berbew | 0109424d6eb034d5e7601651ff4c5b2cb634caf618e326d8706271c98a2ad118

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0109424d6eb034d5e7601651ff4c5b2cb634caf618e326d8706271c98a2ad118.exe
Size

128KB
MD5

ce1db8844acbf2b2f6d34214c9d01a02
SHA1

6d9ecb22a3895c028bfa6a4dc7ed9cd6e810a3ae
SHA256

0109424d6eb034d5e7601651ff4c5b2cb634caf618e326d8706271c98a2ad118
SHA512

a4ac1266f48ccae505cd260209cdbfbe7fb246e3eb5e6f46363046e006a6cd311d6c7db64cab2c4e5f7bbb4a3aa64d615236b061c872c5bbecbaaf762d1bacdd
SSDEEP

3072:6lqqIeREFGrKeqlj9pui6yYPaI7DehizrVtN:6Qz42pui6yYPaIGc

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0109424d6eb034d5e7601651ff4c5b2cb634caf618e326d8706271c98a2ad118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poapfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcibkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmojocel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piekcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeenochi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmojocel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcibkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqccfed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pihgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiladcdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aganeoip.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 60 IoCs

pid	Process
2892	Pokieo32.exe
2752	Pfdabino.exe
2660	Pmojocel.exe
2084	Pcibkm32.exe
1268	Piekcd32.exe
572	Poocpnbm.exe
2100	Pfikmh32.exe
2936	Pihgic32.exe
2604	Poapfn32.exe
2924	Qflhbhgg.exe
2996	Qijdocfj.exe
3056	Qkhpkoen.exe
2488	Qqeicede.exe
2476	Qiladcdh.exe
2188	Aniimjbo.exe
1340	Aaheie32.exe
3064	Aganeoip.exe
1208	Ajpjakhc.exe
1044	Anlfbi32.exe
1784	Aeenochi.exe
764	Afgkfl32.exe
2568	Annbhi32.exe
2428	Amqccfed.exe
848	Apoooa32.exe
1040	Agfgqo32.exe
1596	Aigchgkh.exe
2688	Aaolidlk.exe
536	Abphal32.exe
1496	Ajgpbj32.exe
1608	Apdhjq32.exe
2564	Aeqabgoj.exe
2952	Bmhideol.exe
2840	Bpfeppop.exe
1740	Biojif32.exe
1260	Bhajdblk.exe
1452	Bnkbam32.exe
2504	Bbgnak32.exe
2588	Blobjaba.exe
1652	Bjbcfn32.exe
444	Bbikgk32.exe
1380	Blaopqpo.exe
1664	Boplllob.exe
2216	Baohhgnf.exe
3060	Bdmddc32.exe
1680	Bfkpqn32.exe
2392	Bobhal32.exe
2912	Bmeimhdj.exe
2668	Cpceidcn.exe
2620	Chkmkacq.exe
1156	Ckiigmcd.exe
2060	Cmgechbh.exe
2408	Cpfaocal.exe
1300	Cdanpb32.exe
2520	Cbdnko32.exe
2044	Cgpjlnhh.exe
2192	Cinfhigl.exe
2440	Cmjbhh32.exe
1940	Cddjebgb.exe
1316	Cbgjqo32.exe
1760	Ceegmj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2756	0109424d6eb034d5e7601651ff4c5b2cb634caf618e326d8706271c98a2ad118.exe
2756	0109424d6eb034d5e7601651ff4c5b2cb634caf618e326d8706271c98a2ad118.exe
2892	Pokieo32.exe
2892	Pokieo32.exe
2752	Pfdabino.exe
2752	Pfdabino.exe
2660	Pmojocel.exe
2660	Pmojocel.exe
2084	Pcibkm32.exe
2084	Pcibkm32.exe
1268	Piekcd32.exe
1268	Piekcd32.exe
572	Poocpnbm.exe
572	Poocpnbm.exe
2100	Pfikmh32.exe
2100	Pfikmh32.exe
2936	Pihgic32.exe
2936	Pihgic32.exe
2604	Poapfn32.exe
2604	Poapfn32.exe
2924	Qflhbhgg.exe
2924	Qflhbhgg.exe
2996	Qijdocfj.exe
2996	Qijdocfj.exe
3056	Qkhpkoen.exe
3056	Qkhpkoen.exe
2488	Qqeicede.exe
2488	Qqeicede.exe
2476	Qiladcdh.exe
2476	Qiladcdh.exe
2188	Aniimjbo.exe
2188	Aniimjbo.exe
1340	Aaheie32.exe
1340	Aaheie32.exe
3064	Aganeoip.exe
3064	Aganeoip.exe
1208	Ajpjakhc.exe
1208	Ajpjakhc.exe
1044	Anlfbi32.exe
1044	Anlfbi32.exe
1784	Aeenochi.exe
1784	Aeenochi.exe
764	Afgkfl32.exe
764	Afgkfl32.exe
2568	Annbhi32.exe
2568	Annbhi32.exe
2428	Amqccfed.exe
2428	Amqccfed.exe
848	Apoooa32.exe
848	Apoooa32.exe
1040	Agfgqo32.exe
1040	Agfgqo32.exe
1596	Aigchgkh.exe
1596	Aigchgkh.exe
2688	Aaolidlk.exe
2688	Aaolidlk.exe
536	Abphal32.exe
536	Abphal32.exe
1496	Ajgpbj32.exe
1496	Ajgpbj32.exe
1608	Apdhjq32.exe
1608	Apdhjq32.exe
2564	Aeqabgoj.exe
2564	Aeqabgoj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dhbkakib.dll	Pokieo32.exe
File created	C:\Windows\SysWOW64\Hepiihgc.dll	Pfikmh32.exe
File opened for modification	C:\Windows\SysWOW64\Aganeoip.exe	Aaheie32.exe
File created	C:\Windows\SysWOW64\Aeenochi.exe	Anlfbi32.exe
File opened for modification	C:\Windows\SysWOW64\Aeenochi.exe	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Abphal32.exe	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Pokieo32.exe	0109424d6eb034d5e7601651ff4c5b2cb634caf618e326d8706271c98a2ad118.exe
File created	C:\Windows\SysWOW64\Poocpnbm.exe	Piekcd32.exe
File created	C:\Windows\SysWOW64\Lbbjgn32.dll	Pihgic32.exe
File created	C:\Windows\SysWOW64\Qqeicede.exe	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Hpggbq32.dll	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Hqlhpf32.dll	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Bbikgk32.exe	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Cbdnko32.exe	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Ncmdic32.dll	Qflhbhgg.exe
File opened for modification	C:\Windows\SysWOW64\Qijdocfj.exe	Qflhbhgg.exe
File opened for modification	C:\Windows\SysWOW64\Afgkfl32.exe	Aeenochi.exe
File created	C:\Windows\SysWOW64\Amqccfed.exe	Annbhi32.exe
File created	C:\Windows\SysWOW64\Aaolidlk.exe	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Ajgpbj32.exe	Abphal32.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Cophek32.dll	Aeenochi.exe
File created	C:\Windows\SysWOW64\Bmnbjfam.dll	Abphal32.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Boplllob.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Cdanpb32.exe	Cpfaocal.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Ckiigmcd.exe
File opened for modification	C:\Windows\SysWOW64\Pmojocel.exe	Pfdabino.exe
File created	C:\Windows\SysWOW64\Adagkoae.dll	Pfdabino.exe
File created	C:\Windows\SysWOW64\Plnfdigq.dll	Poapfn32.exe
File created	C:\Windows\SysWOW64\Qkhpkoen.exe	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Fpbche32.dll	Qqeicede.exe
File created	C:\Windows\SysWOW64\Apoooa32.exe	Amqccfed.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cbdnko32.exe
File opened for modification	C:\Windows\SysWOW64\Cbgjqo32.exe	Cddjebgb.exe
File opened for modification	C:\Windows\SysWOW64\Pfdabino.exe	Pokieo32.exe
File created	C:\Windows\SysWOW64\Pcibkm32.exe	Pmojocel.exe
File created	C:\Windows\SysWOW64\Imjcfnhk.dll	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Hkhfgj32.dll	Aganeoip.exe
File created	C:\Windows\SysWOW64\Jbdipkfe.dll	Afgkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Pihgic32.exe	Pfikmh32.exe
File opened for modification	C:\Windows\SysWOW64\Apdhjq32.exe	Ajgpbj32.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Cbgjqo32.exe	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Anlfbi32.exe	Ajpjakhc.exe
File opened for modification	C:\Windows\SysWOW64\Aaolidlk.exe	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Bdmddc32.exe	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bfkpqn32.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Cifmcd32.dll	Biojif32.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Cddjebgb.exe	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cbgjqo32.exe
File opened for modification	C:\Windows\SysWOW64\Qqeicede.exe	Qkhpkoen.exe
File opened for modification	C:\Windows\SysWOW64\Bnkbam32.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Dqcngnae.dll	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Ckpfcfnm.dll	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Bhdmagqq.dll	Cmjbhh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2424	1760	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aniimjbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaolidlk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgpjlnhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokieo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfikmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qflhbhgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aigchgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdabino.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmjbhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cddjebgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmojocel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afgkfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeqabgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdanpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbgjqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poocpnbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajgpbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcibkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeenochi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poapfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anlfbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aganeoip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apoooa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apdhjq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biojif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0109424d6eb034d5e7601651ff4c5b2cb634caf618e326d8706271c98a2ad118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiladcdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdnko32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llaemaih.dll"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenhpdh.dll"	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdblnn32.dll"	Amqccfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepiihgc.dll"	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodmbemj.dll"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Poapfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	0109424d6eb034d5e7601651ff4c5b2cb634caf618e326d8706271c98a2ad118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojofhjd.dll"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbkakib.dll"	Pokieo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnbjfam.dll"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Biojif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Poocpnbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pihgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naaffn32.dll"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpggbq32.dll"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njelgo32.dll"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfobiqka.dll"	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mblnbcjf.dll"	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0109424d6eb034d5e7601651ff4c5b2cb634caf618e326d8706271c98a2ad118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpifm32.dll"	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbgjqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfikmh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2892	2756	0109424d6eb034d5e7601651ff4c5b2cb634caf618e326d8706271c98a2ad118.exe	30
PID 2756 wrote to memory of 2892	2756	0109424d6eb034d5e7601651ff4c5b2cb634caf618e326d8706271c98a2ad118.exe	30
PID 2756 wrote to memory of 2892	2756	0109424d6eb034d5e7601651ff4c5b2cb634caf618e326d8706271c98a2ad118.exe	30
PID 2756 wrote to memory of 2892	2756	0109424d6eb034d5e7601651ff4c5b2cb634caf618e326d8706271c98a2ad118.exe	30
PID 2892 wrote to memory of 2752	2892	Pokieo32.exe	31
PID 2892 wrote to memory of 2752	2892	Pokieo32.exe	31
PID 2892 wrote to memory of 2752	2892	Pokieo32.exe	31
PID 2892 wrote to memory of 2752	2892	Pokieo32.exe	31
PID 2752 wrote to memory of 2660	2752	Pfdabino.exe	32
PID 2752 wrote to memory of 2660	2752	Pfdabino.exe	32
PID 2752 wrote to memory of 2660	2752	Pfdabino.exe	32
PID 2752 wrote to memory of 2660	2752	Pfdabino.exe	32
PID 2660 wrote to memory of 2084	2660	Pmojocel.exe	33
PID 2660 wrote to memory of 2084	2660	Pmojocel.exe	33
PID 2660 wrote to memory of 2084	2660	Pmojocel.exe	33
PID 2660 wrote to memory of 2084	2660	Pmojocel.exe	33
PID 2084 wrote to memory of 1268	2084	Pcibkm32.exe	34
PID 2084 wrote to memory of 1268	2084	Pcibkm32.exe	34
PID 2084 wrote to memory of 1268	2084	Pcibkm32.exe	34
PID 2084 wrote to memory of 1268	2084	Pcibkm32.exe	34
PID 1268 wrote to memory of 572	1268	Piekcd32.exe	35
PID 1268 wrote to memory of 572	1268	Piekcd32.exe	35
PID 1268 wrote to memory of 572	1268	Piekcd32.exe	35
PID 1268 wrote to memory of 572	1268	Piekcd32.exe	35
PID 572 wrote to memory of 2100	572	Poocpnbm.exe	36
PID 572 wrote to memory of 2100	572	Poocpnbm.exe	36
PID 572 wrote to memory of 2100	572	Poocpnbm.exe	36
PID 572 wrote to memory of 2100	572	Poocpnbm.exe	36
PID 2100 wrote to memory of 2936	2100	Pfikmh32.exe	37
PID 2100 wrote to memory of 2936	2100	Pfikmh32.exe	37
PID 2100 wrote to memory of 2936	2100	Pfikmh32.exe	37
PID 2100 wrote to memory of 2936	2100	Pfikmh32.exe	37
PID 2936 wrote to memory of 2604	2936	Pihgic32.exe	38
PID 2936 wrote to memory of 2604	2936	Pihgic32.exe	38
PID 2936 wrote to memory of 2604	2936	Pihgic32.exe	38
PID 2936 wrote to memory of 2604	2936	Pihgic32.exe	38
PID 2604 wrote to memory of 2924	2604	Poapfn32.exe	39
PID 2604 wrote to memory of 2924	2604	Poapfn32.exe	39
PID 2604 wrote to memory of 2924	2604	Poapfn32.exe	39
PID 2604 wrote to memory of 2924	2604	Poapfn32.exe	39
PID 2924 wrote to memory of 2996	2924	Qflhbhgg.exe	40
PID 2924 wrote to memory of 2996	2924	Qflhbhgg.exe	40
PID 2924 wrote to memory of 2996	2924	Qflhbhgg.exe	40
PID 2924 wrote to memory of 2996	2924	Qflhbhgg.exe	40
PID 2996 wrote to memory of 3056	2996	Qijdocfj.exe	41
PID 2996 wrote to memory of 3056	2996	Qijdocfj.exe	41
PID 2996 wrote to memory of 3056	2996	Qijdocfj.exe	41
PID 2996 wrote to memory of 3056	2996	Qijdocfj.exe	41
PID 3056 wrote to memory of 2488	3056	Qkhpkoen.exe	42
PID 3056 wrote to memory of 2488	3056	Qkhpkoen.exe	42
PID 3056 wrote to memory of 2488	3056	Qkhpkoen.exe	42
PID 3056 wrote to memory of 2488	3056	Qkhpkoen.exe	42
PID 2488 wrote to memory of 2476	2488	Qqeicede.exe	43
PID 2488 wrote to memory of 2476	2488	Qqeicede.exe	43
PID 2488 wrote to memory of 2476	2488	Qqeicede.exe	43
PID 2488 wrote to memory of 2476	2488	Qqeicede.exe	43
PID 2476 wrote to memory of 2188	2476	Qiladcdh.exe	44
PID 2476 wrote to memory of 2188	2476	Qiladcdh.exe	44
PID 2476 wrote to memory of 2188	2476	Qiladcdh.exe	44
PID 2476 wrote to memory of 2188	2476	Qiladcdh.exe	44
PID 2188 wrote to memory of 1340	2188	Aniimjbo.exe	45
PID 2188 wrote to memory of 1340	2188	Aniimjbo.exe	45
PID 2188 wrote to memory of 1340	2188	Aniimjbo.exe	45
PID 2188 wrote to memory of 1340	2188	Aniimjbo.exe	45

C:\Users\Admin\AppData\Local\Temp\0109424d6eb034d5e7601651ff4c5b2cb634caf618e326d8706271c98a2ad118.exe
"C:\Users\Admin\AppData\Local\Temp\0109424d6eb034d5e7601651ff4c5b2cb634caf618e326d8706271c98a2ad118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\Pokieo32.exe
  C:\Windows\system32\Pokieo32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\Pfdabino.exe
    C:\Windows\system32\Pfdabino.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\Pmojocel.exe
      C:\Windows\system32\Pmojocel.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\Pcibkm32.exe
        
        C:\Windows\system32\Pcibkm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2084
      - C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Poocpnbm.exe
        
        C:\Windows\system32\Poocpnbm.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\Pfikmh32.exe
        
        C:\Windows\system32\Pfikmh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Poapfn32.exe
        
        C:\Windows\system32\Poapfn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Qflhbhgg.exe
        
        C:\Windows\system32\Qflhbhgg.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Qiladcdh.exe
        
        C:\Windows\system32\Qiladcdh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Aniimjbo.exe
        
        C:\Windows\system32\Aniimjbo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\Anlfbi32.exe
        
        C:\Windows\system32\Anlfbi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Aeenochi.exe
        
        C:\Windows\system32\Aeenochi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Ajgpbj32.exe
        
        C:\Windows\system32\Ajgpbj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Cdanpb32.exe
        
        C:\Windows\system32\Cdanpb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Cbdnko32.exe
        
        C:\Windows\system32\Cbdnko32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Cgpjlnhh.exe
        
        C:\Windows\system32\Cgpjlnhh.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Cmjbhh32.exe
        
        C:\Windows\system32\Cmjbhh32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\Cddjebgb.exe
        
        C:\Windows\system32\Cddjebgb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Cbgjqo32.exe
        
        C:\Windows\system32\Cbgjqo32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 140
        62⤵
        Program crash
        
        PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaolidlk.exe

Filesize
128KB

MD5
888b3a3d7bfd16aafc802c30f04c64bf

SHA1
4a08e8449b280025ab824e72b409d2a66f4180df

SHA256
6c3471fe10c0f73b0fa1cdeb90e74c97e9d336ebafbfd4cda6389d07e61fb1ec

SHA512
a2ec2d4937cba9c61696f81a8380a7aa77d6b00a4998371edd6d55adc72e4455a9fd368dfb165ae4cd3b8c3f94e53efe12aedaa5974504b87164923f46b5e8e9

Download Submit
C:\Windows\SysWOW64\Abphal32.exe

Filesize
128KB

MD5
910a15c18f548ddff5c5495a8a51642e

SHA1
0d467886a76d80cfb90cf80ce8d3d497879bc83f

SHA256
7383e08a6e81015afc95811d8058b2cf7f784771b570110dc362f40d9939270c

SHA512
8c1acbaf1dc31cf7b037b2512350f5ff87a6b6b434331a55e111e168ebca24dd61bdab6d329800685ce573ae3d6eea5b9bfdf4e0d077d4de5c8cc42df590cfc1

Download Submit
C:\Windows\SysWOW64\Aeenochi.exe

Filesize
128KB

MD5
1a85a06a9b09b1e83bba15b16896401d

SHA1
45eb91a827d6369d58689d75bc884af71a4a35cc

SHA256
92699813f3307aa412e9c716f6c57d1d980f6c91407309531870ebc57f4a7577

SHA512
8be7e3f402629896422bc4f3ab5cbefb3fe1d8cb8bd5e33979ebee47e0e957e8722895938a0255e700d99a61fdd1b5377333176d5a36d1a16361ed5cbf458a1d

Download Submit
C:\Windows\SysWOW64\Aeqabgoj.exe

Filesize
128KB

MD5
bf0962b0a33831b0ca008a0f3712b019

SHA1
5d6925e648a3893c90de54eb5f9e455fc6ca2303

SHA256
0f66a2f871f90c5a80593441a98ef252cfe2c31a2d8205a8a4deac7b79434bb5

SHA512
bb2b89d657adca4d7d0ee5dbb7c6fea6ff186738805827f9e7eedbdb274ecfd45a8d88614a11b9f20451e8c78fdda2cd39148233a40898a2d8d8af2fa4544f95

Download Submit
C:\Windows\SysWOW64\Afgkfl32.exe

Filesize
128KB

MD5
041b2791363e20d9e7cafdad83dfcbb6

SHA1
a8001a5940a92e782967c62c8fd349d613bf570b

SHA256
1ac3d4449557ec99f30135a948ca7f49324526796ac26ae5b9996a7f3ff9a525

SHA512
e56f1b587f4b55eb6f08dd2d00ca661bfa8c871f4d50f7ec260ed29058321f6a01180f1335cab6e016e10e4756478f42a5e314107f3c6a80ae47eab22a0d43f0

Download Submit
C:\Windows\SysWOW64\Aganeoip.exe

Filesize
128KB

MD5
ad35cb963224b7aa3f715c8b56e8ed07

SHA1
705606b5003f60411756d52d9c66cc3b8cacff90

SHA256
eb083d2948d7c8a1b625bf5453ab32a78146cd23aca03b04583f1c07160459f2

SHA512
6b34007ce5803346918b39c668a9eeba007974e783f54f56cb6c92fb27022111a09991d6a6897ef24b338ec5275c6ac66e33f6da60d3d809afeffa7b28fbcd7b

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
128KB

MD5
a25b8ce2db4dbf8fbd4667f922eafb6f

SHA1
985788a1737da9029c58a8f79b7f65fdff10ec3e

SHA256
b10a4c25ed8d32173b92218a860071baec09a52b7f7b2fea666f5f9cc8a0a6e3

SHA512
a7cc3457ef418440375dee43ea9b813711fd5829c27a0a8121b3ecb0f10d562fcdba081be2d8d1be4cf67c93f0c230d0f79016c8ae8458c09bb35733700c87f5

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
128KB

MD5
bc3bc07999104efcc5ec1c333d7d27d7

SHA1
445c1b164458b1e00ccebe1027772614e3de93d7

SHA256
aea1ae8d3b932b3fcafb4bf4c69aed8dd9c5dd20f6d8d2619f33bc3ba061ecf9

SHA512
cf7b9568614b91e95c4d202acb110595a59d9d930eb4a96cd5e96419088edbbc85158abadeb668a724194a52360a5a4bcdbd3255fc017db0479f5a52eb7cd9a9

Download Submit
C:\Windows\SysWOW64\Ajgpbj32.exe

Filesize
128KB

MD5
e399ba6395859d3628f87657b543fc98

SHA1
1418a0b35f9e5a63c36f4e5a6e9a77418a4be5be

SHA256
87cc5361ff69fe23414831f78d15d3fc3373048ca57287492db6976e2b026ed6

SHA512
8f41693ab2ed1acc008e05f091ba6ad406f44c5ff67e073b3958a3a862bc3c56a3923f8b09b51d9618df055ac81b22c1c7fef075715a2264073020564a18dbc6

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
128KB

MD5
aed9e119064030360dee22d96cc216f0

SHA1
335c4686e0ea5749de0235f3d111396c1f528eee

SHA256
471d1962b7030aa0bc78836e054b7e06d510502fbd7884988afb8699277b69fc

SHA512
83d701d53e3d04dc89c473bef45344297d9313363c9cfc7461b2692c1becd9244b49c52194fb00d67913ce21616e5502fe6072aeb723a6d5a3ffc0c71b7a90f2

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
128KB

MD5
bcdb27ff070ab91fb70e37f890e7ea19

SHA1
21c630e3bcdd7d1f6136116a4d671f1486803dc8

SHA256
7d5854853ab1dba8b503f6e26a6e4e90b778205c3db550286284af49e204c693

SHA512
14b7094b5a85ae4df50160d248d35fc27ebc1fcb1158c47f79cf8e28dd0787b78667009da9cf12f2ed216ae754b73da79b8140e75e221ee6e8eefd8be6f95419

Download Submit
C:\Windows\SysWOW64\Anlfbi32.exe

Filesize
128KB

MD5
48b9a4e3a01534175ec980a1fd932ea7

SHA1
90001d5a78e0aec3ca16e7340467fb0818e2443f

SHA256
d6f400aa6adae0e02bbcfd71d7cecf21e873b8b8c2d279e0e77335351d3d3161

SHA512
a3cb60fe7716e7f4f1b1f7258d8a138110d3fa53da6792339c40ddfc42c475b9e04dda7c32b9591f57c60ff2fd1a50b90c62362b33af28fe59951e7ceaf718c1

Download Submit
C:\Windows\SysWOW64\Annbhi32.exe

Filesize
128KB

MD5
84c575a3e81839c3abfe59bf433dc869

SHA1
e03229563787517dc3e9b1b79e60149824988e0c

SHA256
c0faef522fe6b833a76a82aad29f95bd465057e14a7a352147425b80e22fd505

SHA512
ebf097fee902df67f67df7ec5bdd68e5c6e9931b51e3bac2258f6fd44bd6c50c1ac4e71622c454fffa20e93b0b74b31ea17b0dc798e800c09e49abfe3d8bb81c

Download Submit
C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
128KB

MD5
477eb0079525373cab78a31ae97a1f73

SHA1
bb3ccd2842e4dede10dce8e96692348cc52f2831

SHA256
ada52abe69f6cbee92f35859003bd3177e3843a366aa7aaf380168d5e5d3a651

SHA512
dfe78adb46d564c4ff958ab2c0e3b45ea6ac36fc9607da76ec3d3469997a2c60f59ab12fcbe8816432dd42e9c64033cadc7b8005741fb5af1e1122e7dd684deb

Download Submit
C:\Windows\SysWOW64\Apoooa32.exe

Filesize
128KB

MD5
cbde087abc301753c74d5505c71d2213

SHA1
d30ba1257dc4400be03acae77486e3ad0ab9c3dd

SHA256
c023e7a559fbc6bc8f75df7cdac58cc095253ce9f39013fba3d4d9c070ae7a83

SHA512
4a142a6b6883e63125ed13678101d2e9643b8da428e4dbfba05621faf2334120497f27b31e605b9030ef929424b04f48ae3f3bec71d8ee8ed2c868b5bb8431f4

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
128KB

MD5
26eb335a2e23f3d16459b60a0ee1a7b2

SHA1
f053c15271eeb81fbe92ad6344e74c7e96a88381

SHA256
a7937c3891e9ad69894f21feb02dc0c6ad19346b4b39b55e19b509eafa247006

SHA512
a4fa195fcd49879a77596925111c26fccd4895ca8dd265cc806ff1de5117b28a3949cca4954d5a3f735721cac75c689e4e3601668e498fbd3c6c2c5b0a334a11

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
128KB

MD5
520d0147c729b19ec270b8800fd725c1

SHA1
25dbb1ad0007a16089bf418ab9737b83308699a4

SHA256
da6e7d3063fe087c07c2d951df96110d20b10e2c03197ed814550055eb6fe30a

SHA512
e579dd86932fbfc6d6d45c6ded62e24799171d9ac7a5e742b454b5039f11e7c7c4501b25465035a178529cc19be29bc9a1df84835f69363c3a1bee44c166bff1

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
128KB

MD5
76925b765a57f4478b2d5b758da7f112

SHA1
63a35369a95204751477ef249cf7146ff3fdbd3e

SHA256
0cb3a1ab67c51b71169a75a4e4fe5ee1464909bc5fb2bbf4054d07c939d23a04

SHA512
d22f6f8137eb63dc5b81221722a1dda63bb5eb6048055c3fa0d7bfffc41d5c3f9e6aca93581b1827ac3eb8c53ce25d80b2a45098c75399a81ac16ea83f15d561

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
128KB

MD5
1d47276a1de2acabb25837cad6e995f8

SHA1
20784d360c8e7bee72a9abd03c53a069444aa874

SHA256
93674f6a6bdce47303ee22e419e8484e79b85c77f28040d53e2b6043c8609137

SHA512
fe337e6d9e39417cb8f8db31cd5c730341e53b1d20d66724f7da2257e727ad6bff272986edb8b17697213b97823e5f24f1e04dd35a304e0b6a81a0f4faf8afef

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
128KB

MD5
c3183ec38e07f7d1ccc4ec161d4ce653

SHA1
9ca0d5664736ff0ea5d3139c3bf852d3c1d8efec

SHA256
e854f09dc14a635ca485cdf07fcf06a5cbf863ff0313a93e63f2e9ba6c286363

SHA512
2252567cf32ed595cb1db89c4faa6469cdbaaf3dc1910aea2eb517ac9b87f58bdd02abf164b0e6cf031b4d64ef657d4e4f5b9ae47f33e23fd7b957059e733de5

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
128KB

MD5
42fd3652ff3b98ed14a532cb305c173a

SHA1
519f5eae3903618655a813a1e90d51d543250635

SHA256
f0b53e62dea9ca0988b8625520e02ffc4279603fb8ea8763586ee426aa7e5c07

SHA512
bf26e766ed0346683d917bbd95ae1e3293353bb20cce6d1a2c3c37eea4308e6b7c35f0fe5d3da7bf78e875137860fca5b342d28c90e8585d264451af6c351ceb

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
128KB

MD5
36590a9286130e9a5b5587ca7d8cc89d

SHA1
1385d8ff1042a9fb566e9ecbaade81d9f40dd7b0

SHA256
a0e0dc33f7eeec169a35e8693f551170e528702b81a656ecdd65cbe60c9de2f0

SHA512
41956fdb6c60bce0384728c046098df1e6300a9a043a3fedfde9b6b82650c09b656db9a7066a4e48cdbb25602d7e211d68bbaf0e962a385d5669d42db3c12531

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
128KB

MD5
fb0d29dd49dcf7feb3c4b70e60dc3261

SHA1
f25d9a35bafba933c16d3073b165737af722ea52

SHA256
71c6f15f9098b91b1a1d3a479a6a051c6282776fb38a733938d2822f79a61f52

SHA512
338998afccbf909719f211bb29f6ce1b6231260e4adf71c5623efd932f64bc5e597052d8f3aaaccb390cdd00a29c7f4569fecdcd614749436581943bba4829a9

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
128KB

MD5
faec3b60c57a1153aab1a55b8de7d0a2

SHA1
ef929a4234daff0d589c83fea171d5a5331f6c67

SHA256
77ac19785127f4b349960758869fe41360e36c124373473c2d6720554fd814d7

SHA512
04479e6f7052061d2dd248e610b1bebfd5739e900ee18c77bd8b5f820bb3842cc2a94b7d86bbd495ade9bb8cd03ba5159705c6574f658fad415b3f9b9c908b53

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
128KB

MD5
73a570d630f2643d3c1d1155689fdfd3

SHA1
c116ce86de911da8f0d8094e3a05b2bae5fd959f

SHA256
1dd3da2142342fd63a7d8a036151b164a5ccaf0ebc649756a957c74fed10dc46

SHA512
b45c5fd70fce9c08e0b7a8f6ef01faface6cffb4987cf759d00cb30640c85ac81fa590687c7c75d499415c8515537ed42b685c8b6d1199c1580fa76f440abcb8

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
128KB

MD5
1b955d38334692727626f0e800162f27

SHA1
ae2579cc86eb88fa0b24019b1b7d0bcdab1629ad

SHA256
619e5563acc8db21e217a398a1a48a884d96764b5b276ce5e78bbc0373aa054b

SHA512
e00ebff22a017b529a697ce45230d8ab5e129dac35231c212c85532f9ec2166f38edaa1d8b8c7f87c07a82fee05798c42e6f8bd4e61611507e2c4eb8ddaa10a4

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
128KB

MD5
b7acf0d9418991d9fb6e8a94069841c5

SHA1
2047f3d290cbed93ecd46ee69ef750d30f41ed7e

SHA256
246536972e97a98725b070483cf8114ff2683253416f57e92aec53a65972d284

SHA512
ef1ea3b2408dcb8216a476e98c96050c9031f37533047e5b5dad3a7e8036a445a258f79d9d6478aa507ce121a134ed16f2a495a2f284beb933096407f81fa35c

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
128KB

MD5
80b107417c1a011b64ff9d35a2e99de4

SHA1
6a09246ced301a9b24c659c573debe1f6616d292

SHA256
aa774a3e2fac00a686232c36f9dd5c07eb99515f5b25242c97b88969a836d7f9

SHA512
45915a1986310ba314c4c431ba85705e2c8be02e3b2019fc43063bb9b9103e9eb3c281865bbab17a1dadbbbe32cff5cd058cfbf20134aace13c38c926f8dee51

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
128KB

MD5
eaeeaa554c5e94ae1d78c1c2dfb800f8

SHA1
19796e0587abd0a7a372ecef5038abfbaf22f398

SHA256
47f9e928792806de7babf8554c755569045314b63f38e27252091b3a100cd760

SHA512
4afc5ef882247f6c2fc8c921615c7bb9ed1e7ffaae0b0c1dfb86b442ac9a6e82d86ed138c43edfb961ea5cbe2b0acfb8ad70221324a45d9074ffb198efd9e7ef

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
128KB

MD5
aad663fb345353443b6a3ce9ba57fd3e

SHA1
22ba69d732b66d485d1cd8e0ced58ef2d5ac0e75

SHA256
cf88b095d560f77e33b170510fa7dcdb76134522c1622eb66d2bbc5393bbd3a3

SHA512
7ad34e01147bb50c36d3a87873a477513d087d98a6f5664e878f90c7f5be8cead912f4d48bd6210c89efd79228a67fdfa45cf7a92bd5e286f39073b99d28ab38

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
128KB

MD5
12e08e1864ca6f886b0552fc8803b0ae

SHA1
86b5621798722b89aeeb8d13919f2e32995e4246

SHA256
74d16c36f8d702f6529b81214651bfd16bec020f8ef83c83fa900e26defe0e31

SHA512
8bcb00061e151ab4b0969b2882e6d5b8cf8f7bc85ca2dbbe10e8aaeef87ac711cbd1b89685042b3d105ebe16f76d8a26862c0669a62156b8bb5d7fe11f0c8fef

Download Submit
C:\Windows\SysWOW64\Cbdnko32.exe

Filesize
128KB

MD5
ce47de81066fe1aa262a17747636c5f3

SHA1
d74d23abe24c6a0b84236145785f205d7de5248c

SHA256
3729dd0489acab35152c754e22686bd68aea6e7730df29668d90d68be00ee817

SHA512
ae34fa90d8a2077ec9ac8a36162e1d12fe5aee564bfd5f2efb3bf26049d80cbc29a74f7e8ca27db223e71d1f8e7df760121cc5f5ad031c1a3115bfd0b5b75cc3

Download Submit
C:\Windows\SysWOW64\Cbgjqo32.exe

Filesize
128KB

MD5
a798d3b3e4fd1525839a3611051f5def

SHA1
5358f1d0b61233ebfe089bbc2bb654a4ea5b2d62

SHA256
6c8ebb78d90cbd47a9fdd88937641da1aadebc2499fddabbb93cb2b817e4c144

SHA512
1f24ecb681a6aef765338030b50bdd2314e0fa81542ebdad5c46a512f3ea6d231c596d5289e9efbb82d6988402d8fa9ca9718fb3eed4226774192ebbb68de4eb

Download Submit
C:\Windows\SysWOW64\Cdanpb32.exe

Filesize
128KB

MD5
197c7731e9bf962e1e47c379d7ef67e8

SHA1
2a931d9b03fd36b7e82562f692366add6d814c8a

SHA256
d6a9adc6217cafcae2259d9967dd328d194ae01fc3a72eb471f708fe854f8b03

SHA512
b94b5db3c9fe211dbe99172910574454b286dfa9604fe63f5f9b60892833e947a3b6720a0830003360bc28e307fd9713275fe9c658f92ffcfbc213e1fa706484

Download Submit
C:\Windows\SysWOW64\Cddjebgb.exe

Filesize
128KB

MD5
6ad04f36b62a3c62db8a2c6f52fe3f25

SHA1
85f2e91410fdff220438647d7b903a31f32e43ad

SHA256
0f1542ba2f0c27b8db87f918f3e6cac35c38e69b45e30663a7b498ffd397e0e9

SHA512
6786aab01241de0acbe12bc81a55428e23c9620b19821db5558fad91f80ca12f0aefbcc864078be775fb6a6d627510ab82ba61acee2f33d42269a279559f9c4a

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
128KB

MD5
12b1919cbb11ddc5cdb074dfa47480d1

SHA1
92577dfd53303f8063be46304175c34e19f250df

SHA256
b69439ddf3a60c105a21b2ce611554b75656d3139cb08287f50c3163196a1ad1

SHA512
a46495901a263fee8c47546405871914d9cc4d12dba8e6d31df0885a9299bf632011478f989bfedf447d00f95c1b557c0f4184cabfea75bb39b2d46da585f13d

Download Submit
C:\Windows\SysWOW64\Cgpjlnhh.exe

Filesize
128KB

MD5
f117ddc392c75efeceba858fc4910cd9

SHA1
79757ba13360ebc64b3c9e6e866c83e5624b7264

SHA256
cbe0ab3e037b1d2019be328815cca05ad133407dc8b3e2c26bf82cdccd2fe7ed

SHA512
6a74622af895b7dc30e5ccffe375659ac71ed7c684fc77d5e2650c2b0b58e2f44b8b1bf9852ac6bd201c18a1f3010df257ddb135c07c74c9f97c80e0ff4b42d2

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
128KB

MD5
9216b303f2c921f2b4d1645022f248d7

SHA1
a9f83038bfb0d8a5e777febd9a1c5305af98370e

SHA256
33319411885d37a8e2530fdebe36b986de4b30f7c54c22b0301c32dfb2a40470

SHA512
683ef0af9da0b56e6dda8f993dc8e83d2b33b7c7b25127a6fcf73c4c573bbbf0440f2d835176bf652020ccc7cb5b8aa55161d7a2c6869d3b6e9e1bb3f21352cf

Download Submit
C:\Windows\SysWOW64\Cinfhigl.exe

Filesize
128KB

MD5
66681e7992d46b20c991441c6078506b

SHA1
db7e3f97402ebf2bd87ca927bea479c676c8ac36

SHA256
36062addb98950939e993bf8dab167d8dcc4c9d221c75c82ca1768ff955357a2

SHA512
67289e6f69dd3f3b7c2bb4a3b7ac878aca99be9aa9e6b2ab8699521480b6d24fee076d3fbb2de2a0a99afcc901a99c483aa3625230027b0e1c2a08b6ff27dfab

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
128KB

MD5
b2254430ceb097396a2d64bea8772f10

SHA1
d49184487cbe23dd9e0698d7a20e295898f71de0

SHA256
15583efaad1601377d79041a60b63c37d7b5fca6d76df096a74ca758c3282dfe

SHA512
aa00e32e5df631c2e5235864f52da198821c1c0b64737135c55e84fc17a898075ce73b4e1fc7bddc05d4338b41012e2e362f6dbc2636b6a1e72dd0bc3e0af008

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
128KB

MD5
adc34f89e326c91e9cf4e19083ab6d54

SHA1
d2ec969b5490ebece4c0697aa8634c6caf4a0ad7

SHA256
f585da68fe976e2df682bda5722d80117b57fee522c9b9de0fc1d2dc7b32c28c

SHA512
268982633df67719601e6d61ee342ff229ca3f3db65773d9125a275af7ad67a9c4b098bae72ef89f67730688f10a4807cf66de913084d645d12d3752ed646494

Download Submit
C:\Windows\SysWOW64\Cmjbhh32.exe

Filesize
128KB

MD5
696fd9ea78f1bd17d72b3b3971496243

SHA1
182e8ac96d465ccb4a7c431a4ca67a98c92ae81a

SHA256
156727e4886da9124f9ee8f2d751b0e5a941e31b4ac2db83c5937f3701b84502

SHA512
8fd471f67dd0edbbb67dae0fa3e9ff49017133f0a4398d56c9de9afa820a499d915b07ee22d9f94b339be26ab3741500181874ce0903f61e9c2c55e9eebd3c78

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
128KB

MD5
327bc04da83732d3b15a887efaafef8a

SHA1
ce2247819d0d2a9d1b21d9e779c8ee89ea9c2ccd

SHA256
d2e14de9671580ced7934c07a87940305d754e04b5021adcf1eec2b8f7c9f62e

SHA512
46e406a97171d0ac7960758686e4e4149e4659cab54b7d7486a18632ce89fb2db0da212c467957093158366c57979870e9db7fe9f6f94593425c1edbb6bfc21d

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
128KB

MD5
b9c84b46615286387204733241dbc72d

SHA1
f224341a8e6359489c8b0f07d09942684126a992

SHA256
58de0da5c08d12e1b78a44508a177fc2f0466caace5a59ca06a5d989296d2694

SHA512
abfe74c0696c902b87760440b5400699ebacbfcdd3e81cbd86486cca27a3ac7e4acf1982f97b2254d41c58f77f5e54483e510f6d9a7f572412ebd9d79af1596a

Download Submit
C:\Windows\SysWOW64\Lapefgai.dll

Filesize
7KB

MD5
58cf5f1905cea2aa021816216eabf0a4

SHA1
37139e8857eb669190ceaf238e5a6739df060190

SHA256
b10ddf51e419aa8210483dd1232c260f667838b274ccf01265e3ad396ee28d80

SHA512
180d783c8266ca1c9f20b5552d960d4b6f75f65fa074f068c4f4409b4c101756a6d3f72a084a3309a4825da55d3db45ca90761b9b6f3ebe655fb99000cf626dd

Download Submit
C:\Windows\SysWOW64\Pcibkm32.exe

Filesize
128KB

MD5
7728eea8b20b9312368a8feee5905c31

SHA1
0f0366854e0494aa8e9bf5a9aa9132a2cec7ef3d

SHA256
124e20a74a3404eb762127ab54f31b527ed57f1fdca1d7412ac73a851a5c45d2

SHA512
02596d22f99e7352989e68d92f60524ec2b13333b223ed41f494c8de2e3891aba1154a7125a5012664f4cdfd602b1e0119260f5643db32a2fcffbea34eb2b875

Download Submit
C:\Windows\SysWOW64\Poocpnbm.exe

Filesize
128KB

MD5
101ddc7569e80120c8345499fa8a0d2f

SHA1
98eabc36c99920c46d7a3ad720c9dbb31ab87325

SHA256
03503821a8d17aa093a3bad74789edf19f42a16a58db6b82627fcc62969c73d3

SHA512
85a67e84594f04b8f5663cc16df4e877abd8a7514be14de8e2402db38c7ec6003d412c7880b3df4d9234afcdf7d269886ecbcc38d44e4cc9b66ca778e815dbe9

Download Submit
C:\Windows\SysWOW64\Qflhbhgg.exe

Filesize
128KB

MD5
2302b4acc1dc3e47bacaf6ecd073bbb4

SHA1
7b4649a8f9b2718f51878485410a0306ffe7235a

SHA256
78e856933eb5ef792adfdac2deed0a99b447c37206982751890a015ff87672bb

SHA512
de64bd3752ffa1c487699e030acfed475a99fd2a8638e94cbc99ce8d4903c0bbf4d7f0e7d6cc3306f42d1695fe8dc80d129225a19f7f10ce827ddfdf2927d7c1

Download Submit
\Windows\SysWOW64\Aaheie32.exe

Filesize
128KB

MD5
a4b80104d03c1aedc889073b6c4c213f

SHA1
c0d8acae01b6282e91ff3656c96f802a3570f6c3

SHA256
bc2d935b5d0f5c5f5ebf4fc4abcda8438fc0051815841264cc68784fdca8cbba

SHA512
2b520d943739896c59636c9e2772f5756d938ec5d2e0dcd27c231d1df43a0d6a040536b892becfe83a2b22840e32af3ebaa151988c74f5f50948a4c6d7ad8215

Download Submit
\Windows\SysWOW64\Aniimjbo.exe

Filesize
128KB

MD5
8237761662b306b8a6400f9e58850ac0

SHA1
f69451e4988a3cbb2fc52b25c872582d3b4f3870

SHA256
122b9369ff036fec38635e76a1a19029dd4cdc58c88bdc74c9f2f031a0efe055

SHA512
74be0538b09eb78ee386ba31808ca2481ca58ced9fdf43dc8fa17e70b8438b9318b1be8825a04492686ab519e08a854a2585dfd6381a292dd2f1c76db22cdf48

Download Submit
\Windows\SysWOW64\Pfdabino.exe

Filesize
128KB

MD5
c8ae34ddd696f68b91c3e0fd63d2a723

SHA1
f607a0af432b059bf0bd3e674ddb1d4204ab2b40

SHA256
eae90f5b9db7900e6f34ad6a425dd7b6e80c940982533b734d2c076f4cbf4efe

SHA512
098aa026be3a39f1ef5f96809dbb2cc5ed452fdb92804f7ebd997dc670352763927630b6d41288717d1f4ec52f14bed851f16f60233d79f459d8ec1e6f7064ff

Download Submit
\Windows\SysWOW64\Pfikmh32.exe

Filesize
128KB

MD5
ab25534d4ff22a19b1759ce9ccfbaae5

SHA1
2551609f5fc76ba311ec1d62816c068d3a63cc7b

SHA256
53d9072d4a61d4370c67e6a449c545ad4c81fb2b77a1f49023e64cf572268f35

SHA512
52c26c63931d70442d3d1f5d4949717a0c525affa9d46e531d2060d456a0fbcb1ec8d042e4d4eb4ceeb6f29f70f053783117ef175f03273f191e92229d964cd0

Download Submit
\Windows\SysWOW64\Piekcd32.exe

Filesize
128KB

MD5
a5602bbdd9ddcd05f8183fd513904afe

SHA1
1e9dedd2183f7293f8168b96b9a8c524aafd64e1

SHA256
1e8dc22f57fea13beeb4e0c4778b6c8c7f01d8ceb40150abd15d46b611260e28

SHA512
d0094d371d39f82e78c131b395872e69edbe644fbcaa50e342ca05e9f86c1eaa58f1eb129ad5c97a9eca25f81b8e21b6cb37a9626712e003e53e161b6d71dca4

Download Submit
\Windows\SysWOW64\Pihgic32.exe

Filesize
128KB

MD5
844d3df187d6cdb7eee1402d8003a0f4

SHA1
8048106d24a28689ac6072151f42c53077b2df2e

SHA256
6076089c03884f5f48fce08d39d7ba2bbd64ea942f52995b22d5717ab4e13de9

SHA512
40c43c87acab3c52b8bfa4f191f1baf5a9ef11791bbf8fe2c9e57fdfabb19bd69386a6dc11cba1f27970d45725edab13b357fdf191e88eb9458e37b40af2c20d

Download Submit
\Windows\SysWOW64\Pmojocel.exe

Filesize
128KB

MD5
c1689b268a7a45e43d2f21b4c51a7aa1

SHA1
7e779b6d6694d53a9ba45d9f316c2895e6977ee6

SHA256
1a5cc8d0f8689d21d73a447e506621a65de57e2de05ba06f6f4367206602805d

SHA512
dce7562b962cc415386b6ed255db4c79da498321732008a904af1fbb232c1786449c685c869ff2a866438557c5a6c6a0ecd39d9ed91085499a3e1f5e168911e3

Download Submit
\Windows\SysWOW64\Poapfn32.exe

Filesize
128KB

MD5
99871dc5f8cfa26f9d186b58f55dee80

SHA1
c4fdf63646668c53ff6aadc55c667e728f7ad378

SHA256
9dcb52c19d2e2e346710837ed9e72f7ee0cf1cd07f0d7324e3ab97d3567659e0

SHA512
8d78fe1ab751fa18caa5d16d6ca720c941620f609f2963dc4e9793487f1ca274398df1b1293217bc1b210f6b69d0b5c530ecaec8dd81b01b19892ffa2cf78aa4

Download Submit
\Windows\SysWOW64\Pokieo32.exe

Filesize
128KB

MD5
377870aa5b6960a2be99b93b0865667b

SHA1
ffa0239d64dec808abab454ed2b7c9139a2b6859

SHA256
e61da4908cb7793d93180f582f95f2ab4bbc5d309ecf9675e43420b7cec58085

SHA512
fc5aa839c5ca001e5b8ba7eff26ab16f209c5457d2cdc269c309840edc8034e9a3f922f70e9fcd5af678bc0d56909411030a8d728dd375d882754ce9202f8c12

Download Submit
\Windows\SysWOW64\Qijdocfj.exe

Filesize
128KB

MD5
936830f3e7596a6ec34143f922dee85a

SHA1
1f4b8dc41508ac9fc729e2ba4d71e2b4a57cd47a

SHA256
4e66c1970377c1c66f8cbec46239fe9bf379b4f31442871d0a63462262b80f50

SHA512
52886aa7040cbd62551919852d12fee3e2fa84dac278b89f8f242aede113340c97747455af0589dc6274e1951432c6b640474d59334a82d10b104b23dd351d6e

Download Submit
\Windows\SysWOW64\Qiladcdh.exe

Filesize
128KB

MD5
bb7e78f88ff6ebd0896846f48f1427aa

SHA1
55930737a78891923e1c8f26c4a78ab144ff85ca

SHA256
560465627bb7be8e63e6113faf2ad8f424e67355aded589c383e1d43ab1fa472

SHA512
6b4735152510f6ae159425f6d47b7dca5f8e96bf96220b73a12fc29ccde37b17b269904943f2a9032e3ae7c658ff38a8679ae3267aa707cacd28206011d89708

Download Submit
\Windows\SysWOW64\Qkhpkoen.exe

Filesize
128KB

MD5
9bb796962f8ff34c3c429eedbec42c75

SHA1
9b8e2d03ca36ede0f15a3608de99c4cb9225e163

SHA256
6d099422a39f02fce0148522cc78ec257d7511fc815d31e8262e7c663146d321

SHA512
54b86fd53080e7ca3491f5200a84feb6166a0060a5d76bbb5bdc9106cbd761028d71ec6297e99b0469ea672280eeb5596448e536c13f1b513283d8d44f4db3cf

Download Submit
\Windows\SysWOW64\Qqeicede.exe

Filesize
128KB

MD5
3f72404e8a6e5e8820d85ea19c138c3a

SHA1
ce4daed0c12d110fa8c8d65a560291e2cd6e55e5

SHA256
a1ea54e9daec7f4bf9104521d7197f996073cb0fe52a1158146c3d1d6b1b7f7c

SHA512
92b4e4952d8c0ca45f6078e07b4225661abb0c1819ca0cdc7b4528ff91d4d1897a61d727c16e7e02d88a42a1971e4cca504742594c56568f8303d6b53c340cd9

Download Submit
memory/444-486-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/444-477-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/536-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/536-345-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/536-346-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/572-86-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/572-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/572-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/764-264-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/764-270-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/764-269-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/848-295-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/848-298-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/848-302-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/1040-312-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1040-313-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1040-303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1044-245-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1044-247-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/1208-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1208-237-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1260-426-0x0000000000340000-0x0000000000375000-memory.dmp

Filesize
212KB

Download
memory/1260-427-0x0000000000340000-0x0000000000375000-memory.dmp

Filesize
212KB

Download
memory/1260-421-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1268-409-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1340-211-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1340-221-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/1452-439-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1452-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1452-434-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1496-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1496-357-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/1596-314-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1596-323-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/1596-324-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/1608-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1652-474-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1652-469-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1740-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1740-415-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/1740-414-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/1784-256-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2084-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2084-403-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2084-60-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2084-53-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2100-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2188-197-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2188-205-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2428-291-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2428-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2428-290-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2488-179-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2504-450-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2504-444-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2504-449-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2564-380-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2564-376-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2564-374-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2568-280-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2568-279-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2588-451-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-462-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2588-458-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2604-464-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2604-463-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2604-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2660-45-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2660-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2688-335-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2688-325-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2688-334-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2752-33-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2752-26-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2752-369-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-6-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2756-12-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2756-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2840-402-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2840-397-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2892-364-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2892-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-475-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-476-0x0000000000350000-0x0000000000385000-memory.dmp

Filesize
212KB

Download
memory/2924-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2936-452-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2936-112-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/2936-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-391-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2952-385-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2996-487-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2996-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3056-158-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3056-165-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/3064-227-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads