berbew | 23857fe694eb7aec6174af8db4d386f37dacb1ee4e3ad97ae2e35fafdc8ac39d

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/10/2024, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23857fe694eb7aec6174af8db4d386f37dacb1ee4e3ad97ae2e35fafdc8ac39d.exe
Size

74KB
MD5

08095a6fb78a52888da5d3b01ea010bc
SHA1

470b8dadd2d38268f5a5b08f26e17653d18deb12
SHA256

23857fe694eb7aec6174af8db4d386f37dacb1ee4e3ad97ae2e35fafdc8ac39d
SHA512

597f9d1cec515ea068aacb67bf28e5068b9dbdd28d6e86a08e3ed9ddbdbffbf83b4d22bd72088aec6bce4a66959ee5b02e5752bfd1cf79d48c46b590b91b8939
SSDEEP

1536:3GJ5/wEfJwSzj11Dm3WKgyqtoUO0lZzanjDws:3gwSXBKgyqtVOUZajss

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Plgolf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjklenpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmpbdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdjjag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plgolf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alnalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplaki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accqnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phnpagdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pojecajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opqoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkcbnanl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmkhjncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	23857fe694eb7aec6174af8db4d386f37dacb1ee4e3ad97ae2e35fafdc8ac39d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohiffh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phqmgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceebklai.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 63 IoCs

pid	Process
2460	Ohiffh32.exe
2016	Opqoge32.exe
2696	Plgolf32.exe
2704	Pbagipfi.exe
2584	Phnpagdp.exe
2824	Pmkhjncg.exe
2624	Phqmgg32.exe
1932	Pojecajj.exe
2768	Pplaki32.exe
1608	Phcilf32.exe
2304	Pmpbdm32.exe
608	Pdjjag32.exe
2932	Pkcbnanl.exe
2136	Pnbojmmp.exe
3068	Qcogbdkg.exe
448	Qkfocaki.exe
892	Qlgkki32.exe
952	Qcachc32.exe
1688	Qjklenpa.exe
868	Qnghel32.exe
1512	Apedah32.exe
2520	Accqnc32.exe
316	Ahpifj32.exe
1832	Apgagg32.exe
2188	Ajpepm32.exe
2340	Alnalh32.exe
2316	Aomnhd32.exe
2656	Ahebaiac.exe
3000	Abmgjo32.exe
2748	Adlcfjgh.exe
2560	Akfkbd32.exe
1944	Andgop32.exe
1732	Adnpkjde.exe
756	Bnfddp32.exe
2816	Bdqlajbb.exe
2300	Bkjdndjo.exe
1648	Bfdenafn.exe
1808	Bnknoogp.exe
1988	Bqijljfd.exe
2168	Bffbdadk.exe
2964	Bcjcme32.exe
1500	Bfioia32.exe
1336	Ccmpce32.exe
1684	Cbppnbhm.exe
3020	Cmedlk32.exe
1348	Cocphf32.exe
3056	Cepipm32.exe
3044	Cileqlmg.exe
692	Ckjamgmk.exe
1580	Cbdiia32.exe
2640	Cebeem32.exe
3008	Cinafkkd.exe
2852	Cjonncab.exe
2620	Cnkjnb32.exe
1220	Ceebklai.exe
2752	Cchbgi32.exe
1668	Cjakccop.exe
348	Calcpm32.exe
1888	Ccjoli32.exe
844	Cfhkhd32.exe
1952	Dnpciaef.exe
2004	Danpemej.exe
2940	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
1796	23857fe694eb7aec6174af8db4d386f37dacb1ee4e3ad97ae2e35fafdc8ac39d.exe
1796	23857fe694eb7aec6174af8db4d386f37dacb1ee4e3ad97ae2e35fafdc8ac39d.exe
2460	Ohiffh32.exe
2460	Ohiffh32.exe
2016	Opqoge32.exe
2016	Opqoge32.exe
2696	Plgolf32.exe
2696	Plgolf32.exe
2704	Pbagipfi.exe
2704	Pbagipfi.exe
2584	Phnpagdp.exe
2584	Phnpagdp.exe
2824	Pmkhjncg.exe
2824	Pmkhjncg.exe
2624	Phqmgg32.exe
2624	Phqmgg32.exe
1932	Pojecajj.exe
1932	Pojecajj.exe
2768	Pplaki32.exe
2768	Pplaki32.exe
1608	Phcilf32.exe
1608	Phcilf32.exe
2304	Pmpbdm32.exe
2304	Pmpbdm32.exe
608	Pdjjag32.exe
608	Pdjjag32.exe
2932	Pkcbnanl.exe
2932	Pkcbnanl.exe
2136	Pnbojmmp.exe
2136	Pnbojmmp.exe
3068	Qcogbdkg.exe
3068	Qcogbdkg.exe
448	Qkfocaki.exe
448	Qkfocaki.exe
892	Qlgkki32.exe
892	Qlgkki32.exe
952	Qcachc32.exe
952	Qcachc32.exe
1688	Qjklenpa.exe
1688	Qjklenpa.exe
868	Qnghel32.exe
868	Qnghel32.exe
1512	Apedah32.exe
1512	Apedah32.exe
2520	Accqnc32.exe
2520	Accqnc32.exe
316	Ahpifj32.exe
316	Ahpifj32.exe
1832	Apgagg32.exe
1832	Apgagg32.exe
2188	Ajpepm32.exe
2188	Ajpepm32.exe
2340	Alnalh32.exe
2340	Alnalh32.exe
2316	Aomnhd32.exe
2316	Aomnhd32.exe
2656	Ahebaiac.exe
2656	Ahebaiac.exe
3000	Abmgjo32.exe
3000	Abmgjo32.exe
2748	Adlcfjgh.exe
2748	Adlcfjgh.exe
2560	Akfkbd32.exe
2560	Akfkbd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pmkhjncg.exe	Phnpagdp.exe
File created	C:\Windows\SysWOW64\Aebfidim.dll	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Adnpkjde.exe	Andgop32.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Aqcifjof.dll	Pplaki32.exe
File opened for modification	C:\Windows\SysWOW64\Ajpepm32.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Andgop32.exe	Akfkbd32.exe
File opened for modification	C:\Windows\SysWOW64\Andgop32.exe	Akfkbd32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cfibop32.dll	Pmkhjncg.exe
File opened for modification	C:\Windows\SysWOW64\Pojecajj.exe	Phqmgg32.exe
File created	C:\Windows\SysWOW64\Bnfddp32.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Lkpidd32.dll	Opqoge32.exe
File opened for modification	C:\Windows\SysWOW64\Qjklenpa.exe	Qcachc32.exe
File created	C:\Windows\SysWOW64\Apedah32.exe	Qnghel32.exe
File opened for modification	C:\Windows\SysWOW64\Ahpifj32.exe	Accqnc32.exe
File created	C:\Windows\SysWOW64\Adlcfjgh.exe	Abmgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cebeem32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Ghfcobil.dll	23857fe694eb7aec6174af8db4d386f37dacb1ee4e3ad97ae2e35fafdc8ac39d.exe
File opened for modification	C:\Windows\SysWOW64\Pkcbnanl.exe	Pdjjag32.exe
File created	C:\Windows\SysWOW64\Pnbojmmp.exe	Pkcbnanl.exe
File created	C:\Windows\SysWOW64\Olbkdn32.dll	Qjklenpa.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Bqijljfd.exe
File opened for modification	C:\Windows\SysWOW64\Phnpagdp.exe	Pbagipfi.exe
File created	C:\Windows\SysWOW64\Aomnhd32.exe	Alnalh32.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Plgolf32.exe	Opqoge32.exe
File created	C:\Windows\SysWOW64\Phcilf32.exe	Pplaki32.exe
File opened for modification	C:\Windows\SysWOW64\Qlgkki32.exe	Qkfocaki.exe
File created	C:\Windows\SysWOW64\Dfqnol32.dll	Qlgkki32.exe
File opened for modification	C:\Windows\SysWOW64\Accqnc32.exe	Apedah32.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Pplaki32.exe	Pojecajj.exe
File created	C:\Windows\SysWOW64\Hdaehcom.dll	Apgagg32.exe
File opened for modification	C:\Windows\SysWOW64\Ahebaiac.exe	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Jmclfnqb.dll	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Adnpkjde.exe	Andgop32.exe
File created	C:\Windows\SysWOW64\Bnknoogp.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Opqoge32.exe	Ohiffh32.exe
File created	C:\Windows\SysWOW64\Qnghel32.exe	Qjklenpa.exe
File created	C:\Windows\SysWOW64\Nmlfpfpl.dll	Accqnc32.exe
File created	C:\Windows\SysWOW64\Aglfmjon.dll	Andgop32.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Danpemej.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Ccmpce32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2936	2940	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnbojmmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjklenpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmkhjncg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23857fe694eb7aec6174af8db4d386f37dacb1ee4e3ad97ae2e35fafdc8ac39d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phnpagdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcogbdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohiffh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phqmgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plgolf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnghel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opqoge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbagipfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplaki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlgkki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpbdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcilf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll"	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmgmc32.dll"	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll"	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdhkd32.dll"	Pojecajj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlfpfpl.dll"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	23857fe694eb7aec6174af8db4d386f37dacb1ee4e3ad97ae2e35fafdc8ac39d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmpbdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpgo32.dll"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqcjjk32.dll"	Pmpbdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phnpagdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phqmgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phcilf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibjaofg.dll"	Phnpagdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnekdd.dll"	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll"	Phqmgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbkdn32.dll"	Qjklenpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alnalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ohiffh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbagipfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecinnn32.dll"	Pbagipfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfcobil.dll"	23857fe694eb7aec6174af8db4d386f37dacb1ee4e3ad97ae2e35fafdc8ac39d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opqoge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfdenafn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2460	1796	23857fe694eb7aec6174af8db4d386f37dacb1ee4e3ad97ae2e35fafdc8ac39d.exe	31
PID 1796 wrote to memory of 2460	1796	23857fe694eb7aec6174af8db4d386f37dacb1ee4e3ad97ae2e35fafdc8ac39d.exe	31
PID 1796 wrote to memory of 2460	1796	23857fe694eb7aec6174af8db4d386f37dacb1ee4e3ad97ae2e35fafdc8ac39d.exe	31
PID 1796 wrote to memory of 2460	1796	23857fe694eb7aec6174af8db4d386f37dacb1ee4e3ad97ae2e35fafdc8ac39d.exe	31
PID 2460 wrote to memory of 2016	2460	Ohiffh32.exe	32
PID 2460 wrote to memory of 2016	2460	Ohiffh32.exe	32
PID 2460 wrote to memory of 2016	2460	Ohiffh32.exe	32
PID 2460 wrote to memory of 2016	2460	Ohiffh32.exe	32
PID 2016 wrote to memory of 2696	2016	Opqoge32.exe	33
PID 2016 wrote to memory of 2696	2016	Opqoge32.exe	33
PID 2016 wrote to memory of 2696	2016	Opqoge32.exe	33
PID 2016 wrote to memory of 2696	2016	Opqoge32.exe	33
PID 2696 wrote to memory of 2704	2696	Plgolf32.exe	34
PID 2696 wrote to memory of 2704	2696	Plgolf32.exe	34
PID 2696 wrote to memory of 2704	2696	Plgolf32.exe	34
PID 2696 wrote to memory of 2704	2696	Plgolf32.exe	34
PID 2704 wrote to memory of 2584	2704	Pbagipfi.exe	35
PID 2704 wrote to memory of 2584	2704	Pbagipfi.exe	35
PID 2704 wrote to memory of 2584	2704	Pbagipfi.exe	35
PID 2704 wrote to memory of 2584	2704	Pbagipfi.exe	35
PID 2584 wrote to memory of 2824	2584	Phnpagdp.exe	36
PID 2584 wrote to memory of 2824	2584	Phnpagdp.exe	36
PID 2584 wrote to memory of 2824	2584	Phnpagdp.exe	36
PID 2584 wrote to memory of 2824	2584	Phnpagdp.exe	36
PID 2824 wrote to memory of 2624	2824	Pmkhjncg.exe	37
PID 2824 wrote to memory of 2624	2824	Pmkhjncg.exe	37
PID 2824 wrote to memory of 2624	2824	Pmkhjncg.exe	37
PID 2824 wrote to memory of 2624	2824	Pmkhjncg.exe	37
PID 2624 wrote to memory of 1932	2624	Phqmgg32.exe	38
PID 2624 wrote to memory of 1932	2624	Phqmgg32.exe	38
PID 2624 wrote to memory of 1932	2624	Phqmgg32.exe	38
PID 2624 wrote to memory of 1932	2624	Phqmgg32.exe	38
PID 1932 wrote to memory of 2768	1932	Pojecajj.exe	39
PID 1932 wrote to memory of 2768	1932	Pojecajj.exe	39
PID 1932 wrote to memory of 2768	1932	Pojecajj.exe	39
PID 1932 wrote to memory of 2768	1932	Pojecajj.exe	39
PID 2768 wrote to memory of 1608	2768	Pplaki32.exe	40
PID 2768 wrote to memory of 1608	2768	Pplaki32.exe	40
PID 2768 wrote to memory of 1608	2768	Pplaki32.exe	40
PID 2768 wrote to memory of 1608	2768	Pplaki32.exe	40
PID 1608 wrote to memory of 2304	1608	Phcilf32.exe	41
PID 1608 wrote to memory of 2304	1608	Phcilf32.exe	41
PID 1608 wrote to memory of 2304	1608	Phcilf32.exe	41
PID 1608 wrote to memory of 2304	1608	Phcilf32.exe	41
PID 2304 wrote to memory of 608	2304	Pmpbdm32.exe	42
PID 2304 wrote to memory of 608	2304	Pmpbdm32.exe	42
PID 2304 wrote to memory of 608	2304	Pmpbdm32.exe	42
PID 2304 wrote to memory of 608	2304	Pmpbdm32.exe	42
PID 608 wrote to memory of 2932	608	Pdjjag32.exe	43
PID 608 wrote to memory of 2932	608	Pdjjag32.exe	43
PID 608 wrote to memory of 2932	608	Pdjjag32.exe	43
PID 608 wrote to memory of 2932	608	Pdjjag32.exe	43
PID 2932 wrote to memory of 2136	2932	Pkcbnanl.exe	44
PID 2932 wrote to memory of 2136	2932	Pkcbnanl.exe	44
PID 2932 wrote to memory of 2136	2932	Pkcbnanl.exe	44
PID 2932 wrote to memory of 2136	2932	Pkcbnanl.exe	44
PID 2136 wrote to memory of 3068	2136	Pnbojmmp.exe	45
PID 2136 wrote to memory of 3068	2136	Pnbojmmp.exe	45
PID 2136 wrote to memory of 3068	2136	Pnbojmmp.exe	45
PID 2136 wrote to memory of 3068	2136	Pnbojmmp.exe	45
PID 3068 wrote to memory of 448	3068	Qcogbdkg.exe	46
PID 3068 wrote to memory of 448	3068	Qcogbdkg.exe	46
PID 3068 wrote to memory of 448	3068	Qcogbdkg.exe	46
PID 3068 wrote to memory of 448	3068	Qcogbdkg.exe	46

C:\Users\Admin\AppData\Local\Temp\23857fe694eb7aec6174af8db4d386f37dacb1ee4e3ad97ae2e35fafdc8ac39d.exe
"C:\Users\Admin\AppData\Local\Temp\23857fe694eb7aec6174af8db4d386f37dacb1ee4e3ad97ae2e35fafdc8ac39d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\Ohiffh32.exe
  C:\Windows\system32\Ohiffh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\Opqoge32.exe
    C:\Windows\system32\Opqoge32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\SysWOW64\Plgolf32.exe
      C:\Windows\system32\Plgolf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\Pbagipfi.exe
        
        C:\Windows\system32\Pbagipfi.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Windows\SysWOW64\Phnpagdp.exe
        
        C:\Windows\system32\Phnpagdp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Pmkhjncg.exe
        
        C:\Windows\system32\Pmkhjncg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Phqmgg32.exe
        
        C:\Windows\system32\Phqmgg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Pojecajj.exe
        
        C:\Windows\system32\Pojecajj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Pplaki32.exe
        
        C:\Windows\system32\Pplaki32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Phcilf32.exe
        
        C:\Windows\system32\Phcilf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Pmpbdm32.exe
        
        C:\Windows\system32\Pmpbdm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Pdjjag32.exe
        
        C:\Windows\system32\Pdjjag32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\SysWOW64\Pkcbnanl.exe
        
        C:\Windows\system32\Pkcbnanl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Pnbojmmp.exe
        
        C:\Windows\system32\Pnbojmmp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Qcogbdkg.exe
        
        C:\Windows\system32\Qcogbdkg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Qlgkki32.exe
        
        C:\Windows\system32\Qlgkki32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Qjklenpa.exe
        
        C:\Windows\system32\Qjklenpa.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Qnghel32.exe
        
        C:\Windows\system32\Qnghel32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 144
        65⤵
        Program crash
        
        PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
74KB

MD5
584098895420299cd48cca8a07c08fb0

SHA1
58846fb380a51ee8dce8057894b223eb55fa8792

SHA256
95b54077d3bb45afa40b801fac10aee5bc2b7ee920ba8318aab32fc5317acb26

SHA512
d1cabe214238ff35c063132e9ef64eaa27e943c2c6ac6525e0c967d02d40b483d415305db279089639e239101d72b8ef7432fa77a22bc844c1fa22165b707477

Download Submit
C:\Windows\SysWOW64\Accqnc32.exe

Filesize
74KB

MD5
6f64be4a89a54d187ef5a70b90777b06

SHA1
e427278d0673852139884e7f9d0f119adebcbaff

SHA256
77c309e67a9e5b06209ddbf1021cbf268a67244adfad5b609fee6f07656b22b6

SHA512
43e8724ccd7ea14a0fa7bd2e70bde06c86001b4dd4b47606f2eabc91b358abbb8109f0f4f0195d15b39938d3a1ec9f9bf6eada37c20b1c1d559291a3c15dd20c

Download Submit
C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
74KB

MD5
20c734f701d437f65dd5f18e4c32db83

SHA1
9c8471691ed76804bbf5d41dec3f67b0aa0ff160

SHA256
560a7fa35f6933795f481d49c3072dd57a3ccd307f02d0549d2a5d56065a55bc

SHA512
25d466a2a4dfec6ffdbfee5ff66bcfa669ac5e8b22f18c8ae16f0d463cd6c2aece837c62b9c53fb478599501ed583bd61e31b82b98cf1a4e8ff625fa30f5d8e4

Download Submit
C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
74KB

MD5
79f5bd91a1b98596e3109886f07776bb

SHA1
462d150665aa75829338a74179748bfa6ed89504

SHA256
281e197ea4422c3947db2571ea76464d5439dba25b258833142fce11743ebbce

SHA512
0b2ce61981a1c4507ce344cdceb4eb4bd36d3570228d300829b755a93f771c10a7cee69a55714b526287185260639d3bab3c0dc4b5722aeb1104a3d75c591ba8

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
74KB

MD5
e93aade9a2fdf42ddd9c97397135cd2b

SHA1
49677301d7691e4d96b6f02fd75fadd99a6e14c8

SHA256
39a5aa4c66e8513fd9d77eed2ba297c5e6e0218e80ebe9b1470a95effef9df5f

SHA512
9ea176c195d741013a29fbecf4d8e3b62ef398f8b6329a7c008de9f32a68c96da4d5092e0bc633435a340b04dffdbbc373f0a2e56dbefd60f2d2a843e2e41318

Download Submit
C:\Windows\SysWOW64\Ahpifj32.exe

Filesize
74KB

MD5
74bfeddcf9bdd20d4b79d49ae0495b46

SHA1
5af56800b109814e07512d89f8e368226b95e314

SHA256
7714e6807333f47b418e6b32da6e460d502b7647bb6e4a8a3aa72878f7d502f4

SHA512
aae5fccd8687c89877b63e56e2d260fb90d122180db0636178d4ae5eef8700d2099ade21f5d74aed23b1980c1091ce3306a2514457a3570b62c48fc3f2aa208b

Download Submit
C:\Windows\SysWOW64\Ajpepm32.exe

Filesize
74KB

MD5
2754e6b160d30654aabfcf794b908604

SHA1
caaa7d501189f016ddc81e6a83a15ab77e9b4427

SHA256
31de52e747ce2d8c63f8618ccb6cf46840bb78cd5f53509359cd181f63905f7d

SHA512
b467354f923994fc41e8237901f5bb61a75ebbcf95ca83dbb032c1062ee89bc6800f10cee843a750f7d818ffc62bcf9c16ba8fdf923a67d18840106e04343d83

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
74KB

MD5
de5193a0f4f4eb1498ac31581381ea5f

SHA1
06aaee37ed4f3463d4135e1c24303879febf1601

SHA256
03a33e7d029dcbf90822caef8b1b00cb6b58f5e9cbf847862ac8c532a9f626c1

SHA512
aa14087e15fc8737c46a32d644f3172268f6843a76a0cfc8e00370aa387e7449b1851a3f59b82c65bf58c986421eec13b372d9cf906ece455534d0d7eed2d871

Download Submit
C:\Windows\SysWOW64\Alnalh32.exe

Filesize
74KB

MD5
c790a477b3f1d6700cce752c8e994f6c

SHA1
44d4ca5e29b5f051eb5fc1796d40ddbd03488769

SHA256
a79ed16b3f240a80ae9cf4a16fc2c2c25b32633e6280cfb672b4f896564bb60a

SHA512
502248446e2e1e56284cd061b523cd6983ee13445f31fb12503d6b82b2973f9038f1371df03f8452b9fd10d9c2ca435bba5c4f87d3bc765dbc03b2488d37fdda

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
74KB

MD5
2c3f85e20e073669775a9658b432a508

SHA1
5e9076e9fe18fa2aa51edf699d3043fddc5c7a3e

SHA256
3455a6ab3f1c63846fa281522c62046b20569f4e8aadb2c548f046df3dd1901e

SHA512
30815d8ae1906418cd93e82866cf21e61ff6144e6eb8da2446ac84991c632294e454e794a39e0f3b501feb988bffa164cc76f49d78a732ad5b48d038422d518a

Download Submit
C:\Windows\SysWOW64\Aomnhd32.exe

Filesize
74KB

MD5
3c9bcfd4a151aef7ac6d1879cf77534f

SHA1
37caf0e7db6c8b470a8e3b67ea143d7e63d6fd48

SHA256
52c9a7af3652f32414b2490994fff58e5fe22c315f891acd7f8684565bc6e38f

SHA512
1d644bd8a63c17c116abd4371959b8f95f334572b654b3cd53bb38099bcfa6f2fa80e53e7cd51628facda06269175479a3b661469a87790f7d4e202257e20545

Download Submit
C:\Windows\SysWOW64\Apedah32.exe

Filesize
74KB

MD5
a24b7fb7d41957f69dccde9267bedf03

SHA1
01545006a34dce414aa13ba0d152aa9347d35470

SHA256
f5e809e03bdd6c833e0a0f8ad81d1f6476382b956174fe8be732e712ea76d151

SHA512
8612c6ea040ec47081a5029982987fd66b291f7eb735cd0156bd7222119c3007e1b0e81b782665327e711df5e946a53f4bce437415901fef1dfb35334cd81784

Download Submit
C:\Windows\SysWOW64\Apgagg32.exe

Filesize
74KB

MD5
ff6c0be1cb389314af0052a133f3b660

SHA1
744dce10546a674fd89b0f6ff4ed76e56b80b074

SHA256
9d3e22cea567c82fc706db51b88278399bd0750f4f45cb5bff8c40719c1f9571

SHA512
978df51a93c0439a51c85ddb4bdf28c6cd309c0066098f02575737f2cf4e91c773abafa64d184c113f9bc533696c4fed6c15288589175a1d3d6723deadeb53e6

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
74KB

MD5
597ca3b93dc910fe21902d7c73efd7a9

SHA1
43b8195e99b8e4c474332540f023f9ec4296cdcb

SHA256
5920862a3ddf1b5d5f065b3872caaf8bbd133e6fe07353aaa4c9a503a9b8f63b

SHA512
5825a1a64bc1837551e12bb6eed5f4fc1eb625728f3b669a8b12342a626aad9632ef7f418cf8b2ca97b917ed3954a91b23ceba51f48a62abe57bdd2a46962aae

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
74KB

MD5
fb1cdc1423677d360cc16de1c3cf3b71

SHA1
45d6e2229578ff359387310127cf7e15eb12e8a6

SHA256
98b6cc8c3aa2955a36b057a08c6734fcc6a376874c145ccccb36b6bb98162419

SHA512
cc3aff1b80eb9d62b5b40a9576bc7e296b3466a7944df310db0d6b52b6e7b930601f331766f4b8b2b8cfad311ca86eb7bf33803d70a2df0f5de4135367efd168

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
74KB

MD5
579c4616b6ed6ee31e0aade449786e9d

SHA1
9a12c1b1061655e0c8937ee8b1780970b0766ccb

SHA256
4b459376d87148bffa969daf0be3fa82e61baa9a46f93037a4e2181b6f4e53ea

SHA512
d07f0bb0a4e31ef467a964a67cb514642d6a2e1acbe3370d95ef1b48b3f2c8b5724e55b881f8e50a7a90e3aa3a41fa1b882a493974fb0bd4aae4faaec2913846

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
74KB

MD5
e03c99f1b707cb9f3a767f62f732438b

SHA1
34032e8acb2c2e3fded10eef2e7423de97e9315f

SHA256
07896839124e17f9e5fb395f325d806920c49e910bee8aa81e2252f81e5bbe36

SHA512
d22e2a3e5f1af1750cbfe004c023ec984d78790d9861ef977bc706cdbaf656136bd2b478d4168a0f92d488bf3e1718b61e0298441d2893509179f143cb420d75

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
74KB

MD5
5ae4828ee277b1c91802acf7bb349ec3

SHA1
651384826fcd2cad92a8df72618d6d0e0f5c9fc1

SHA256
c39c0cfb95f3e7a9c50b1f74fdf27b2d91a6718dc50e85685ca2e548290ad413

SHA512
3af03a18d714b086b2cc1a92291ff92dc71988193e2ed1a7626736a3caf3953ff8a26d221d97c7c6d01fdd1744988861362636227599e9a7ce625dd62c504f3b

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
74KB

MD5
0cb04d3243b464b1c555c0aca1ad835c

SHA1
06a16ee946bed564d8e8df7b8424447209867329

SHA256
e6a0cd5ef8d11f8a3e6ba5852b7db4638d049333155fe2fc51d2fe6e8eb6824d

SHA512
01d5495bb9f50d48066234462233f1a90d45a1ce9770e498cb1261a8efc845660df97d1ddf592c55984cfd454497e524525c5c38c734d8a9696c974197666612

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
74KB

MD5
ae3763a0d1118744b19767ccb34e737f

SHA1
dfd6a5b32a6c733b81be052a6b91a127722dfa1a

SHA256
38e9ec30549a320a7dfbb8fc09633a8f50da4563644f7af9c19d056a8e57cd45

SHA512
7a939c087ac61babe42c8bed25279276d1f9fd670756050d5b49f78608fde47c9567fd42610989d432a46c426d82b95d19f662ccd48d390e4cef0e3e7dfa2206

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
74KB

MD5
9c094b2720dfe90f4a034a0d560cf886

SHA1
950a3e17ac65492924c4d42ce154017d04b055b9

SHA256
9f342a8e08292468d60b8be1478552b5ed1d92cee063ddfa4f0adea69f8757ae

SHA512
2b9f85bf01196ad19c212f3f8b3b15fe68d563b99edd19986d29b2de7e1942549ddbcb4594aece921e10636c80ee927964eb6e9abdf171e7da165bee9de0773b

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
74KB

MD5
3ff0aa9c96eced910218e10e3a27803d

SHA1
e2b954dff0aa8a092cb22d6a7046617244d4d703

SHA256
9fe111a3f4684ac20b0600b3da7dfca31f038fc698f6cfa64488675dafb63f65

SHA512
87aada9abb6c73d00558cd8da89f0b1122ed6c96448ef25f6b9bf2330e27874571da6b2993918251870bdc42c11a37e7b0222d6e9a9773d1d1144f354fa1e4b9

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
74KB

MD5
ad01b9bdf5ccfe137265e36917035678

SHA1
5669e6c26b9d15a263fa6e39fc21dabab7d08160

SHA256
9e1cc4fa166d3abe6bc665486ab91175f69e2fbc8db42c1f265fd4b4df005fe7

SHA512
473b883776dfcf9001a6ed85c12e54cf46cae9c985a54a18a32d0d594197f12617d4194042fed9d9203defd7337699fa610cd7848a61e503a6d9716b76270e98

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
74KB

MD5
b8fb7d9924458be4df2a6128cc19f1f1

SHA1
00516b65803fbddff65caa5d1e7ceaed6e00c5f4

SHA256
7c4a9a7eb774647a89f29f5e8e7a1ab5c422e61d92ed09067841f42879352ed7

SHA512
5d2b8149b84d7c35acfc48b992e5922d0b59c9e632ea996aed4c2cf06d67d90c8a1800bfe0dd440adadcf343ce65088bc3ee1ef9f2c2880cf9fac07885e2c645

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
74KB

MD5
7a795b9c15a89c5d9491e07d87d0be05

SHA1
5b6205af8cba29584a23770e338e30cfb48ee12f

SHA256
113383d91f0eba5b526fc6ba0848a2ff0f26d830272a0f08cafa8a2344bbb4b7

SHA512
b8a322724e21caf014d989983c8e1d2de9fec857c2a74b1c66ae5cdcf12f7859749af0ff46b59de37731a87974762184b8de4ff0d15b4f189b2d9e8387d3b006

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
74KB

MD5
26b75c0ac51bbe270bccb373cad23528

SHA1
b72bc66bb7574b9abe7be1a3cfb93a3dd723260c

SHA256
8dd01a1543c04fe7105d58d698e3fbeb2d0a1208f3361c6b5d36804f4cee8b1a

SHA512
3af3d6888654d32c0f83eb7a30decdb1cccb4ea5d871f2841006081a6d256f888085f987292588eb82d63c2eae48647d2de815606dd660f9cb4ea68af79504c5

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
74KB

MD5
dc722c4554e6efcfe6d24025d7905bff

SHA1
bffd6a589f7cdf7b1fdcf67ea57feff812ce7844

SHA256
1095b17de6ac8036af72e1ffb205f3dbf5c2420c3ef7f862ce12c0632dd7fa27

SHA512
d483104d3b13d4b090dac4279e1d96e9f0e382ec8969382a59b7783788d1e1406ee2d6b729d416172e56cc7bf81feb1f500aebcad38242e61783e98448ce3802

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
74KB

MD5
866f917c7f2ac4ee3a8a27e0622e71a6

SHA1
c19cccc4b4299170261a1830f18f7676545b2522

SHA256
ccf6d3f85c77ba7c25cb71806481a085ad1343c172c8523db6bc4883988615c1

SHA512
c6c095dba06bc9fdedc75129e4f0520a7d2c9ed00dcf6f7f556e2ebe2ec5dced0f5408beda927e7ffb909f1dba157ca69124d968aed51c8bf259e64d0bd8bdef

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
74KB

MD5
e5631189cfc5b3325c8321e85d4de388

SHA1
3c1397bbbfd7b0c86180bc66e18c281e0ed4f215

SHA256
32ec5daa3d7e6baff36f9fb7b1343acefcc035af4bee871a74fa4f3f39074b3f

SHA512
1c1779d48af7890c88c31aa87090087222576ee26ea1526f3784e7d2e04af40cfffbf4974d50e2aedc218d16f349f80c7255bb21f51675da5d83ee103f392aec

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
74KB

MD5
6cad4a112dbeb09e44e6cbf973ccf836

SHA1
40f48b8b8d1405f7204214b44f5fc49df824e409

SHA256
a7db384d78c73f9724e6da4c6e312ae6b071c769d54ff167c166fe408ea83eeb

SHA512
e1533d1eb4a29535081bba786ae19e7c287a31c7b3e8a99b16b433f13d7b471181cc2a342e66b97b557d430fb6197d86ffc4e379c9d7c589b1f8e7a61bb9b78c

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
74KB

MD5
7799b4aa8af0394df7bb293167bb756f

SHA1
ccaf41fcaa67635640642d72e0ef24486bcc95da

SHA256
f5123c219dbabee9511669e592627ce1304cde8c3371e91f6bc49cb68434a998

SHA512
78ba262894f18470e77807f455fd19e5811d3a821a56b49fd510099fc172214c5b6760c87edef9387a715852a96f14969418ae164b75bf75877e4230482fa468

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
74KB

MD5
ff692e1e35c7950ad2e4d990cc6b63b8

SHA1
8b84cab195cf20a13561b489b46c96c7d165b580

SHA256
beeb978df4010087f4e38c9902b3234163cbc3f4638537bbf7906d63b9b453d0

SHA512
1c2fc5cf8bf664bcaf5b07924229cdad741e70ee69e4f15f33c930b7a631d699e96fe850ff2bb80a5180a6e300630e73c095fadc8524da83c8c842850171f76f

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
74KB

MD5
59fa841e3dc76c4a921d3508c660706a

SHA1
f3758859010bffb867ef9843a29cee35234f9097

SHA256
b66da90e09b13f0edf66b2f57181262b48b46b5470b469cfe098afe28bd633c7

SHA512
99ed5889742e1f9f5b41318fc33150c5ac1180b485e6ebf04717dafef57b655f57810bec0d1973504609d4160c8384861fa87a6c3f4435674844c8cab43926a0

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
74KB

MD5
edb08e6e471f81f49bd3921206453a06

SHA1
8da446a389c517d00c72cb565b767d2711999e27

SHA256
07978a43ccc42410135a78c4447e7d767c95dbc9bfe6775e131a1f4a63101c54

SHA512
b3780ed19d636aab264182d2a5728a19d3bcaaa18b585f87353cff6b5393a4ed457606c306c4033396b7f0eaeaab17959ba32f79cb3ca3997b3e18de43acd426

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
74KB

MD5
43cdce8ef858ba79c1bbe0cdfc66a2af

SHA1
30e2a9dafae3d850f57995d11ffd3e381a20c294

SHA256
7ff64548b7c59a04eec483d36d0fab02fc0241ed13071b835cbc42fb7dca4645

SHA512
8bfa60aa8e58369a51c2a74e776b2ca4da1aa11553c7981e4b35ab9b40702c346345b19f67dead08a6700dd86f5cce70117ea11bb3e3c3c461f98d6cadc12eb9

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
74KB

MD5
c54d00327f6e88195973b36d9fbec7b8

SHA1
f851c2c8737afdbc9c165560032cf8494a5d2d7a

SHA256
c7bec550c2ff332919eb24d99712ecd25fe35463ba5452c1391a028627d8792a

SHA512
def203d46ee0dd0dcb1b2c8d12c6d1fdd8c79176f7c3bca8472f2670cddcfc08eb1eabdc471833803d3e565092a39dd0df073e6d5edf0ae92b14a2ecefbb223e

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
74KB

MD5
9a5d1d60adbedc6ffa3233bc2b0dea47

SHA1
ba915a481d0bc24616159f9c295c3ff313a01d17

SHA256
bc527d04e4fe9b1785e4ed6b38a8772655ebef59926d5f1ecfb22ac953b5eb4f

SHA512
b1c61f08fc9b950c2c70f56d8d5c54115f0a32e073354bf4dd5364e24cf98ae99ebbaeb6c3d8fbbb547320fab2df14f2b9ee366b93576ddd9768a2a3322ddc40

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
74KB

MD5
2a7758df82450d6ba3577cd56d6ebe4c

SHA1
feff5a272a89a7cb25aa9c4bb6ef04b253444c17

SHA256
b79a84ad279bbac0d1f744cd8b28fe8bdf5e3c95c05c5ae8f48dac96c8a31793

SHA512
0de96ed15c14b0afa91f8de69a785fb66208646caa66948528689178f278c2479d0a09329542f476b5ddd016b98133dd66159d0b73c2aa963b63c87b4fe3a882

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
74KB

MD5
56e1940803fbf90ea144b63dbe618a51

SHA1
9813bdbf3fddab12f66d29936bf1388a840e6725

SHA256
b1dc60c002e7192628cea151c2795402e9384c7ade4ac14c4bedae8842718fed

SHA512
00697d5137e6f55022c7bb2019275ad5fccd5854b27e1c5b0fa0006d2b1ff1a4e5124fbd13571556ba22569e911b593a36acf5eee4c677ebc4f67392ca0f3e11

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
74KB

MD5
1aa16f8034c61983af1c8bc1c983e683

SHA1
b3c34ffc0c606c5cdc701934ac63c6f3c63199d7

SHA256
19d08f6efaa673007815331bb6daf3fc652edf8a77ce30a4b67741f11c841c40

SHA512
56739928efb36675876f75cc1a077f7ab342f241a28ab6a1b1fcd652ef3acefc3ca47a1c83b47e8698dff69e44a23468c59694b357a236401646caf3a4e7c9e3

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
74KB

MD5
fa89bc7a8ecf59fe698ede1e7d855c94

SHA1
785cfd0304d9603a70223b0ddfbda6ee9bf30323

SHA256
901da877eee9f903653460b16ef2cc7851efb056fb6c132d20d9243ece1f9626

SHA512
fa9e5463abf145175b0aa1fa80f8c3023d70dffbb81e69b44213ccd820bb6383a5614827ae6b2476b62ff8477a478bd3ddb0af948a1c28e0fdfd080d365f002e

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
74KB

MD5
3f6eb361b01f742a4a4a496496fe1710

SHA1
16def704bc589579638ee0c5399ff8e7636d71a3

SHA256
e20b097049a712e07b2e44bc030441701f7d5ced5712ab204b865643cc0e0063

SHA512
af6fe4b9458a70c830cbc83b84e1f3beb01fd10776be1589b09ccdd814600791a5b59ea56a6500a12b24c048904e9b12069171a8713009cec53facb70ef8f66d

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
74KB

MD5
5c15888d075cd1bd9530b2323832237e

SHA1
32bc54805d63bc5e1215ba1dadd68c881ef5b250

SHA256
b68c8e5be52822e0e0557d98ddcaf1a187048b87c90ab47dcc6e2c27fff1116c

SHA512
74f2c25ef87684bc60c27548542c8a4948a31a0ac00b30fe4cf6225ae17f21f20e7f4e8577ca48f66e2317a301b86a901ceae5981c816634f5718410e877dc85

Download Submit
C:\Windows\SysWOW64\Ecinnn32.dll

Filesize
7KB

MD5
dcc227c557b4a0356af3104bc885f59d

SHA1
de99ff94c5dca9d425e8b599e927d7943af37701

SHA256
21f50b7884b05590778a1464a1d363de056aab0eced6c9a74261906026266e28

SHA512
7544abbd0d25fb035fa01de8871603b7bb4fe2932e7d792a918b06d0108211aefff61b5f7890bc710e4c49428df10f293b1dcee089ef3dc31a6170e6df186a8f

Download Submit
C:\Windows\SysWOW64\Pbagipfi.exe

Filesize
74KB

MD5
44c348440b5fe7cf9266f3dbb4144594

SHA1
d5415052d0ab5654759aafb4a6fe844f2d04acab

SHA256
69dd0ea0cfe8ae0f329b992b46c6c0e1e1c95cbc081d720d886334035a8828db

SHA512
b0c07ef2f0c277a74cafc555e5cf1fff07ba0c432c3149da0462b32ec788cf4a2f0909aaaa6c1837ece66729e81604018287a7309f38a2ce41410bb8bd494eca

Download Submit
C:\Windows\SysWOW64\Pmkhjncg.exe

Filesize
74KB

MD5
3b705c4519e241380d3b11843d4245fa

SHA1
2c765c454d72cbea94d9702097095c1ed8820829

SHA256
6a76daf98b50154ce97462b478bb9753030efabcd0fa711ed91351f03f0a8589

SHA512
1f2a139ea7f241dc251d63eba7cfcb0e38e927f6b89a8a58d6d4f0bfed98b0ae93e2fd0551823822ff0d3d8d5bac9f9fcf87a6eeedc66264cb34e4d4890d35a3

Download Submit
C:\Windows\SysWOW64\Pnbojmmp.exe

Filesize
74KB

MD5
f8b698ffb7a2ea5b36e0f8eba9721761

SHA1
a4ec0b62db22f6ee7fb037e89a08fb535b5fc6f7

SHA256
b1f347a625a8ecf6c44574ba992a6c8ec9b45ea3a198ca1e314e6f2bf9f4175b

SHA512
82deff1ac81885a9f171b9127ec6952cfd1c346b24a034dcd770e026685f26016c94ccf5ff32e5fc37aaa1d4adf76d3b808e35ab207323655ceff3e26ecac6ce

Download Submit
C:\Windows\SysWOW64\Qcachc32.exe

Filesize
74KB

MD5
15017cd0359b49e0c4574d3ac40de0a1

SHA1
e9855326e9e77df677926db06b01649d2e735539

SHA256
abea88b62095d9d33570a6c90922c4ecf8fdb7a41bde808fb3590e57e4092a6c

SHA512
ab0854e97271a9991ff4f53c5e01bb9f39bbd08ea62767c6be4c72b92d090810b0a6472a84db373817e550653bfd0f938a74facebef2ea6ad7d93ce98eedc342

Download Submit
C:\Windows\SysWOW64\Qjklenpa.exe

Filesize
74KB

MD5
5e4b56e72c0a12644beb579d5df4a176

SHA1
c485ca9606708785feefb447ec9c85ed70a50a93

SHA256
31c97a60cb1a08c3651bb7da8ce6ed9cbd84cdab7e96453d787da109e00be10b

SHA512
0085b9a2201a450e26c801f8218881c0a48a8009d830063f1b55897e9a15647f8751904656e24aedaed34fa0f3664bd0bd8556b819ab5a27ae4aeb221e0be60f

Download Submit
C:\Windows\SysWOW64\Qlgkki32.exe

Filesize
74KB

MD5
657f7dec458e1a2757abf891cfbe1e6f

SHA1
74a457bb9b50487f0c9c861e8c61906268d819ff

SHA256
386247b67818259855179a5da2a00dd137553cc2111a23948361ecf756b7aa49

SHA512
16b31d00274374702dee162c2dd90122eef9e5e76299ea6e0418c8474dbe380e63c4d12a28ca9f2b15fcdb0c81197bc8c742b48e20c781592ced977fdc87b2fe

Download Submit
C:\Windows\SysWOW64\Qnghel32.exe

Filesize
74KB

MD5
af51e85320ee034d4ab9f443b2d9878a

SHA1
93a222be5a3c59211eab01bd4b7d24e72aecd8d5

SHA256
c50fd907961ff77d4901740b247bb1a5e04007a7a0c91310e4dcc0ef1682581d

SHA512
753a53046eca069c3f894d158a272327908e9864250c6da15ebd354dc43e4f85ce5218356b1a066f74c0e0904159fd4c006e458115c36eb1cbbaf192c89cfcc9

Download Submit
\Windows\SysWOW64\Ohiffh32.exe

Filesize
74KB

MD5
bc25452c1402864d17273c73ac327f53

SHA1
46c7785be8f6f70e04f9394d98ed1f4549dc7beb

SHA256
f6c943261d6e6e879cacac2d8b383fc22bc4185835d6ec54259dd9a22540cd4f

SHA512
4e4a2a75f974475fef9bcf8ca18a0141a703e09d836cbe38fe2b1e6dc016a91252299829f8b4bc582c60552b9de604bf007e8f135c887fbe99b1290d1c224c10

Download Submit
\Windows\SysWOW64\Opqoge32.exe

Filesize
74KB

MD5
26382402088b6c0068bd6df33037bd24

SHA1
522276ea06793f5cafd836b16fa96ac0d1a49777

SHA256
cb05325247163db27db3e8d2a64459b47a92abedbdae782b0f49bb785e42be22

SHA512
14b87378a51e1f657a0ffb2b26b79e42638e74b8a2312b8fbb043e7794a708b038ba6d2e61384adb478c7ff2b6bfa10cedb39d8c8e9e3b57c1fae1f765af5f49

Download Submit
\Windows\SysWOW64\Pdjjag32.exe

Filesize
74KB

MD5
be4592466ac438c54c458c6bed26a07b

SHA1
fadebe6b398e78ce04a22fd511785da0b127a596

SHA256
d5930d4ec956f1883439d935aa200dd61ff102210b933fe1275ad6b28202b9a0

SHA512
5213a2dbc79e1cff2224120df705b9788bdbc54b68fd282ae3ac9f2cd902354310128f54105c9881378308a672dd32527ef15e94508dd411c0ffa32e0c784880

Download Submit
\Windows\SysWOW64\Phcilf32.exe

Filesize
74KB

MD5
19d95ed27c9756e46c5fdb0a553e3411

SHA1
0471880ee464ad17ea2dd2c2f8339a2c37a9cbfc

SHA256
caed4d461327cbcad4bc19271cde09e7c892ea413df97e865d0a68304aa7b10f

SHA512
23dc747f680ff15779b10f913850fae13299cb9262e2391bfa0959ba4f8938fee685ce0b8a4542588195ef12e90c8301de791f0b745bc027206195b3f67cd35e

Download Submit
\Windows\SysWOW64\Phnpagdp.exe

Filesize
74KB

MD5
fee39ead141991e0b03a347407a04139

SHA1
9bdf92b8a717c2de62a6e49d3d3b7c4bb4142872

SHA256
a2ce54a10be038e718991f160f21d0405a1b7ff087ac713a35a8f6d9f0bc4119

SHA512
5f781538c6e17794030c7bd0cb6692aabb6b79962e5b9a2f0590a483bd24d64c035c8bc45c2483e0df0f035754c5b98698ddc0ce50926414dcfcbfdbcbb7991f

Download Submit
\Windows\SysWOW64\Phqmgg32.exe

Filesize
74KB

MD5
b10607403935317e6b4b49e0534d22a6

SHA1
a84a550ba84ff825e65c6228e1739725a21fd351

SHA256
40aad49a8fe200a9b5e13dea8e53ce90073a9aa4458bcc67e502c0484895b9a0

SHA512
9b801bcb48482dd2b873fdfaa1c0e00d135efd38c76c49fafab25186ea013315d6ae9ef7a3756dbcd815f329dc72478b609f72d76e81b6afbfbb8bb453302a0b

Download Submit
\Windows\SysWOW64\Pkcbnanl.exe

Filesize
74KB

MD5
a115bcd67dc48f83585336a017721a35

SHA1
f3b62c0d3670ef8b9c9c08d45dac988ad32bb6af

SHA256
81d0e6689f261eedfa935adfbf38496780d2c11bc54f0fe68ed4027067eee200

SHA512
27f72928438bbaaaa9aeb4e5f1126f3fbffaa81102d102ee22d2ceb30628e13a18df84076314925bd3222e0eb3468f962526c1e97ddd8575fe694f9bcdc0cd92

Download Submit
\Windows\SysWOW64\Plgolf32.exe

Filesize
74KB

MD5
c2eb520a304b16ff07a26e5816de82d7

SHA1
2ce7e05aef150a4b11a0e49306d506314c45a183

SHA256
c25845d1fa9d1c2ce78da7151f0e2016614180f36e03d02dc5541c7cc392b9c3

SHA512
888ba4ab40c1dda61e366cf1ff49a821496fb380f1ed80437e465ede65e0f65a0889b245a1e6a4fcace445f89ac496d8e6518ef2ff607c7153dbe9b4f48c5cef

Download Submit
\Windows\SysWOW64\Pmpbdm32.exe

Filesize
74KB

MD5
83805772caea2806796750433b141a7a

SHA1
5ecb25395b8e74a2a8e63d67b7916bc9c77eccfe

SHA256
ac819c1f2280f163a18ede61f35f5c2a3ee6f1cb30bac7f441f10739487b736b

SHA512
e92c9fef106ac7ff9ca7f67cc684f9ac638acd2d32a80c82eb0896126c16958b111d62dcfaa2b21388e8bd84e526e959c4abf1589bf3e7d0a9765cf8ea5fac8f

Download Submit
\Windows\SysWOW64\Pojecajj.exe

Filesize
74KB

MD5
fbc854f3fdb1ea8aa3364c39449f0bd8

SHA1
c3d8d3d1c59cb38b927506fc87e1ce24206e266e

SHA256
143c45f26d2d05ecc176e71effa2e35efe1b9ae05caf909b2fad48faa891b273

SHA512
e42dbca9a24204bd75b0a5c65a10dbd14a16f54180395afcbec8853958f18b272daa224d0a5a81457a17ef845fc2c9af84a9bdf680b2231a00af2bd65c2d354e

Download Submit
\Windows\SysWOW64\Pplaki32.exe

Filesize
74KB

MD5
887eba1a65b5832248961386f7690349

SHA1
6b3769b28e1d8c73ce1f85092bc04055e7575768

SHA256
20d4c739145acb01d8166662731d81021be91fa2c77a27d2153c45213ab69163

SHA512
460b42f683ea67ca1c4ba1a0f4a5716689e7207d440b38c0878baa4d47d91b83ef9d3237749aaa0ba49b40470733fe70e3f387e79199423778636796639e6694

Download Submit
\Windows\SysWOW64\Qcogbdkg.exe

Filesize
74KB

MD5
669914c05d955dcc4a491123da5704b4

SHA1
90575978f921201746ae2de9d8e20db25d176be0

SHA256
3964a73c9563ae3278622cdbc133d6ac218e200537ba1e33dcbce21de93b19be

SHA512
3fc14b0f9739f6b245b5254c3a2da5dc25c5f98f1544a20f2b4a74f41cf87f682dc6fb77e3afdb1ff1e5af51fc52d21fa105b688bc0d996bd4d5cc00a1d140fe

Download Submit
\Windows\SysWOW64\Qkfocaki.exe

Filesize
74KB

MD5
850b1ea0c3f2fb2c57e41229128e0df8

SHA1
f069993a167371714cd7c73c8a906098818a8d00

SHA256
c2e05ffd2ed48ebe326eb6cda3cb770d0a305d9a3f5474a6ce3af2e16e3bcf24

SHA512
4d94a17d46cf7d5bfd62455bfe62e5282b04bd4f89bde147f2a41973de7c424fe5f6c7b44f5f33ce35e7663329160c44f37042e86416bd1c68f42b6cd6c4242b

Download Submit
memory/316-293-0x00000000002C0000-0x00000000002F6000-memory.dmp

Filesize
216KB

Download
memory/316-292-0x00000000002C0000-0x00000000002F6000-memory.dmp

Filesize
216KB

Download
memory/316-283-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/448-220-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/448-213-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/608-160-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/608-481-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/608-168-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/756-403-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/756-409-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/868-251-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/868-257-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/892-224-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/952-239-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/952-233-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1336-502-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1500-490-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1500-499-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1512-261-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1512-271-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/1512-270-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/1608-454-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1608-134-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1608-455-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1608-142-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1648-435-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1684-511-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1732-402-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1732-400-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1732-401-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1796-337-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1796-336-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1796-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1796-11-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1796-12-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1808-453-0x0000000000320000-0x0000000000356000-memory.dmp

Filesize
216KB

Download
memory/1808-444-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1832-294-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1832-300-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1832-304-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1932-107-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1932-434-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1944-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1988-456-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1988-465-0x0000000000310000-0x0000000000346000-memory.dmp

Filesize
216KB

Download
memory/2016-356-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2016-28-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2016-36-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2136-186-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2136-500-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2136-501-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2136-194-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2168-476-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2168-467-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2188-310-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2188-314-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2300-425-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2304-466-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2316-335-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2316-334-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2340-315-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2340-325-0x0000000000310000-0x0000000000346000-memory.dmp

Filesize
216KB

Download
memory/2340-321-0x0000000000310000-0x0000000000346000-memory.dmp

Filesize
216KB

Download
memory/2460-22-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2460-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2520-272-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2520-278-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2520-282-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/2560-379-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2560-380-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2584-395-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2584-68-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2624-424-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2656-347-0x0000000001FA0000-0x0000000001FD6000-memory.dmp

Filesize
216KB

Download
memory/2656-338-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2696-370-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-381-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-54-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-66-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2748-359-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2748-369-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2748-368-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2768-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2768-128-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2816-423-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2816-422-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2824-413-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2824-89-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2824-81-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2932-489-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2964-487-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2964-488-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2964-482-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-357-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/3000-358-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/3068-200-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads