berbew | 30b34fa3492c9be09c0269e46fb5410f768ab787e362af8d3fa907b8b618f0d9

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/11/2024, 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30b34fa3492c9be09c0269e46fb5410f768ab787e362af8d3fa907b8b618f0d9.exe
Size

96KB
MD5

b7778202c467c14ef11eb5efefaf028b
SHA1

1bf5efd783977585fd3e187b3719b113714a5aa3
SHA256

30b34fa3492c9be09c0269e46fb5410f768ab787e362af8d3fa907b8b618f0d9
SHA512

76a79c2c74ebfa66d3bca55b5612fc7e7deb9daf35b95fd1de66664b6dc0c65542d75dd40946a18fae2171ce78cfd140182462b84988f6a1f8e6af861fba0c5b
SSDEEP

1536:JdvdYaqQMgHpSgwAvxg6OyZQtX22LA7RZObZUUWaegPYA:vxqFgJSkvx2ftLAClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obokcqhk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Padhdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcibc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paiaplin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcqcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnoiio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paiaplin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pebpkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nedhjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nedhjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnoiio32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Objaha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phlclgfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfoghakb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omioekbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcqcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phqmgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olpilg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbglhjq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlefhcnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pleofj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phlclgfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phqmgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pleofj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlnpgd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3008	Nedhjj32.exe
2268	Nlnpgd32.exe
3044	Nnoiio32.exe
2808	Nlcibc32.exe
3020	Neknki32.exe
2884	Nlefhcnc.exe
2532	Nfoghakb.exe
2980	Omioekbo.exe
1744	Opglafab.exe
2032	Ofcqcp32.exe
2340	Olpilg32.exe
624	Objaha32.exe
496	Opnbbe32.exe
2704	Oiffkkbk.exe
2116	Obokcqhk.exe
1940	Phlclgfc.exe
2304	Padhdm32.exe
1516	Pkmlmbcd.exe
1968	Pebpkk32.exe
2264	Phqmgg32.exe
572	Paiaplin.exe
2408	Pdgmlhha.exe
888	Pidfdofi.exe
3036	Pcljmdmj.exe
2332	Pleofj32.exe
2960	Qdlggg32.exe
1720	Qndkpmkm.exe
2744	Qpbglhjq.exe
2664	Qnghel32.exe
2868	Aohdmdoh.exe
2800	Apgagg32.exe
2972	Ahbekjcf.exe
484	Akabgebj.exe
1772	Afffenbp.exe
2392	Adifpk32.exe
856	Abmgjo32.exe
1980	Agjobffl.exe
1972	Bhjlli32.exe
2844	Bnfddp32.exe
2160	Bqeqqk32.exe
2136	Bmlael32.exe
1096	Bdcifi32.exe
1196	Bjpaop32.exe
1684	Bqijljfd.exe
2788	Boljgg32.exe
2236	Bgcbhd32.exe
1172	Bcjcme32.exe
1364	Bjdkjpkb.exe
3028	Bmbgfkje.exe
896	Ccmpce32.exe
2760	Cfkloq32.exe
2628	Cmedlk32.exe
2624	Cnfqccna.exe
2576	Cepipm32.exe
308	Cgoelh32.exe
2732	Cbdiia32.exe
1600	Cebeem32.exe
1616	Cgaaah32.exe
2108	Caifjn32.exe
2120	Cgcnghpl.exe
2372	Clojhf32.exe
1604	Calcpm32.exe
936	Ccjoli32.exe
1932	Cfhkhd32.exe

Loads dropped DLL 64 IoCs

pid	Process
3012	30b34fa3492c9be09c0269e46fb5410f768ab787e362af8d3fa907b8b618f0d9.exe
3012	30b34fa3492c9be09c0269e46fb5410f768ab787e362af8d3fa907b8b618f0d9.exe
3008	Nedhjj32.exe
3008	Nedhjj32.exe
2268	Nlnpgd32.exe
2268	Nlnpgd32.exe
3044	Nnoiio32.exe
3044	Nnoiio32.exe
2808	Nlcibc32.exe
2808	Nlcibc32.exe
3020	Neknki32.exe
3020	Neknki32.exe
2884	Nlefhcnc.exe
2884	Nlefhcnc.exe
2532	Nfoghakb.exe
2532	Nfoghakb.exe
2980	Omioekbo.exe
2980	Omioekbo.exe
1744	Opglafab.exe
1744	Opglafab.exe
2032	Ofcqcp32.exe
2032	Ofcqcp32.exe
2340	Olpilg32.exe
2340	Olpilg32.exe
624	Objaha32.exe
624	Objaha32.exe
496	Opnbbe32.exe
496	Opnbbe32.exe
2704	Oiffkkbk.exe
2704	Oiffkkbk.exe
2116	Obokcqhk.exe
2116	Obokcqhk.exe
1940	Phlclgfc.exe
1940	Phlclgfc.exe
2304	Padhdm32.exe
2304	Padhdm32.exe
1516	Pkmlmbcd.exe
1516	Pkmlmbcd.exe
1968	Pebpkk32.exe
1968	Pebpkk32.exe
2264	Phqmgg32.exe
2264	Phqmgg32.exe
572	Paiaplin.exe
572	Paiaplin.exe
2408	Pdgmlhha.exe
2408	Pdgmlhha.exe
888	Pidfdofi.exe
888	Pidfdofi.exe
3036	Pcljmdmj.exe
3036	Pcljmdmj.exe
2332	Pleofj32.exe
2332	Pleofj32.exe
2960	Qdlggg32.exe
2960	Qdlggg32.exe
1720	Qndkpmkm.exe
1720	Qndkpmkm.exe
2744	Qpbglhjq.exe
2744	Qpbglhjq.exe
2664	Qnghel32.exe
2664	Qnghel32.exe
2868	Aohdmdoh.exe
2868	Aohdmdoh.exe
2800	Apgagg32.exe
2800	Apgagg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ckmcef32.dll	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Maanne32.dll	Apgagg32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Nhcmgmam.dll	Neknki32.exe
File created	C:\Windows\SysWOW64\Pkmlmbcd.exe	Padhdm32.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Nlcibc32.exe	Nnoiio32.exe
File opened for modification	C:\Windows\SysWOW64\Qnghel32.exe	Qpbglhjq.exe
File created	C:\Windows\SysWOW64\Apgagg32.exe	Aohdmdoh.exe
File opened for modification	C:\Windows\SysWOW64\Ahbekjcf.exe	Apgagg32.exe
File opened for modification	C:\Windows\SysWOW64\Akabgebj.exe	Ahbekjcf.exe
File created	C:\Windows\SysWOW64\Adifpk32.exe	Afffenbp.exe
File opened for modification	C:\Windows\SysWOW64\Bhjlli32.exe	Agjobffl.exe
File created	C:\Windows\SysWOW64\Boljgg32.exe	Bqijljfd.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Jfkgbapp.dll	Nfoghakb.exe
File created	C:\Windows\SysWOW64\Hfiocpon.dll	Omioekbo.exe
File opened for modification	C:\Windows\SysWOW64\Objaha32.exe	Olpilg32.exe
File opened for modification	C:\Windows\SysWOW64\Phqmgg32.exe	Pebpkk32.exe
File opened for modification	C:\Windows\SysWOW64\Apgagg32.exe	Aohdmdoh.exe
File opened for modification	C:\Windows\SysWOW64\Afffenbp.exe	Akabgebj.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cebeem32.exe
File created	C:\Windows\SysWOW64\Neknki32.exe	Nlcibc32.exe
File created	C:\Windows\SysWOW64\Olpilg32.exe	Ofcqcp32.exe
File created	C:\Windows\SysWOW64\Enjmdhnf.dll	Opnbbe32.exe
File opened for modification	C:\Windows\SysWOW64\Qndkpmkm.exe	Qdlggg32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Clojhf32.exe
File created	C:\Windows\SysWOW64\Odldga32.dll	Nlcibc32.exe
File opened for modification	C:\Windows\SysWOW64\Nlefhcnc.exe	Neknki32.exe
File created	C:\Windows\SysWOW64\Kaaded32.dll	Pdgmlhha.exe
File created	C:\Windows\SysWOW64\Ameaio32.dll	Pidfdofi.exe
File created	C:\Windows\SysWOW64\Jhbcjo32.dll	Pleofj32.exe
File opened for modification	C:\Windows\SysWOW64\Aohdmdoh.exe	Qnghel32.exe
File opened for modification	C:\Windows\SysWOW64\Bqeqqk32.exe	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Pghaaidm.dll	Ofcqcp32.exe
File created	C:\Windows\SysWOW64\Dafqii32.dll	Objaha32.exe
File opened for modification	C:\Windows\SysWOW64\Pkmlmbcd.exe	Padhdm32.exe
File opened for modification	C:\Windows\SysWOW64\Pebpkk32.exe	Pkmlmbcd.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bcjcme32.exe
File opened for modification	C:\Windows\SysWOW64\Qpbglhjq.exe	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Pkdhln32.dll	Akabgebj.exe
File created	C:\Windows\SysWOW64\Bdcifi32.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Odlhoigp.dll	Olpilg32.exe
File created	C:\Windows\SysWOW64\Pebpkk32.exe	Pkmlmbcd.exe
File opened for modification	C:\Windows\SysWOW64\Paiaplin.exe	Phqmgg32.exe
File created	C:\Windows\SysWOW64\Pidfdofi.exe	Pdgmlhha.exe
File created	C:\Windows\SysWOW64\Pleofj32.exe	Pcljmdmj.exe
File created	C:\Windows\SysWOW64\Akabgebj.exe	Ahbekjcf.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cgaaah32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2328	2284	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Objaha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmlmbcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcqcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paiaplin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pleofj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olpilg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdgmlhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nedhjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbglhjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aohdmdoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30b34fa3492c9be09c0269e46fb5410f768ab787e362af8d3fa907b8b618f0d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlefhcnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omioekbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phqmgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnoiio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opnbbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcibc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opglafab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obokcqhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Padhdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidfdofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcljmdmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnghel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akabgebj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlnpgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiffkkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neknki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfoghakb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phlclgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pebpkk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obokcqhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahapj32.dll"	Phqmgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdecggq.dll"	Nlefhcnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maanne32.dll"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqnnmcd.dll"	Agjobffl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcqcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffeganon.dll"	Phlclgfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oiffkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ameaio32.dll"	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippbdn32.dll"	Nlnpgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlnpgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paiaplin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlefhcnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Objaha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phlclgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnghel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omioekbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Objaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pebpkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhpmg32.dll"	Paiaplin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adpqglen.dll"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olpilg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phlclgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opnbbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Padhdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	30b34fa3492c9be09c0269e46fb5410f768ab787e362af8d3fa907b8b618f0d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlefhcnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nedhjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdlggg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opglafab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafqii32.dll"	Objaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbjim32.dll"	Pcljmdmj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 3008	3012	30b34fa3492c9be09c0269e46fb5410f768ab787e362af8d3fa907b8b618f0d9.exe	31
PID 3012 wrote to memory of 3008	3012	30b34fa3492c9be09c0269e46fb5410f768ab787e362af8d3fa907b8b618f0d9.exe	31
PID 3012 wrote to memory of 3008	3012	30b34fa3492c9be09c0269e46fb5410f768ab787e362af8d3fa907b8b618f0d9.exe	31
PID 3012 wrote to memory of 3008	3012	30b34fa3492c9be09c0269e46fb5410f768ab787e362af8d3fa907b8b618f0d9.exe	31
PID 3008 wrote to memory of 2268	3008	Nedhjj32.exe	32
PID 3008 wrote to memory of 2268	3008	Nedhjj32.exe	32
PID 3008 wrote to memory of 2268	3008	Nedhjj32.exe	32
PID 3008 wrote to memory of 2268	3008	Nedhjj32.exe	32
PID 2268 wrote to memory of 3044	2268	Nlnpgd32.exe	33
PID 2268 wrote to memory of 3044	2268	Nlnpgd32.exe	33
PID 2268 wrote to memory of 3044	2268	Nlnpgd32.exe	33
PID 2268 wrote to memory of 3044	2268	Nlnpgd32.exe	33
PID 3044 wrote to memory of 2808	3044	Nnoiio32.exe	34
PID 3044 wrote to memory of 2808	3044	Nnoiio32.exe	34
PID 3044 wrote to memory of 2808	3044	Nnoiio32.exe	34
PID 3044 wrote to memory of 2808	3044	Nnoiio32.exe	34
PID 2808 wrote to memory of 3020	2808	Nlcibc32.exe	35
PID 2808 wrote to memory of 3020	2808	Nlcibc32.exe	35
PID 2808 wrote to memory of 3020	2808	Nlcibc32.exe	35
PID 2808 wrote to memory of 3020	2808	Nlcibc32.exe	35
PID 3020 wrote to memory of 2884	3020	Neknki32.exe	36
PID 3020 wrote to memory of 2884	3020	Neknki32.exe	36
PID 3020 wrote to memory of 2884	3020	Neknki32.exe	36
PID 3020 wrote to memory of 2884	3020	Neknki32.exe	36
PID 2884 wrote to memory of 2532	2884	Nlefhcnc.exe	37
PID 2884 wrote to memory of 2532	2884	Nlefhcnc.exe	37
PID 2884 wrote to memory of 2532	2884	Nlefhcnc.exe	37
PID 2884 wrote to memory of 2532	2884	Nlefhcnc.exe	37
PID 2532 wrote to memory of 2980	2532	Nfoghakb.exe	38
PID 2532 wrote to memory of 2980	2532	Nfoghakb.exe	38
PID 2532 wrote to memory of 2980	2532	Nfoghakb.exe	38
PID 2532 wrote to memory of 2980	2532	Nfoghakb.exe	38
PID 2980 wrote to memory of 1744	2980	Omioekbo.exe	39
PID 2980 wrote to memory of 1744	2980	Omioekbo.exe	39
PID 2980 wrote to memory of 1744	2980	Omioekbo.exe	39
PID 2980 wrote to memory of 1744	2980	Omioekbo.exe	39
PID 1744 wrote to memory of 2032	1744	Opglafab.exe	40
PID 1744 wrote to memory of 2032	1744	Opglafab.exe	40
PID 1744 wrote to memory of 2032	1744	Opglafab.exe	40
PID 1744 wrote to memory of 2032	1744	Opglafab.exe	40
PID 2032 wrote to memory of 2340	2032	Ofcqcp32.exe	41
PID 2032 wrote to memory of 2340	2032	Ofcqcp32.exe	41
PID 2032 wrote to memory of 2340	2032	Ofcqcp32.exe	41
PID 2032 wrote to memory of 2340	2032	Ofcqcp32.exe	41
PID 2340 wrote to memory of 624	2340	Olpilg32.exe	42
PID 2340 wrote to memory of 624	2340	Olpilg32.exe	42
PID 2340 wrote to memory of 624	2340	Olpilg32.exe	42
PID 2340 wrote to memory of 624	2340	Olpilg32.exe	42
PID 624 wrote to memory of 496	624	Objaha32.exe	43
PID 624 wrote to memory of 496	624	Objaha32.exe	43
PID 624 wrote to memory of 496	624	Objaha32.exe	43
PID 624 wrote to memory of 496	624	Objaha32.exe	43
PID 496 wrote to memory of 2704	496	Opnbbe32.exe	44
PID 496 wrote to memory of 2704	496	Opnbbe32.exe	44
PID 496 wrote to memory of 2704	496	Opnbbe32.exe	44
PID 496 wrote to memory of 2704	496	Opnbbe32.exe	44
PID 2704 wrote to memory of 2116	2704	Oiffkkbk.exe	45
PID 2704 wrote to memory of 2116	2704	Oiffkkbk.exe	45
PID 2704 wrote to memory of 2116	2704	Oiffkkbk.exe	45
PID 2704 wrote to memory of 2116	2704	Oiffkkbk.exe	45
PID 2116 wrote to memory of 1940	2116	Obokcqhk.exe	46
PID 2116 wrote to memory of 1940	2116	Obokcqhk.exe	46
PID 2116 wrote to memory of 1940	2116	Obokcqhk.exe	46
PID 2116 wrote to memory of 1940	2116	Obokcqhk.exe	46

C:\Users\Admin\AppData\Local\Temp\30b34fa3492c9be09c0269e46fb5410f768ab787e362af8d3fa907b8b618f0d9.exe
"C:\Users\Admin\AppData\Local\Temp\30b34fa3492c9be09c0269e46fb5410f768ab787e362af8d3fa907b8b618f0d9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\Nedhjj32.exe
  C:\Windows\system32\Nedhjj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\Nlnpgd32.exe
    C:\Windows\system32\Nlnpgd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\SysWOW64\Nnoiio32.exe
      C:\Windows\system32\Nnoiio32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\SysWOW64\Nlcibc32.exe
        
        C:\Windows\system32\Nlcibc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\Windows\SysWOW64\Neknki32.exe
        
        C:\Windows\system32\Neknki32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Nlefhcnc.exe
        
        C:\Windows\system32\Nlefhcnc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Nfoghakb.exe
        
        C:\Windows\system32\Nfoghakb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Omioekbo.exe
        
        C:\Windows\system32\Omioekbo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Opglafab.exe
        
        C:\Windows\system32\Opglafab.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Ofcqcp32.exe
        
        C:\Windows\system32\Ofcqcp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Olpilg32.exe
        
        C:\Windows\system32\Olpilg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Objaha32.exe
        
        C:\Windows\system32\Objaha32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Opnbbe32.exe
        
        C:\Windows\system32\Opnbbe32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:496
        
        C:\Windows\SysWOW64\Oiffkkbk.exe
        
        C:\Windows\system32\Oiffkkbk.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Obokcqhk.exe
        
        C:\Windows\system32\Obokcqhk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Phlclgfc.exe
        
        C:\Windows\system32\Phlclgfc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Padhdm32.exe
        
        C:\Windows\system32\Padhdm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Pkmlmbcd.exe
        
        C:\Windows\system32\Pkmlmbcd.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\Pebpkk32.exe
        
        C:\Windows\system32\Pebpkk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Phqmgg32.exe
        
        C:\Windows\system32\Phqmgg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Paiaplin.exe
        
        C:\Windows\system32\Paiaplin.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Pdgmlhha.exe
        
        C:\Windows\system32\Pdgmlhha.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Pidfdofi.exe
        
        C:\Windows\system32\Pidfdofi.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Pcljmdmj.exe
        
        C:\Windows\system32\Pcljmdmj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Pleofj32.exe
        
        C:\Windows\system32\Pleofj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\Qdlggg32.exe
        
        C:\Windows\system32\Qdlggg32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\Qpbglhjq.exe
        
        C:\Windows\system32\Qpbglhjq.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Qnghel32.exe
        
        C:\Windows\system32\Qnghel32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Aohdmdoh.exe
        
        C:\Windows\system32\Aohdmdoh.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Akabgebj.exe
        
        C:\Windows\system32\Akabgebj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:484
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Bhjlli32.exe
        
        C:\Windows\system32\Bhjlli32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:896
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:308
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        67⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 144
        68⤵
        Program crash
        
        PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
96KB

MD5
a4b4b41d31cf0ac2029978fc4df47009

SHA1
67b537552302329eb59eb9b6d60b8b069519b91d

SHA256
a3ecfce2cac1bebc2fd9c226892367056db28d5af8cbe2c5446dffd0638b9a20

SHA512
851adcbff39913eda7cd6f13181c4a8b1a499b7cbe10c76667512951cc66f88361fcb9a1b5ae93363da544361d77f90110df96048cc98c4ea6ca577e1baff11c

Download Submit
C:\Windows\SysWOW64\Adifpk32.exe

Filesize
96KB

MD5
7919fbb3de45f2bc30efc48333699975

SHA1
f78ca5b50b5d6a84d6b4067b38bbe93db4c4e4c8

SHA256
ce2a24eabe45f9e5d5aba30a3b88f93664053fea987c26d4e504adc674eb3e02

SHA512
c13112f78b7b6a81e5bc1d1dd101d57856dae7783d9a82a0e0ef23e35a71a747939215fe2f11773f65504d944271c172b3f0f515427bd121a26e1c0ec0f6a42f

Download Submit
C:\Windows\SysWOW64\Afffenbp.exe

Filesize
96KB

MD5
23f4e52eadd579b52634d02a210b636b

SHA1
86d8c209037214b9dcb3853a0b4a626881b4a0ba

SHA256
368bcb22363347678ca341ada15d8688fc50fe59cc8eea5fe69408eeb12d4653

SHA512
d6ad920c51246dfa44b341562f36b3f1e8595fe3b120b85a97e023afcb93904cb9548040df526e111d88e2373385c7b9937b8c9e18323fd57b6ba4bcfb5a51e2

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
96KB

MD5
a87424a46e1a463b1c741917fce6fa9e

SHA1
8f7bbac114e81ee0f3ef8a96ed0dff828eff6b02

SHA256
4650cae6e06417e47100d7878046755f811d7dfc99053899f5c399ff27a1d245

SHA512
d927d74277fe6a9840b8cf92590cb83a2b2c48cb24081dd341e25780bbb665d845aa4f7750d1e43ffed6771bf9995d7bc5d869feda23771457333e1eb13b12d4

Download Submit
C:\Windows\SysWOW64\Ahbekjcf.exe

Filesize
96KB

MD5
35fba57a106ab013e70396c3ac2c4230

SHA1
d20ae696af8375a80a41c7f0d625f214c6f2e7be

SHA256
a842d558f3448aeb5371c1580f57d971f2ff3164c727eed9ca784b30557a6736

SHA512
4ccb38dbdf4b968695ddfacf15c3ee3d5bed996a390494e0abbd9731248704fdea23b13e0a524eda516f2e08486fae6f4459e217b4ccf8763d3751c7a7896d44

Download Submit
C:\Windows\SysWOW64\Akabgebj.exe

Filesize
96KB

MD5
2399662e29cfe3bbe3434c76e859bb8b

SHA1
59471bb42893c6ef33263a12bbbbb06d470ce8e3

SHA256
079bb16b743dc2a289c6a248d494d9fc6b089235e4b143fe08791ff276f05ab8

SHA512
34063ef73c3ac5b62df75b2a3cf61f14828044ef9b42bf6daeadafcdb3379dabeb3661d6a3c7963be16f9837175ec5dbfc473c12bbc05fe63ce9b843de2dc578

Download Submit
C:\Windows\SysWOW64\Aohdmdoh.exe

Filesize
96KB

MD5
27b888176c84a33e75cd8536ddbcbfa2

SHA1
006bdcda46373602ccff1c1c70598ac6f6f8b122

SHA256
be4a054b6f51920b80f41448bf0ad8a4a051d8f36e40f9e4af61bcf8d0ae5654

SHA512
7fca9abacbb80cf403a47452190e63e48454147e7ccac4f21dffd33cf55b14d879661b46acaa6d4f6284d46fae12976eb721cf6d6aeacc15b1e3283e330ba217

Download Submit
C:\Windows\SysWOW64\Apgagg32.exe

Filesize
96KB

MD5
e5d1b09dcdc43e7330912e11efcc2b64

SHA1
1051a7e58c88ec7a49ea4dcb0e3f767e413bd9a0

SHA256
80c8c481d94bd02f02951e1258e3864db5f8a9f0dd7095d483bc6abdd2ceb286

SHA512
f41507558441f1e1a942023ae0cdaa071e4f33aa6aaf82a282acda96488918ec41983bb0216964eb0e2d66862739fa885e6bd0f6f8451a190f87fa13bd26a0a8

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
96KB

MD5
c92de67d9fe429ec1a46b31407b1362c

SHA1
622080864bbcc17bd288033f87a79a901fbe3616

SHA256
19ce230ae28c95cde1f4cce7e802aa99f02bd4bb745c31de3790bbe441a85dc8

SHA512
843dae401a42c6fc8c346522f43373d1eef35a721e73fa53a50d0b9caebc4f31005edd07a8ad36d1290e285c8ca72527034e3313d873a600094b4df0c52103a0

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
96KB

MD5
0e7723f1f70fb854e66e64ba43fd616a

SHA1
f80df28fe071275a3ef7fe62b3818feb13efbb9b

SHA256
0a61bb218a13cb152208f940d85d4a772892c81281fa07f1d6eaa1b8ab5e081c

SHA512
b3b9b65d226c9a2b7ee844a70e96e3e143bc6d5335902025cf3971a35caf6fe7d14f9e62e6166a7e11436b0a249c56eee1ed841e24e05feae98a490fa2838305

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
96KB

MD5
4da3e54a8ac567c3c8be53ce443f007b

SHA1
b0859261ee17b79ab52e6065579c7c1a153ada8a

SHA256
ad5877953aef5ebca83d8312f04cec09063f8152e17ab5bc6bd32db684236e7d

SHA512
67d65146096d0374b7f5f1b316419a5915bdbba5afc50a02f7b0f55f8ad2dc6e67b5a17af0397cd073958f9b036131e19880c50b8e4bf3fb38a9b97cc80c4ef4

Download Submit
C:\Windows\SysWOW64\Bhjlli32.exe

Filesize
96KB

MD5
cae37965a725d60845a0bbb362918eb0

SHA1
566b2d4b2c7e0188dddd8cd68b65ee4b89b09a63

SHA256
551a922e0c5eb9a3b19e84921daa985feb4e4032da91a6e75bbc811767d74359

SHA512
9bfbe75b47fb9dc11934138df15d019472a90978cf193ef14c32b4bab8a84ee1e6e95836bf27d4dacdafc06d25330dde4f8700cf9dfd6a40a96a9c6e7bf1024c

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
96KB

MD5
ee63da8e341d04b399f4a306885924a9

SHA1
64f9604d5326be8ce2843cd98a416261b3cdd984

SHA256
0b31d2adb2b0fc1fcd498f0fc743e5644c86d402980a30764e1ef4e0629b0955

SHA512
5666158b366d397a729ae4199097b1bf0cd61dd69e2aeb98a8f2b96db55a1f04c2ac6e8e71ad5d377d541c8e6aa9c813795d485647270448cafebc123782bcf8

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
96KB

MD5
6e3c8793b163e67d42e8ac1e5e6a4c74

SHA1
0fdb4b021ba7602594b965c3023b179ccff95a41

SHA256
0ea74cea483c993bc946d5778b1da8eb24ef1b09f1c32a3186a9f847033c3efd

SHA512
6ff956cea47e90e7c079dc9a4d5ee423d54b957e02ba8d1ca3a627131e85efdd807c0ef6c51b040a1804b909cddd3cede68003ff16ce16e5b26d9a3edc265c59

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
96KB

MD5
d9f6c9450b5b028f7426458d5639b39d

SHA1
4493d5b3a90b48a7c8d6eee67863d01327c25f9d

SHA256
eec1243e9529ca1693aa176d3bf187e6b181b34525b66b990e74521cdb2680e0

SHA512
0cf218944ee2ef698da4d0872e2cf2c1ec59f2fbe1b828b27ab33d1fd274565eb5be5144a3852ee6834a87781b97a529996edee3ca33144770585e56ff6e95c9

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
96KB

MD5
d04722f4956ceb399c390ad9b4dfba8e

SHA1
1acf2c64422724619f11c60f2096d35d0d47f3cb

SHA256
ae9c3007e3bd4c9608781c49a592ddd2e6bebaf081d8458aa112e3e977145080

SHA512
9c2e116144fe011645ed7034dbd297f48fdbc97a5cc9be1de894f02a80d7a868b3da7d7061a83e98d25661e35df2f000ba2bac5e882964a3bd6cbcee696a5ab4

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
96KB

MD5
c051429d5e52d3d7ea3985005f08140a

SHA1
e78a66af184639d01f8951119d6110e33d5141f0

SHA256
af80e08a5ac60cb5e205ae848613746491a6a6cdd4da8a0a27d55e761b6f9b9a

SHA512
cf4291eab508019c3e2338d8ed74fbbe62a31794bee18bd6ff4b51c89f2d6f0f89188706d4b3b15d557f31993a4b22b4601cfbe25f20da79d097c0466118e3e4

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
96KB

MD5
a91e944de69ec7225a8c6a9d7ff66e51

SHA1
3eab813e90745585119ba25ed051bc9ba3657581

SHA256
45340f7fd174bc1472a1b5eb698c18097be6c0b50eb47067d3603828ae83add2

SHA512
5d24f4d3804bcde5dfdcaff19894c1254dd14d9fcbbfaf6c972ed14b28836062138e734e92f4fb1b8ceab356024343d36f70b3704a556ca365365971849ebfd3

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
96KB

MD5
ce56ab2ee5d36d94cdcc3c0677477602

SHA1
53e136008dd2799abc74132e54c6b4136f85c4ff

SHA256
1c51561d452031e3ff3da0aa69f9acbd1053e327a3a125a9c139338dfca421b9

SHA512
6cd7098135308a1bd6521b2ed0d41923a7dd02ee491fb01178e2aead9d44093dfa101fa8045b15dbb5722b90df75ecf4af60f18dc73d349298821fdc9760acd5

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
96KB

MD5
86dc34c63b61d6feb9643f56fa6e1741

SHA1
58dcffc4d904ec8761e00ed215201aef55d8e871

SHA256
7219a494b9a23915356fc3d66378719659e392182904a6502c15619bf97c73ff

SHA512
ee56cef0c228d5d7585973b3ed1023d601f662ebd9739ea4824632e3d247dea155f9c29923b85db551ba35bccf3cfbb0ed37aee597f2eaa50857856ca111e5bd

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
96KB

MD5
8e873371362f3822f917baac41d34b8e

SHA1
64dacd68d94ef38c7431a593bf4fd992d513bfdb

SHA256
3e6e7f51bef64f00694585a506c7e99831b18470412e77ceaca3de2639e6b423

SHA512
4928939ce50cb0bf1b7e7f2b634ea52051987ec7bb337588d0cb10876b4a316ff3df2b61e1d0fcb0b4efde93d5b57a700475c15131eab9b58f7568b1a51860b6

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
96KB

MD5
1a7591b0ef55addda68cd0dcdca3d2eb

SHA1
d7760aeca39b39a2e87415876b2b9f7a4331e2cd

SHA256
6b3e76e75e1131cf3dda2f52b1b19a5030110f57472907282e0a14da7b28d587

SHA512
cb901a5b649437d10f05be93abcb63b897c235c845ac5fbedce2f52de53710b181c3ed2e8b3e7a4756cfede96b35492058054e3832f4c59e3327f2b6096f801c

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
96KB

MD5
ddf616e4d739a108f3fa7ead69ec440f

SHA1
04e73c3107346dba824260637a79593a8c37da06

SHA256
bc26b84610a5db278167a4d2d8ed9be74ad51a1aa0f3a7ee7c9ff7461e4db8a2

SHA512
2b9b111a1a6c5d1686e0121df96bf9d3faf588a9189e21157d4af159ec69cf89c444e18566ddf87f56fdb167d72ffe0b58b83d1058faba466bcd7f0f5f2f8a7f

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
96KB

MD5
814fe27e9e492ba56355748ab960d16f

SHA1
210d192650f62b99bc9022525c8982b334d580f3

SHA256
099952bd8c8fa6d69945324e51ffc1c3af4aef0b8f9dff45cfa5792babd5f490

SHA512
1aeef6b9b2a237cd12ced050f9c60f57f878506ded1c1af4f4b9d5f011702764b0b5578e3f9e79e006571d3c2cc9dd63ca813a9df6bff2f2f1a326d00c4c6cfd

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
96KB

MD5
7f60cb79642d395abe14d70ef68e0314

SHA1
1864ea204a30d23f97f8284ac57e516661ac9e54

SHA256
08a2eefd477b0c5adfd0591101c38ace8fdc77233414af505f9409a325892b1b

SHA512
114deeb10e2ead81d7369c49cd4c9253d0f318391a0ac5bfc7a78327e61259437c7d91c7cd083bfe191136eb6406c29cf839243d9a4a53c440add9d2c15ee53a

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
96KB

MD5
f6cba628563cb0c48c9530745176fa4b

SHA1
44001e26de72c0d86b96cf7775a594931ac3bdd7

SHA256
ae80b6ee8d6ba1f35aa1ba0a3d7e2fbc5a5507174058c663c63829751f0821e7

SHA512
494f8a327cb80eec7638063ab08f5644fed93c5c43611754cf7e0fbcb16391ed14f28873d51580ac87de79b9acd4cf82eef1a8ca2eecbb664cc92a863f4613c7

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
96KB

MD5
bd8c1255430de59e869dc3a8d28ed445

SHA1
4f007e1a65f34d3e7bc4eb770d3fc4b3189c8b53

SHA256
a9529583aae2ef8e1d2389e1e68aa82a3a6149696616f4a09ab81c001e3f39bf

SHA512
26a7f5acb4baf89989702bc50e75b7848083b49eea49c0da2ba813e40b659336d09a7926555a71b7e3ace78dc6d45e7769b91f3f5da7aafdd97c455ba72278fd

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
96KB

MD5
0d97a5b79a1893668126cb24aa7e12d6

SHA1
e8b9b7921de10b4a62adaf89933e378dd801714f

SHA256
d6dd9612aed8bca418281d0235395b22e13d9367b2321c171cbbe44348609f76

SHA512
287c9809f2ade75e243603efcb48d885227849dec55601de05505b3c412a09a2447b3da3ad9a7cd05643b27c6e00a1a8c6113a07ca4430e696a0fddaff2cf50d

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
96KB

MD5
fe93b228d19380d40eed252f874ee743

SHA1
644ec99ecde51e2ba8a373caec7d036f49e1b9ce

SHA256
785fbccef5d41efa67dd3be7499c5d1545c09078d79fa1e70ae4475fc181a52a

SHA512
bf59983d3c26088e3f8f4a26fe34964253e3241bf27e910974a2e7e28374f57ee3b430f097dd925d4029fd68eebb2dd02ca94c2b6bb2ae171167deb03007eae6

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
96KB

MD5
8014d90470de127b12debe313956e066

SHA1
f75080b7b67483deab3b55fb86c2e11e774aad7b

SHA256
7dae24547552dd6dec9823eae52e2ec618e644a1e926cd1723ec8c2eb0f4695b

SHA512
b6bcf8770b9de602303770cca58de686954462170b73120f57c6e20098a6934810f766de0a9467fb9749379154c3c8d4ca9db7050a6de2fad6269b16c6bed907

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
96KB

MD5
d74be32d8559e8265daa4179af2b5c4f

SHA1
7e5886d56a515382f75bfdb507489bafd7f9f13f

SHA256
ef91131ce309342ef1bcaa368fde13f48c30c84ebbc7072c2367ca24633e2f79

SHA512
18d7fc5792b0a22d9a449d4256478ccfe7eece3f0215cd076f34341a11fea68600035dcac87cb5ef363fbb618bb50c5e78d2bb7c6994390e8e5ccdbeaf2a1d23

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
96KB

MD5
3b3831e77348592e304fcfe8ced3b41b

SHA1
7535a6b79781ee5d6acd3cfcd474005fdfd75874

SHA256
d0e29c5a6f9a29795cd246594d063e2c320129c801c6542e315b25af308585dd

SHA512
bafafaba5c5b0d84f61890147b23ffcd79b6bb47e23ff430fd28057cddce9c6a295ada421b426d55bc702eb98812ebd1d3a0a01d9fb08ec519cc2fe5efb797e1

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
96KB

MD5
0257fb2cb7d28cd67440c2d08fe5457f

SHA1
ace70baa95a08d64bba62da27dd69add74bebd49

SHA256
4b420f3b6288a44ab2114cd912be94f60feddbc0d5837f2c383bcb117eb9b783

SHA512
41a3d54c77af435060aec0c1cfd59aef213c99334ec43120bd9c72235aa968d05e97ee55990cdf5cfafc2e58981478352934185a1c0a51fb0ed5561b4bb8eebb

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
96KB

MD5
a3b353734b0b9931844ccc568ea07d31

SHA1
28d3ff737ac0e33ff77d2fbd2df84e772c020d98

SHA256
336bef0546da8394f097cae8e7d574566ffc9fc8cbce1698d7b8ad86a978d85f

SHA512
2f1be5ceee79c2d018bc9758d37b829e916c26470557ff57da551018894a983d94ecd075674b79f7e960fa7b0ea7a7787275816c70ef946d701e45b9e4f53d5a

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
96KB

MD5
5454f98c335b1528b3542aa16e311f28

SHA1
a26130e3af723c297387c54d368e5387b79a5871

SHA256
65689c590c9ae5a030ecd233d179e5b79b8082ae29ecc4d362931a797b94cbee

SHA512
00611fc5ede946d7064871d2215767c5208d0bce94be1301e5c214011e16bc0efc8e324594e9d5fc84b3160faea5c4a067538e5eb0a143574204f9ce78164cd9

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
96KB

MD5
6d19fb677606d4c0191d3b6aec3102cd

SHA1
042dbc39353babf907cd48a9561ddd9e114bc7c7

SHA256
2e0f967243a880413a0622b28c15b3b794dc9335bb6d579a45c306ffbf3c6a18

SHA512
56b8c69ba780d60331b9cf396ee42c3ee68d71f770dff65d88a03d6fcef494e4310c0f628d73ca6de957f23dc56f7d18bb23d3a2a2426a5aac654e74ff790deb

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
5a8043e7bd9b2d3e3dd45b34965ec7f2

SHA1
7700d87909c8266c7705e98fbcc947e55ef8b03a

SHA256
f6bc515cdec454e25634dedc1e44e18d88651b191ad972560c8709266f76fdc5

SHA512
83c946b38ba41c06eaeb35d0372579bd6414d982106a2375919bb1c66e3b13c7b3bb30db7b54f3ea4fe0e9da108e6a4b0aabf2e692d88b8996a1f63127abfd5f

Download Submit
C:\Windows\SysWOW64\Padhdm32.exe

Filesize
96KB

MD5
1c4de6f0dc45684c1cdd168a6510f02a

SHA1
10d522c87cad8175aedcafd9738f0c92dbeb34e9

SHA256
1b5ab6d2a618bc4d8f54665defc6f6eabdee130769a08be3b659b8e72ec12bab

SHA512
62c366c91a2f4a562dcf2fd0c9231ee3efdfa7958f9ffda8182805f8a73581eee77943f96cd68e736d57e65bd5c973936030cd0f192bffa0026445eabbdcaa7f

Download Submit
C:\Windows\SysWOW64\Paiaplin.exe

Filesize
96KB

MD5
dd127bc15ac344a1e59814debe25fed6

SHA1
b7db7fa311a3825d6502409571af0897645eac8c

SHA256
eafa39cf70d00646bd7541537086764670810fece8c2bd93af3aa50842973af8

SHA512
c4682499be4e478b82bf0b01b4047e7ba932d9c2024bafa350dc1a878f58bf2bbc7115e141d6b38639f5d5eb4d5dace659c503c9e1a0ecd37eccfa8d0578cd0d

Download Submit
C:\Windows\SysWOW64\Pcljmdmj.exe

Filesize
96KB

MD5
d7ca6ccae4523779063aec2997873726

SHA1
b17fb04f2686d35be966f51bd7852daf7ef5e8e2

SHA256
f56d36c503e4034361e8ce3c3a3f6e760c9de72af52c93891e31bc8adf1a5bb0

SHA512
ec3ea91797cfd9790300b49f5f96d7acf63c61ae77489aac42f09b245587d063da6a83e3eb43d80a412e91221cd0f89b258080bf1e63c7982c1c308dec0e0831

Download Submit
C:\Windows\SysWOW64\Pdgmlhha.exe

Filesize
96KB

MD5
aa0d4fdd9ccec2b9e745a668e4f6523b

SHA1
d22fa515fb6e13824c966d2cd0b5dfb11a31b755

SHA256
24737671dd9ab85616ead55b0782076a6a94657cb35acb20731f469dd6b73ec7

SHA512
ff38d872abf45a4523cd10473681a6fd3299e09997e4ff601a9a70b346c81cd7600a5b83d862f577d5144f52f8bc62d3ae93c7d069b383c9323eda850f74759e

Download Submit
C:\Windows\SysWOW64\Pebpkk32.exe

Filesize
96KB

MD5
a00de0945b67ca1e8f15e2deb9822810

SHA1
ab22c526cf471d2606cb38318fe42b87616fe52c

SHA256
1ae039160bb5788cfb0b684a1e521d3e5421bcf8e82fd14b17d16e458ea15066

SHA512
fcff8cee18aa686d8360f94de0032b25ddf9c0e1b5949b2e17c849abba8f7980fdc2b9074eef992900d5cdb83e281ca293db912534af76e779ccaaaa6de6a3cd

Download Submit
C:\Windows\SysWOW64\Phqmgg32.exe

Filesize
96KB

MD5
91d089b941aa3f5adc20ad46345d5b6f

SHA1
8f1e12d93fc9090b8b2646a3344566719475d338

SHA256
368a30d8f77bb1c98cbde05374c312445f014dd0ae1bf4fbbee3ce56e68fb0f4

SHA512
bc457b519ebcc671797692fd41cd119f61cfadf4ccccaf51d86b6dd6022af99e548be4c19d05507b0f6c6b008a405ffb2b85d562dde6719fc6c3dcace96330c1

Download Submit
C:\Windows\SysWOW64\Pidfdofi.exe

Filesize
96KB

MD5
89f32cc312664bd14cf00dbec9040245

SHA1
df1b0dfe286a55a2e3d32b4bedbd97ed4867d2a3

SHA256
eaa4ae03078eb9d3b5511a2e2c99e041c6b616e85f25954713af54b1014e9bf6

SHA512
6427a74f1135c9374688c7a87fdc181d7a7771d3c3b118877c22c582e95ee344881b81a46fdc31cb751e88a5e3e81da11e54d085860e42577b4e34e32248556c

Download Submit
C:\Windows\SysWOW64\Pkmlmbcd.exe

Filesize
96KB

MD5
3ed3a23dea52cdf33cf483f042966cee

SHA1
e089a2e13740c9173da7665dbdec506ff9a8b9cd

SHA256
436c022e349cb4f17b0ded0ce3abe822474666999fd984a139a9fea6064fd837

SHA512
8e1da0a4402246ed4d617f39019bdb33faaf86a9e9f354b0a8ad0be7ecfcb0c96767d83937c23cf53d6a1296c3951f60199fff2dc8fa48e127644ee810e25b51

Download Submit
C:\Windows\SysWOW64\Pleofj32.exe

Filesize
96KB

MD5
80dafc3382adadf2beed09303d9cf0d7

SHA1
d4ca8504535de23ce96f018c121376a965fe8006

SHA256
6b1bc6555318f51a010cafa68476c9ee0f8883bb472abd58c0e137808a8e157b

SHA512
4eda0227a066b90b0a6e28bd650d466a06cec1533cae5c475d4ca478a53ff5839c3e345205d24986604fa87446acc2e8bb6b7e4714a34a6984d107149ef769c6

Download Submit
C:\Windows\SysWOW64\Qdlggg32.exe

Filesize
96KB

MD5
c3776d6b0876fb2c5d16e65428acd00c

SHA1
c9e895c227539bfbdb70144a384255830b303349

SHA256
6bb0d6bf44755bd5764918bf74b3c9df05556939a00fc133b3a5a36abeafc15f

SHA512
b45cab65a3e2a5439f4ae0cf04ccab57f1a0331d67dde8c42d9fff58a2968dab7762dd0bd5d0dfc1eba8f3777f9890c16a11c9dfe69c99e7f63f99b22a1e5038

Download Submit
C:\Windows\SysWOW64\Qndkpmkm.exe

Filesize
96KB

MD5
f3f6449d80a767ffa51e8e2729037d31

SHA1
78cefbe95e27ba85d0a41d96b714afb7981599a3

SHA256
1e0e5b43f26dcb88d84975700d34901599e4ff34d8450a2c578148d7a11d6456

SHA512
15fa29277c493bdb9bad1ed79776564c350a364c76690d317d970a89c3d0d85d912afe365ebe0fb62ef1d6678311e541487067d1d7a0b53992d7c4054bed8671

Download Submit
C:\Windows\SysWOW64\Qnghel32.exe

Filesize
96KB

MD5
7cbdac4467c1c5078c942f02b9e3bcd6

SHA1
7f41f5e543161f2b9eb1341c82b8bcd1115fc666

SHA256
7b73d97ff99e0cc16ce3c2247b87b18c91393e2efaa0b35b6feb34855ef51cc4

SHA512
8191810a8d7e8905651165a0e6a251bb0f1cd43a189329c4172e6cd9f9659324c38db0f5da43a40ae62fe12c8ebdb569f4968f167f86a54f84041d727657db4f

Download Submit
C:\Windows\SysWOW64\Qpbglhjq.exe

Filesize
96KB

MD5
d7f58e6f143e3cf5ce36b59e266bb5f8

SHA1
aee788435fb3a7699caf869e2017f2e37e2fa49c

SHA256
c1bd286aac37d2028c760b73b98d1f80b4263affed0d6b6f4bec5a88995cf06b

SHA512
15dbf0a84d1c22f8b0a6eab33f91ff0d9f85d7d59e4768356951c1bfa16afc2bec9ce3591e103fe1b560cc800689910b0fccd5941d29d6e480f39470b97cc39b

Download Submit
\Windows\SysWOW64\Nedhjj32.exe

Filesize
96KB

MD5
45852d9478f88e006f9f63ab9a963143

SHA1
d4aed9fc1c1c392b29b6c14b4090b70b1f01e12e

SHA256
2d27fc08d0a66dcdfbbe43c5b8fd0d9e7031a7b5aa5d35b0a8356baf597a983c

SHA512
8a7bd918bad0825acd23c83d8f44112032cac8cad3e7329c42550d8acab07b95477b025bee6dde61a930ca229522173117758f6075e459bd79073ebcd6a1abf3

Download Submit
\Windows\SysWOW64\Neknki32.exe

Filesize
96KB

MD5
524a03e74e5b95d8df45d3505f4a062e

SHA1
4e2ad12e156c6b6625d03798ac03145e9c1fdee3

SHA256
af3ee5be7a4c52b12d0779b5ba11cf8f6b896e35b31f8863781696d689a94c4e

SHA512
88c5b96e94d072451675188333b0f7d7451533d9f93de0bdfae4752abc60531f00e58f5247ef039a8528e4d6c6d786453f9f149f9f370e57748329c2a506bbad

Download Submit
\Windows\SysWOW64\Nfoghakb.exe

Filesize
96KB

MD5
6f821b23515346db3fc4c6d1d364e2e1

SHA1
bf1394d1409185d293206264eb41adf98463cc09

SHA256
f02670fddbc7ae435f7ac99e92e5624de6d04f27389d0af9bcd8c078c2ba37c9

SHA512
59fd1860e5bf11c745ede4c951fd21fe2c35e1f6e9119663a8c57744f9a473ca49f584a1061a0754969687e0058de5753cfa7b244395edaaeb58416e073157fd

Download Submit
\Windows\SysWOW64\Nlcibc32.exe

Filesize
96KB

MD5
d2a91c46377aa25072d28140c48e3e4e

SHA1
526cf147f1e6ff507177c0d38b9bb2556286b943

SHA256
cbfa8cd7772be93a2e95cefd4c6b00f22db0803e5af7fad96945162ca69a3aa8

SHA512
2267c92217b1bbf055872ed08162ca9374be4051df6e171cc4075d8b364a4a4aa5c5dd2eb17532f656e8c0ac634050087ab662fead653854846533be1f42cbb4

Download Submit
\Windows\SysWOW64\Nlefhcnc.exe

Filesize
96KB

MD5
9e6f68a0004da0a9b28e5d42a4c2f96c

SHA1
f3ae38b4f4fe255a0a72a69ba825a175de9cd015

SHA256
a4dcc59993161b7524c9a6101e38884a8c37e8e34e6e5d87319e315665751c13

SHA512
2c3315f09de249756ab06fd38935f3687f1b9ed3fdfb2f4808626b66a2acb0de1114b475ee268f6e1d4e78384a9e4c3cd15e8009a8aac862a4e64399479e0b51

Download Submit
\Windows\SysWOW64\Nlnpgd32.exe

Filesize
96KB

MD5
132fb4f8a3b5ecd792fb058d2c84b693

SHA1
69b30b3186b203912439ce81cd603446ab8badc0

SHA256
a9ffeab39f08353f19076a2dfcdff6e4c4072257f554c69292f1dea9624b6dac

SHA512
4cb56d338fbd46c0f4ad3956db2f9125ef42b4432dd1ffea71daf8ae50f90af836d16e727af50f7f64bfa80cb566283cdc2d0cf76d465032a83b103e795ac49a

Download Submit
\Windows\SysWOW64\Nnoiio32.exe

Filesize
96KB

MD5
6c6e5348ae7dd5d03d341d919d1a4215

SHA1
3d2d4b242c5d39bb97d8fed28c61addae41fea0e

SHA256
ad31c17683c69218cc1c61c9e77eb90646714c9f8a4153f5c80c650a1c3e6dd1

SHA512
d381149434891f902dbe0153bff4a38304f42443313fd4ee14e1a202edaeed12a4f9f0e146f7475fd1ccd772632a8cd5377daf2de99aea513189d402242dcca1

Download Submit
\Windows\SysWOW64\Objaha32.exe

Filesize
96KB

MD5
3ff3ed7d8d322637a3e2e178c9a1e380

SHA1
4a933d35be839af4bd2acd85d9bd357deedc738a

SHA256
1c58a4b145aa6c673a0886a110cf87a0e058f49587b60994175267f1cc7d5353

SHA512
727b26ceb4802a5766a50056c65987448bc5e8d35c45282802e264ba7349c1d260cdb2eeece679f5bc9a9674a0c70f21854be79334a5dad96b6a6ff5c13f49f7

Download Submit
\Windows\SysWOW64\Obokcqhk.exe

Filesize
96KB

MD5
36f82b98a2747672981055142243188b

SHA1
50531785dc09fabf3d14e8a51d5b13646d4e1aca

SHA256
00df067ecd9bb2f6938cadcb99f011941e5b9de0776c1849bc7e58aa6d3c327d

SHA512
ed9052b198de227593915b2a8f15f47b7501adf9e74292ff61e308414e1f1a308c3670e97f26aaa050a094edda1620de16262eb74e5164f99d782c945c4d72dc

Download Submit
\Windows\SysWOW64\Ofcqcp32.exe

Filesize
96KB

MD5
5cda0694777e996400eba2e4306ab582

SHA1
6a11f9a5101221b82680e376a497170889719930

SHA256
9a2d4871de623646c9965d16d7096d3f5050bd4b436501711177b385fd4c1920

SHA512
8602f61aa36657c74b84fa7493251572b8fecf624711c71da621bbc5649bd02402d2909794036ad4c6c7f5bc4d4d32aa86cae2c376a10625639067fab0f2b669

Download Submit
\Windows\SysWOW64\Oiffkkbk.exe

Filesize
96KB

MD5
7e11f61d37f887dba48b3b6e7c9da5a1

SHA1
a4bb3bea60662102f1ed1a4dc12d43164737f93d

SHA256
66623dadfcca6b30f94f4f676de65aeebf1db72c8a16a8fb89f76fdab4a07007

SHA512
b90a0be1732ff423de1aaccf0fabe05806eeb9bdbb0d196861174d99e886aa3e6eeeb6cf22df1680cb3868b7d9f8d2a9c4435b617d15527a78c0bb4ee6adbf8e

Download Submit
\Windows\SysWOW64\Olpilg32.exe

Filesize
96KB

MD5
203ef45b789a89315b928832b8e81abf

SHA1
2d309f92f03033158f02b49509b049cc42f0e5fd

SHA256
5d4468257439c83ba1bb742aa32c4692e4cd7117f66387ac32eabcfdf761b8fe

SHA512
5c34c271c7a8d60fbef1740ad8606242e625323d904cafc1070e0b1bb98aad42becd1e6215ebfe2e0d2e525b96a24d2f3570dd96021d179b9ed459e7af490701

Download Submit
\Windows\SysWOW64\Omioekbo.exe

Filesize
96KB

MD5
6ead309f65b2a02881a9f2bdd98922ca

SHA1
8fec2f04681df2f97585c19666a404960b58a624

SHA256
a142bdec37133bec9f8554e42bd467ae31d796d47a28e9a94313d0eeccb96920

SHA512
2a5e3cc4db5ea798e65a810df6823efefb6b42c6c4ef21d9bb128f679dfa4f902e2ee57cad232dc2bd909800ec07e349325178aa60af3a9e444e73b02a9bf187

Download Submit
\Windows\SysWOW64\Opglafab.exe

Filesize
96KB

MD5
548bf75b7296ba7cac9ff1b26feab9d8

SHA1
e094427c7b0b021dede73fa6a1114837f4f5b0e6

SHA256
312a3abbeac924e30e680fc50230e28f32b7c9e8e0d8f6afce40d0ec7011c0a3

SHA512
afad142fe2b78a2dc126b86fa9dd726339783238229b9e783b6ff8454ae6aeb914f8902f0b0b09c8b9733d64675930f49fe3f227e5ae8092f3f9075c2803381a

Download Submit
\Windows\SysWOW64\Opnbbe32.exe

Filesize
96KB

MD5
ea1ab15ede965cb74dbbca4ba2fef115

SHA1
d153fdd4469b1426fea81dd6518413bde3ac21d9

SHA256
0d7acaa0927816e67d193a53ac2aa2b6643a36369556ad087f46f36581ff6c9e

SHA512
7edaa238e1c906a3153af98ed7bdc6750ec20f574516d37d89617b7f6459ef7c4ab2c9287daa4ea92a4e90bbe771ed422e17a403f73cb8ae21e4b6c863b7a518

Download Submit
\Windows\SysWOW64\Phlclgfc.exe

Filesize
96KB

MD5
dfb5f059b26e1ddfa28269212118e78e

SHA1
61f7c5f2498959ff6bc11abaf843b93e7f1a5136

SHA256
b3b32e4255bf015abae7cb71735b2b962dbc8940c7c94965ca2b29314f673ec3

SHA512
e485437134c24d26f2ef7743b129d05324a64e832c1b71909c5fda1cfab9c09565a59d717b9e19a653c94a57216d8ca0d1505a8323aa60dc2ece1962dd1dd5ab

Download Submit
memory/308-783-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/484-398-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/484-403-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/484-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/496-183-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/496-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/572-269-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/572-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-169-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/624-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-432-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/856-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-291-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/888-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/888-292-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/896-799-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-773-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-498-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1096-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-797-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-792-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-787-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-779-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-794-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-243-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1600-778-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-784-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-777-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-520-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1684-521-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1720-334-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1720-333-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1744-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-134-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1772-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-411-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1932-775-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-224-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1940-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-254-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1972-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-445-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1980-440-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1980-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-144-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2116-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-774-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-788-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-476-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2160-827-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-478-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2236-795-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-35-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2284-772-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-231-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2332-313-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2332-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-157-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2372-781-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-421-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2392-422-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2408-277-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2532-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-108-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2576-786-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-782-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-798-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-357-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2704-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-196-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2732-780-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-790-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-62-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2808-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-465-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2844-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-789-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-367-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2884-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-93-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2884-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-324-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2960-320-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2960-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-116-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/3008-27-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/3008-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-351-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/3008-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-12-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/3012-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-13-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/3012-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-79-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3020-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-791-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-303-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/3036-302-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/3044-49-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/3044-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads