807a925fd1e5d1be496e29441e6a9b5e3e9cc3ec4d88c6dacb4f47ea

SHA512
b2ff65db676a0e16cbf67b0c4741d15e09577f921a48ff7cfc7e7cd773e403545df8974369848a466dc55df29f0467709847f648fc8c6bab5c6e162466c43607

Download Submit
C:\Windows\SysWOW64\Amcpie32.exe

Filesize
90KB

MD5
35e691d3d4e9990b4bec05ada76e3e22

SHA1
4cef296c0d8b6bdeee42ff02dc9d54f46263b11c

SHA256
365a4b525d3ba22c64c1cce6bebd9db479a45f0b2f42c1219a5e95411b02b7bd

SHA512
c9119b8e96e00a331ef35bafd3167ee099e970c1389207bcebf4b2f6b6f4ff376f3871054523d880be7e17b13394b09031873299ef9b60dd1baa3eadb5f015a3

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
90KB

MD5
0ee38fae6c3524475b74b543cb60806b

SHA1
02651c6c6ef75fdd2956aabd05901e4cc8478fd5

SHA256
b06d5d3f6b7562b85218d62fcda75c11bf6049a96117f7239e0fb4be58aa77a3

SHA512
6019d13fe3fa5a2bc50914a0de20a2408fb0b3ede8900b626f17c0e46a1f73f25ce5a1458ecb624b364ead782a7c4865dd7661bc5717d32510b06452b932674b

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
90KB

MD5
872ba0667b57020c80e5cfadf3e25c4d

SHA1
c05c68067153293b0bee53238230b19dad575994

SHA256
dd13fb0b366c72c3284977e2f5d990c0540960a01650e94428a6451fccf11fcc

SHA512
a24d69619a5b080c5f42dd6d0fd88afb1896d60d7acb61486cd1ffe8e7c9e3ff1b1d5d7cb04d4f525358e2201405b9cf3c01d8581db39468b56c92d35a228a18

Download Submit
C:\Windows\SysWOW64\Apoooa32.exe

Filesize
90KB

MD5
673fb6df62b340a3848051c982ae39f6

SHA1
30d93f08e27f952b39e1e7fb3e9e174501b85c52

SHA256
1a2dfc68cc3f4964474b9a38ddd6733b199e1585ef38c0dd00d1173e3ea47d3b

SHA512
ca398b90988fa1a5f79660d68d1e3ad1a00a079fdb47e7de55515b467ef753a9a6576fcd85182fdec36929e816c81b35effb8fb1df8cf32818cb9fb9dcdda3f1

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
90KB

MD5
5ed62a424141ed476ffc8211541a88d4

SHA1
6ccd061d5eba31a34510f29e6af64765ae86e2ff

SHA256
7b53a8bc2bd533d6328f479e44ce9d5fda8b23846a190807f43526cb1feedc0a

SHA512
5e76d0fc98eda4270c3117b5a4aaaf9ebd66d498b4c0427e1182afa9cf0059eb86ef9b63f93759805fdc7a1c391f6920768d5847abd5912d829172deb0c29f34

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
90KB

MD5
caccf3142f563871d7b3a4244b36462e

SHA1
1a6fdf17d18ab8f648fd279b95edf56919f20ec5

SHA256
2ad28234731fca97508b4c4b8942e95b8fec08830c59e6a563c3876f2b242be6

SHA512
8633595e0002772b93f532fb2212d2c62e7cf2b4d026e24651ac7aac6347236124e349f05d4d054738732b3fddd72f158ca9b860b23b08a8bc9295f201d9bb69

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
90KB

MD5
119c1dc0f8679e6ca9ffd7a4b7a8655b

SHA1
dc3fbd112c6a5de147be343b796d14665931b4b8

SHA256
3b30b24bbd005e5ca0c4e42e5308dded3a9471adab20767eda2b8288720faca5

SHA512
67a9f8b824047647ef07de7e4761668f22cacef97245c888378a10913dd80db166f02c9e9b6f383b524f29147c798ea626566495599d2f14dd4ac8d10fd60d29

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
90KB

MD5
6a1ced1708bc21f20d404dfabafb997c

SHA1
3900e7b97e2bd038215546aea71fe3b80ae65b35

SHA256
46316e6e26c87469e707d226a6db3bbfd167a7f813f01322480391ea082b95d7

SHA512
ea6f18f7eefea42cb02afbf995d844d687a3e46d54b95d3d70021e3842c8e2bd608013b56c5a26ca5d03ec43bf21e04423c6b13085be96b886d67bbcde2ac20b

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
90KB

MD5
8e18f83e707d6026266b4f18c716de9e

SHA1
3465aeda892383882b2868d9613d2251e741eb31

SHA256
4886fb791a0034715a664ed573531ba2e0d17cd96160119d009a7cf50585e076

SHA512
be8e9da2221993824293a6c033bd678d526ebd045663202c1bc343ee0a111c1b5ee97e253f52afb0f23ed69e997fe470b68bcf04e48c5b21159f24bc50be1fcf

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
90KB

MD5
b23f392739e4e460091a2b0255639c71

SHA1
af5ccdd0af2a2b0034fb725514aea8372b262c15

SHA256
b31843912bb789bd72b45aefeef80e151784474004b84653e43d4e2d30ba231b

SHA512
81b0d28ccc41373a53664c89906c86a021cb1d730cb8ce95c57ca1eea681a040162a755548d3e1f4571b2d8fb782a07eb571ad2b4bca4a724926c068b5f20488

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
90KB

MD5
a46b65028d62b8fef13cb7f0bc5e9fb4

SHA1
2d75542514043907f1e9a2bfc6a7ccd17d1e6f01

SHA256
2d8f87a808864ccc62a6f3b831439f311ab88011f0bb1e6419b847806044d251

SHA512
91ba7cc8add747b6b334389c493dc6dea844a45e08aad1e30a4a3d9dd3c1c89a93d3b94d60c0cb9ae1016217b843197d8de5cdfda81cb06fa46dabcad945ffea

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
90KB

MD5
c8d125fa6db90c642ca7990aeca41434

SHA1
20e749500fde86a4cf2f67ba10e1a4642ca1a340

SHA256
01994beb7a114ba3896c5123f7550eea142266a64ada9492bd245cb79efe0e10

SHA512
c5898a1fc3b32a13f7ae4c9d8e510b9d3eed7bbda7af712b9c2bc03852ac9ff50504016b3f4b09dcd8a48eafaa09a399262a15dae006d7526b2040c1d24c7441

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
90KB

MD5
e8a8cc9762217e52f8c071f7ce5741d0

SHA1
c688399bafb1497c7c6ebd7730f26a4e881e9f5a

SHA256
5cf4e163c670893ccf3db1c82deea1134545ab929d7857a8950277fb19671dab

SHA512
7e3e267db5b366cac5b6064cf17bddefb5208fe2f76163788b1c982a67ca4b30a00bcc155fd0d9cb5079e16d1876b2b10104529fcdf3ca1551df4f3bed95649a

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
90KB

MD5
48afbe5b6aa04d7b54eec174e12339cd

SHA1
62b60da53c18b1a90ca9212b548a435ec4084030

SHA256
5fb0c0e9f487333e2d2cf57ef496d67b38464eb56911c89bbe656a6ece24ff94

SHA512
67d8ab8e02f5dc8681d37ea88c71efb967862747b394fa0be0cf8cf38c21c56c9df743060572f919cd9663d1c3de9fce7ae220353a104a06eb99d55c6e567ab7

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
90KB

MD5
6ad6a2118900db3b75354b2224121fc1

SHA1
e33affc64678ee1a5b7c239136745625d5c1b44a

SHA256
9c0a8d6499c5aacb44d880f41c13c996e83e41dacd5939f19c6789d74d0adc4e

SHA512
a9e5caea829a5165836b3efa78e09a9b71b2e0d868d03d805409e9b0230f6812f0dea82c98c1f39a18a49ca08f26c25c23f67e53bd32935e42c5182a07a269a1

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
90KB

MD5
11a452f40b7d6b9b585aac5ef83f977d

SHA1
d309c63bdf66d4ade489d52c8e65740161ad8c7b

SHA256
6a6b0de7ef00c862f0077ad0691ae927dcce9d07e7c0def09b93538919068730

SHA512
a48d373d52d08751499796c9da49232168d9f90017cbe009fa94f55e504d8c8d92ab50a9548c2e29319c6021ab704b128a4081169842cdf95ccde552ff07d8b4

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
90KB

MD5
5a02e25b29d405eb67122bca0e3cf513

SHA1
fb243bb6dad29500a43208899d42db25d0c526f6

SHA256
2a0167c383ca320036d422aa67de9fe708e16959ca3f5dacf7987884c6c63570

SHA512
c49e7c89ef3d49290d373a1a0c68db88001933ff81ec689ae464f5313efed6d9cddf5580c013648a636115fcd2d6fa6b0a1024a67bdb4e269be95ceb9e659410

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
90KB

MD5
7226dd6a5fb833b8678be26d985dc717

SHA1
c9122f1eaaf29d51067bd108ae3c8290b8c295c6

SHA256
2bfe363209c43080ff5c60c4d51fc7e82e5dd924700444a04c87b20c06525469

SHA512
99e03f2fb17f99e3497018326bdf54358303e651684adbbf8e1fe3053ae227dfc851daffc37173a9392e0f39ff635a48d28902be994f850918e9c56db1f5b75d

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
90KB

MD5
b25de9c3dd4f1d14fc0cd50a80011ec9

SHA1
312d06eb961b65b3588e1560de58fadbb7aa8bcb

SHA256
cdb109363e9ee30603b38025ec9a8f3191c0d868cb46404336664e0f5b5a05ad

SHA512
ac6f52a616520f04283649c1a6aad9bad119eecc6c51ee1f07a911e3a77d275757bce4a03b5e2fc853cf5a88c95a8c1f4b63fd1d86c61bc8f338f4aa9a489cfa

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
90KB

MD5
16add0757953b64a30173e7cdba038fa

SHA1
064a0dc4388dd6cec4ce00f306893bc2bc89c2ab

SHA256
ef5ffaa2c39ac892b5af2b0dd7ca80c917234ef5a853c6631fe7814e0e0f3ebb

SHA512
139c22549b86a8dee9f4aac376a0a8fe2c291593f22d9cdcc35087827e5e5be2d652dcc9dac66af4c8fbab3817824e33b07f96fc8dbc6bb27a897b1ad4e44632

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
90KB

MD5
821a5f06992e587146513729af6dee59

SHA1
b2363de074ca5ec586dd8864218175bb96f9ddc1

SHA256
07e3be7964265ef4aa52f9ce11e085cabef7d0135fa44ff1e293e5a9a12a0d73

SHA512
81090beed1a23d0166edd8d54de49f38ad989050bac1f93fe5c1247b6eea3edee16b794cf154081bbe4b3141fa200430fb7722d6fde586445f3574fa32840e04

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
90KB

MD5
808432c2ce311a155cc40874e95d0ef7

SHA1
e88c7e196ae7d51f78c4f48de05cd8b685aa5473

SHA256
25fb644de2c687114aa26be5105d1f0c4e8eb585888655fe47c8d73ee5ca74b7

SHA512
539322b3d887aea4030a18962e61f7c48c91488e380cf994648ef7320116606313a6662b31846338801e7cb92d34cd321251b146b5a8268bfc880d89f4caf8ca

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
90KB

MD5
647ebcc6f80077db5e4fa05c647c8426

SHA1
dd661a6f504b267cef6b8caf4c7bf3b063addcf7

SHA256
6fb986d2ee349f5fa200e078fcb6013861acd2b2e75c10e79175dc094b003bf6

SHA512
057c7bc5ac9126600049fe21f3e2021fd1e016624a5d853bf51b6713061aa7b79b0d23afa4cea1a7196d8875e062147e638809a98f4a56d81764c48bb32a6ac7

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
90KB

MD5
5ec9e5e8e3cde346b17451bb8a4b9bf2

SHA1
47f949c067560bf49164e69d30df94e144f51931

SHA256
83db7572cf7448f33afe4421f4d7acd5b127f069a8e46004dbbe9d0ee29a06f3

SHA512
9c40b62a9a128e2b0cdcababa984e4b9775758805c623b0320139acfc9a8ab68fe824653b6c7fa3e04ba994dd641e2027b658763ba88473ac1f5762f888ce997

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
90KB

MD5
9431758610a28453cef014d87d6c245c

SHA1
a9ddd22ba194728edca4feb0210b09b0b27b44cd

SHA256
1ca48aa5c538dc002734e6e52556866b3bb3e2c1ffca3fe9cd36c364c9275e6b

SHA512
27536926f81e3d3173a2384d353a0bf99f27522d706ab3917259dab11b06aa443b7b3f09fa5f826e3d68c124395ee4a3d86d1ea84de85457661065f5d91c09a4

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
90KB

MD5
4f81532a71eb09631e3d32606e1187b1

SHA1
1e1fe6f5cfa214a1bba4f6a33143dee03cb5819a

SHA256
28c5f96d060ddcaf10805ba3215c7a04b0c5031cd6d322faf7ec687470252678

SHA512
391ab9d5e132306be3e352eb88f0496bbd813e27dd1e76b02684705af547d7e80c1557a3276a681dc53826aac620cffbfa153e3a118df96877dbfda1c34961e0

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
90KB

MD5
15342af0c73389f383a44c2ab6a15b75

SHA1
6f985f6c16c776da3a27af94ad6a1283916c5c22

SHA256
e49279ebcf0bdd10083102ccde87af3810ff25ad551ac577d87bb3e4290d4497

SHA512
1e9f5dfd522491c09dd948ef3c5a6f9c00518f23b4a0e8abdf7e99165b22a352bec82b5a978bb5fd234974a3b4bf2feceb04d069478dcfaa2e0430fcdeb28651

Download Submit
C:\Windows\SysWOW64\Oappcfmb.exe

Filesize
90KB

MD5
bf246e67b12033ded60e19880307f901

SHA1
987114d5b1f064b43e12fef92773a7f7752f1661

SHA256
22526e0915233e52fd350ef1fe5118118a558b840966b2e0bcc80f601feb8d6d

SHA512
5ddeaf5235f43afc4d7ac4b18f0c6fc3e328ec2c066b4816a782a08f455422df1b126be446219487d085be9c62432d99ce276a83961b0aa662759ffd33c4ef52

Download Submit
C:\Windows\SysWOW64\Oepbgcpb.dll

Filesize
7KB

MD5
01401e643bd40b761ebea4ab8233b460

SHA1
ae9698e89e11031e7348405eef27f604d7e5f391

SHA256
e95b228b77363d5ddccd4f768cc31d1076b1f7a436846bf7d10279b5043f6d19

SHA512
cb02354ee47764acc0047e4d8387037feb61c6fc0cf6ab168a341f1aea16922f6d74b605100cf3e0dfe322b29784c523f5e69eb5656ee4b867a8aeb26fb820c9

Download Submit
C:\Windows\SysWOW64\Onbgmg32.exe

Filesize
90KB

MD5
7e960ecfbd685ad45e221c507a48b9dd

SHA1
26108524719b39d0a399fa664f1d2f827af8ec2e

SHA256
95dd4e56c6e5300c337202212121fe71635f7c87ac09bf82df6ce09ba0e3714b

SHA512
59080ed80d0155233c617cd68808bd1db06fb69ba335b6b224336b90076f4e7449c1b8f6472f9f15a225eabc06aa5a40a07ebb07da2e89e79b338523f2413551

Download Submit
C:\Windows\SysWOW64\Oqacic32.exe

Filesize
90KB

MD5
7e4153e9758be7347cfebbd67c316710

SHA1
a3ff4687ebd8a09c23802b039319dd72ee686166

SHA256
bd4579778eeb1142eebc8a8109ef90351d11716d8321c635df8c7e8046bee43d

SHA512
d77b46fa4e8a23c1762922a311151ca49f0381284d0aeac080078521ea9382ad95145542a53871bdb72ce0acf26fa4977f1c994cd1213c8ea2a3cc349b21ee26

Download Submit
C:\Windows\SysWOW64\Pbnoliap.exe

Filesize
90KB

MD5
48b5ddc7463905b121fffa678e8cac37

SHA1
cba617b00b36184d412d3a6097f8b060187e4873

SHA256
6bfda1633d8a06822a74b7b9cd7d54779456933741a7c32eab0b9adf9b023521

SHA512
db7201230d9c727493cc2a263132f41a7dabe7d9b2a4209f2b1bc1490cfaf5aa37d838c691cb44c7e291a2271a4f327306a3291041874bb31b1a325604ad8352

Download Submit
C:\Windows\SysWOW64\Pdlkiepd.exe

Filesize
90KB

MD5
32623a43ba437ee1909ce44376d69f27

SHA1
6cf5565ccd3ba670a4128edeb95ba4dc3a24d494

SHA256
c89369fe10f99410ee6bb223c67a2989eae2cf94724f5f861e5c1f498967ff04

SHA512
8d792a5fc127d1cc6131e15d6d87544a7bad076f2a33e28bfda975012fe95292f0025d00beaf4c6dfa4afdc4e7c19db6c142c33d94d39263d756937c6bddf805

Download Submit
C:\Windows\SysWOW64\Pkfceo32.exe

Filesize
90KB

MD5
0cc1723365e556b6dbd739133d074e9b

SHA1
efa43e1d4a5d8f8df3ae87d481d88c0017471c03

SHA256
65e68955a2954bb71ce4cf09959a329ece7b713d50c742bc7da8fe491edc7b77

SHA512
1222bf20a61133cd55c23aecbe877193cf5eeff84972fbd1a82be42136f9262a67d78163ce1f45e9b634753dc19bba73073de7d7478be7533edc196f9e93862a

Download Submit
C:\Windows\SysWOW64\Poapfn32.exe

Filesize
90KB

MD5
2e118c0b12615e4353f8e933dd1f2c23

SHA1
e7101ed4fa1029c87cec790785d3135c83281f40

SHA256
449c6da5e57929a4277cade5b3a0ecb1e86f4c67bdec24829e9e901aaa1baee9

SHA512
012c660f42a80d8e2fde02aaed6d2c99626182685ae2df7578475731c87b6e1ebb8b9e23f6f588db630bb1423bea2a1c9e2ddf5ee5b738e6e581637a77d337df

Download Submit
C:\Windows\SysWOW64\Qbbhgi32.exe

Filesize
90KB

MD5
32b0eed5d4efd314ed1c4e56a15cd918

SHA1
4ad5e1fdbed7616d72f5384fd89d461389c369e6

SHA256
7f2870c3b704cd6d1d8c8b2b162b8b227f46dd11495b9c6941f0b9b453afc0d6

SHA512
edf41f796d745fefb781d47ba05ed98ee32d088faa0966df94aa999eece70f12e4cf99a05aefaf13298a84a55a8746709c26a504f5b4d28093932a0abd5074d5

Download Submit
C:\Windows\SysWOW64\Qeohnd32.exe

Filesize
90KB

MD5
309e1a88631f4683916761556b0e1eb4

SHA1
f730b7545af45304a21125bf5654e25058567aa3

SHA256
c6497ea9c4142b2f72187cbb71c3d5f70d6393e1c158d36bb87e01d4b4f4ae9e

SHA512
dd812d28416154a9534634598b697fd0cbf1f9ed97c0da071565d85861f3b331063b8f3d61af2a89a5a90043bd2068f0bb01c48cbde4729d0b54c388048469b1

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
90KB

MD5
931e0ebcae12e9abe90cfba0de04213b

SHA1
7e1407ecc1decee9f15e47e8f305dd57f1556cf6

SHA256
adff4a1543ee5fbb9bf9b97778fd5e602c522d0302a4c6c2eadb2312a7809f83

SHA512
62a198df97a1aacd3f81183ab98e5e307aee06e95b871e15bba80e0257054a2ac96f710211044eb9564d8af25339e14d02aa7ddfad94166cbc3c3c4eecc5a6fe

Download Submit
C:\Windows\SysWOW64\Qijdocfj.exe

Filesize
90KB

MD5
98f754e5b9044a8946683a8b28427629

SHA1
314ac8c1aa190e9da9ab7265aad583529a97657d

SHA256
6c6ebc39dd81d65ea409ddbfe853a61869d2458307dacc38f3fe82e09dbb3793

SHA512
04eb9bad8b7a7368b4fb8152fcb9f6fb515da59120dfdbcde43b5ceeeae5066b7ee1da25e53e793e7384d5305cdb98c6adebe9d7a1e6e9642d8c5e6758ae17ad

Download Submit
C:\Windows\SysWOW64\Qjnmlk32.exe

Filesize
90KB

MD5
62fa7872df976458e2254e13980ed73c

SHA1
48ba0922722e566d97930e6c139eabfdb19a6064

SHA256
71f1972d2e8f1044bbec3ef7592a27cd58d863718387103f09058a63d99da2c6

SHA512
e9fc92d52e48a3829135ceafc241f867b97ca509245a79a00442e74aff7b00d9bb68a012e870209793e6d90421cce7ff84731d03a20799516fbdf8ea524c316e

Download Submit
C:\Windows\SysWOW64\Qqeicede.exe

Filesize
90KB

MD5
fd0c81c710835b30e0f063be0e79c428

SHA1
977f41db83a4e66a8b85775208a6546c0d05a057

SHA256
a360d6b83b4b18262dd0bc50d4304ee0dd99379b88570b98810e8c1e1c7dae15

SHA512
585808467593e220b52f370bc2cb93c2b67318f956e0b8ea5b7267fa346129f117c0dcef5eda225179fd48658321ae8ef01f3c3cd3dfd39d10ced8c929a501db

Download Submit
\Windows\SysWOW64\Ocalkn32.exe

Filesize
90KB

MD5
0ee34673e0ce4f5bf3585316446472e8

SHA1
69f82954de3acc8bbedcb89aac4c81b58a86ce05

SHA256
bb8c599157ea1b64e41218b3bf79fcdb94bd7e6c1cf55dd77878a825a0fcc3c5

SHA512
d52ff4016d97cd486866ee10fe9173d56fb602984281719b67068529a8a14a61b9a10b98f123b551dee660f5c21bdff236f5652485f07391d17a5dd14aaec328

Download Submit
\Windows\SysWOW64\Okfgfl32.exe

Filesize
90KB

MD5
2bb096d831284e575db26d321d042008

SHA1
352d14efd6800568004acfb22f0cbfe9e88406f2

SHA256
04947867f985d277fea063a57b3376eea2021c467fa9ae0a42b99611aab6da5e

SHA512
339921a0139efb0a57f5b58e11a7e9875db2fbf047d8cc0c77862e85f8ac19891b5b25bf9160acdecdfa2bb00175b2f3d614f6f0414057cacc40fa218fb60cde

Download Submit
\Windows\SysWOW64\Pcdipnqn.exe

Filesize
90KB

MD5
e0d5cbd2ca1c341079c56c79d47063b4

SHA1
8cf01c35977671b917c969248e320a10a1b927b8

SHA256
6ea21f799ea0916d26de6d6ddabc602e6deb354e7ca491802cf06da7f5f74681

SHA512
f6a26b2087e4781423125959c3193ac455c423a177c153ced414351d4bf46349a781039f0955515e7093c16d4276a49b7ea70dabf54ec8fc57a650f66ba750f7

Download Submit
\Windows\SysWOW64\Pcibkm32.exe

Filesize
90KB

MD5
fc3ee82a45bec1dca7ff3f60dc0f94f6

SHA1
b14ce1eeae6d63ac9b7327c73f724483b67bd71d

SHA256
8e242c0cb0ca239b0fb831c10d4d3a65024cec7d97d9a96a7b733af7e40f9988

SHA512
c9263ade4f4175922f066d47fe1c82b20772f225d7cf240df536e23b187de223037fc9896ddda99a052c20ff87c30d054f210660789318ea0d3dc7c15d4bca76

Download Submit
\Windows\SysWOW64\Pgbafl32.exe

Filesize
90KB

MD5
c35c3503ac2d86532b3b9dff308c0551

SHA1
ad64c90e7354963ebf9a3a13092371846e63453e

SHA256
6a1ad8e16881720fbb4d2fb193eb87a30b858390d800746c71eca3a59a50e486

SHA512
db445235320cae68805e1a34c68958388ccabe11c59700db739947e58fd17d135074d1d56ced53e43cf2af90693ed500909344079b3fc5068d0fd5cb296c3087

Download Submit
\Windows\SysWOW64\Pjbjhgde.exe

Filesize
90KB

MD5
70067d0ba5eae9727f16fef27f57cfc8

SHA1
57348574882bef9978c32de7a89e512304fe81a7

SHA256
c7caf6a340f7bf48609a3470ce58d12fbb0cadb5fd33979932e1d57e361421f4

SHA512
c626422c9aee4a305b100313b86ef9af246a293916e6d891ae1394636244f33f719a97d2490721c059a299d50dd78b924c814b420bb2513d782d728faa26e867

Download Submit
\Windows\SysWOW64\Pjldghjm.exe

Filesize
90KB

MD5
0ef3bbf4b888a7674a8034f47977760e

SHA1
811ed0862a905acd9e9041842dbb038f8dea9a93

SHA256
8c243d628ceb51982b54212f2a3d0b9b94785f7f8bb7769f05e263bf6c9c8d40

SHA512
fb4415424094cdc1fbcf6f323c7cc7bb2b37c9bc3f7b24fdda343d61951b85bb83457b839369413241c4c9db25f016935add619b191d3aa75c44888d747466d0

Download Submit
\Windows\SysWOW64\Pjpnbg32.exe

Filesize
90KB

MD5
954b3c9c7b2500327bfa967bb5344e55

SHA1
e6d48d5cc05687b43fec12d954820a3318ad103e

SHA256
5fe7eaa4ae988c10dc128c16c571c82960e473eae22d268b42f65906745cf7df

SHA512
04efef848475272610f3f66f2c2f3709accec20e212239c3fbda6d52d7b4a47f74aac818b4e90b787ea916d078e15db248010b37500be5517a2567f0cb7bbbe5

Download Submit
\Windows\SysWOW64\Pmagdbci.exe

Filesize
90KB

MD5
d60de9b1bbce877c444c9f548726ce2b

SHA1
d047aa2ca2f123e138e21bcdbc7ca275c4e95dd3

SHA256
e350ca9f3ef8f776e33aecf223f00a4a156d47776c4c839e2d662a093a874384

SHA512
3893f185605048b1c0e34cb17ae8f8c7d78d91cf15888c9937141fce77add6c1f3a7f5da6c833e30464c4d113fd1a515574526f2023480e6aafb33a563106ede

Download Submit
\Windows\SysWOW64\Pnimnfpc.exe

Filesize
90KB

MD5
f903c8d7ad28535e49daa5fc3d31edc6

SHA1
886de6dcc6953233e91e58e3fa196162f4091ea5

SHA256
e1aa5a5866d8065804839ff49f4973f096a77d6f4db6d22085cca54625d7fb51

SHA512
5d7a59c6d6336660a1538e01dda437c9c43fdc14b18f8812e9869dd504ed139eaa37f67bdf98db96b19cbac65684e769992ffbba84d8477537d5c7075bf1bdf4

Download Submit
\Windows\SysWOW64\Pqemdbaj.exe

Filesize
90KB

MD5
3108f04a19884b64a5b1a768a8ff0269

SHA1
99d888c8ef2f2f2bca171697fa1b0e11c5270e09

SHA256
250f81881ada2d59e17fb5dc2abf81ce0efd96b2e69b87ad64bc4557bb672dbd

SHA512
353821cf5d46a5fdf3c2fcb40d19a18b06f8c5a9078d1b9a911f2d1dd2ec6d67e875212d8b79e2404e3d2a86aa7eeb1e9f40d49ec6eb74dbd1462d28ebad68b2

Download Submit
\Windows\SysWOW64\Pqhijbog.exe

Filesize
90KB

MD5
9e219f6129dcde47e7a0a6bb788471f6

SHA1
9a4dda2adea04b8d9f6cb57eb9a8e334f281d51a

SHA256
9ee5dc731700dfe76f1ab405a7e9820c7f764c638fafaa7e38c677879c74c1ce

SHA512
517f3ceee36f9c637e933d04c0990905e487ef3e94309201ab904799435014b09633768bbceee5c9bd271526cbcc2c66262e922e4c7ab7dab5f991ba50bb76ad

Download Submit
\Windows\SysWOW64\Pqjfoa32.exe

Filesize
90KB

MD5
ccb2a3710488559865fa0c7a73a8d027

SHA1
cbe82fcf97ca0278c61420247beccb3f46dc3bb9

SHA256
719a9835fe914972166f15e6e2b38f75a335347b0fa88db80b2aee90741f4b35

SHA512
546f3c2a7afbe1793ccf2dfcf9bbe3c9749bd43a2bb5033dda719c7a598df2889e974685e31534ba1a942835b3cc32843f1b9da1f0b56ef603493bd1e816b672

Download Submit
memory/400-106-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/400-461-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/400-114-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/536-417-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/552-454-0x00000000002F0000-0x000000000032D000-memory.dmp

Filesize
244KB

Download
memory/552-449-0x00000000002F0000-0x000000000032D000-memory.dmp

Filesize
244KB

Download
memory/552-444-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/596-361-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/596-357-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/596-362-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/768-474-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/844-224-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/844-230-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/928-285-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/928-284-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/928-275-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/956-79-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/956-86-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/956-434-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/996-308-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/996-317-0x00000000002B0000-0x00000000002ED000-memory.dmp

Filesize
244KB

Download
memory/996-318-0x00000000002B0000-0x00000000002ED000-memory.dmp

Filesize
244KB

Download
memory/1048-368-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1064-173-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1076-484-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1080-468-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1080-472-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/1292-286-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1292-296-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1292-295-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1308-253-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1308-259-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1308-263-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1324-252-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/1324-243-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1364-500-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1364-494-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1696-264-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1696-274-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/1696-273-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/1864-297-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1864-306-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1864-307-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1984-350-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1984-340-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1984-351-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2052-457-0x00000000002E0000-0x000000000031D000-memory.dmp

Filesize
244KB

Download
memory/2052-466-0x00000000002E0000-0x000000000031D000-memory.dmp

Filesize
244KB

Download
memory/2052-450-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2080-383-0x0000000001F80000-0x0000000001FBD000-memory.dmp

Filesize
244KB

Download
memory/2080-378-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2132-24-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2140-94-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2140-448-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2172-213-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2172-220-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/2176-186-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2176-194-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/2280-432-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2280-438-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/2392-239-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2508-388-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2628-402-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2628-403-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2644-341-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/2644-339-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/2644-338-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2664-405-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/2664-53-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2664-60-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/2664-404-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2700-51-0x00000000002B0000-0x00000000002ED000-memory.dmp

Filesize
244KB

Download
memory/2700-390-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2720-329-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/2720-319-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2720-328-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/2768-166-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/2812-34-0x00000000002C0000-0x00000000002FD000-memory.dmp

Filesize
244KB

Download
memory/2812-26-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2812-373-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2840-17-0x0000000000340000-0x000000000037D000-memory.dmp

Filesize
244KB

Download
memory/2840-363-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2840-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2920-422-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2920-426-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2920-431-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2968-473-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3008-140-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/3008-132-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3008-483-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3016-146-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3016-154-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/3016-493-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3028-415-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/3028-406-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3060-200-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads