berbew | 20bb2f8630c0fa2777f5a9324daff2df6fcba06a407d31882176122beee28c2c

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-10-2024 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20bb2f8630c0fa2777f5a9324daff2df6fcba06a407d31882176122beee28c2cN.exe
Size

96KB
MD5

d6cde6c507acacf2a78b3a744fc8db30
SHA1

cb51063b2c3e9c258a1af38a7421db59a368a6a4
SHA256

20bb2f8630c0fa2777f5a9324daff2df6fcba06a407d31882176122beee28c2c
SHA512

57ab03641f408d6d000e58f177e461080842b5f8797583cef2794a7fbf7332d8c2e3294d575617fa143ce13e8efcf87c7d63210f0ca2e16bd79a4dccffeb8587
SSDEEP

1536:L2B9N8CdTScoznxt2LL7RZObZUUWaegPYA:L2BLScoQLClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pofkha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apedah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anbkipok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piicpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oekjjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pofkha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oococb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcachc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andgop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	20bb2f8630c0fa2777f5a9324daff2df6fcba06a407d31882176122beee28c2cN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anbkipok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pohhna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ooabmbbe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pafdjmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andgop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oekjjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2468	Ooabmbbe.exe
2016	Oekjjl32.exe
2692	Oococb32.exe
2704	Piicpk32.exe
2584	Pofkha32.exe
2824	Phnpagdp.exe
2624	Pohhna32.exe
1696	Pafdjmkq.exe
2768	Pgcmbcih.exe
1616	Pmmeon32.exe
2440	Pdgmlhha.exe
2028	Pkaehb32.exe
2924	Paknelgk.exe
3052	Pcljmdmj.exe
2972	Pnbojmmp.exe
448	Qdlggg32.exe
892	Qkfocaki.exe
1672	Qndkpmkm.exe
1720	Qpbglhjq.exe
868	Qcachc32.exe
1512	Qjklenpa.exe
2520	Alihaioe.exe
768	Apedah32.exe
2424	Agolnbok.exe
1144	Allefimb.exe
1560	Aojabdlf.exe
2764	Ajpepm32.exe
2780	Aomnhd32.exe
2476	Ahebaiac.exe
2848	Anbkipok.exe
2548	Ahgofi32.exe
2092	Andgop32.exe
2800	Bgllgedi.exe
1608	Bjkhdacm.exe
1668	Bqeqqk32.exe
2052	Bkjdndjo.exe
1416	Bqgmfkhg.exe
2960	Bgaebe32.exe
2156	Bfdenafn.exe
2232	Boljgg32.exe
1984	Bffbdadk.exe
688	Bjbndpmd.exe
1700	Bqlfaj32.exe
848	Bcjcme32.exe
1352	Bmbgfkje.exe
980	Cbppnbhm.exe
1088	Cfkloq32.exe
2188	Ciihklpj.exe
2340	Ckhdggom.exe
2996	Cnfqccna.exe
2672	Cbblda32.exe
2596	Cileqlmg.exe
2404	Cgoelh32.exe
1916	Cnimiblo.exe
340	Cbdiia32.exe
1784	Cagienkb.exe
1600	Cgaaah32.exe
2068	Cjonncab.exe
2064	Caifjn32.exe
1692	Cchbgi32.exe
2004	Clojhf32.exe
1596	Cnmfdb32.exe
1684	Cegoqlof.exe
1524	Cgfkmgnj.exe

Loads dropped DLL 64 IoCs

pid	Process
1404	20bb2f8630c0fa2777f5a9324daff2df6fcba06a407d31882176122beee28c2cN.exe
1404	20bb2f8630c0fa2777f5a9324daff2df6fcba06a407d31882176122beee28c2cN.exe
2468	Ooabmbbe.exe
2468	Ooabmbbe.exe
2016	Oekjjl32.exe
2016	Oekjjl32.exe
2692	Oococb32.exe
2692	Oococb32.exe
2704	Piicpk32.exe
2704	Piicpk32.exe
2584	Pofkha32.exe
2584	Pofkha32.exe
2824	Phnpagdp.exe
2824	Phnpagdp.exe
2624	Pohhna32.exe
2624	Pohhna32.exe
1696	Pafdjmkq.exe
1696	Pafdjmkq.exe
2768	Pgcmbcih.exe
2768	Pgcmbcih.exe
1616	Pmmeon32.exe
1616	Pmmeon32.exe
2440	Pdgmlhha.exe
2440	Pdgmlhha.exe
2028	Pkaehb32.exe
2028	Pkaehb32.exe
2924	Paknelgk.exe
2924	Paknelgk.exe
3052	Pcljmdmj.exe
3052	Pcljmdmj.exe
2972	Pnbojmmp.exe
2972	Pnbojmmp.exe
448	Qdlggg32.exe
448	Qdlggg32.exe
892	Qkfocaki.exe
892	Qkfocaki.exe
1672	Qndkpmkm.exe
1672	Qndkpmkm.exe
1720	Qpbglhjq.exe
1720	Qpbglhjq.exe
868	Qcachc32.exe
868	Qcachc32.exe
1512	Qjklenpa.exe
1512	Qjklenpa.exe
2520	Alihaioe.exe
2520	Alihaioe.exe
768	Apedah32.exe
768	Apedah32.exe
2424	Agolnbok.exe
2424	Agolnbok.exe
1144	Allefimb.exe
1144	Allefimb.exe
1560	Aojabdlf.exe
1560	Aojabdlf.exe
2764	Ajpepm32.exe
2764	Ajpepm32.exe
2780	Aomnhd32.exe
2780	Aomnhd32.exe
2476	Ahebaiac.exe
2476	Ahebaiac.exe
2848	Anbkipok.exe
2848	Anbkipok.exe
2548	Ahgofi32.exe
2548	Ahgofi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oococb32.exe	Oekjjl32.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Qcachc32.exe	Qpbglhjq.exe
File created	C:\Windows\SysWOW64\Dicdjqhf.dll	Qjklenpa.exe
File created	C:\Windows\SysWOW64\Agolnbok.exe	Apedah32.exe
File opened for modification	C:\Windows\SysWOW64\Aomnhd32.exe	Ajpepm32.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Khoqme32.dll	Allefimb.exe
File opened for modification	C:\Windows\SysWOW64\Ooabmbbe.exe	20bb2f8630c0fa2777f5a9324daff2df6fcba06a407d31882176122beee28c2cN.exe
File opened for modification	C:\Windows\SysWOW64\Oococb32.exe	Oekjjl32.exe
File created	C:\Windows\SysWOW64\Ngciog32.dll	Pgcmbcih.exe
File created	C:\Windows\SysWOW64\Paknelgk.exe	Pkaehb32.exe
File opened for modification	C:\Windows\SysWOW64\Qdlggg32.exe	Pnbojmmp.exe
File opened for modification	C:\Windows\SysWOW64\Qcachc32.exe	Qpbglhjq.exe
File created	C:\Windows\SysWOW64\Cceell32.dll	Qcachc32.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Pnbojmmp.exe	Pcljmdmj.exe
File created	C:\Windows\SysWOW64\Kbfcnc32.dll	Pcljmdmj.exe
File opened for modification	C:\Windows\SysWOW64\Agolnbok.exe	Apedah32.exe
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Enemcbio.dll	Oekjjl32.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeon32.exe	Pgcmbcih.exe
File created	C:\Windows\SysWOW64\Qdlggg32.exe	Pnbojmmp.exe
File opened for modification	C:\Windows\SysWOW64\Alihaioe.exe	Qjklenpa.exe
File created	C:\Windows\SysWOW64\Lkknbejg.dll	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Pofkha32.exe	Piicpk32.exe
File created	C:\Windows\SysWOW64\Mlbakl32.dll	Phnpagdp.exe
File created	C:\Windows\SysWOW64\Pkaehb32.exe	Pdgmlhha.exe
File opened for modification	C:\Windows\SysWOW64\Pcljmdmj.exe	Paknelgk.exe
File opened for modification	C:\Windows\SysWOW64\Qjklenpa.exe	Qcachc32.exe
File created	C:\Windows\SysWOW64\Qndkpmkm.exe	Qkfocaki.exe
File created	C:\Windows\SysWOW64\Bodmepdn.dll	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Hopbda32.dll	Oococb32.exe
File created	C:\Windows\SysWOW64\Pmmeon32.exe	Pgcmbcih.exe
File created	C:\Windows\SysWOW64\Apedah32.exe	Alihaioe.exe
File created	C:\Windows\SysWOW64\Jmclfnqb.dll	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Bjkhdacm.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cjonncab.exe
File created	C:\Windows\SysWOW64\Ooabmbbe.exe	20bb2f8630c0fa2777f5a9324daff2df6fcba06a407d31882176122beee28c2cN.exe
File opened for modification	C:\Windows\SysWOW64\Ajpepm32.exe	Aojabdlf.exe
File created	C:\Windows\SysWOW64\Jendoajo.dll	Aomnhd32.exe
File opened for modification	C:\Windows\SysWOW64\Oekjjl32.exe	Ooabmbbe.exe
File created	C:\Windows\SysWOW64\Pgcmbcih.exe	Pafdjmkq.exe
File created	C:\Windows\SysWOW64\Ahebaiac.exe	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Bcjcme32.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Danpemej.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Boljgg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2792	1908	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oococb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnbojmmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pohhna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piicpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkaehb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojabdlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgcmbcih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbglhjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oekjjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdgmlhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agolnbok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafdjmkq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paknelgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20bb2f8630c0fa2777f5a9324daff2df6fcba06a407d31882176122beee28c2cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofkha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phnpagdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcljmdmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjklenpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooabmbbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oekjjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apqcdckf.dll"	Pohhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcljmdmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdlggg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agolnbok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jendoajo.dll"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piicpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	20bb2f8630c0fa2777f5a9324daff2df6fcba06a407d31882176122beee28c2cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	20bb2f8630c0fa2777f5a9324daff2df6fcba06a407d31882176122beee28c2cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfqnol32.dll"	Qpbglhjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ameaio32.dll"	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmgmc32.dll"	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmclfnqb.dll"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopbda32.dll"	Oococb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andgop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ooabmbbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oococb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqlecd32.dll"	Piicpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecinnn32.dll"	Pofkha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbakl32.dll"	Phnpagdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdjqhf.dll"	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdaehcom.dll"	Aojabdlf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 2468	1404	20bb2f8630c0fa2777f5a9324daff2df6fcba06a407d31882176122beee28c2cN.exe	31
PID 1404 wrote to memory of 2468	1404	20bb2f8630c0fa2777f5a9324daff2df6fcba06a407d31882176122beee28c2cN.exe	31
PID 1404 wrote to memory of 2468	1404	20bb2f8630c0fa2777f5a9324daff2df6fcba06a407d31882176122beee28c2cN.exe	31
PID 1404 wrote to memory of 2468	1404	20bb2f8630c0fa2777f5a9324daff2df6fcba06a407d31882176122beee28c2cN.exe	31
PID 2468 wrote to memory of 2016	2468	Ooabmbbe.exe	32
PID 2468 wrote to memory of 2016	2468	Ooabmbbe.exe	32
PID 2468 wrote to memory of 2016	2468	Ooabmbbe.exe	32
PID 2468 wrote to memory of 2016	2468	Ooabmbbe.exe	32
PID 2016 wrote to memory of 2692	2016	Oekjjl32.exe	33
PID 2016 wrote to memory of 2692	2016	Oekjjl32.exe	33
PID 2016 wrote to memory of 2692	2016	Oekjjl32.exe	33
PID 2016 wrote to memory of 2692	2016	Oekjjl32.exe	33
PID 2692 wrote to memory of 2704	2692	Oococb32.exe	34
PID 2692 wrote to memory of 2704	2692	Oococb32.exe	34
PID 2692 wrote to memory of 2704	2692	Oococb32.exe	34
PID 2692 wrote to memory of 2704	2692	Oococb32.exe	34
PID 2704 wrote to memory of 2584	2704	Piicpk32.exe	35
PID 2704 wrote to memory of 2584	2704	Piicpk32.exe	35
PID 2704 wrote to memory of 2584	2704	Piicpk32.exe	35
PID 2704 wrote to memory of 2584	2704	Piicpk32.exe	35
PID 2584 wrote to memory of 2824	2584	Pofkha32.exe	36
PID 2584 wrote to memory of 2824	2584	Pofkha32.exe	36
PID 2584 wrote to memory of 2824	2584	Pofkha32.exe	36
PID 2584 wrote to memory of 2824	2584	Pofkha32.exe	36
PID 2824 wrote to memory of 2624	2824	Phnpagdp.exe	37
PID 2824 wrote to memory of 2624	2824	Phnpagdp.exe	37
PID 2824 wrote to memory of 2624	2824	Phnpagdp.exe	37
PID 2824 wrote to memory of 2624	2824	Phnpagdp.exe	37
PID 2624 wrote to memory of 1696	2624	Pohhna32.exe	38
PID 2624 wrote to memory of 1696	2624	Pohhna32.exe	38
PID 2624 wrote to memory of 1696	2624	Pohhna32.exe	38
PID 2624 wrote to memory of 1696	2624	Pohhna32.exe	38
PID 1696 wrote to memory of 2768	1696	Pafdjmkq.exe	39
PID 1696 wrote to memory of 2768	1696	Pafdjmkq.exe	39
PID 1696 wrote to memory of 2768	1696	Pafdjmkq.exe	39
PID 1696 wrote to memory of 2768	1696	Pafdjmkq.exe	39
PID 2768 wrote to memory of 1616	2768	Pgcmbcih.exe	40
PID 2768 wrote to memory of 1616	2768	Pgcmbcih.exe	40
PID 2768 wrote to memory of 1616	2768	Pgcmbcih.exe	40
PID 2768 wrote to memory of 1616	2768	Pgcmbcih.exe	40
PID 1616 wrote to memory of 2440	1616	Pmmeon32.exe	41
PID 1616 wrote to memory of 2440	1616	Pmmeon32.exe	41
PID 1616 wrote to memory of 2440	1616	Pmmeon32.exe	41
PID 1616 wrote to memory of 2440	1616	Pmmeon32.exe	41
PID 2440 wrote to memory of 2028	2440	Pdgmlhha.exe	42
PID 2440 wrote to memory of 2028	2440	Pdgmlhha.exe	42
PID 2440 wrote to memory of 2028	2440	Pdgmlhha.exe	42
PID 2440 wrote to memory of 2028	2440	Pdgmlhha.exe	42
PID 2028 wrote to memory of 2924	2028	Pkaehb32.exe	43
PID 2028 wrote to memory of 2924	2028	Pkaehb32.exe	43
PID 2028 wrote to memory of 2924	2028	Pkaehb32.exe	43
PID 2028 wrote to memory of 2924	2028	Pkaehb32.exe	43
PID 2924 wrote to memory of 3052	2924	Paknelgk.exe	44
PID 2924 wrote to memory of 3052	2924	Paknelgk.exe	44
PID 2924 wrote to memory of 3052	2924	Paknelgk.exe	44
PID 2924 wrote to memory of 3052	2924	Paknelgk.exe	44
PID 3052 wrote to memory of 2972	3052	Pcljmdmj.exe	45
PID 3052 wrote to memory of 2972	3052	Pcljmdmj.exe	45
PID 3052 wrote to memory of 2972	3052	Pcljmdmj.exe	45
PID 3052 wrote to memory of 2972	3052	Pcljmdmj.exe	45
PID 2972 wrote to memory of 448	2972	Pnbojmmp.exe	46
PID 2972 wrote to memory of 448	2972	Pnbojmmp.exe	46
PID 2972 wrote to memory of 448	2972	Pnbojmmp.exe	46
PID 2972 wrote to memory of 448	2972	Pnbojmmp.exe	46

C:\Users\Admin\AppData\Local\Temp\20bb2f8630c0fa2777f5a9324daff2df6fcba06a407d31882176122beee28c2cN.exe
"C:\Users\Admin\AppData\Local\Temp\20bb2f8630c0fa2777f5a9324daff2df6fcba06a407d31882176122beee28c2cN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\SysWOW64\Ooabmbbe.exe
  C:\Windows\system32\Ooabmbbe.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\Oekjjl32.exe
    C:\Windows\system32\Oekjjl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\SysWOW64\Oococb32.exe
      C:\Windows\system32\Oococb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\Piicpk32.exe
        
        C:\Windows\system32\Piicpk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Windows\SysWOW64\Pofkha32.exe
        
        C:\Windows\system32\Pofkha32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Phnpagdp.exe
        
        C:\Windows\system32\Phnpagdp.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Pohhna32.exe
        
        C:\Windows\system32\Pohhna32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Pafdjmkq.exe
        
        C:\Windows\system32\Pafdjmkq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Pgcmbcih.exe
        
        C:\Windows\system32\Pgcmbcih.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Pmmeon32.exe
        
        C:\Windows\system32\Pmmeon32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Pdgmlhha.exe
        
        C:\Windows\system32\Pdgmlhha.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Pkaehb32.exe
        
        C:\Windows\system32\Pkaehb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Paknelgk.exe
        
        C:\Windows\system32\Paknelgk.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Pcljmdmj.exe
        
        C:\Windows\system32\Pcljmdmj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Pnbojmmp.exe
        
        C:\Windows\system32\Pnbojmmp.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Qdlggg32.exe
        
        C:\Windows\system32\Qdlggg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Qpbglhjq.exe
        
        C:\Windows\system32\Qpbglhjq.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\Qjklenpa.exe
        
        C:\Windows\system32\Qjklenpa.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Alihaioe.exe
        
        C:\Windows\system32\Alihaioe.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\Agolnbok.exe
        
        C:\Windows\system32\Agolnbok.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Aojabdlf.exe
        
        C:\Windows\system32\Aojabdlf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\Bjkhdacm.exe
        
        C:\Windows\system32\Bjkhdacm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:340
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 144
        69⤵
        Program crash
        
        PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agolnbok.exe

Filesize
96KB

MD5
28c285f3e9f0d0ba5ed59a87c038fe29

SHA1
e199bafc2290a8dac8cffd4ae0a09b725f93cc9e

SHA256
5861ef957fbaec1aff78a1c517374cb13c74bc4d779a1a28537c46e2763fd738

SHA512
26e8743ec7d9db090bcb33c51030d54a5135c4ed54a035b76544afdff3e0629c9b49812ae0e6f927316f65a2198b3bff41722a740806b11702f300cd1f125885

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
96KB

MD5
1bde9aa1a61958397ed41704319af286

SHA1
1d27872af3a4dd1bd59c75930c2010687453afbd

SHA256
79fb45e1b33aa0c6ec66cf6bdbc9bca10451adfc824c8e62d338d660652fee25

SHA512
1e558d24c92e40bc1a8a4ff473eab4db3cc99be7ebbd51b9ffe27df5e7e497e9fecd18e1e8d1cf6a3d6d37606f18b07cef387b14e650e8b6bda53a4364fa6e49

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
96KB

MD5
077ce63d223e803f09c82e54a047d005

SHA1
a805d00e18d9b150129e5fb33a49b27bda4dd37f

SHA256
4bcd5901a7f38038dfda23b95e04073dd6b76664a45aed8848c4485ff269e410

SHA512
d0fe46d624f9e0b58dfc283802ee8a31b3391021c06ece2a15d1c0ccbb895f9e50400eb90353e60f64806b2f9f60e784b62eba9d93367191cf8c9165b0ecc3ad

Download Submit
C:\Windows\SysWOW64\Ajpepm32.exe

Filesize
96KB

MD5
dee757f7f0f21c3e49c12d554d48ad2f

SHA1
84f9e2a877c4d6181eb24008a6a4528973d78834

SHA256
4f1b3d50d1a471eb5dedaf33ab2ecc6c603361a9fa81685a530f9d8fe5a89e21

SHA512
b1b0bdbd6e58425ed540a95c239c0de5dfe359af89383839f6a4e0670771e61c73e7e01d09ad3815df137fd1beed0d86008a59b145edf32e5921a26cb027024d

Download Submit
C:\Windows\SysWOW64\Alihaioe.exe

Filesize
96KB

MD5
d6438237ae49983c29e094383513ee4a

SHA1
cef3f86ca92762619e9a5ec3ad8cf4743769a3ec

SHA256
70ddc6a62c22ecb5823a9e2d70da48fdfeae2fbb30129c6c7a27441384776d45

SHA512
eb0ea4ab89337d6e723bfb6ee024839e551578c87df978392ae10d3e86c49cd94f42b369ba8124deb17df5f62d981b64269dbad30af0e934fe15676bf1ee052d

Download Submit
C:\Windows\SysWOW64\Allefimb.exe

Filesize
96KB

MD5
e7b9365a1f43782434fe4ff3d2d46573

SHA1
0e13120f03a87353c6f311fc907c3e1109cff523

SHA256
6283d67e181d86d30b4a5ad4a491cf4d429c02571f52e9445049961ee5c31b8c

SHA512
9ac69c9fec72f9423506ea813bb045f1a4a22d5a4ab4f07b100b466653b1a9a1c48ecd6e5e9da91f234a45f3ea73446779e75266ab68930712f4d7c2a6d89fe3

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
96KB

MD5
5f2e238d52d582d241af89954d90e3e1

SHA1
d4ae3abcc836a494a56e86399bfeb8c2f502ab43

SHA256
11282b84db967adffafc12f3bbbe147edaa55c98783746db4c4f70f3e8a41ab7

SHA512
be27fd55ff13048eb9f7a62096dae29f85629ab7ebfa2c2bf58f67ab301e0235c1903a350c1d3a2c98adb0435a88139d398742d74441e2e9a1afbd3d074ca2a9

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
96KB

MD5
8db113968e4496ffaf70395b64659827

SHA1
00883c53cb87a6a71928b2b4d8bdc7b0bebdb59e

SHA256
5ab2a454bb9110196912b82f22adf8ca7504ebb2e68d0b26e25ac0fd1b25c396

SHA512
31b472b7a30962a6d5e057bcacdd27878c9957e1300ecff2aa795bead751e7031d933b7e4b12f51611818dbb7753129efa463a995a51c363d6aaacb854adc0d2

Download Submit
C:\Windows\SysWOW64\Aojabdlf.exe

Filesize
96KB

MD5
8c9b629a239611b0b634eb499e84a8ae

SHA1
51746c1a9126d99ce066c2c38ccf872592a3eb64

SHA256
87122f1c9f694856dfb21cef08603aecc9c854e84bde3ab69cc94b936ba844a0

SHA512
190cab7ff1e506dab5c1b6247ef480d8e1e4348a632e0e8ddb1ea2e9b673025c8afec3693839b3823a818e3705b7ec2620165fd9486d4819a8dfa3f4c781b983

Download Submit
C:\Windows\SysWOW64\Aomnhd32.exe

Filesize
96KB

MD5
75a37c0106c1ffe18bae04aff5fe57e5

SHA1
ea377fd3a133fde43ef4f438759499fdfbdd097c

SHA256
597261a8d5951a5f2e77df341ecb30b3f47662776ac4b68e7258dc56ff53f263

SHA512
7ac4ddd336eed29c1945d994c5ed499005965cf72fcb36d701e93e0134d00b7485f49f56f0fb96873a5fb90659bb34c10f0d197795c1a926f1d30edddb8b856b

Download Submit
C:\Windows\SysWOW64\Apedah32.exe

Filesize
96KB

MD5
49ac597e8f28cd7de714d9953250d2cc

SHA1
c72c561e669cf8a07ba0b0b2edc122ae32bf006a

SHA256
1baebc4027f6c2c0b18f61f55cb8af394e6c1933998515516a967627bf58e2d6

SHA512
02249b03ef9568c9a597317279367f8937f6d7c9c6389f3aaae751cc00009a4c20669e8bda4b98937babfd869888616d341f4008541ef5e28d38dbb274008349

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
96KB

MD5
c92de67d9fe429ec1a46b31407b1362c

SHA1
622080864bbcc17bd288033f87a79a901fbe3616

SHA256
19ce230ae28c95cde1f4cce7e802aa99f02bd4bb745c31de3790bbe441a85dc8

SHA512
843dae401a42c6fc8c346522f43373d1eef35a721e73fa53a50d0b9caebc4f31005edd07a8ad36d1290e285c8ca72527034e3313d873a600094b4df0c52103a0

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
96KB

MD5
e101db9d3d31a01c62e79950ae50a012

SHA1
2ba5b25ff38d744ae0ffca060122461250c087ac

SHA256
2e10eec57ff60da4c28795104fce6a0695480dfe8b49336e4e604275f6fbaf90

SHA512
f8abf16b62a4dd418977e09deae0246b5ba000845479c8757d1b36435da4079a5b6308af9692a57024040f185bdf1c6e40f9a0343eaf9a919d5e842931cc1fbe

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
96KB

MD5
0aa0baf977b20bb23a0d5d8490c89621

SHA1
46f45d938d88981b9237c0282fa727150b52a2e4

SHA256
ae2dfa7032d47856f65d8458730ac2614fe34314fdaebcb58c3ab58ca2470a6e

SHA512
d3d3100f8eb2f1f4a98b0bad65b8bd35260d561105111e1464ca5f39f089b5270137d529caf6354ee500c2f65605ecba5bc3aa40faed60356e5508be847862b8

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
96KB

MD5
153c9e76b8aa9647b0a097f6b97a9b3a

SHA1
24fcbedd14e2e3b324dbf5364a491f55e52c320e

SHA256
c9d82918cc124fd17debfdb76e066bce74647a5e7ebfaad8247bccfb9ed2934b

SHA512
9b7499f96d8b0cfe67db860c997c629eb055140fce6ce3fe1936fca87a03039fbc6e7a16cb96f564efd4ee461d53834ba90250ac521d570a2b2f0990e5c6a5fd

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
96KB

MD5
1086df66b6567bb2a01144cf96f6ad61

SHA1
5028c5cbf285a1f188dbcd61fb1b2385c414023e

SHA256
15b7fb7b0df5f4b23ed41a2a65fbc49f8c832c0e31ed3064f9c151e5cb04b737

SHA512
e2e4015514ebbf48dee850ac4064984308cb723f2d3fd4d159c902a0fc42abf9a7fe12b33c5a7a98fbf9afd5bdcf6d6785e5e05cba2282651247b4cb92f955a7

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
96KB

MD5
2aa5b8f8232fe94ef4ad8379217a3024

SHA1
47a6ab06f0390d5a68ae0d3dd7287e420c02f7a1

SHA256
cf860a081fdf934b7c0bd8905563b38adaa1235492e83632c4c1e128584e9b28

SHA512
ae9e66ca47d143cb065a6d9a5b64f9d31b7d3212bff9bc571fca644422dfb27bbfdeea9b28fb0cf229fbc5e23add33e4bcda7ddd032cd728bba6ed20f373179d

Download Submit
C:\Windows\SysWOW64\Bjkhdacm.exe

Filesize
96KB

MD5
0ea84039b701b32a043e8164d79b5dcb

SHA1
75c213121e95d063ca6d8c07c48d44db991553ca

SHA256
08815c88ec7da333fb4f2da62114c6ab1eb10110c7d97eb855fdd81222bcb8c5

SHA512
fced3ced95d5327352f2b6b789919356c762e0a636e73adb9d84ecc9ffa840a1454cc2d529edf9c43335b366de29c2919b8a6dd4cc8aa4e8134f61f79e44b21c

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
96KB

MD5
ffe98b98da46c6a819e93946b6abfdb9

SHA1
2204392fdb7ffe8a2c0404e166b60c9a4880f17f

SHA256
03fff713f869dd1a190469be40a3dc4ec5f33c65d7355b15aecd45d385756d1e

SHA512
a676f9c4d6319fa587750871ae1f7ffc26ff3ceffb8edd3b3988e64d8bfccb85a0b18aad50eab08a814eda8e8ceba449821fe9d597fae74ebd46a1f398e71576

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
96KB

MD5
1845da8fd14b79821fb0de073776499c

SHA1
a25b115b4421c6f9d5c50ca37ca8ec434634f84d

SHA256
8c9d2e5f9954f75403d808b984008e93a7434158811195cb1fcefc7f28454b4c

SHA512
5b8978144cb9009a51c695dab6378ca8a9d478e3f577bcf56620456aceaa7669c765c8de8300278ca90f45474fdeff53ce43b960e0bd023c0ec2289e10cfd325

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
96KB

MD5
6afc8d335a3d8b2a706e84b4a0b7f655

SHA1
2d93613974be3c292a998179bfaa22006e92d0a6

SHA256
204d74631cc74c2acb7211b8e0880e70f88f24a827365324f39430c1293fe071

SHA512
3791ad881f4d4794d57bb07f59346765198be269c06fd769dc5ee2bc1bab0fe53874bec251eacbfa74955373b535638558dd3cbfaf4f3d498f8922254d220100

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
96KB

MD5
ce56ab2ee5d36d94cdcc3c0677477602

SHA1
53e136008dd2799abc74132e54c6b4136f85c4ff

SHA256
1c51561d452031e3ff3da0aa69f9acbd1053e327a3a125a9c139338dfca421b9

SHA512
6cd7098135308a1bd6521b2ed0d41923a7dd02ee491fb01178e2aead9d44093dfa101fa8045b15dbb5722b90df75ecf4af60f18dc73d349298821fdc9760acd5

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
96KB

MD5
53c6c2c06e0a8b475d50ff84d1046e26

SHA1
65d5b54c7d253d07d0683f9911bb5f6f52582ba5

SHA256
cc7f65121cbf748e909dab2dbd50a5080ecd59f8e1e9543798a95325e42aa909

SHA512
7db21d2f28e967fcbfc038a10ae459ce332c4e297c3e216e8731af7e86c87f04a08c751eb6a9be9abdbc6395eb2325a0bee6af2295533c41f3c0031475ea3e8e

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
96KB

MD5
5d27e3925a4c8a1dcc43c9df9b43459d

SHA1
7e23a5b729cbbf503ce2a7af0f48d609cad803bb

SHA256
6b5db5025df28e898e8af2e740a90d896beced9f176f76f1fc3bd4c3981abcff

SHA512
e7dcc896c1979eb3f80c2ca9a82cb648f60e54f6b1813e3f1bc23448b3d34be0b8bd3cd729aee290470fd99b7d3841bea604c1b7b24c41ae448a758f06ff1bf6

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
96KB

MD5
600bcbb5de9ae95ee346dfaa0280c4e4

SHA1
f01d649924303ea8ef05e42f2aface75bb8d16aa

SHA256
e475e31e45b17d3fb95ce80f6903df9c1753c00772c7a8341f9c1767c625c1cf

SHA512
43ae8eeaed09b64c9063b151188d395f07036ee73203009edba5680260b5f417bb12a72be8e9c3e29e38381bd96cd4f101af71f7ead3ea2009eb2561d0e37018

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
96KB

MD5
1032c83de794c7280b7b97f8a97fcfc8

SHA1
85ef63549f3ec1c6c02fb06dab150c33c0df6966

SHA256
74bc6a1fb6c32f5720a85a614c2e885bd597b78fab0aeab3ff7360d40f8eec09

SHA512
7301662bfef59d5f19cb2498b379f9cab2d6fcf98406018cc1d6394ae63fca6b19c31495fd21eb00b9f5ed6d8dbecc9aa752db87e733d032ab8d8ce22c6f00bd

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
96KB

MD5
0bfe666c8eb5d919ae80eb465ae926ec

SHA1
631a41add6b732295c9ca7d4e7848462b8057f3a

SHA256
c2d3b93b98d7f5dce527ca2051cf67f3d6e32b12ac9cea4703bb7a9751cb7b2d

SHA512
c835b5c7f514451cae5afb2f8e42deb80fb6f190b67c17ae781b60ce806c49ec4123002c118839e8047228923ac291c0c878402789e7d0c6b44c4d03431eb515

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
96KB

MD5
db62222d9f07d519f203d478c343b3a9

SHA1
f58ff35d98706b343dc9e23984bb03a0888e0d6e

SHA256
a6217683f07be21542ee960bd92a9766f645243d8d83c26ae5d74cf06b0d14c3

SHA512
7e6c9221f315d490311ce7c4dc5d6dd42f39db3e06d9238e6dd2e62037eb27210fba0c29580665b7602c0f14be3a2d3e9c59e71db602d68d7114ec2bff98370e

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
96KB

MD5
08c745e030f20b1f6fc3549f5996d163

SHA1
ac59a906a4d7b4885ffaa0cf720e5e12e6da80b1

SHA256
d98640378116153e8b1272735fc2559f031664eb5ce858c3c74b760c261228f0

SHA512
a5c7d25b4c1c593c02349237118975c2ad69aaa3c8b34c192f9591896b85f581f38300927ca3c294dd28dcd0f661f54c2eb947b47104eebb119020f1fd684815

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
96KB

MD5
1ef920f219cfd23b1a0258024012f5ba

SHA1
547e5d158fd305f422eceff5d181d2b2e4168a8d

SHA256
003c6230597f389a95c76ecbdc4b972701053db08991f9b6b4c435f7750ad239

SHA512
f27acd79f4beb19ce102d23c2a5b6f18883c6237a5799b89c9fb7ec5e21065f39c5ac9a92443b2d3223d714415aeca69aa56a1808f348faa9caa3237418781dc

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
96KB

MD5
a622a9134b7ab385a86481316bcb3dfe

SHA1
1d6ecc3f244163b91007c67b0036e064879aaee5

SHA256
32ce2dfed03dcb462c285e4b80a99170de333b9b998525f23361d114448a4069

SHA512
b5a7df0b69592cbb2e981456cdc98a9e3be6149642f8190c31bcb4b439bfa0449bfb2f1e0b7554753023ee0b62668210d8e83febaf8de838d7fe017ea082f318

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
96KB

MD5
ab3b34570feff869f761002624414611

SHA1
6451366eca8769a351c272e6010026101c4d2343

SHA256
c0630f4945da57ccec25a7513b8aa5b31f04038c6f32d0315eb661542d7803d7

SHA512
6784f68a29dd0b3ad90b1dbc6f29cb096c8ab4c3b4286dfb39ed6097eccc459c59ba3228a530c7bfc6f4cce456f071217df529c25efaf3b6bb12af2f63116c67

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
96KB

MD5
cbb5ef64bf59dae60eb9f282404b3dd9

SHA1
b8382e0fad4d74bbc4a57ee7143faaa1c42ca78c

SHA256
13176619b88e1f9f1517b9d04bbdd50ed2a1db6930f9a426fff8e175408fefc0

SHA512
c42cdbd625e1819895a31793de5e38ea7d35e76307a692cc876558bcd06f4476449230a13b11522ba775c7e656162c31375b72a5b2e87f08e68bb3b98f5cbdfe

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
96KB

MD5
8014d90470de127b12debe313956e066

SHA1
f75080b7b67483deab3b55fb86c2e11e774aad7b

SHA256
7dae24547552dd6dec9823eae52e2ec618e644a1e926cd1723ec8c2eb0f4695b

SHA512
b6bcf8770b9de602303770cca58de686954462170b73120f57c6e20098a6934810f766de0a9467fb9749379154c3c8d4ca9db7050a6de2fad6269b16c6bed907

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
96KB

MD5
1e1b352b1f936fba1862160206ecaa5d

SHA1
a7998626410c845ea5676890198050b0993a3b3f

SHA256
0c40f99e63b49247c8339db25d7716e95d27616569feea5931568e8f12e0252c

SHA512
54dcfe7d1fca30a4569db3a0d5f3043cb51f5844f7222908942f2e7234974e4ebb6a46cb943ebf3ad1b4e0e67940d84ad6bd560db9ef607a3ff3496590b8deec

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
96KB

MD5
9c44c1dbce295b86d6665833b9ed629b

SHA1
8f080063bada90d24c97e31c51d8a4c15410d01a

SHA256
0888a633cc641d38f587f1187a9dbbdbc85590d74c862304bad5c03708b610e1

SHA512
114c220863fc8aa42f85f7e4dbdb767a324cb1940542a8fbbb88e59018aca463fe3ebfa954ac15bf682c993163f7fbdf8d2eac99247e0cb59c30bc062dc95b12

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
96KB

MD5
17d25157c73200bdffe04497480501cf

SHA1
bfe75a926133c8515a0f6b50728ea83abac16c16

SHA256
f28d932d6ac76a0fb562d448c6d020839d054fe23456e8fef76705b363bfc375

SHA512
a2e5b346f1697ae1cd15585f3c54e14d768db09f6614d246867fe015c8e86c894d5b2f11825ff882bd3949b3cb6e616733395249f2335599b9e3b3ddc4b87d4f

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
96KB

MD5
2cd860f767d49319cf46735455f63c9f

SHA1
51eca025d2b079407d12f8d0e7df37c2fbeb0c4d

SHA256
93752f72694f12bd8fe1e3c3a4d2fc3a4ba1bf4414c9d57b327b8d971953c191

SHA512
6bfd2631ccd87578aa79958b3077d960c2e40c681fa792ff10da479cb5edacc581edeb463f59712085b252bb9269f2a04c2bd07cbab1f0fed60aa452ae387e72

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
96KB

MD5
9ec7323c8a960b5580473da3f952e231

SHA1
7fc1041ef33e680d0e3b0c4fdb5e8e6f45520b3a

SHA256
67ac58c30f6802e9e4ea763aef318633a3ec1a770239810e418d26731f747164

SHA512
14f8476f8fa3990272464234789d21dc0ba87f2b79473c35f85a800d9c5b74805723dd07f8e07b0192ba91a6396a795a78e7cb834b08b94e1a0fb3a6b218eb13

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
96KB

MD5
53a86c60482be1f1ad65c8fc07a26f5b

SHA1
a02172630849759dd09bb875df5678d86842ac8d

SHA256
1ee7ac7f992ee64984777f7e74ccfbdc9e4741b3db5d8a3026ed8fbd836fcaa8

SHA512
f5a90b627d2a629958e36df990178f8011721e18a7ff3d5fbce4761a888bce09845c6819cc16c76d30e6bbba059bcf2c986d08a3b44675ae84b24902228e5e1f

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
96KB

MD5
75ddc1edd1b5415fe0093c4821f92122

SHA1
41d71015563e2980bcf8a06bab34422dc371af97

SHA256
6f4cda5078ae0c57ae24d7ab12ddd4a7d1b57f4ed1ad3e31251826af36f050c8

SHA512
d0a127e1d099300fe35ec6d217fb729aa7c72bd4f122a2371907c05b0ef55d99e0c750fbc42d6fbda942d33bb1fa15443258b96aaf2c32dd6f556919f9f8a93b

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
96KB

MD5
5454f98c335b1528b3542aa16e311f28

SHA1
a26130e3af723c297387c54d368e5387b79a5871

SHA256
65689c590c9ae5a030ecd233d179e5b79b8082ae29ecc4d362931a797b94cbee

SHA512
00611fc5ede946d7064871d2215767c5208d0bce94be1301e5c214011e16bc0efc8e324594e9d5fc84b3160faea5c4a067538e5eb0a143574204f9ce78164cd9

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
96KB

MD5
ea0599553d50fbb74d7a0545e12c147c

SHA1
ae2e70dde1ab4a8c28ccb2ecabf1e9926576f0a3

SHA256
7b0bf0665710194c4b3386d9d887144071896a53a6c5ca4e1e94f50a1ce62435

SHA512
dc08a7b777606ea9e891832f0180f34a80e97fa69c7ed671061ba9a94dbc429e3282b66af2f5c3ab376958d3ee4c00328a98c388de2b7fd1acf2cd6d7515a0e4

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
96KB

MD5
bfe8722025db91bc14b8140def2d5cf4

SHA1
f4f0ed6b8ee102fd2176c58073361de2fa4e04f0

SHA256
46c2bdf5a82079f2cc4480ae76d37a369b8214fa96517dc8766ff6ae046e1df9

SHA512
b6ab1d4d420f40264a4d30190fe9b9c0ecdf662747156bf224190c45e6758535db6c18bebfbebedd9be9a7cbaddbd4c65c49284f7b5578305cb2feafac3f34ff

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
96KB

MD5
e9eb658b1b1a4bc92dae3bd178ac6690

SHA1
c32082a885554dd9ddf9cc3babafceee1463c87d

SHA256
06bd1ee81008115d13e78ef514ffc2d5ba062e6803c39131ffadd475bffbd943

SHA512
3980c0c2e9b431d244fe4f943df60842600b8d858087496ae6dcf97494321682e90a3b29bdc85100dc7c6bb5b22eb3cae2d0daf759075b5ddc40312ea3777f00

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
2a5e4c1f3bcf0fa194d37d63b9168ffa

SHA1
d914d7e35ce2c223e8227c9c824bc9fdfadff629

SHA256
10843e283574b1cc468f3365f0b1a89df65c5c06c9488e7b9cf579d5b6038876

SHA512
8c98cd7868f39c6abcc36269f8df6131187339beff34d80a542353e2765700c99a2e3c4b97f4000eb890c847b78ceaaa06667de4f32eb2f3021c41ce7e30c35a

Download Submit
C:\Windows\SysWOW64\Pafdjmkq.exe

Filesize
96KB

MD5
c2778b7797e619d0d7373ca72ca1971f

SHA1
aef95e38638f98b218026a941e20f4b218c3528f

SHA256
cb5e63384c94d76a1f402bb859d5d73d24bd6f3a532ff8db305301bc66316ad6

SHA512
9160cf977c00bc5e2a66669cf8c4832d5922537f5cf8a865908388ceef65f0c756a4d5d718de82358fb168fcd67745855907471ebb89cf6b83dd3fa0e774e769

Download Submit
C:\Windows\SysWOW64\Pcljmdmj.exe

Filesize
96KB

MD5
0951209d9f43b95449ddd02dbf1b9a44

SHA1
7eeced184c32835ee8c6a5ac8c942916d2db2a40

SHA256
6e181c23a90a8b370dcb1b1fb643b18b03d51917f4a74f7d68abb181a66ff444

SHA512
587104063b8894297ac00f77cb156572e0c875c22c399e17cb89e8d6468edb9f9eaa49f9f451c0f75b56981f461fe487456b5610ffabb8be84201dd1011777e5

Download Submit
C:\Windows\SysWOW64\Qcachc32.exe

Filesize
96KB

MD5
46e8b105b1e09608fd0d94e2683f002b

SHA1
bed10dd777e4c4b1e696a4e790b3f0d5d76c3144

SHA256
947fe2cd5cb7df5baa017d0dd79f383af8a00743107bcde100568543d56e14be

SHA512
9f75983c1c42d1c3b2f1997d012624751192d8b3f2000d5a28586a9e5e3b5c3cabc0b9fa8cfb7d66d205140b02bf33249f0d0415878d90afba5e225c419b3615

Download Submit
C:\Windows\SysWOW64\Qjklenpa.exe

Filesize
96KB

MD5
d4b6434b6c889658db586f804e66c2bf

SHA1
51b5ecacb6e692715b2499570fcdba94b38d8db9

SHA256
d84beaaecc93b3f448d5170f9efabc5e48293c132419013ea3c213be4fbfe2a7

SHA512
a5b1495ec076787f23f979341fb0083d85b880bd14994f80e8ad16c10d4ac5b2d704e6ed6506b89f559eb7a3982ac15325c9344c7a770a486c83b38e772b1ca1

Download Submit
C:\Windows\SysWOW64\Qkfocaki.exe

Filesize
96KB

MD5
773b6f15f59e0383fefc4f8e016e772e

SHA1
0409e5f9c8d3be1dc3c48113fbcb4c9e712a8b63

SHA256
65fa33a9c55abccd9e8d52994b6936d6f914732febab05e77b8922d2491120cd

SHA512
502261939c538e46248998f18c763f88beba522d9bf31af93fc5595cb740091b785e18b04a4ee5bcb0b6e6eb7a070ca799f0afb73131088d3f599480627b53d6

Download Submit
C:\Windows\SysWOW64\Qndkpmkm.exe

Filesize
96KB

MD5
f3f6449d80a767ffa51e8e2729037d31

SHA1
78cefbe95e27ba85d0a41d96b714afb7981599a3

SHA256
1e0e5b43f26dcb88d84975700d34901599e4ff34d8450a2c578148d7a11d6456

SHA512
15fa29277c493bdb9bad1ed79776564c350a364c76690d317d970a89c3d0d85d912afe365ebe0fb62ef1d6678311e541487067d1d7a0b53992d7c4054bed8671

Download Submit
C:\Windows\SysWOW64\Qpbglhjq.exe

Filesize
96KB

MD5
d7f58e6f143e3cf5ce36b59e266bb5f8

SHA1
aee788435fb3a7699caf869e2017f2e37e2fa49c

SHA256
c1bd286aac37d2028c760b73b98d1f80b4263affed0d6b6f4bec5a88995cf06b

SHA512
15dbf0a84d1c22f8b0a6eab33f91ff0d9f85d7d59e4768356951c1bfa16afc2bec9ce3591e103fe1b560cc800689910b0fccd5941d29d6e480f39470b97cc39b

Download Submit
\Windows\SysWOW64\Oekjjl32.exe

Filesize
96KB

MD5
ee38daa096fa9cf4e682c0001a510c1c

SHA1
339ca8d9119ca2c2f803a903cdaf5f7586b725b5

SHA256
5875d008ec764c5bdcb5137788ab6553cabfeb34204475d33d85ee22384d0ed6

SHA512
5fe5b393daa1cd4507a8963e2a6812c17f6f660525e0cef1bdc68c5e7325557d8a6316b72651a0bf1c7321a61873a71db925cffaf2660890c3e0fd6e775dc038

Download Submit
\Windows\SysWOW64\Ooabmbbe.exe

Filesize
96KB

MD5
5288a8391fa44e47530bc9851a596454

SHA1
8072c0fca6ba83c35090ba24deb1bf6d3ec0d04f

SHA256
41669f294c10b45bb53e12f1f60f70a93205fba0bee618c0a2f02e02040dac66

SHA512
181f732d44f3d6b0fafeab400bc51f8f1c8f7f7898b482c7516d7918a5408e036afb886469012abe9acd4105de8b154da0303722548e7afe0a17ec2181b93a3e

Download Submit
\Windows\SysWOW64\Oococb32.exe

Filesize
96KB

MD5
6fa3e300b262d3111b836787eb58fbd6

SHA1
9e513c25754651df58fc36c8645029a4a04902cd

SHA256
41ab4c34fc31b85b90b959052066d689fc92d4d6711b06fc9de1f8f0c8bc1762

SHA512
01250b67974a0728abe533476024c97959617c7eb5d0b2136ba385013ad6098bf9a459b3afc487f0d89c792edf6f2a0cb5bbbccc0103e6441d0bee7e822084f7

Download Submit
\Windows\SysWOW64\Paknelgk.exe

Filesize
96KB

MD5
5719872d38402545ace72bb0883206c8

SHA1
77f6caa2ac3e11712de9c1a40e00babb9a5da9fd

SHA256
389ac011c4f5ca4cb7cf1308c1fadbea0a7d23e22bd65abc00c52616fc4f2488

SHA512
a8c6874932da922828a80b27f5d079c418c8cd0c94f20f2dad0b6b20af7af943a40d48c20ecc3312b5a58053795f504eb629a61fb3e938a04da4b8571dbdb5b2

Download Submit
\Windows\SysWOW64\Pdgmlhha.exe

Filesize
96KB

MD5
a1551911effc7b973746f3e14f69ee4b

SHA1
2691188f551273e48709d86bb0ff5b17ab85521a

SHA256
48df27b0f0230c48f0a31fccbcdf56a5ecde4d5d77bee3dbab831b95875a3746

SHA512
111b55485abda20f9149a4d30e156c1462f966f6d1c4b5ec194b6fcebf83a2601c993c16c1427962dd59701c0649df061afea38bd19e00cd1d941c5b2851568e

Download Submit
\Windows\SysWOW64\Pgcmbcih.exe

Filesize
96KB

MD5
f77ed50336321e990bb04ef5d64224c0

SHA1
c7f1a91cfda9b5f66c23f29b65383c7fe9be5ca7

SHA256
4af3b7f97a07f4054d6dff00d6819a5f6c59ecb6767d49a638de372ee0aa1fe0

SHA512
91117dadb0b127ab349503d4ac4bd3d08e062f96abeae1cf384c9d40095c6b1ac7734be5e8edb1c4c6d324e1951fe5cf8b3b905ab7318dc711c5f0820deb1a29

Download Submit
\Windows\SysWOW64\Phnpagdp.exe

Filesize
96KB

MD5
5661134b7bbc98b4a2a1ff4687e4f751

SHA1
1b566527b4eff4f6c1a0f341a5ead091865886d6

SHA256
30cf9e9890f5ee39f20709633569d9f42c81ded564250375d646dabd1a41540a

SHA512
f267ee5cb70116f727d9acd64d95e2dcedc903501972e1931dfd08032208fcb61b85a76654d384c5fc3b290bc9db19299b91810f028d4684862ff04581fcf5af

Download Submit
\Windows\SysWOW64\Piicpk32.exe

Filesize
96KB

MD5
69edfe8095dd3bc762102a83a1941eae

SHA1
563e3c484798e9360e2957c9ba7d69f7e3217e80

SHA256
1b8977609d4cbfc6cd1fceb526866be4f2ebac9c3e1451e80ca15aa2bbf11091

SHA512
ec662c51e799574bb0ce9d55e306cc473f49c288bd3d9c53fb4df296f48dd344681faa49e31b0595f50ca5c46aa711a4c8c6c3e659ccf4b3d7ffa4873b75185a

Download Submit
\Windows\SysWOW64\Pkaehb32.exe

Filesize
96KB

MD5
0c0032d309e50ced0425dd22de9e6ed7

SHA1
ac302a054ae1e4ed75514dfc77f3ccb9bb160e85

SHA256
185bdfaf42295744a520274daae235711b51d0014dc155c3cec114557dff57c1

SHA512
17627fd027f70b7a8f9ce57bd5495e99b926fc38c565c905db9d80885211fcea4efb60786278c93e7ffa7fe6fdcf5546d505cbddbc957e312362f17dab91790d

Download Submit
\Windows\SysWOW64\Pmmeon32.exe

Filesize
96KB

MD5
f6d0343db4f37ffd4a3e9e884b96dc5a

SHA1
22734a624cef347f3a2e973bc6374a171109ba99

SHA256
49e23afdf09355256688b2dbfb4ea19abd7700b649b8b44028bbd69b27a6fb7d

SHA512
d22bb13b49727686b5cc32c67b1908f3a4e4dd37c67de20851cf1f96d83376da06f232b9014781cc1c90a468d39ca6caddaaedd51e905fe0a36ae14b72ffd6aa

Download Submit
\Windows\SysWOW64\Pnbojmmp.exe

Filesize
96KB

MD5
e6fb986c29a37087d3ac6c8452946608

SHA1
d5fbb2fc0e8ef18977b87cc096438b2aa90b78fa

SHA256
60b1fae8d40dbf4f7d0fc30521f15f7aaf470f74f2590a9e2b959edd5fdc0201

SHA512
896087ae8d1e35da0c28ae695fa1f1a8a1b53e4b70b6f6c8d78b7b6a939e6940b13afa9ca8deb4f09771e957813e0b637824b820060e69960b64dedce1467723

Download Submit
\Windows\SysWOW64\Pofkha32.exe

Filesize
96KB

MD5
1a3bdfaf1a07974a269ffccbbe18ce50

SHA1
b1d1be1f570d085a14221e6379236e5e52a69471

SHA256
9fe0478fc8aecb3e0f1b8825407a21f672993781b894bf6533c3aa455371ce6a

SHA512
a375b33f9ad6d24d07616dc5e9159f7015139247dbe054726088c1517d312cb826b9af02cdbc8023a07409756d00dda26a589fb50d17fbb1592ffbbeb44bf278

Download Submit
\Windows\SysWOW64\Pohhna32.exe

Filesize
96KB

MD5
a2f04a6cf143915c1a1a766005d39c0e

SHA1
3e54b468c697ed1887eea4470e50a3df6a99b32e

SHA256
4f0e05972adf179d68dc2bdd2bfa1cd69d0de05740415b21ec2f3e3d776b852a

SHA512
6ec5c03a229053b5dbed908d943ef2a798168be4a073a097f411f2cc094de120a94e3fea85f17319d6031d1744d899e5a4db145caf5ae3d9e61d95c494bcaa1c

Download Submit
\Windows\SysWOW64\Qdlggg32.exe

Filesize
96KB

MD5
c3776d6b0876fb2c5d16e65428acd00c

SHA1
c9e895c227539bfbdb70144a384255830b303349

SHA256
6bb0d6bf44755bd5764918bf74b3c9df05556939a00fc133b3a5a36abeafc15f

SHA512
b45cab65a3e2a5439f4ae0cf04ccab57f1a0331d67dde8c42d9fff58a2968dab7762dd0bd5d0dfc1eba8f3777f9890c16a11c9dfe69c99e7f63f99b22a1e5038

Download Submit
memory/340-797-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-219-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/688-495-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/688-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/688-806-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-289-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/768-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-288-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/848-519-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/848-518-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/848-811-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-256-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/980-807-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-803-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-309-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/1144-310-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/1352-801-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-333-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1404-11-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1404-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-12-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1416-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-321-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1560-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-316-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1608-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-411-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1616-453-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1616-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-142-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1616-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-420-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1672-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-240-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1692-813-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-428-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1696-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-120-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1696-114-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1700-506-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1700-507-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1700-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-812-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-796-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-799-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-38-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2028-167-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2028-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-795-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-384-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2092-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-464-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2188-808-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-471-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2232-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-804-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-798-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-296-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2424-300-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2440-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-275-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2520-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-376-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2584-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-809-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-105-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2624-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-802-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-65-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2764-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-331-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2768-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-345-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2780-340-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2780-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-400-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2800-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-399-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2824-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-88-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2848-366-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2848-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-452-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2972-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-810-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-194-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads