berbew | f50bba9d26ce1f1a6fc3777c157fa0c980c53b8e2d640e86a30f82d4742c7aa7

Analysis

max time kernel
26s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f50bba9d26ce1f1a6fc3777c157fa0c980c53b8e2d640e86a30f82d4742c7aa7N.exe
Size

240KB
MD5

eb91f67e8842af4fe6b213320992fe80
SHA1

a2433d45af4cb81ab6c5a8ddaa0702e8f0d24c18
SHA256

f50bba9d26ce1f1a6fc3777c157fa0c980c53b8e2d640e86a30f82d4742c7aa7
SHA512

c2cee927afdee64e95821399d98cca6fa0d68bfa7b91e0c62a4788742e60f261690e1631da6b2ac18e6cb80319a11c46bf93c40759b20b0f2cff2f39589473fd
SSDEEP

6144:RHYdAtb556UcGGyZ6YugQdjGG1wsKm6eBgdQbkoKTBEA:Ruq55JGyXu1jGG1wsGeBgRTGA

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oeeecekc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmlmic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oghopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdlkiepd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmlmic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfigjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocfigjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdlkiepd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f50bba9d26ce1f1a6fc3777c157fa0c980c53b8e2d640e86a30f82d4742c7aa7N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkdgpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ollajp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oappcfmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apalea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhllob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oappcfmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nadpgggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okfgfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaheie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apoooa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oeeecekc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjpnbg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 44 IoCs

pid	Process
2820	Nhllob32.exe
2612	Nadpgggp.exe
2584	Nljddpfe.exe
2616	Ollajp32.exe
344	Ocfigjlp.exe
2672	Oeeecekc.exe
1260	Oegbheiq.exe
2276	Oghopm32.exe
1304	Okfgfl32.exe
2856	Oappcfmb.exe
2160	Pqemdbaj.exe
1220	Pmlmic32.exe
2136	Pjpnbg32.exe
2392	Pqjfoa32.exe
660	Pkdgpo32.exe
2532	Pdlkiepd.exe
2944	Qeohnd32.exe
1780	Qkhpkoen.exe
3000	Qbbhgi32.exe
952	Qiladcdh.exe
2432	Abeemhkh.exe
2412	Aaheie32.exe
2228	Akmjfn32.exe
1828	Amnfnfgg.exe
3052	Ajbggjfq.exe
1600	Apoooa32.exe
1976	Agfgqo32.exe
2648	Apalea32.exe
3044	Ajgpbj32.exe
3028	Alhmjbhj.exe
1096	Abbeflpf.exe
1796	Bmhideol.exe
2248	Bnielm32.exe
308	Bhajdblk.exe
1340	Bajomhbl.exe
2408	Biafnecn.exe
1188	Bjbcfn32.exe
2696	Bhfcpb32.exe
3068	Bejdiffp.exe
1688	Bfkpqn32.exe
2492	Bmeimhdj.exe
956	Cdoajb32.exe
676	Cilibi32.exe
2356	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2728	f50bba9d26ce1f1a6fc3777c157fa0c980c53b8e2d640e86a30f82d4742c7aa7N.exe
2728	f50bba9d26ce1f1a6fc3777c157fa0c980c53b8e2d640e86a30f82d4742c7aa7N.exe
2820	Nhllob32.exe
2820	Nhllob32.exe
2612	Nadpgggp.exe
2612	Nadpgggp.exe
2584	Nljddpfe.exe
2584	Nljddpfe.exe
2616	Ollajp32.exe
2616	Ollajp32.exe
344	Ocfigjlp.exe
344	Ocfigjlp.exe
2672	Oeeecekc.exe
2672	Oeeecekc.exe
1260	Oegbheiq.exe
1260	Oegbheiq.exe
2276	Oghopm32.exe
2276	Oghopm32.exe
1304	Okfgfl32.exe
1304	Okfgfl32.exe
2856	Oappcfmb.exe
2856	Oappcfmb.exe
2160	Pqemdbaj.exe
2160	Pqemdbaj.exe
1220	Pmlmic32.exe
1220	Pmlmic32.exe
2136	Pjpnbg32.exe
2136	Pjpnbg32.exe
2392	Pqjfoa32.exe
2392	Pqjfoa32.exe
660	Pkdgpo32.exe
660	Pkdgpo32.exe
2532	Pdlkiepd.exe
2532	Pdlkiepd.exe
2944	Qeohnd32.exe
2944	Qeohnd32.exe
1780	Qkhpkoen.exe
1780	Qkhpkoen.exe
3000	Qbbhgi32.exe
3000	Qbbhgi32.exe
952	Qiladcdh.exe
952	Qiladcdh.exe
2432	Abeemhkh.exe
2432	Abeemhkh.exe
2412	Aaheie32.exe
2412	Aaheie32.exe
2228	Akmjfn32.exe
2228	Akmjfn32.exe
1828	Amnfnfgg.exe
1828	Amnfnfgg.exe
3052	Ajbggjfq.exe
3052	Ajbggjfq.exe
1600	Apoooa32.exe
1600	Apoooa32.exe
1976	Agfgqo32.exe
1976	Agfgqo32.exe
2648	Apalea32.exe
2648	Apalea32.exe
3044	Ajgpbj32.exe
3044	Ajgpbj32.exe
3028	Alhmjbhj.exe
3028	Alhmjbhj.exe
1096	Abbeflpf.exe
1096	Abbeflpf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nadpgggp.exe	Nhllob32.exe
File created	C:\Windows\SysWOW64\Mbkbki32.dll	Apoooa32.exe
File created	C:\Windows\SysWOW64\Ennlme32.dll	Bmhideol.exe
File opened for modification	C:\Windows\SysWOW64\Bajomhbl.exe	Bhajdblk.exe
File opened for modification	C:\Windows\SysWOW64\Nadpgggp.exe	Nhllob32.exe
File created	C:\Windows\SysWOW64\Oghopm32.exe	Oegbheiq.exe
File created	C:\Windows\SysWOW64\Qiladcdh.exe	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Apalea32.exe	Agfgqo32.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Oeeecekc.exe	Ocfigjlp.exe
File opened for modification	C:\Windows\SysWOW64\Bmhideol.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Apoooa32.exe	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Bajomhbl.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Elaieh32.dll	Nadpgggp.exe
File created	C:\Windows\SysWOW64\Aohjlnjk.dll	Oghopm32.exe
File created	C:\Windows\SysWOW64\Pqemdbaj.exe	Oappcfmb.exe
File created	C:\Windows\SysWOW64\Cjakbabj.dll	Pqemdbaj.exe
File created	C:\Windows\SysWOW64\Qeohnd32.exe	Pdlkiepd.exe
File opened for modification	C:\Windows\SysWOW64\Aaheie32.exe	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Fhbhji32.dll	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Pkfaka32.dll	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Oegbheiq.exe	Oeeecekc.exe
File created	C:\Windows\SysWOW64\Pkdgpo32.exe	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Aaheie32.exe	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Ajgpbj32.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Fhhiii32.dll	f50bba9d26ce1f1a6fc3777c157fa0c980c53b8e2d640e86a30f82d4742c7aa7N.exe
File created	C:\Windows\SysWOW64\Ldeamlkj.dll	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Fpbche32.dll	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Idlgcclp.dll	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Akmjfn32.exe	Aaheie32.exe
File opened for modification	C:\Windows\SysWOW64\Akmjfn32.exe	Aaheie32.exe
File opened for modification	C:\Windows\SysWOW64\Ocfigjlp.exe	Ollajp32.exe
File created	C:\Windows\SysWOW64\Gneolbel.dll	Pjpnbg32.exe
File created	C:\Windows\SysWOW64\Amnfnfgg.exe	Akmjfn32.exe
File opened for modification	C:\Windows\SysWOW64\Alhmjbhj.exe	Ajgpbj32.exe
File created	C:\Windows\SysWOW64\Koldhi32.dll	Ajgpbj32.exe
File created	C:\Windows\SysWOW64\Mlcpdacl.dll	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Pqjfoa32.exe	Pjpnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Qiladcdh.exe	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Cenaioaq.dll	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cilibi32.exe
File created	C:\Windows\SysWOW64\Pdlkiepd.exe	Pkdgpo32.exe
File opened for modification	C:\Windows\SysWOW64\Nljddpfe.exe	Nadpgggp.exe
File created	C:\Windows\SysWOW64\Pmlmic32.exe	Pqemdbaj.exe
File created	C:\Windows\SysWOW64\Aalpaf32.dll	Pmlmic32.exe
File opened for modification	C:\Windows\SysWOW64\Qeohnd32.exe	Pdlkiepd.exe
File created	C:\Windows\SysWOW64\Bmhideol.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Oeeecekc.exe	Ocfigjlp.exe
File created	C:\Windows\SysWOW64\Ajbggjfq.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Bmnbjfam.dll	Apalea32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Okfgfl32.exe	Oghopm32.exe
File created	C:\Windows\SysWOW64\Eebghjja.dll	Okfgfl32.exe
File opened for modification	C:\Windows\SysWOW64\Qbbhgi32.exe	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Qniedg32.dll	Akmjfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ajbggjfq.exe	Amnfnfgg.exe
File opened for modification	C:\Windows\SysWOW64\Biafnecn.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Cdoajb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
844	2356	WerFault.exe	73

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ollajp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oeeecekc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbbhgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljddpfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfigjlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oappcfmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqemdbaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjfoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeohnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abeemhkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhllob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiladcdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alhmjbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f50bba9d26ce1f1a6fc3777c157fa0c980c53b8e2d640e86a30f82d4742c7aa7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nadpgggp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlmic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdlkiepd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apoooa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajgpbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oegbheiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkdgpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnfnfgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icmqhn32.dll"	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbemfmf.dll"	Oappcfmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenaioaq.dll"	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaheie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnielm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnahcn32.dll"	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeamlkj.dll"	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okfgfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlgcclp.dll"	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlme32.dll"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	f50bba9d26ce1f1a6fc3777c157fa0c980c53b8e2d640e86a30f82d4742c7aa7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ollajp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohjlnjk.dll"	Oghopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nadpgggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnmkd32.dll"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f50bba9d26ce1f1a6fc3777c157fa0c980c53b8e2d640e86a30f82d4742c7aa7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkahecm.dll"	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmhideol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nljddpfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eebghjja.dll"	Okfgfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oeeecekc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll"	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll"	Bnielm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2820	2728	f50bba9d26ce1f1a6fc3777c157fa0c980c53b8e2d640e86a30f82d4742c7aa7N.exe	30
PID 2728 wrote to memory of 2820	2728	f50bba9d26ce1f1a6fc3777c157fa0c980c53b8e2d640e86a30f82d4742c7aa7N.exe	30
PID 2728 wrote to memory of 2820	2728	f50bba9d26ce1f1a6fc3777c157fa0c980c53b8e2d640e86a30f82d4742c7aa7N.exe	30
PID 2728 wrote to memory of 2820	2728	f50bba9d26ce1f1a6fc3777c157fa0c980c53b8e2d640e86a30f82d4742c7aa7N.exe	30
PID 2820 wrote to memory of 2612	2820	Nhllob32.exe	31
PID 2820 wrote to memory of 2612	2820	Nhllob32.exe	31
PID 2820 wrote to memory of 2612	2820	Nhllob32.exe	31
PID 2820 wrote to memory of 2612	2820	Nhllob32.exe	31
PID 2612 wrote to memory of 2584	2612	Nadpgggp.exe	32
PID 2612 wrote to memory of 2584	2612	Nadpgggp.exe	32
PID 2612 wrote to memory of 2584	2612	Nadpgggp.exe	32
PID 2612 wrote to memory of 2584	2612	Nadpgggp.exe	32
PID 2584 wrote to memory of 2616	2584	Nljddpfe.exe	33
PID 2584 wrote to memory of 2616	2584	Nljddpfe.exe	33
PID 2584 wrote to memory of 2616	2584	Nljddpfe.exe	33
PID 2584 wrote to memory of 2616	2584	Nljddpfe.exe	33
PID 2616 wrote to memory of 344	2616	Ollajp32.exe	34
PID 2616 wrote to memory of 344	2616	Ollajp32.exe	34
PID 2616 wrote to memory of 344	2616	Ollajp32.exe	34
PID 2616 wrote to memory of 344	2616	Ollajp32.exe	34
PID 344 wrote to memory of 2672	344	Ocfigjlp.exe	35
PID 344 wrote to memory of 2672	344	Ocfigjlp.exe	35
PID 344 wrote to memory of 2672	344	Ocfigjlp.exe	35
PID 344 wrote to memory of 2672	344	Ocfigjlp.exe	35
PID 2672 wrote to memory of 1260	2672	Oeeecekc.exe	36
PID 2672 wrote to memory of 1260	2672	Oeeecekc.exe	36
PID 2672 wrote to memory of 1260	2672	Oeeecekc.exe	36
PID 2672 wrote to memory of 1260	2672	Oeeecekc.exe	36
PID 1260 wrote to memory of 2276	1260	Oegbheiq.exe	37
PID 1260 wrote to memory of 2276	1260	Oegbheiq.exe	37
PID 1260 wrote to memory of 2276	1260	Oegbheiq.exe	37
PID 1260 wrote to memory of 2276	1260	Oegbheiq.exe	37
PID 2276 wrote to memory of 1304	2276	Oghopm32.exe	38
PID 2276 wrote to memory of 1304	2276	Oghopm32.exe	38
PID 2276 wrote to memory of 1304	2276	Oghopm32.exe	38
PID 2276 wrote to memory of 1304	2276	Oghopm32.exe	38
PID 1304 wrote to memory of 2856	1304	Okfgfl32.exe	39
PID 1304 wrote to memory of 2856	1304	Okfgfl32.exe	39
PID 1304 wrote to memory of 2856	1304	Okfgfl32.exe	39
PID 1304 wrote to memory of 2856	1304	Okfgfl32.exe	39
PID 2856 wrote to memory of 2160	2856	Oappcfmb.exe	40
PID 2856 wrote to memory of 2160	2856	Oappcfmb.exe	40
PID 2856 wrote to memory of 2160	2856	Oappcfmb.exe	40
PID 2856 wrote to memory of 2160	2856	Oappcfmb.exe	40
PID 2160 wrote to memory of 1220	2160	Pqemdbaj.exe	41
PID 2160 wrote to memory of 1220	2160	Pqemdbaj.exe	41
PID 2160 wrote to memory of 1220	2160	Pqemdbaj.exe	41
PID 2160 wrote to memory of 1220	2160	Pqemdbaj.exe	41
PID 1220 wrote to memory of 2136	1220	Pmlmic32.exe	42
PID 1220 wrote to memory of 2136	1220	Pmlmic32.exe	42
PID 1220 wrote to memory of 2136	1220	Pmlmic32.exe	42
PID 1220 wrote to memory of 2136	1220	Pmlmic32.exe	42
PID 2136 wrote to memory of 2392	2136	Pjpnbg32.exe	43
PID 2136 wrote to memory of 2392	2136	Pjpnbg32.exe	43
PID 2136 wrote to memory of 2392	2136	Pjpnbg32.exe	43
PID 2136 wrote to memory of 2392	2136	Pjpnbg32.exe	43
PID 2392 wrote to memory of 660	2392	Pqjfoa32.exe	44
PID 2392 wrote to memory of 660	2392	Pqjfoa32.exe	44
PID 2392 wrote to memory of 660	2392	Pqjfoa32.exe	44
PID 2392 wrote to memory of 660	2392	Pqjfoa32.exe	44
PID 660 wrote to memory of 2532	660	Pkdgpo32.exe	45
PID 660 wrote to memory of 2532	660	Pkdgpo32.exe	45
PID 660 wrote to memory of 2532	660	Pkdgpo32.exe	45
PID 660 wrote to memory of 2532	660	Pkdgpo32.exe	45

C:\Users\Admin\AppData\Local\Temp\f50bba9d26ce1f1a6fc3777c157fa0c980c53b8e2d640e86a30f82d4742c7aa7N.exe
"C:\Users\Admin\AppData\Local\Temp\f50bba9d26ce1f1a6fc3777c157fa0c980c53b8e2d640e86a30f82d4742c7aa7N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\Nhllob32.exe
  C:\Windows\system32\Nhllob32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\Nadpgggp.exe
    C:\Windows\system32\Nadpgggp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\Nljddpfe.exe
      C:\Windows\system32\Nljddpfe.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\Ollajp32.exe
        
        C:\Windows\system32\Ollajp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\SysWOW64\Ocfigjlp.exe
        
        C:\Windows\system32\Ocfigjlp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\SysWOW64\Oeeecekc.exe
        
        C:\Windows\system32\Oeeecekc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Oegbheiq.exe
        
        C:\Windows\system32\Oegbheiq.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Oghopm32.exe
        
        C:\Windows\system32\Oghopm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Okfgfl32.exe
        
        C:\Windows\system32\Okfgfl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Oappcfmb.exe
        
        C:\Windows\system32\Oappcfmb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Pqemdbaj.exe
        
        C:\Windows\system32\Pqemdbaj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Pmlmic32.exe
        
        C:\Windows\system32\Pmlmic32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Pjpnbg32.exe
        
        C:\Windows\system32\Pjpnbg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Pqjfoa32.exe
        
        C:\Windows\system32\Pqjfoa32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Pkdgpo32.exe
        
        C:\Windows\system32\Pkdgpo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\SysWOW64\Pdlkiepd.exe
        
        C:\Windows\system32\Pdlkiepd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Qbbhgi32.exe
        
        C:\Windows\system32\Qbbhgi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Qiladcdh.exe
        
        C:\Windows\system32\Qiladcdh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Abeemhkh.exe
        
        C:\Windows\system32\Abeemhkh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\Amnfnfgg.exe
        
        C:\Windows\system32\Amnfnfgg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Ajgpbj32.exe
        
        C:\Windows\system32\Ajgpbj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:308
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 140
        46⤵
        Program crash
        
        PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaheie32.exe

Filesize
240KB

MD5
bea4b478de4eb5d448b49b6994191ca3

SHA1
2b92db83a4e517a9d76a70764a9000d3c5442ea1

SHA256
d7ce91adeafb4c404eca9b58a28ec3f6e357588697c1d575aaa971c1c73b2f7d

SHA512
a3f97905f1a420fc55e27c1951ccce677d8a3f4049adf7ad13dca14a684fe66e85ad80dc64d59e4560aaf9c77a22a4a0b5e22b54c03ec598c347516243f5386c

Download Submit
C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
240KB

MD5
c16f9e9a38a7bfee7e281e78df41dc73

SHA1
0a65818e3b2009573809217158e1c9579d560c03

SHA256
6e6dd1b6a255082f995d52f15835c7221cbcc578168a3ebfc4fc29754724ce27

SHA512
6fbbce603b707bbab7f3e79ae3b5a727e20d093b4e738bebab1c1a646bb3228d6efbfc011d080b4911ab576610cc85bd6b39740b8a0e32d36ea4ed49db8bb05a

Download Submit
C:\Windows\SysWOW64\Abeemhkh.exe

Filesize
240KB

MD5
0b6442389c684b758c0f1ff8986b0ddf

SHA1
03574a79f582d4b1a892735ac45980d726b05cbe

SHA256
d8a4ddf375e83fcc5c72e0c563b0440aa58126f19f88381f846bc0fb866a2f41

SHA512
39c09c95ae0fd257b639fb3f1926f4d287e1525f4e2bf3d7387c8bb894ec1e000f16435b6bc2d70138dee7793a91135ba02a99fe81aa5256113270f91f87f0f2

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
240KB

MD5
e9cabb137956e1fe1851e2369eec0183

SHA1
8ab516ebbe9699b77aa0eb5dd298330f901cea73

SHA256
cbdbfdf7c5aa36308e1e6c9e16b13ff293351e9128c3324552141c0e62990572

SHA512
6cfa031bbf1ac3f672afdcd06c551bd936f305f55281520f90943caa3421055ebd86d42cd62594145122059ab2da90e4d83f6d4bd3b641f51552e1ee2b2dda83

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
240KB

MD5
dbfc0026a41157b190552d7730f93ed2

SHA1
9c92fedaeac4dd85e235e208b969517c0b12532f

SHA256
f9c7311fc89e134d8e902365d2a5479addbd5782e0af5c60bf294f8ff8b47f91

SHA512
6f87c44dac5440d5d8b68b4ef1f7e6c98327c1f09ea370791c1bbf4beed7abbd09ff3735b3261a68fa188f58dfc8bd9a829c8d6d4a61fcf6092e1031ae542784

Download Submit
C:\Windows\SysWOW64\Ajgpbj32.exe

Filesize
240KB

MD5
8cb77794a06fee2b4e0fbf34df947df6

SHA1
fe22187cff0a8934c2cc3d90426bcc51a58afae9

SHA256
3d969390fff56412c1f410bd6242de2331b569bcf2f5a40f1769e3d2c0f62901

SHA512
3c57400cf61c3dd7beacd1ca04d547e0041b5ab3d1e4006ba9d760a8cf90a1e8e365b1a62175083abd4e64f4676e3d81e4d784aa392dc98db09a142f898d4af2

Download Submit
C:\Windows\SysWOW64\Akmjfn32.exe

Filesize
240KB

MD5
5e53c0a331005ffd1d835531d0936eb8

SHA1
3c8919d2cb3d8eb72ad83d7e8a9e78060cebe731

SHA256
a7ec6eb065157c922d40c37a62eca0903415cafeee3a53b0ed3c1c56198781e2

SHA512
82b5b6a83f44c0925d6319ef9665fdd2ff4482f780a63dc56b51867d4a8cf737a704064022f7b3444a5bda8f29bdb24905ac6e6a64c70802b8895321ee54353e

Download Submit
C:\Windows\SysWOW64\Alhmjbhj.exe

Filesize
240KB

MD5
77be81965f84544c3216f6ca25640a45

SHA1
0a6a7e287a919a60423fc41b108353e23907699c

SHA256
5c71def644a08f1273227e605487f8985195276a31c87b81f7c9a0562fe49db4

SHA512
c7a0f19479b9be7f198a2f7410c413b4a73c98e785c9551620851b415846f8b99dee3257bd272f3f2cf330dc7684f76868a99cecb772e3843c76161176a43c61

Download Submit
C:\Windows\SysWOW64\Amnfnfgg.exe

Filesize
240KB

MD5
96677b3925cb160020cf13077a0d62d9

SHA1
766cd68bfee795f6d25b40a7d2c5d34b9a15cec2

SHA256
c73fae665fbbc0e80b9c92bf3efe056a7fbc36ded77b75f29452d2d0ef12a288

SHA512
9fd8029f4cf543a866e2d118340f5053df23b79c5e502870d3985783ee195170eb92740ebd0e6d363ac97fa9017b3db2f45ba10497499bff05ff091bfcfc669b

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
240KB

MD5
431b5e8d368622fcff9e81dad769b51f

SHA1
66992cf1ce32c92063e37ca1a52833a66ac9ab4f

SHA256
3c676a6235ebc316bd33cae9c689f524dd52d3e5dd62eaabc77873632512aa42

SHA512
7a61644a762514d890e19e33e68ccf84c203ff63d8b48782fe4337f042e8d494703f68e8d14b5cd1e5d217608c4af64ffe6e6547c06679350045ce7d86af1f5e

Download Submit
C:\Windows\SysWOW64\Apoooa32.exe

Filesize
240KB

MD5
4c7a211a5c50f75e0b4106c59703111e

SHA1
8f00131b751352e42979279e4e82377bf6f6d82b

SHA256
d88684bab83efb737c30509fded8d3f17ff62d0999092dc88d74bc55dcbc523d

SHA512
967bd76d4fcfb53915322291fd497cd0923e12da4ed60145266825095c5446b866f815f4e65ae312866828d28e22a54d0049b6745217ec3819122fca9f3ad32f

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
240KB

MD5
0b16c9968f585e0e3d698df0000ea975

SHA1
cddb875175f6499e72abe4c0a18b5d21d24ed0db

SHA256
ded04e6d842cf5a2f278cd2eb6c2a6cf30d052167bc1db10f434ad43dbd7fbd5

SHA512
b4174a9fdf144222ba92b154724e0036ff9db270f394fab78527e11982c84d46062bb4c83fd026aed31898bba39b1232aea8f9f5f2d9bcddeb115c7c87be00f5

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
240KB

MD5
7893c914c0582f942d64da8bb309a07d

SHA1
1db557f73e537cb92e7c7a5e7826bba3c99f7ca6

SHA256
27a701ef7a9267db4d7ecd26536a4165b4093544555ab8616c4b9d86cea113a1

SHA512
0b2ab86e44c133fbf891ba47ea23fe66528e628a74699c96d785743f8c5322997ec96a317f6b99200aeab69bd3ea5984eb18cdbb475df075c3b1f2a4397fe0c2

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
240KB

MD5
6e90774412bdc9a2021aee36c6bdbadf

SHA1
4aea102d5d30675f499a58572c9a972b53aa3a8d

SHA256
3b1c9f1448c88e7cdd2e8d159ebe4482aed02b42872d85e1b3cec3653ce167be

SHA512
2fd426d1f3eed3c4c5321709bb8469f0e8012d3c7f0d3139e0957fcb578dd701b7338ca440d95df18a57d444a72c0369fec2c8171d84eb8efa71f5a5408f56b6

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
240KB

MD5
8d195be991f4b49e404e34875ea01ee6

SHA1
76af38f5585597bf250b5addb8edfaded7e493b6

SHA256
9886140693eec3fea582a4071d8f647a5fe11c34c41272340555f94d84d67eb5

SHA512
f2eea03169b2cd523f16ff9cc95f646e1b4ebd7a8bb58e15852e69287afc13a52bd126d40b3b8115003481110d5ffd45db25609bb3609a28aaf195d5eebad7d8

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
240KB

MD5
4a821754f02256ebba80852cddc322d0

SHA1
a810e593499c1d1cfd62b6e5d5ece64f2525da2e

SHA256
6bb919ebd942fa996fcb2d1e430dbb990bda5937fc4ec985ff7b721abe33f0f9

SHA512
9b06dc0e918464ce4158462e6f33596242159d668657c9ba26840877ecf850873ba8141a070646b9f4e57b0221d220f030b6e99c95246e7336f56aa48b645ebf

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
240KB

MD5
799939d311baf70c41d778ab16437415

SHA1
733628318117b4dd85d50ba5c750837e07d44445

SHA256
16857bd5df0e41fbbb0fbb978fcfb6e6f48fb163b8558f8a2053bf55c02ccec7

SHA512
3416b614a8ac462c741caa6ce996a1665b781367f6c1e01563430cbb035e588b07f02563411052a827f2ae612a384f17e3d07a0a51cdb73b946bd393dce4ad9c

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
240KB

MD5
42270d1afb6b9669504db744868c6b91

SHA1
dd7388f1c57efe7c4b1c76973d4eea74ff13457e

SHA256
f39daab7720886a42146a9f9aff51839d7469f836e62f194f858e4fd38378daa

SHA512
2a19cd29bdfaf23bfc3910d895b35f55129c82a5b2873e21f161ded03e70887204f946979985e26607d7155c9c6cd44b0e24bcae7b32eab4817a5799cd5b6d29

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
240KB

MD5
535b38c5fb41c1836f2cc3d3eb04a64b

SHA1
7e65461905cef3a96813961cd6d0091a6bacaff0

SHA256
1b7cfa9a08e7374db351249a6ddcaba747558e61ed68843fadb2f97ce7e5aca5

SHA512
bf1a2ddc248f39c5e5273d398274b575bd39ba80b44b28bbb0692ecc75fdce1c2b5cd6594e5e15b2e5268cf9ee030de27f92273317b86bd9f9af63a67d41f980

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
240KB

MD5
2b4ba0281fd4c8e76787ac2f0eee3969

SHA1
c6ec73ad9efc2af857058df7b41d246996cb4957

SHA256
23a5ef874aec2ac5ed1336096574b6fae213ab5c6e1346392d8c5acc98aabcb5

SHA512
a43cf90784b678e755195e86e37504b19f902876e60b796445eecc5501a302014902235b8a04cc96f1a23a099736738cb9eda9cbfa4206deb00acf05e3fa96af

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
240KB

MD5
914e5b71f548e7052f33566f90d54101

SHA1
ec4dad0fb24c12c296122fa7c23bc65e73b6a875

SHA256
a90ddfda8ea53aa31c12eaa9295a98a53b6f9fb3f987c2846e31eab9284fdf7e

SHA512
ea9fa2a01b2f81a9218172f91ab70901c54f328a649edd6e2f8ceae163c882766fdce9b541eb345004b2d63bd809edbe31cd43c76d83181d269c982fdca57c6e

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
240KB

MD5
c5690f3b242b375fee0936a7f1e98a90

SHA1
faad26c9f15953711992e334d78454830b4507dd

SHA256
05a66dfd3d02a810ed22d406f694bd5c495286279009fa1d745c8b39dca845a6

SHA512
8bdd892d43f58ed23d16097d120f608725c8086fbc11673c39361e4f3ba8d63ffa4c8557858dd2487a15f8d85327cb2f48d39241e1bf446fa98578f50342c491

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
240KB

MD5
7275851c6f11172e1a480627e3b2b3c5

SHA1
3bfb1f2d55c5b04a7fb6c6cfaa77858c3c81ebfc

SHA256
b1e43763d68d37eca6b732753e069dfb049f17b7e775c831b89ccf27f3acbf03

SHA512
a51723271f33f8f002cfb4da653765bf788355505cd7e14db61fb730284242a494a75493a724c4693d27ace298b91f95dca353e42b27a7f81e377dae1c8e6f30

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
240KB

MD5
e93eac869af80837bb049fea94130d6c

SHA1
011b415fe0a170b8b6dd380210ca70f76e70906c

SHA256
9d7c304bf8d6f891f8e11a29abb0a107e2bddf320c257531fe1942d6acf53e16

SHA512
87f9522e94ea524a129f25553169134e8c6767d0dc9b6847fdc0845ceece292d68a3a7f421a0f31711d0190e34eb32c5a5ea8258f578939b4350d678ce4cd0bd

Download Submit
C:\Windows\SysWOW64\Lcnaga32.dll

Filesize
7KB

MD5
b8db4e7201ada544b5d8c3de225a3eba

SHA1
0f961bb94cea4836fedb331b26a98a4665a4da3f

SHA256
bcb91849a17b8949a6b5a75f727714f7e88e2e5687bc45b3be42081b09d6ded1

SHA512
88411364afc6c6654b8e1ec21f5acfcee893eae08193305955c9adaa9d7139fe17948523a6cb3073112706e7b549520fb0102a65930c64e916dcd24457b4d438

Download Submit
C:\Windows\SysWOW64\Ocfigjlp.exe

Filesize
240KB

MD5
c0465f80b956eb9ce3aa298b2e0600ab

SHA1
1544bbc7157debe35c74a7720b359f8590daf10e

SHA256
b7de4af4763a64cd1b856e0e8b392762b00bfc28aaafd4cc7b42e3aaba9010d5

SHA512
5bbfe44cfb5c2c863390f4b36d7d06d16135dd3a5edc1a67cd87c61e2fa089436c49c4c2ed9450491b4e5b04ba1f5003dc101ee9247c59d407f69d20b7053fe0

Download Submit
C:\Windows\SysWOW64\Pqjfoa32.exe

Filesize
240KB

MD5
2e94203ae79b2d862ffaa7c7d6b19e34

SHA1
1f5f5bdb5c1187b4b18826011d195a6f0ea2b455

SHA256
22aee665670e156fdb6b3dfa3161f76d1ea3d2ca2d5d8aed740c0b9c5fcb0735

SHA512
1efa09612227169716d05c748107174eb36484ce3bd84480c2c6afcf6225f3986177868f6d9fdb0a0f7a18d39b7f1f9fef5c8efd59f0d3ae6d7c035417b9467f

Download Submit
C:\Windows\SysWOW64\Qbbhgi32.exe

Filesize
240KB

MD5
f63e57ce0ba0a595620279d9271fe308

SHA1
8a6d479218decb4d6092e692cbd9f37838ccac07

SHA256
3b0e6988398dad5a1ddde34a61b794466801c380e223111ac5154ddda7f47594

SHA512
d28a2a8cbea7584b6fa07f8ce039b25323f050806c69383074484c6628d7a64eab4a552971201f6005a8e633f8759eaa6fa938cea3ba7fe0f5de02dc7df19424

Download Submit
C:\Windows\SysWOW64\Qeohnd32.exe

Filesize
240KB

MD5
a4d7bfcd5f6739eac9a4ff28329e072a

SHA1
575b789c39b9481e73f3fc882053834f685d255b

SHA256
2685d703fb7312bb2938ede15a8b14bc5508b26994af4f11d4afe707b4fc0b79

SHA512
1d7c0bf308e0023d4b44890cddde2d0ecf167b37b0139a20582dfc96e2fd3b151cba6dbb8faee20a2704da7126019789937a0401355cb99c4a084e72152bbf21

Download Submit
C:\Windows\SysWOW64\Qiladcdh.exe

Filesize
240KB

MD5
5bfd8c6b2346a97b369471fb8f152a53

SHA1
7fbc0baecdd9a354552c7bfaff1c48f9a8dcb3ec

SHA256
83ad1f5bdb9cb1e6d35f648f58c827446bd1432d8e2c94a249eac72f592f552c

SHA512
467dc89f48a8b3bd01218909f375d3308ae029cfd65a054b88af1ef46c6bd51855142def37eec154dafb3a9ab04e536fac5a896750b63ea35756f9a951a42b22

Download Submit
C:\Windows\SysWOW64\Qkhpkoen.exe

Filesize
240KB

MD5
d0f512f5516a22a58ff0dcc1eb6bfc44

SHA1
7eeed861a3c1a6ac843a9380daf46a9a5f7a94e6

SHA256
701dc1c58493a78720a0995043d2e5f8012ccfeaff69be550f82816665bdddb1

SHA512
6077572b870dd5951df17de2c63ce833187df074ac47f5d3b25366cc606477bdb827602cb6a232830368da972a221e79f04c96fbc07b04c1cc74b953af5d0a09

Download Submit
\Windows\SysWOW64\Nadpgggp.exe

Filesize
240KB

MD5
3bc8f455b34f15fe1bf68b9afab0345d

SHA1
bf3f2882bceb06cb9940e43c74292b56a24a317e

SHA256
4d2dedb46099ff014441d4c74508bd7b439cda70e272efec9a0a85c6fcc50a70

SHA512
a4d169177ffc2d0cebeb752216b205a05ef00b939bc3b61406e34797eb256209c529157e447d24cb3df5c38ef0715d8bf0a2e37717b07bd47b3582108c4df7b2

Download Submit
\Windows\SysWOW64\Nhllob32.exe

Filesize
240KB

MD5
f27eefc34b7d96027434b7b5c21a1540

SHA1
b24b73fb307e63945beee873251eeab2bf614885

SHA256
112ec41c4d01b32715807fd7b63c6537d57d961b150ffa77358dc7e58a805a4a

SHA512
c98c570156f7e05a908c736a2dbcbb38f24adee020aefcee0faf56dc47d298269d8b5de6124f90ee510f3a89f75d27d831f135739f25770c649fbd98db37ef47

Download Submit
\Windows\SysWOW64\Nljddpfe.exe

Filesize
240KB

MD5
2a6ca1ae3180a2ab7cc359394e28fa3d

SHA1
68563f24837d7fe3a7aa6675bba630e7cd767c4b

SHA256
0db6ef4ac8617ffe414989f56fd34c37dcfe328e582e7b69c68520baea07260a

SHA512
e1ef3e3f196f0262e87a1f4cbc83cc350d823fe4721c93e8f37c51aff07b98aa910576f8a87a5d76c521dbed66336292b692ca5f1f0e8d393d8e6263029aa6e9

Download Submit
\Windows\SysWOW64\Oappcfmb.exe

Filesize
240KB

MD5
36cd7b9b0aadcd92c26ea9239ff45d19

SHA1
4441d5d1432cf7d0c06b0bf3932bc6cdb3709c8c

SHA256
8ba4612dbaf94f08c5649665f8fe3fd292542f54bd49d72f0330f74a01fc53be

SHA512
dbec93a018b5da6c2511eabba3877e868c22cd661d7547fd20e74c74293e378a0adcb56cb63b1d3db2743925e082d574f8fd65f63761702051485f61a2495891

Download Submit
\Windows\SysWOW64\Oeeecekc.exe

Filesize
240KB

MD5
74c53ef7ef3ebceb2540f646f46f8664

SHA1
a1213598a08cc367989f3f53895bf52a0fe94a84

SHA256
1c041e3ccb2a59a5a2d2c2fb7e737de79b53f2f5c2a1de53f7bd3de5f0f885e6

SHA512
017d111126066f1e58198c4ef007b4fdf989f52b36ca666d83e0c541c52825690faba1a92020d499a63cc4a38b3c1acb2ee66403f95038c75b5f76683842ddfc

Download Submit
\Windows\SysWOW64\Oegbheiq.exe

Filesize
240KB

MD5
65e8bcb6b116b08b995cf751273306eb

SHA1
9bb793c0e54ec293d92ba8fe5836743a0663b8f7

SHA256
f2041f77b013802314a73e396aa955a018a32ead6deb699c7b64eb5abfe4b81c

SHA512
615a07c78de1d700bf16452524aef4fd6ef6efe9bd4a4b140283ddf558e0c5d3c0d00d4283edb39a7a64de170b0d883b88dd8f011936a9f0bb8b01c1b3fa2b83

Download Submit
\Windows\SysWOW64\Oghopm32.exe

Filesize
240KB

MD5
21e685055375a04bd056307b0f873a3c

SHA1
74f5d00d4bf17eea06562c49a11420b5452c05dd

SHA256
b1de88993ee9f9ddb8005cb20d36e09c0723f675c6e906eef14081ec5d054335

SHA512
cfc3152a30e8fdfe67a4349823b214b4f5c4a70e33d70532b5ce8476d38b6459147cb2ba9121e404df745e0484775798fcc89a3f6dc7982eb27d16b4d9f2800b

Download Submit
\Windows\SysWOW64\Okfgfl32.exe

Filesize
240KB

MD5
f50381e0d28b4771d1acaf34297894c0

SHA1
01a634566b47309e050bc3891b2c92b85392af13

SHA256
cff5e79ce88d81f83c31477c9f4ddc00292a4aebee2cb777a0d1c9d684067216

SHA512
a0b7fa7ca157b3361bbea550dab3260f62ee218330da03b959a7b25fb0a2a31227043f1b694376755c6ea89d969aabc515bc54202f690265313700610ec0032e

Download Submit
\Windows\SysWOW64\Ollajp32.exe

Filesize
240KB

MD5
a749759e47dfb711e1074d3206819a1f

SHA1
a626599be7ff10a3bbad72d308a2f36c42ce630a

SHA256
5eabe078b91132ff1f8a0ff8ca4b51829950bae75e54ed72b301a520e81194fa

SHA512
1446410933181e9c551da3158d39a69d61915b3b12a7ec67c5bcf530c62e80f80c430cc731de2a1df9b36989615404bc89c217100dae6fd9cc2c17359e12aaea

Download Submit
\Windows\SysWOW64\Pdlkiepd.exe

Filesize
240KB

MD5
601c7cc19c2c1913d5c281f3cb851f28

SHA1
49275e304124a771bf3e5a7b90e7631a31de2344

SHA256
d25dc532abd8ba7a247bc0b405f7a1ecdeda0648ce4456ac4e2700541393476d

SHA512
ef948e33057c2004b4f003a3d6b255497ed64a4bc508b0531cc9e4420e9e7166c27399b279151f2428bd804e440cc691c4ccd6f3402b96b51c397dac9878f25f

Download Submit
\Windows\SysWOW64\Pjpnbg32.exe

Filesize
240KB

MD5
cda867e439d6087689be03084230a100

SHA1
ad236f95a2cbac1cceb4f0c3d0fd53d7652a9925

SHA256
b2c649ff28964fb861070b5ed01e03bf9f75d7930b4520719155d8a8d4fd7349

SHA512
970589c9923b86cf95b934eb8cd7ea9383ec0c859e159192ec45b6327e21b7d07e5cd09a428b650c14edb2784f81712716420e3b9eb9f1dab7869659cbb345c3

Download Submit
\Windows\SysWOW64\Pkdgpo32.exe

Filesize
240KB

MD5
5b077048a1155d3a2570207b40e0f580

SHA1
1d207ce4c8b2fb2eebe2d0ccff5bf93024a5f902

SHA256
ca3a38ae15354449ba388c2938d0ec336c3ffdd2a702f85e551cfd89de822688

SHA512
c66417b5d7cca6694b7dd6eb820adc278ee6baf601007ca94976c9e779f9a8cd71222910493a9a39043b768ff08988183e3e9629e6b6a06c3dcedeb266e057a1

Download Submit
\Windows\SysWOW64\Pmlmic32.exe

Filesize
240KB

MD5
89122430ac91ecf94f749ca16bc8e95e

SHA1
ffe94b97780d2a8bf7ec7c540739c1868ce4a08b

SHA256
4eefab5c21943c6b24ab476ff4832ca0a21dd96a3761417b0f1673632c9e865a

SHA512
85fe472bff3c2ecfc501379bfd0234ccdbfab6ad0c4a0802a0689ee850c8378c6a5624059ce6398869828422b2c7ec338aeeb78c4c638e8623221ad4d25523d8

Download Submit
\Windows\SysWOW64\Pqemdbaj.exe

Filesize
240KB

MD5
2a26d0e1b0f6c64c057f97308505edd1

SHA1
7160a10c720e7344170d696c32485a2605e51103

SHA256
9a1f17604d54d312ca99e3a24b1ba65d33c5c75e240e1399ca205d97bbdba17f

SHA512
67111d793050df8708b10f39d6287d2aca6638237a54750fa8fca1472ca2a8e783b24ec133cd072b5f8c0a3eaa675b7f464300b80ad98d2bed047f9f502c5c6c

Download Submit
memory/308-422-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/308-419-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/344-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/344-80-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/344-421-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/952-269-0x0000000000340000-0x0000000000374000-memory.dmp

Filesize
208KB

Download
memory/1096-387-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/1096-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1096-386-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/1188-455-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1188-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-457-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1220-172-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1220-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-106-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/1260-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-456-0x0000000000320000-0x0000000000354000-memory.dmp

Filesize
208KB

Download
memory/1260-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1304-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1304-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1304-131-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1340-434-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1340-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-333-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1600-332-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1780-250-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1780-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-249-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1780-598-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1796-398-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1796-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-310-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1828-311-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1828-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-344-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1976-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-343-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2136-192-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2136-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-163-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2228-299-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2228-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-300-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2248-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-410-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2276-120-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2276-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-121-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2356-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-200-0x00000000006A0000-0x00000000006D4000-memory.dmp

Filesize
208KB

Download
memory/2408-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-285-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2412-289-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2432-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-226-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2532-219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-399-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2612-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-40-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2612-35-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2612-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-62-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2616-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-354-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2672-444-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2672-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-443-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2672-88-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2696-468-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2696-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2728-13-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2728-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-144-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2944-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-239-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2944-584-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-257-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3028-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-371-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/3052-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-322-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/3052-321-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/3068-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-479-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads