berbew | 1b4ceac743af9eb72d0c6eec6b0a1e36acc0bf22563cb6d910e4b72a57305fb4

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b4ceac743af9eb72d0c6eec6b0a1e36acc0bf22563cb6d910e4b72a57305fb4N.exe
Size

77KB
MD5

43d2158625aa3430d1800cb212165b60
SHA1

ab9ab9beabcdcf522c12af336167f14fd210dae1
SHA256

1b4ceac743af9eb72d0c6eec6b0a1e36acc0bf22563cb6d910e4b72a57305fb4
SHA512

b9ff88ef7841a69d37ec4b8c65a79ed1ad7657b723a586e9ff81c5ed5a212bf09be35f44ac69ae31156fa56f238522a119a16b66356bf68db71afb3253a4f9e1
SSDEEP

1536:PBwG20NNXrRJD2NqIV2taBBF2LtdNwfi+TjRC/:PeGTBt92NzVUhzNwf1TjY

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaheie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oancnfoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohhkjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfdabino.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcdipnqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcfefmnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afiglkle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1b4ceac743af9eb72d0c6eec6b0a1e36acc0bf22563cb6d910e4b72a57305fb4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdjkogm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1b4ceac743af9eb72d0c6eec6b0a1e36acc0bf22563cb6d910e4b72a57305fb4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odoloalf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdlkiepd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnagk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkidlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Picnndmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmlmic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbikgk32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2708	Oancnfoe.exe
2856	Ohhkjp32.exe
2772	Onecbg32.exe
2676	Odoloalf.exe
320	Pkidlk32.exe
1472	Pngphgbf.exe
2108	Pcdipnqn.exe
2088	Pfbelipa.exe
2796	Pmlmic32.exe
2972	Pcfefmnk.exe
2372	Pfdabino.exe
1036	Picnndmb.exe
1276	Pqjfoa32.exe
3036	Pfgngh32.exe
2460	Pmagdbci.exe
284	Pbnoliap.exe
1556	Pdlkiepd.exe
2284	Pmccjbaf.exe
1328	Pndpajgd.exe
684	Qbplbi32.exe
1288	Qgmdjp32.exe
876	Qodlkm32.exe
1716	Qeaedd32.exe
2564	Qgoapp32.exe
784	Qkkmqnck.exe
1592	Aaheie32.exe
2716	Acfaeq32.exe
2620	Anlfbi32.exe
2644	Aajbne32.exe
1476	Agdjkogm.exe
2064	Ajbggjfq.exe
2116	Annbhi32.exe
2960	Aaloddnn.exe
2904	Afiglkle.exe
1936	Ajecmj32.exe
1848	Aigchgkh.exe
1320	Aaolidlk.exe
2148	Abphal32.exe
2436	Afkdakjb.exe
2224	Alhmjbhj.exe
752	Apdhjq32.exe
2340	Acpdko32.exe
2500	Afnagk32.exe
1616	Bmhideol.exe
1856	Bpfeppop.exe
1684	Bbdallnd.exe
2892	Bhajdblk.exe
2516	Bbgnak32.exe
1788	Beejng32.exe
2768	Bhdgjb32.exe
2680	Blobjaba.exe
572	Bonoflae.exe
2820	Bbikgk32.exe
848	Behgcf32.exe
2816	Bdkgocpm.exe
2288	Bhfcpb32.exe
1584	Blaopqpo.exe
296	Bmclhi32.exe
1996	Baohhgnf.exe
2472	Bejdiffp.exe
1952	Bhhpeafc.exe
840	Bfkpqn32.exe
1368	Bobhal32.exe
1560	Baadng32.exe

Loads dropped DLL 64 IoCs

pid	Process
2880	1b4ceac743af9eb72d0c6eec6b0a1e36acc0bf22563cb6d910e4b72a57305fb4N.exe
2880	1b4ceac743af9eb72d0c6eec6b0a1e36acc0bf22563cb6d910e4b72a57305fb4N.exe
2708	Oancnfoe.exe
2708	Oancnfoe.exe
2856	Ohhkjp32.exe
2856	Ohhkjp32.exe
2772	Onecbg32.exe
2772	Onecbg32.exe
2676	Odoloalf.exe
2676	Odoloalf.exe
320	Pkidlk32.exe
320	Pkidlk32.exe
1472	Pngphgbf.exe
1472	Pngphgbf.exe
2108	Pcdipnqn.exe
2108	Pcdipnqn.exe
2088	Pfbelipa.exe
2088	Pfbelipa.exe
2796	Pmlmic32.exe
2796	Pmlmic32.exe
2972	Pcfefmnk.exe
2972	Pcfefmnk.exe
2372	Pfdabino.exe
2372	Pfdabino.exe
1036	Picnndmb.exe
1036	Picnndmb.exe
1276	Pqjfoa32.exe
1276	Pqjfoa32.exe
3036	Pfgngh32.exe
3036	Pfgngh32.exe
2460	Pmagdbci.exe
2460	Pmagdbci.exe
284	Pbnoliap.exe
284	Pbnoliap.exe
1556	Pdlkiepd.exe
1556	Pdlkiepd.exe
2284	Pmccjbaf.exe
2284	Pmccjbaf.exe
1328	Pndpajgd.exe
1328	Pndpajgd.exe
684	Qbplbi32.exe
684	Qbplbi32.exe
1288	Qgmdjp32.exe
1288	Qgmdjp32.exe
876	Qodlkm32.exe
876	Qodlkm32.exe
1716	Qeaedd32.exe
1716	Qeaedd32.exe
2564	Qgoapp32.exe
2564	Qgoapp32.exe
784	Qkkmqnck.exe
784	Qkkmqnck.exe
1592	Aaheie32.exe
1592	Aaheie32.exe
2716	Acfaeq32.exe
2716	Acfaeq32.exe
2620	Anlfbi32.exe
2620	Anlfbi32.exe
2644	Aajbne32.exe
2644	Aajbne32.exe
1476	Agdjkogm.exe
1476	Agdjkogm.exe
2064	Ajbggjfq.exe
2064	Ajbggjfq.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pfnkga32.dll	Qodlkm32.exe
File opened for modification	C:\Windows\SysWOW64\Bhfcpb32.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Pngphgbf.exe	Pkidlk32.exe
File created	C:\Windows\SysWOW64\Bfbdiclb.dll	Pngphgbf.exe
File created	C:\Windows\SysWOW64\Pbnoliap.exe	Pmagdbci.exe
File created	C:\Windows\SysWOW64\Idlgcclp.dll	Qkkmqnck.exe
File created	C:\Windows\SysWOW64\Acfaeq32.exe	Aaheie32.exe
File opened for modification	C:\Windows\SysWOW64\Annbhi32.exe	Ajbggjfq.exe
File opened for modification	C:\Windows\SysWOW64\Ajecmj32.exe	Afiglkle.exe
File opened for modification	C:\Windows\SysWOW64\Abphal32.exe	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Oancnfoe.exe	1b4ceac743af9eb72d0c6eec6b0a1e36acc0bf22563cb6d910e4b72a57305fb4N.exe
File created	C:\Windows\SysWOW64\Ecjdib32.dll	Apdhjq32.exe
File opened for modification	C:\Windows\SysWOW64\Acpdko32.exe	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Pndpajgd.exe	Pmccjbaf.exe
File opened for modification	C:\Windows\SysWOW64\Qgmdjp32.exe	Qbplbi32.exe
File created	C:\Windows\SysWOW64\Afiglkle.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Apdhjq32.exe	Alhmjbhj.exe
File opened for modification	C:\Windows\SysWOW64\Afnagk32.exe	Acpdko32.exe
File created	C:\Windows\SysWOW64\Ehieciqq.dll	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Bonoflae.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Kjcceqko.dll	Pcdipnqn.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bfkpqn32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Bbikgk32.exe	Bonoflae.exe
File created	C:\Windows\SysWOW64\Hnablp32.dll	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Ghmnek32.dll	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Koldhi32.dll	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Cfgheegc.dll	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Pkfaka32.dll	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Cmgechbh.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Pfgngh32.exe	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Qgmdjp32.exe	Qbplbi32.exe
File created	C:\Windows\SysWOW64\Anlfbi32.exe	Acfaeq32.exe
File opened for modification	C:\Windows\SysWOW64\Blobjaba.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Gneolbel.dll	Picnndmb.exe
File created	C:\Windows\SysWOW64\Aigchgkh.exe	Ajecmj32.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Bhhpeafc.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgechbh.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Aajbne32.exe	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Pqjfoa32.exe	Picnndmb.exe
File created	C:\Windows\SysWOW64\Njelgo32.dll	Alhmjbhj.exe
File created	C:\Windows\SysWOW64\Blobjaba.exe	Bhdgjb32.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Pcdipnqn.exe	Pngphgbf.exe
File created	C:\Windows\SysWOW64\Jjmoilnn.dll	Pfdabino.exe
File opened for modification	C:\Windows\SysWOW64\Pbnoliap.exe	Pmagdbci.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bfkpqn32.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Dhbkakib.dll	Pcfefmnk.exe
File opened for modification	C:\Windows\SysWOW64\Pcfefmnk.exe	Pmlmic32.exe
File created	C:\Windows\SysWOW64\Alhmjbhj.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Bhfcpb32.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Pcdipnqn.exe	Pngphgbf.exe
File created	C:\Windows\SysWOW64\Oodajl32.dll	Pdlkiepd.exe
File opened for modification	C:\Windows\SysWOW64\Pndpajgd.exe	Pmccjbaf.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	Bhhpeafc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1496	2076	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjfoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgngh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apdhjq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhkjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmccjbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdjkogm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afiglkle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdabino.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aigchgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfefmnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajbne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajecmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaolidlk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkidlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlmic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anlfbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pngphgbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmagdbci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmdjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1b4ceac743af9eb72d0c6eec6b0a1e36acc0bf22563cb6d910e4b72a57305fb4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oancnfoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdipnqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odoloalf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdlkiepd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbplbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onecbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alhmjbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeaedd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Picnndmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdlkiepd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohhkjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpanl32.dll"	Afnagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blobjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpggbq32.dll"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll"	Aaheie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbgfk32.dll"	Pkidlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1b4ceac743af9eb72d0c6eec6b0a1e36acc0bf22563cb6d910e4b72a57305fb4N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnnjk32.dll"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll"	Beejng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobcmana.dll"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afiglkle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmoilnn.dll"	Pfdabino.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmnek32.dll"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aajbne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcfefmnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gneolbel.dll"	Picnndmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onecbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pngphgbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmlmic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1b4ceac743af9eb72d0c6eec6b0a1e36acc0bf22563cb6d910e4b72a57305fb4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlmd32.dll"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcdipnqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blaopqpo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2708	2880	1b4ceac743af9eb72d0c6eec6b0a1e36acc0bf22563cb6d910e4b72a57305fb4N.exe	30
PID 2880 wrote to memory of 2708	2880	1b4ceac743af9eb72d0c6eec6b0a1e36acc0bf22563cb6d910e4b72a57305fb4N.exe	30
PID 2880 wrote to memory of 2708	2880	1b4ceac743af9eb72d0c6eec6b0a1e36acc0bf22563cb6d910e4b72a57305fb4N.exe	30
PID 2880 wrote to memory of 2708	2880	1b4ceac743af9eb72d0c6eec6b0a1e36acc0bf22563cb6d910e4b72a57305fb4N.exe	30
PID 2708 wrote to memory of 2856	2708	Oancnfoe.exe	31
PID 2708 wrote to memory of 2856	2708	Oancnfoe.exe	31
PID 2708 wrote to memory of 2856	2708	Oancnfoe.exe	31
PID 2708 wrote to memory of 2856	2708	Oancnfoe.exe	31
PID 2856 wrote to memory of 2772	2856	Ohhkjp32.exe	32
PID 2856 wrote to memory of 2772	2856	Ohhkjp32.exe	32
PID 2856 wrote to memory of 2772	2856	Ohhkjp32.exe	32
PID 2856 wrote to memory of 2772	2856	Ohhkjp32.exe	32
PID 2772 wrote to memory of 2676	2772	Onecbg32.exe	33
PID 2772 wrote to memory of 2676	2772	Onecbg32.exe	33
PID 2772 wrote to memory of 2676	2772	Onecbg32.exe	33
PID 2772 wrote to memory of 2676	2772	Onecbg32.exe	33
PID 2676 wrote to memory of 320	2676	Odoloalf.exe	34
PID 2676 wrote to memory of 320	2676	Odoloalf.exe	34
PID 2676 wrote to memory of 320	2676	Odoloalf.exe	34
PID 2676 wrote to memory of 320	2676	Odoloalf.exe	34
PID 320 wrote to memory of 1472	320	Pkidlk32.exe	35
PID 320 wrote to memory of 1472	320	Pkidlk32.exe	35
PID 320 wrote to memory of 1472	320	Pkidlk32.exe	35
PID 320 wrote to memory of 1472	320	Pkidlk32.exe	35
PID 1472 wrote to memory of 2108	1472	Pngphgbf.exe	36
PID 1472 wrote to memory of 2108	1472	Pngphgbf.exe	36
PID 1472 wrote to memory of 2108	1472	Pngphgbf.exe	36
PID 1472 wrote to memory of 2108	1472	Pngphgbf.exe	36
PID 2108 wrote to memory of 2088	2108	Pcdipnqn.exe	37
PID 2108 wrote to memory of 2088	2108	Pcdipnqn.exe	37
PID 2108 wrote to memory of 2088	2108	Pcdipnqn.exe	37
PID 2108 wrote to memory of 2088	2108	Pcdipnqn.exe	37
PID 2088 wrote to memory of 2796	2088	Pfbelipa.exe	38
PID 2088 wrote to memory of 2796	2088	Pfbelipa.exe	38
PID 2088 wrote to memory of 2796	2088	Pfbelipa.exe	38
PID 2088 wrote to memory of 2796	2088	Pfbelipa.exe	38
PID 2796 wrote to memory of 2972	2796	Pmlmic32.exe	39
PID 2796 wrote to memory of 2972	2796	Pmlmic32.exe	39
PID 2796 wrote to memory of 2972	2796	Pmlmic32.exe	39
PID 2796 wrote to memory of 2972	2796	Pmlmic32.exe	39
PID 2972 wrote to memory of 2372	2972	Pcfefmnk.exe	40
PID 2972 wrote to memory of 2372	2972	Pcfefmnk.exe	40
PID 2972 wrote to memory of 2372	2972	Pcfefmnk.exe	40
PID 2972 wrote to memory of 2372	2972	Pcfefmnk.exe	40
PID 2372 wrote to memory of 1036	2372	Pfdabino.exe	41
PID 2372 wrote to memory of 1036	2372	Pfdabino.exe	41
PID 2372 wrote to memory of 1036	2372	Pfdabino.exe	41
PID 2372 wrote to memory of 1036	2372	Pfdabino.exe	41
PID 1036 wrote to memory of 1276	1036	Picnndmb.exe	42
PID 1036 wrote to memory of 1276	1036	Picnndmb.exe	42
PID 1036 wrote to memory of 1276	1036	Picnndmb.exe	42
PID 1036 wrote to memory of 1276	1036	Picnndmb.exe	42
PID 1276 wrote to memory of 3036	1276	Pqjfoa32.exe	43
PID 1276 wrote to memory of 3036	1276	Pqjfoa32.exe	43
PID 1276 wrote to memory of 3036	1276	Pqjfoa32.exe	43
PID 1276 wrote to memory of 3036	1276	Pqjfoa32.exe	43
PID 3036 wrote to memory of 2460	3036	Pfgngh32.exe	44
PID 3036 wrote to memory of 2460	3036	Pfgngh32.exe	44
PID 3036 wrote to memory of 2460	3036	Pfgngh32.exe	44
PID 3036 wrote to memory of 2460	3036	Pfgngh32.exe	44
PID 2460 wrote to memory of 284	2460	Pmagdbci.exe	45
PID 2460 wrote to memory of 284	2460	Pmagdbci.exe	45
PID 2460 wrote to memory of 284	2460	Pmagdbci.exe	45
PID 2460 wrote to memory of 284	2460	Pmagdbci.exe	45

C:\Users\Admin\AppData\Local\Temp\1b4ceac743af9eb72d0c6eec6b0a1e36acc0bf22563cb6d910e4b72a57305fb4N.exe
"C:\Users\Admin\AppData\Local\Temp\1b4ceac743af9eb72d0c6eec6b0a1e36acc0bf22563cb6d910e4b72a57305fb4N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\Oancnfoe.exe
  C:\Windows\system32\Oancnfoe.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\Ohhkjp32.exe
    C:\Windows\system32\Ohhkjp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\Onecbg32.exe
      C:\Windows\system32\Onecbg32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\SysWOW64\Odoloalf.exe
        
        C:\Windows\system32\Odoloalf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\Pkidlk32.exe
        
        C:\Windows\system32\Pkidlk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Pngphgbf.exe
        
        C:\Windows\system32\Pngphgbf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Pcdipnqn.exe
        
        C:\Windows\system32\Pcdipnqn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Pfbelipa.exe
        
        C:\Windows\system32\Pfbelipa.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Pmlmic32.exe
        
        C:\Windows\system32\Pmlmic32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Pcfefmnk.exe
        
        C:\Windows\system32\Pcfefmnk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Pfdabino.exe
        
        C:\Windows\system32\Pfdabino.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Picnndmb.exe
        
        C:\Windows\system32\Picnndmb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Pqjfoa32.exe
        
        C:\Windows\system32\Pqjfoa32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Pmagdbci.exe
        
        C:\Windows\system32\Pmagdbci.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:284
        
        C:\Windows\SysWOW64\Pdlkiepd.exe
        
        C:\Windows\system32\Pdlkiepd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Pndpajgd.exe
        
        C:\Windows\system32\Pndpajgd.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1328
        
        C:\Windows\SysWOW64\Qbplbi32.exe
        
        C:\Windows\system32\Qbplbi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Qgmdjp32.exe
        
        C:\Windows\system32\Qgmdjp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\Qeaedd32.exe
        
        C:\Windows\system32\Qeaedd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\Qkkmqnck.exe
        
        C:\Windows\system32\Qkkmqnck.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:784
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Anlfbi32.exe
        
        C:\Windows\system32\Anlfbi32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:296
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 140
        71⤵
        Program crash
        
        PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaheie32.exe

Filesize
77KB

MD5
8c4f41dbfaa1ed13b9792f6329850433

SHA1
30ce7ca8e330f6f05339a9d0038fadeffdbed66f

SHA256
1f8d0634582d4fd47da5622c43f735cfd7f069342732bcefc81b93ca3a39a393

SHA512
08e518679c9b2b58181c8676d04195de2e5b67d5b8e7fe248e578f9b1fd033a9208ab62403340e46373c68b5fc759dd421cebca1fc8807b1b486e8c245ac2037

Download Submit
C:\Windows\SysWOW64\Aajbne32.exe

Filesize
77KB

MD5
ee37da9015b7da4f12e53a3906a65e4a

SHA1
ed9abca0455529943eaa3c6a876c24a7ee4af02e

SHA256
7f5b41c2fbda61e1deee6effb1d11ccfc3cf2c0960a7a558b7dae00efacf775b

SHA512
e765ad9315d6d8c56914698d5b3b58185cf9cb3b1424c8ed4efb4369b007295f92fb8b5c75e075983d07200b1332f14314edfa0af62c6b8e1851e50e40c6d3e5

Download Submit
C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
77KB

MD5
6e1e40e9dfc46ea529c70daf8e6bf36a

SHA1
dcad0058ea1e38dcf8a8ba67468e0b2dcb6ee57c

SHA256
a72084650edd90733abdf00156503a7b0bdcf2d26201dfa171174e6c687ecc78

SHA512
ab1fb733b6e8a8b39313d3d33b60311c1d54502120b31f9f2bd257bf52762e94420b8f3bc8d75b52bfc6af7891afdccdad940ecaacca24716747f6e9d20a1664

Download Submit
C:\Windows\SysWOW64\Aaolidlk.exe

Filesize
77KB

MD5
a8148c8e55cf46dfb6680aac3b98aa6a

SHA1
3d683ea7aafb526bac0977462e33e7a1583c8e55

SHA256
056d6968a47642345881a82694af7b6427c97ac712a2eef04634ceb5b4a460d5

SHA512
02a0f0d72000a9859e135c078d87edd09e14a8e80e0c360d884acc80c6a38b01cbd2475c992fd2b56e268feba8e122a28930d6324ffa4fde9a4447cc5f895fc8

Download Submit
C:\Windows\SysWOW64\Abphal32.exe

Filesize
77KB

MD5
6979bb23e964fb47bebaf19838eda981

SHA1
fbb985bade011fcb9dc01ddb00d681944c106b56

SHA256
69f744f23a4bddc01576624d1a771075bef1d838fc5e118ce080914e68038103

SHA512
3da431c7a6a767ef5ce5bd11a7c4e42ec4cfbff88d5834ddaa79729342983d7a8157bf55c3f77daf0e399fb0d0a5909e57b523a19cc23771a9378cd9dd0c8fb6

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
77KB

MD5
950aa664728ec03018b9dc0b94168810

SHA1
1cb0c3893e731f920a141557366ddd3ee7622c51

SHA256
b57c476133044fad381e2f54c6552833e71bfcdcaeae5c828de2b9ea00546932

SHA512
015b2a27f48a05dd1aefc14a30f03854fd2998af37dc453259af485c028ae06b69dcf965e589c3c362bb212c971c669cde3135134d82e02a5b4b24d5e8130b0e

Download Submit
C:\Windows\SysWOW64\Acpdko32.exe

Filesize
77KB

MD5
80725f2e5b1cec58df31b1feb43db3db

SHA1
840964a962400e3121e5304ddd457edb1872010a

SHA256
46256abac73a17e3ecca68b346d2506f1b6f199435befcecdc9bedbd1eadd89d

SHA512
e4ff4f5919e706864426f97da210958f0673d8fbab3096cc0f4821d745410982b1c2ddae14ebd38afb8f6723987b84419843528416957cebd14de1d1bc4ec877

Download Submit
C:\Windows\SysWOW64\Afiglkle.exe

Filesize
77KB

MD5
27ee270688b9fc975084bbc047f3ff57

SHA1
313a1f4d3cf771bb76f035913437a4bdeb6ea219

SHA256
d563cf109ee797fd98048c581fc4ac418c65d54943a6a5bbb2cee2fcb8e1412b

SHA512
6495c00e53cad736816d0ccdff2202e6618fcef82507bd430f19342eb8e2ac21bc8db5bc9f129e5e5062473e0cbe9da243610f984e1e2e2e46ba399713e452cc

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
77KB

MD5
29d407b069d2c7bb2a47f4b5d4ada850

SHA1
1c13b9b3e3ed1757eba47482893ab1daba924e71

SHA256
390f46084b65c9cc96c60e95e37339db801211a9f7ca6633d8995a4543977b6f

SHA512
dbf7cb31fadaf36266839ec43d2309e9ee818ba8a393eff4b808c1613ebefcb8be2673f06bcdefac0859ea91f5f437ae940bf5e0d647c45760999390a57673aa

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
77KB

MD5
a4c38c2fb8fd233b92c4ea0512e73a77

SHA1
a41820291bf2b1eec0d7404d716932f13d25d811

SHA256
932c259cb3c7afebd6c1ac05eadccda0f54b4f8c59ff548ed66e620da9a96e1b

SHA512
79be350cf95ace59b0062ecce612c4c5c6a92832fff36585ed8374a63e20b29732414bc5a3fa30243178c433d5ef5c2a09aceb90a242c66c2c4117663abf2500

Download Submit
C:\Windows\SysWOW64\Agdjkogm.exe

Filesize
77KB

MD5
8a97549101f600f86dbd7cf3f8b4eeb4

SHA1
4619d42ed1282c41cbdba915ac82e21135aa33a8

SHA256
0ea8d79372a7131d64a0ceb8a57cf016f86dd3bb2bf36c4a47901a0ae86ac78a

SHA512
c98f33d3567740581bc3e554d2f1995c1493b3ac12f7cf8c894611ade7223ed189f09a4742be2050c77179e4c26874290b93cb1b02c0a058ee92d7c82097e16b

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
77KB

MD5
e4d04ae55a78b5e13590ae99de66b085

SHA1
20ea3f7e9297512590970a17ef5fa8c50f607366

SHA256
2f44233695cc95e5bb03496de1f162ea0bdafbe6fec9dc8370c6a57d44bdc9e7

SHA512
27e36894cf5af09f5427fbe619812ce6960dfed6c1a6fb7625c7cc2aaddcaa032ddb75dc8f2b029fa4be6574bcdf6703a9567a497360d1a2a3bb636c79123d77

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
77KB

MD5
863a6f203629f6c345defbd466f73c50

SHA1
39470106f77d1b632f103eedbb5477001ae44170

SHA256
fc0dbdf6304ac3e32cfcc3abfd30a171010510e164bfb0eb18006aea8054a4ea

SHA512
70c470f071a0d277978e192b16d1225b17f195dbc8fd58e03e85a596a0b7e23b25036da4eff4ace173f41c3a58b39efd7455cea6cded7dada76960a101f75cc9

Download Submit
C:\Windows\SysWOW64\Ajecmj32.exe

Filesize
77KB

MD5
28c72b3f861b2e18335e2864d13994c3

SHA1
f209dd100739862d1f1d70afb3693197aee2cc5c

SHA256
7776c37d7d7cc713ba1533aecf66c8f365829f90e82a320e7cd57c3dcfd08bc7

SHA512
2d69c47390f2b7d6d5d3347d8bb9fda3bcc94e79a29653869e139cdaacc90182428b05a87132d91cd5881f52930a424c26f5472b807c327c41f067cfc7a70952

Download Submit
C:\Windows\SysWOW64\Alhmjbhj.exe

Filesize
77KB

MD5
19ce7247f37b18c02d9f298c506d3fa7

SHA1
54e4c252fe2321e742ebfe8555191c1d7a376c15

SHA256
2e7a2096b9c015b88ade3d5c20bb61d4da218b3c72399f708a9ddbc1ab828908

SHA512
5bfb1359a72a649f5412db5d8319cbcb4a7c1f28585d10df5f6cf7b345eed9e768bb99eb2af2c8af9aad5dcd1b24bbcb9ec97dd4f24c8ccb7d2abe3c412c6053

Download Submit
C:\Windows\SysWOW64\Anlfbi32.exe

Filesize
77KB

MD5
6170f7451e5aeaed4f67f6b4ac0c1b14

SHA1
ecef3bf8145b9b92f1b6677fc75d5ca6a7a4ee23

SHA256
5d2638bae7aa6400109f38cbe56a2d7b73291ff388cf0db233fa0f297dd679b9

SHA512
259b55c790d4a1712d7d0b74c6054eb6657915b08c664180e1e11e3602765a5b53916aaa8c3cda469919cc3de15ecfe7c1f2743afdf1badc413649272455cec8

Download Submit
C:\Windows\SysWOW64\Annbhi32.exe

Filesize
77KB

MD5
b58a58357667cf80448cc74fe71b375d

SHA1
02364e8f9b39c020a42987b7b472937ec3e15163

SHA256
1462abff036e1dccd4629831a2ae140e05b92b0c0e4f37b5590252bb96534dc9

SHA512
62a61c9059225354e39c8264fc567a79360c51472a21bb7b86b3a8bfd79e7bd68d25c743599d10ab23e25172c8de4a07b54ac25076bbf80800d4c9e6cccbe8e1

Download Submit
C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
77KB

MD5
833c772de71c864eb276c80c61dc3e89

SHA1
0e7f3010ab0a57b60eab0203998ddfa2e7e525bf

SHA256
37e146609000bab663767fa82c5d7673808975349a15b47126df1d76436f2e34

SHA512
8ec58ca47832d19661a1c4d3b3d91e46ed9cd1b690e7603fe1c34cca3590ad706389bc61c33fff7a1c83cab026764af2991d9078858856481490ea227c19451b

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
77KB

MD5
8fafc80bbeb9ce5efa51fbfed5a8d850

SHA1
94e163a1f7cb7cbbf80982af7ba69364fd1a5df0

SHA256
e549ba219de99b8596aa07a9d62f64037b8441e0e0f75822a94136f6c23a6181

SHA512
67ffc1738c30a233a3119e3d3319980566d5e98aa053c4263ba3912795cdadc8b46af00a0e881029dfb44011d4ec87d97da4f3577a2865724fbe384417a089c8

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
77KB

MD5
1ab75dcc3880d65b5fdd0812cbb66325

SHA1
4cc87a9efcfdbd16ebe0e42df51b35616403bddc

SHA256
716ea4aac236481259c99b4597490c55271e8d8074c2734e2449f31c8d948b92

SHA512
e356c8ecf32dfeabfefc0c3d4df4a6898f5b25eb6fd240d26b1895321643e35010306b28eb4b6130aff535eeec069259703f14699d27448400a3ff982f721b1f

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
77KB

MD5
1b52d015e312498665f4cfaff1aa56f4

SHA1
de1ef870720422041733344e3e9d8a9a6a9b9c87

SHA256
51ee090c088adadea273b8fc37ba363ab2fc3a6bc821d14958032bd209267c8d

SHA512
e45f2bf5b27dc41b3c44d4e60275fe7302ff23d2900c264ff1464970825bcd1099b9b2290e54c9ba439f464a34942bcd84af0fbb28d8fa3531168355c464fd42

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
77KB

MD5
6f83f37c7da1113c98e2e3122380801b

SHA1
1dac1dd7b4f76fe8fbc7bf00ca5103d1a0c95eb3

SHA256
3920fc69ccf0e0454f9edc24a512a644dc645c98ebb6722417196f250c4124a1

SHA512
5e92589a2db6cd815cdf37380608c219a0438650722e27fbc6ccf6f0c827f59db2b196e93e108e7aeec5d4176a6173db1af6e716d5fba96329b97cd32b51a398

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
77KB

MD5
a4763d78140338bd6fdbf74b1b2f59c0

SHA1
30aa7aff14f0255da313f4e2c0073baf823e88bb

SHA256
5b8ff3420d039d6d8257cae6227ff89c5da2aea1e1beba6c7020b7c169951134

SHA512
e44805767df008858b7e2deb0e51ce34e1be43e51c305b0eb943f925f6ec604fb7ec8686b3ea71a0d3ab1d5193962a818b3321cbc7d8796a7fd87ee7b44abe39

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
77KB

MD5
88a464d44304315f3ea7f31c197b1ae6

SHA1
67fa0997b630362e43ca1d5f3b7638ac3fea23d2

SHA256
fefbed0c591462fd03d8e43b756a2c8882329f0ce2aaab2dd8d475594d25290f

SHA512
8090d361d30534aeba3dd401a392f0b9ead3e3e34dfea11543dea87558dfa6ad8908b10390aaf7e8f6c6db8e5030f75b6312851f492850ddd9d9e2b2de5b8855

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
77KB

MD5
5c0af8ee0c30c5641b1efab6cd2de2a0

SHA1
d7aae0eb271313b3a124c2b7706f817e1b8142b8

SHA256
454ca8b7e9813aae308cccdc07742abc10145a1b42daa3d7956fa6a3dce7ec24

SHA512
1f631cd004ce25558220559c4f0a97a08b85155d0f776a996b7ef60dd36242b6c518d872033dd8408036b0513915956c5f6206810588c7b1bc957fb028629a0a

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
77KB

MD5
a97390cd1da888f43b1d980567e6630d

SHA1
9149ed47d2bb54de2f1884dec21c83151f48591e

SHA256
07bb4f8acb7fa2cb19356684a15523e139b14516c614d8165c219c438442ecdb

SHA512
2274b297d0552f87004584fd9a870121b1ccd7ee52e37723e317af3bad3cd2911b0c80a643e64ebbd33956aaf13606c10c426c4e3f06b39129568d88143fc86c

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
77KB

MD5
ce92c0a3c0ac404e31ce2e191de28e3c

SHA1
e27168122427506ee541744aa1bce4f069a2a254

SHA256
128f4fdb21f44acef893b560917291f3cbd3787a89b0c8975d355baa7dca637f

SHA512
bc2dd1e76a708b5059f6c2e327b084d6a9a5c7b5a788dda0b515ee45b4cff5d60b7c0896ee7c61fc7cf09d68ca536d453bd849252e8be2ebf1edfd033e126b9d

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
77KB

MD5
219d388d11a7e68a2f64aee105876e8d

SHA1
9c9ae42fbccc8e6950933e50f37d75605fccebb3

SHA256
30648ae7a35bf5aa45c5b4ccf08034fccf6d62e84a6ff443794321f40990b524

SHA512
9a3480125cd385d760a746a108de69b7d0cc945766fd94fa9062f4755f3f1be40a34d7faad1abba47711b1e52be17c028150fe6040a9698e72fbdfa6a036b7b5

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
77KB

MD5
fac97a31dc74f0565e4dad3531e02260

SHA1
b2eb115703eef90c1d502173c51e02fedb65b56a

SHA256
67fc9d8af78f000ce6a0360c2f7cb1c1c9e5f4b9adf36a50761bd9b871386943

SHA512
10753d79873c0faaccb49e518d8a458951a422b408a955b17a7038fbcfa85575a95c89b92eb70359403320148e33d61f4a023c62afb47c2ddf31b544c4715691

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
77KB

MD5
dc5234da36e698af4d6d0a2cede231a7

SHA1
101a6308808c8c45be493ea194fe9e152cfdfd4b

SHA256
3e21dc0fb490a761216733996868ed18791ae1cc14eadded023fe4187f8ac114

SHA512
cd46c85529ba7e020181d933eceb960710e81a9c90126ee7131e3476e45628f3a46b34e44fec81b7bc9adffc50d2ad603de3cb62409d5a07cd68a75855242d2b

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
77KB

MD5
f051b456387743b5a0c1467809114c42

SHA1
7a6812500dafed4c73030f5eedac209766003110

SHA256
4f06ff29e85dc77ebb0ea77a6a336e6b287ecb098a0488470599f413fff17658

SHA512
1baac3f49cae27409c31d735b5e2dce2c7dc0b28754c19203902ba083e5b54a6bc6b010ff6219be6aff2b138a6f54bcee20238a391e55057b057fba4a8d313c0

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
77KB

MD5
6309b63879bfb08db9429ea8c5366689

SHA1
98a5ad801f8b9031a79cfc2866c9104b80cf7922

SHA256
afe7c3c4016d2dd8f9e7c1be91ee0931ce2aa158da9c6b947c4c908f58fdb1e8

SHA512
24e9e3da0c9f8c75819c5cd0234a89b03db9a453290168b8180b2cbfddcb51cb4e6068fe52010274085de0b0085639f6daf3e08f75fd46dabe1ce95d94ea7e6f

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
77KB

MD5
0c9164eba18f47b9a8f445637b575a82

SHA1
2aba53928d66b695264e71c606641b5ab2d39fa8

SHA256
cde5b46adaa4750044da50f3f939dd6697ef33fde40a8e5456cfb2bb4ed1e38f

SHA512
abba612bdc4f6589b05ab0391131a31209ff409f358ec1863201e8326788e23b86831f684c42b02fe9114d075122b12a4aee1d619b983a637c00bbd6c7df5473

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
77KB

MD5
3355e6cfc57cb0221f6be2d3342c66df

SHA1
0d0caa82046fed6996b5ef2a6dda9fb0b8aad3a3

SHA256
6f08b9f269d33351fab62c16fc79c75308fba72e89bb90e2e9080a089207deaf

SHA512
7f6fb82a92b1e2d4a1affd09002db38b0c22c851b36ca6cd22c2c4705494490b7f0ad131581441353ce39148c391d6159000def1375a9e602ff07c11669e8569

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
77KB

MD5
8d3ea4c680993ddbd0171fb1f507847f

SHA1
b5b219dd3ae06bde404ab45640962389d73234a1

SHA256
973096d15436f4f4aefa9a8d822ec12fa2f991da1c73d47ad9275e79e65b8abf

SHA512
8d22f26e1b3af6b26410d943b3a4abdb9313862720c931f8c6af12f2f1bf3b0106113708abd3b4229074aaec0afdb6e1c53f8b25a50e862a4f4914500a2607bd

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
77KB

MD5
66418c80a7abc2c76cef0ecbbc94905a

SHA1
9a548db3bc323a0696a4c94c25837a2e256fb3b0

SHA256
327e6fa81c730fffd47cce4b810d62700a3a7ed12d9e0e2c74d72999c885abac

SHA512
459eca71cd443ac00bb728cbe8fac41aaad3fcaeda3afae67726f89b2669e49522f5069f5459193785954b372dc41564ca354d603358fcc85ea8f42a000c37e0

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
77KB

MD5
eb752dabf3c4cd590e7e51061dc0a339

SHA1
89895885517ddfe13a49a1aba830f4e08f8e2fa2

SHA256
c57bdf4cce6f121edb1b6b952e392ce57dbe8715bd476f3aa7e0f79adfb4ab14

SHA512
cc725fbe8564d60bf9104e03b7f72e12bb9e361abb6ff0e4a3b2ca6ceeace8f1e99467ff1ebeb9017dc87023f31dd87883b273e5f5d5654c5353e12e18a9436a

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
77KB

MD5
5dea35b99270ce1c5bfbae1c5a500f16

SHA1
345b2c02a0369237ffd36a32d0d60a611f2e030d

SHA256
f5dc789f792eec139d10c5ae916eb46325664352208fb05ec6c7d5770c466f9a

SHA512
dbd5fb836ff54a11fb37d4ee8be56d4597822eeaa80457f8d7a2d43f3e499439d99b020c7e1f24c53ec8c574355a7e26d3ad6026192d358316cabeabb153f101

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
77KB

MD5
7766c05bbc4a0afcadaf61b2eb8fa178

SHA1
16613dc6e2d728bf132066f02c655bdef779c546

SHA256
55eb139e36cb76b9c78cfb7c8f1fd59bd0a416525645ab86157f1e94476bedf7

SHA512
e7fbfaee6ffb98b965b5be6727568a40609c6c1b4bd9312bc12fde5d3c84a0da990251c4c1c465572f59be68b8a932014dd06d6fbce86b3c409c6b69c4440097

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
77KB

MD5
c0dd09588888bbbe1339edb7847bee23

SHA1
dceaef8c2ff9c8d5e6255123cb48b57d1eb8ee20

SHA256
2ba9b5f620fb0bda7ed595461ad43f319a4c428f1fa148388f70300827f3cba2

SHA512
6a94ebea671670aee34c5b6016d35033cd97320257b2c8e6e8fb59778e61d81fcc56dbcc771cb17ff125a2a165941e38d3116c786bb5ea6c290bf29b63f8ca6e

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
77KB

MD5
7444be8f6bdef02236bbde41d78353ad

SHA1
cc416c265a5edac2103b30c01d4e8de81f37b839

SHA256
82d4c49bb6b2c0a2cc1673482fd22ada964e2ad2d5efda670b2867fcca552811

SHA512
456938188ef82258feeee7cfc2f8c2195e3e4b24718259fc04430b66d569444342d456f7e01350b6b15a04117aa11126767a06afae5b1e90b889188d06fb2312

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
77KB

MD5
3d1f6c2acf70476b6d3acddffd481bb9

SHA1
da601cffb665d66a9b4160d6a9a8aa65563cd978

SHA256
e21d14958b91c38a284a38b94d4653fb26f214c906ba9cd9fb3ff7a5a83eb363

SHA512
de77ae4686c999fbb4d2780dbc6f098ce76f4cd69c1e22bc04fe92190c26910649af4aec19015d06aa985f973aabd13311e2810b4c0c9a6d8227ba7b49f4aebe

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
77KB

MD5
f596227ac33bfd6064debeb3c6d78a45

SHA1
e049e9fd6226af377d81f7c96e17930e7e100d3d

SHA256
5716f2c5ba81c81c307307a3a0b41bae2d4962064d4a64f25572514815ad1d05

SHA512
d9165fecf3629f2624043e562506acb91979dae164ea57a2503168b79412aa7c4b129603a1545522222cfc3d10c621f8bf17c954ca9d10ea982a9180cff49243

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
77KB

MD5
bfe1226a636c80585d9267ad024b862e

SHA1
7e73086ea56803bd0ef4984c234a86a2c53ed17c

SHA256
78e4af348670baf512506332e41a66ad2852b9f65591036cc96d3c71493ff14f

SHA512
ef7f8fca5b0571af5a6977544caa495ddb65282c74e785e5dd2fb2276bcedda014b45a9e3c2814e4196d3cee49466b356e4f001da60e3accc0b9e32d31df6d61

Download Submit
C:\Windows\SysWOW64\Odoloalf.exe

Filesize
77KB

MD5
d4c25aa43a6962a794ca24bf97e1e19f

SHA1
90ac31fc070d4feada0babb0651086bebcbd5e20

SHA256
13a5dd930bf62c544522ced7b6afa99c5761a89d73f5a1ff35c11ce492cde530

SHA512
377df799f5c6eefbc1b655cf98aeaf769ae58b214472214e6d2a1aa10ebbf9c11c35837454d1489a94645922f2578c8c3456323cfb4257d1f572929d8d50e54c

Download Submit
C:\Windows\SysWOW64\Ohhkjp32.exe

Filesize
77KB

MD5
310778938922bc9d84dea7f566decc6e

SHA1
d7a1f890124b6ed1d9354f7381c4846e69935620

SHA256
afd18810e928381736ca21c94799a77edc276edc5a809b4f1c481b748198b780

SHA512
d0a1305aaa4c488747a88270b4d0a251c23a1c0c7c7853897e5495ba5c1e9f882742459a723c86084db11209f49d23d28333416c678ec4e2a786dbc9ba7a0624

Download Submit
C:\Windows\SysWOW64\Pbnoliap.exe

Filesize
77KB

MD5
f87206aef8a2f7200f6066c78ed1450a

SHA1
b4a53904aad6ad9d32bbf2bb4efbe6e21bc1dc60

SHA256
280a6f9bc0576f5c009b9df73701a820a2c591e9cdaa2634db27d4a4bfe03da9

SHA512
b777a72a4aa9d0423961b49142fe2e3a316a7d5b645215f0597298d5e6e3fb5f59c6d4728cfccb32f41be84f89a033882eacc4db1f32a41b7580670a8cd72079

Download Submit
C:\Windows\SysWOW64\Pdlkiepd.exe

Filesize
77KB

MD5
6e752782eff8d39348b4aa589cee1bca

SHA1
aaa902afb9b7d9465aede288629be37782a7a2ee

SHA256
6b97f3e5e9ab2ca2cd43a2f78c96defce5db58c59ca828845f2ce8fc73f34a2b

SHA512
4112ffdbf38424da17aab791bc03c9be6ac6a32a08693fcd0bc556234b03e99f1d0f0df0e8c3dd99c308e4859e9c498d71c5b746ba7ae6f2ee5b982fab064b0e

Download Submit
C:\Windows\SysWOW64\Pfbelipa.exe

Filesize
77KB

MD5
6e0be02add4a6b7085b080ce97276528

SHA1
7729eb30b155b6387d6d638070bee4415361cc28

SHA256
8ec98925b2caf18bfa02973a15ad1d69e7c49c2585183879a476b69a69343884

SHA512
f3fd8e3fd8ee2715aba5d0af9dce212ca9d29a2451bc86ebb98ad5e18b37ecd7123275cb12b836dca4ade2f8e25f7bb19186c1865bd1e5caaf4b75b084d95234

Download Submit
C:\Windows\SysWOW64\Pfdabino.exe

Filesize
77KB

MD5
7ed1024d193eac36730ec4870eb2561d

SHA1
60d82f0944ee2af09e00df0d89b1bbd94f21f92e

SHA256
488fa6622a983fce04c21331d4192c5d221813a12c4eaf45b4e4e096c65d8ddd

SHA512
6f1440d3487d3360602f26b176709502073491ebcc5e2062ed70a8e595a41c0f721b142fb1a938b6d6b6613f243bfd224af42363ed6b15ae3d03826a8f628cea

Download Submit
C:\Windows\SysWOW64\Pfgngh32.exe

Filesize
77KB

MD5
7bbfc1b58665b449e8485664b5ae395c

SHA1
3ca340e8461a6d25725e1804be4391967faac0e6

SHA256
a09897ff50c0ade209c4baa47fa955d21d34b4064b626d65540af564a052dfab

SHA512
69df0afa979bc653e5d4248a6249538a2f2ca703abc6db82d8c10d821c1c5a1eeea2a79320f5c99b2f93d00b1177c5a9aefe6a8814513009eec9a8de37f2a003

Download Submit
C:\Windows\SysWOW64\Pmccjbaf.exe

Filesize
77KB

MD5
774b398b2743a6f22c59d199fb078dfe

SHA1
1adfe1b5b455fbb0893022882c8af15fa801a846

SHA256
21a0a7006a229e91de635ace898deba472f2d2c8029064f3bff737d238dcdb7d

SHA512
2cd4112f160927ab1ec2fc6dfa2e612b4f762a39320d89d6c0d5263d870a9ff6febef3c5e31c82657a470ededbe7f5401b70e15740bc64db105b32afe0c87af0

Download Submit
C:\Windows\SysWOW64\Pndpajgd.exe

Filesize
77KB

MD5
648ce34d2df91d295741c89d529a0ab6

SHA1
2f1ffd7918233698cc18fccc56ca510880a0bd1a

SHA256
382d3a05bf73a2d360a350c715b8cd8052ec7f79c0ac30ce7333aaef7edf0c40

SHA512
2100d23af1a8e5a8b77aada0976de21ff999dd8981843f831cab9c51fd7ce0952481fe7179c4da86f8d6cdbba1507911deb6c5287c63b07c5569f1ec86a3e549

Download Submit
C:\Windows\SysWOW64\Qbplbi32.exe

Filesize
77KB

MD5
17232432f343c4bad6224fb07e706d75

SHA1
3559ca04407c578f9fdb574616f1ca345d442ed5

SHA256
2c096bc8cebe1291cd0c43239c221564e847eee7ff781caf35f7c5d3e8167a15

SHA512
790914f9e8da373320290c415b6127a09c04c87255dbdb377721f8f6d0224951e758521bebefe014ea96e3441d42305b6c184a9095b69a3024439ba0659021f5

Download Submit
C:\Windows\SysWOW64\Qeaedd32.exe

Filesize
77KB

MD5
2dca5ab5f5ee1c5747af7af62f7d2f20

SHA1
7de56115af55c289066d37bcaf60d16f40ecfa39

SHA256
4b9d0c01a89703a78f0be7075b3ef37781cc5d465efe7ea6becf2778536ab2a6

SHA512
a547697d473fb0a27d2013de4578e51c8d425fa6667d9035c5397652f46267bba8ab277fcdc85235dc787b87803038aeb50cb33b9d09b4b6a2a5470973255bb1

Download Submit
C:\Windows\SysWOW64\Qgmdjp32.exe

Filesize
77KB

MD5
106e512e319bb3e3a691237d4c5d8309

SHA1
258bf00473b9937fff42cf025d1b9112190c9f0c

SHA256
98634aef930a7d9938fee8d605ca614b4dc4a84a3942af2ec8d53b44a971dcc2

SHA512
5309ca4a312944401a16f05f80b80e8993dd662809bb1af3fd56ef1994edf98ba10133490edf32709e6044c9c13739fe32575c2ab877613f06a5af9631f29b12

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
77KB

MD5
03fecb5e8711a3ce479fd15768b9f378

SHA1
238692cd95be6cc9f910f0415ea5962b22eac145

SHA256
52aba4c55927844e4c56472e03d67fa3fe6a72dd86d41feeaf6a8c80c679f57b

SHA512
45f36f3ebc808486acc8e63f6d14f14e0f6b3d3133c5295f69ddf836151e23a810f9991b0d30d435dd49b42b8b1089b5cc218dc997dca80bfdd01fa3bea97062

Download Submit
C:\Windows\SysWOW64\Qkkmqnck.exe

Filesize
77KB

MD5
e18d8bffa6cc7add950402755410ca23

SHA1
2884cd3cef04e9447bdc7dad30002a93e25d018b

SHA256
5336e54c1b913a6fe92f535869eb8297b3b998962751fd54061abcc8df0b73cf

SHA512
5ce6172c4f9f4d94f5fe7442a3a0670c322b1ce57b28b18d59ef0ec399bd2a27371ae7d295e0abca88a6f1edaa591eea7f3b6e8f6281c6ce67dbd82b123a6bd7

Download Submit
C:\Windows\SysWOW64\Qodlkm32.exe

Filesize
77KB

MD5
63fcc9080962c5e5fa39c68e7c4af715

SHA1
4dcfeb6d0115c30ae73f4088ddfb8fb0197af02f

SHA256
5798668ea08c0c094f65d490c571ce6f6284141c60a6a04e19d33762735dbf2a

SHA512
c6e30ab4389e358b16e4a990f1889d09aa8d4f10e3050a5c99082b5d889cd90d04737d34dede19fdca47078f8d4a8321ddbccd3a1fa2827f64174ac573f748c0

Download Submit
\Windows\SysWOW64\Oancnfoe.exe

Filesize
77KB

MD5
d205a1d6c20aa9be42e8bf05c9afdbe9

SHA1
2682aaaef166d6e2bef4364988df5f35ab9ac85c

SHA256
1b83c0f1f1f4cb3e61d55e5f15508d300e82aadd7736c08eb0d6cb97e17e3f8b

SHA512
9b472bde5f6c005a22b5118d708aeab5e82a6539b350c3241a6fbc75b36bdab034fe206f3968cca3d858b86b87c74e5e6a1752ad8636f2c4cab955ca3698a706

Download Submit
\Windows\SysWOW64\Onecbg32.exe

Filesize
77KB

MD5
0eaa28db334b05947d5b73d76a607752

SHA1
2046ceab37001e0ffd876f2e2b22a9f75b4729cc

SHA256
e582a27460134430b85b9ba2dad0c60d99a5e046f7d175850d0fa0e11ee3ce84

SHA512
e5f940b12c09bfdd283d3c5c1afaa569a8135c5d26cfc1ff3d6a4cf9458d64519e9152f9ed488520fa6d7309138eb19fe1d38e80ffb264fb730c91adcec1044f

Download Submit
\Windows\SysWOW64\Pcdipnqn.exe

Filesize
77KB

MD5
a487554e298561c48c66eb5c10a74f49

SHA1
cfdb54613f17bffe5ec29cc5a807412800878627

SHA256
9e5aaabaa013894b3385efc69a206b29961847599ef9e5fb6d50ed7262f9a419

SHA512
a377383028586c0442c09b04745ace161ddb1ad9bd5d3b350475f88516795e69193bbe0b757aa7765b379d02a46bcff454abca5ee5e7a7491048760e08f5fc85

Download Submit
\Windows\SysWOW64\Pcfefmnk.exe

Filesize
77KB

MD5
715ae61dc4c6f13d786eb9d3a4f42e96

SHA1
b3da5e598e7938431be4480b8027302adac4fe4d

SHA256
53b054070260885f93a8bb843d144afc195804083c865275c8e46b328cab9d5e

SHA512
bfc4c3a05fc9f02e689d43a0f81ce2d2a868df8395adc7cfd9a268306637b5434156683bab613e0e245d82394b3f253eb3e33159e018b217702cb77a0f3e7342

Download Submit
\Windows\SysWOW64\Picnndmb.exe

Filesize
77KB

MD5
f3b4929123bdd1649bca6ff2edef1c3c

SHA1
1287d33655504f2befce564eba4e16f9e4962727

SHA256
25608beb145455a394afd2939282a0245f3977bc36ad563d1f34ddbdb9184eb1

SHA512
fed501c5cd0531f83df3566a8a397fea91bce644000e15b3844774add7ae3bf66319f081d0772fda693ec871379d8a9a6351d027c2c95a771b7aaa98fcddb076

Download Submit
\Windows\SysWOW64\Pkidlk32.exe

Filesize
77KB

MD5
fdd8ce0ba77374a91dd5e0c55ddef140

SHA1
4320a26afd5e8a6269ba3ae441f6340cfa8134f2

SHA256
9c5d185afbca1580390dbb9f46f4b7951e4e4c41f6d0b352cd94af4d698d5213

SHA512
80386678f0b4bb4ddf28c5947f114a3c0f6ea7774328ea7cf84898bc3e702da9a9ae1d557e643c14c3a5dce5c938229d71715e4d2f76256310decfd7ef561231

Download Submit
\Windows\SysWOW64\Pmagdbci.exe

Filesize
77KB

MD5
b0f3f211ac859e015adebcb8e87c59d9

SHA1
a0ccf4364409f7df7cbb5530f004f74c80da5e16

SHA256
2d78aa3eae6983f714f5633cb72a8a9df25285269cc93821fb381985c2e643ed

SHA512
c44b1e1a6f807d5a8b618523065e2f5aa34b330408b2059db0574e83a1e04aaffcd75a3f84a71d8c884ae366052dfe9d3d9250223ca533ab26aec255b5f7ccaa

Download Submit
\Windows\SysWOW64\Pmlmic32.exe

Filesize
77KB

MD5
21549e868ccf7bf222d892741dbcb97b

SHA1
ab45f37e3dc0e80bcbe527925c9172063b2fd96b

SHA256
68b2c6adfd7b9672641677ec2374983340a17e890eb64da3b3a36eafee29b2cb

SHA512
84e9cbbc70ed7d0b0fa532e9eb9fd5102b9005d549c7e26e7e185774a1860cf96e26996a16f45c8aedb6e3766791f9f73c253d741f8212f7a6c0e2ee18dc7709

Download Submit
\Windows\SysWOW64\Pngphgbf.exe

Filesize
77KB

MD5
819a3c38b87710f0c9fe734e71fb7b00

SHA1
929f8ab8517e80cc5817b51d9aba2ec3c7266958

SHA256
4e9c84b8da8b5b3bcfb88a86d28ca45bcadc13b0cd0b90ada42d7cd17753a64d

SHA512
ef2e30dd8e8344b60162d6db4e06493c3a9848949dec79c444637287dd332bf2c3be22c80f530226fef5b0f369d0391787ba0673516b0b10c8e69be9a8f21a2d

Download Submit
\Windows\SysWOW64\Pqjfoa32.exe

Filesize
77KB

MD5
4881e8973527823275571b80b290b8dd

SHA1
fffb66d5286d4328295673bdd7216a28af21b33c

SHA256
950a5a7db572687605ad1f2155c5c53362628aa484320961a8cf978efa13e995

SHA512
633725cb605037d170643773b2f7b5e423205d4be9e77b43f91fce2cee17b10dc8de30da1c136b5a011b6aade0c03761d5dc95cea407e1e4e17a10d062a7a445

Download Submit
memory/284-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/284-221-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/320-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/320-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/684-266-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/684-262-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/684-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/752-475-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/784-319-0x0000000001F30000-0x0000000001F70000-memory.dmp

Filesize
256KB

Download
memory/784-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/876-288-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/876-284-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/876-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1036-167-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1036-474-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1276-185-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1276-484-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1276-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1288-277-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1288-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1288-273-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1320-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1328-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1328-254-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1328-255-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1472-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1472-87-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/1472-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1476-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1476-370-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1556-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1556-231-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1592-326-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1592-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1592-330-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1616-517-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1616-511-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1716-298-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1716-297-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1848-434-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1848-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1856-518-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1936-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2064-383-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2064-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2088-114-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2088-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2088-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2108-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-385-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2148-445-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2224-470-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2284-244-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2284-242-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2340-489-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2340-494-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2340-495-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2372-159-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2372-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2436-456-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2460-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2460-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-496-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-509-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2500-512-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2564-308-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2564-309-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2564-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2620-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2644-366-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2644-361-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2644-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-61-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2676-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2708-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-340-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2716-336-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2772-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2796-435-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2856-33-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2856-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2856-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2856-369-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2880-17-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2880-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2960-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2972-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2972-140-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2972-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2972-455-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/3036-516-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3036-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3036-194-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads