berbew | d31d491d619d30c9cfd89740649f73318dd68c0e5736029bf3aa41c1890e98c8

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d31d491d619d30c9cfd89740649f73318dd68c0e5736029bf3aa41c1890e98c8.exe
Size

352KB
MD5

a772b54ca306fdbe84da35c979a3486d
SHA1

74e3b15436b2e85e5dca6b58be6e90b2de342923
SHA256

d31d491d619d30c9cfd89740649f73318dd68c0e5736029bf3aa41c1890e98c8
SHA512

9b800df611c985931b9e38053e9e1f525888b0b69d9e8fed6a9a174e7e911a176fd3dccfb95f7faef98766734c7e879274cd46897aecab50b3bf2ec3d1eb6347
SSDEEP

6144:gxWjet0dZ+bEMeYr75lHzpaF2e6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+42GO:gxp09MeYr75lTefkY660fIaDZkY660fG

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odeiibdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nofdklgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Achojp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oagmmgdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfigjlp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Picnndmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oegbheiq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oancnfoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odlojanh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afgkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	d31d491d619d30c9cfd89740649f73318dd68c0e5736029bf3aa41c1890e98c8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oegbheiq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocalkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poocpnbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odhfob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgpeal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmlmic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odjbdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odlojanh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d31d491d619d30c9cfd89740649f73318dd68c0e5736029bf3aa41c1890e98c8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apoooa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odjbdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apoooa32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 61 IoCs

pid	Process
2628	Nmpnhdfc.exe
2708	Nigome32.exe
2632	Ncpcfkbg.exe
2392	Niikceid.exe
540	Nofdklgl.exe
1992	Nadpgggp.exe
2072	Oagmmgdm.exe
3024	Odeiibdq.exe
2680	Ocfigjlp.exe
856	Odhfob32.exe
1976	Oegbheiq.exe
1288	Odjbdb32.exe
1152	Oopfakpa.exe
640	Oancnfoe.exe
2224	Odlojanh.exe
1248	Ocalkn32.exe
1760	Pgpeal32.exe
1492	Pnimnfpc.exe
1920	Pmlmic32.exe
1796	Pcfefmnk.exe
1732	Picnndmb.exe
2320	Pcibkm32.exe
2096	Pfgngh32.exe
2908	Piekcd32.exe
2064	Pmagdbci.exe
2644	Poocpnbm.exe
2344	Pihgic32.exe
2740	Qbplbi32.exe
1656	Qeohnd32.exe
696	Qngmgjeb.exe
528	Qqeicede.exe
860	Qkkmqnck.exe
2312	Abeemhkh.exe
2380	Acfaeq32.exe
2244	Amnfnfgg.exe
1276	Achojp32.exe
2360	Afgkfl32.exe
2288	Apoooa32.exe
2264	Agfgqo32.exe
2476	Aaolidlk.exe
1140	Acmhepko.exe
108	Aijpnfif.exe
1360	Apdhjq32.exe
1192	Bilmcf32.exe
1740	Becnhgmg.exe
2556	Bhajdblk.exe
1508	Bajomhbl.exe
2332	Biafnecn.exe
2324	Bjbcfn32.exe
500	Balkchpi.exe
2336	Bdkgocpm.exe
2192	Blaopqpo.exe
2860	Bmclhi32.exe
2200	Bejdiffp.exe
1672	Bfkpqn32.exe
1780	Bobhal32.exe
2472	Baadng32.exe
2456	Chkmkacq.exe
2992	Cfnmfn32.exe
3048	Cilibi32.exe
2500	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2888	d31d491d619d30c9cfd89740649f73318dd68c0e5736029bf3aa41c1890e98c8.exe
2888	d31d491d619d30c9cfd89740649f73318dd68c0e5736029bf3aa41c1890e98c8.exe
2628	Nmpnhdfc.exe
2628	Nmpnhdfc.exe
2708	Nigome32.exe
2708	Nigome32.exe
2632	Ncpcfkbg.exe
2632	Ncpcfkbg.exe
2392	Niikceid.exe
2392	Niikceid.exe
540	Nofdklgl.exe
540	Nofdklgl.exe
1992	Nadpgggp.exe
1992	Nadpgggp.exe
2072	Oagmmgdm.exe
2072	Oagmmgdm.exe
3024	Odeiibdq.exe
3024	Odeiibdq.exe
2680	Ocfigjlp.exe
2680	Ocfigjlp.exe
856	Odhfob32.exe
856	Odhfob32.exe
1976	Oegbheiq.exe
1976	Oegbheiq.exe
1288	Odjbdb32.exe
1288	Odjbdb32.exe
1152	Oopfakpa.exe
1152	Oopfakpa.exe
640	Oancnfoe.exe
640	Oancnfoe.exe
2224	Odlojanh.exe
2224	Odlojanh.exe
1248	Ocalkn32.exe
1248	Ocalkn32.exe
1760	Pgpeal32.exe
1760	Pgpeal32.exe
1492	Pnimnfpc.exe
1492	Pnimnfpc.exe
1920	Pmlmic32.exe
1920	Pmlmic32.exe
1796	Pcfefmnk.exe
1796	Pcfefmnk.exe
1732	Picnndmb.exe
1732	Picnndmb.exe
2320	Pcibkm32.exe
2320	Pcibkm32.exe
2096	Pfgngh32.exe
2096	Pfgngh32.exe
2908	Piekcd32.exe
2908	Piekcd32.exe
2064	Pmagdbci.exe
2064	Pmagdbci.exe
2644	Poocpnbm.exe
2644	Poocpnbm.exe
2344	Pihgic32.exe
2344	Pihgic32.exe
2740	Qbplbi32.exe
2740	Qbplbi32.exe
1656	Qeohnd32.exe
1656	Qeohnd32.exe
696	Qngmgjeb.exe
696	Qngmgjeb.exe
528	Qqeicede.exe
528	Qqeicede.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bmclhi32.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Pkfaka32.dll	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Niikceid.exe	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Qeohnd32.exe	Qbplbi32.exe
File created	C:\Windows\SysWOW64\Imjcfnhk.dll	Qngmgjeb.exe
File created	C:\Windows\SysWOW64\Afgkfl32.exe	Achojp32.exe
File created	C:\Windows\SysWOW64\Apoooa32.exe	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Agfgqo32.exe	Apoooa32.exe
File created	C:\Windows\SysWOW64\Mbkbki32.dll	Apoooa32.exe
File created	C:\Windows\SysWOW64\Pdiadenf.dll	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Nigome32.exe	Nmpnhdfc.exe
File opened for modification	C:\Windows\SysWOW64\Odeiibdq.exe	Oagmmgdm.exe
File created	C:\Windows\SysWOW64\Ocfigjlp.exe	Odeiibdq.exe
File created	C:\Windows\SysWOW64\Nmqalo32.dll	Pgpeal32.exe
File opened for modification	C:\Windows\SysWOW64\Piekcd32.exe	Pfgngh32.exe
File opened for modification	C:\Windows\SysWOW64\Amnfnfgg.exe	Acfaeq32.exe
File opened for modification	C:\Windows\SysWOW64\Bhajdblk.exe	Becnhgmg.exe
File opened for modification	C:\Windows\SysWOW64\Oopfakpa.exe	Odjbdb32.exe
File created	C:\Windows\SysWOW64\Aliolp32.dll	Oopfakpa.exe
File opened for modification	C:\Windows\SysWOW64\Picnndmb.exe	Pcfefmnk.exe
File opened for modification	C:\Windows\SysWOW64\Qbplbi32.exe	Pihgic32.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Bjbcfn32.exe	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Pcibkm32.exe	Picnndmb.exe
File created	C:\Windows\SysWOW64\Paenhpdh.dll	Picnndmb.exe
File created	C:\Windows\SysWOW64\Piekcd32.exe	Pfgngh32.exe
File opened for modification	C:\Windows\SysWOW64\Qngmgjeb.exe	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Cdblnn32.dll	Afgkfl32.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Oopfakpa.exe	Odjbdb32.exe
File created	C:\Windows\SysWOW64\Ljhcccai.dll	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Hqlhpf32.dll	Biafnecn.exe
File created	C:\Windows\SysWOW64\Ipgljgoi.dll	Ocalkn32.exe
File opened for modification	C:\Windows\SysWOW64\Pcfefmnk.exe	Pmlmic32.exe
File created	C:\Windows\SysWOW64\Imogmg32.dll	Pmagdbci.exe
File created	C:\Windows\SysWOW64\Qkkmqnck.exe	Qqeicede.exe
File opened for modification	C:\Windows\SysWOW64\Achojp32.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Lmnppf32.dll	d31d491d619d30c9cfd89740649f73318dd68c0e5736029bf3aa41c1890e98c8.exe
File created	C:\Windows\SysWOW64\Migkgb32.dll	Oagmmgdm.exe
File opened for modification	C:\Windows\SysWOW64\Oegbheiq.exe	Odhfob32.exe
File created	C:\Windows\SysWOW64\Pgpeal32.exe	Ocalkn32.exe
File created	C:\Windows\SysWOW64\Pfgngh32.exe	Pcibkm32.exe
File created	C:\Windows\SysWOW64\Cmelgapq.dll	Qeohnd32.exe
File opened for modification	C:\Windows\SysWOW64\Pnimnfpc.exe	Pgpeal32.exe
File created	C:\Windows\SysWOW64\Pmlmic32.exe	Pnimnfpc.exe
File created	C:\Windows\SysWOW64\Abeemhkh.exe	Qkkmqnck.exe
File created	C:\Windows\SysWOW64\Kgfkcnlb.dll	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Ocfigjlp.exe	Odeiibdq.exe
File created	C:\Windows\SysWOW64\Icmqhn32.dll	Qkkmqnck.exe
File created	C:\Windows\SysWOW64\Achojp32.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Hjphijco.dll	Acmhepko.exe
File created	C:\Windows\SysWOW64\Balkchpi.exe	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	Bajomhbl.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Bmclhi32.exe
File opened for modification	C:\Windows\SysWOW64\Niikceid.exe	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Nofdklgl.exe	Niikceid.exe
File created	C:\Windows\SysWOW64\Aceobl32.dll	Pmlmic32.exe
File created	C:\Windows\SysWOW64\Lapefgai.dll	Pfgngh32.exe
File opened for modification	C:\Windows\SysWOW64\Aaolidlk.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Apdhjq32.exe	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Bfkpqn32.exe	Bejdiffp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1980	2500	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nigome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeohnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnfnfgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocalkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgpeal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmagdbci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poocpnbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odhfob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlmic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjbdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oopfakpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niikceid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d31d491d619d30c9cfd89740649f73318dd68c0e5736029bf3aa41c1890e98c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofdklgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnimnfpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkkmqnck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apoooa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpnhdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oegbheiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbplbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qngmgjeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfigjlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odeiibdq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afgkfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaolidlk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oagmmgdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfefmnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Picnndmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apdhjq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcibkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odlojanh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgngh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nadpgggp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oancnfoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abeemhkh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll"	Pgpeal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll"	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odeiibdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odhfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll"	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapefgai.dll"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgpeal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Picnndmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocalkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnablp32.dll"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnppf32.dll"	d31d491d619d30c9cfd89740649f73318dd68c0e5736029bf3aa41c1890e98c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgpeal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflcmqaa.dll"	Odjbdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmelgapq.dll"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll"	Nigome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odjbdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdblnn32.dll"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njelgo32.dll"	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	d31d491d619d30c9cfd89740649f73318dd68c0e5736029bf3aa41c1890e98c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocfigjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll"	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmoilnn.dll"	Pcfefmnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqmqeba.dll"	Pihgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll"	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odlojanh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll"	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibafdk32.dll"	Nofdklgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eioojl32.dll"	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balkchpi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2628	2888	d31d491d619d30c9cfd89740649f73318dd68c0e5736029bf3aa41c1890e98c8.exe	30
PID 2888 wrote to memory of 2628	2888	d31d491d619d30c9cfd89740649f73318dd68c0e5736029bf3aa41c1890e98c8.exe	30
PID 2888 wrote to memory of 2628	2888	d31d491d619d30c9cfd89740649f73318dd68c0e5736029bf3aa41c1890e98c8.exe	30
PID 2888 wrote to memory of 2628	2888	d31d491d619d30c9cfd89740649f73318dd68c0e5736029bf3aa41c1890e98c8.exe	30
PID 2628 wrote to memory of 2708	2628	Nmpnhdfc.exe	31
PID 2628 wrote to memory of 2708	2628	Nmpnhdfc.exe	31
PID 2628 wrote to memory of 2708	2628	Nmpnhdfc.exe	31
PID 2628 wrote to memory of 2708	2628	Nmpnhdfc.exe	31
PID 2708 wrote to memory of 2632	2708	Nigome32.exe	32
PID 2708 wrote to memory of 2632	2708	Nigome32.exe	32
PID 2708 wrote to memory of 2632	2708	Nigome32.exe	32
PID 2708 wrote to memory of 2632	2708	Nigome32.exe	32
PID 2632 wrote to memory of 2392	2632	Ncpcfkbg.exe	33
PID 2632 wrote to memory of 2392	2632	Ncpcfkbg.exe	33
PID 2632 wrote to memory of 2392	2632	Ncpcfkbg.exe	33
PID 2632 wrote to memory of 2392	2632	Ncpcfkbg.exe	33
PID 2392 wrote to memory of 540	2392	Niikceid.exe	34
PID 2392 wrote to memory of 540	2392	Niikceid.exe	34
PID 2392 wrote to memory of 540	2392	Niikceid.exe	34
PID 2392 wrote to memory of 540	2392	Niikceid.exe	34
PID 540 wrote to memory of 1992	540	Nofdklgl.exe	35
PID 540 wrote to memory of 1992	540	Nofdklgl.exe	35
PID 540 wrote to memory of 1992	540	Nofdklgl.exe	35
PID 540 wrote to memory of 1992	540	Nofdklgl.exe	35
PID 1992 wrote to memory of 2072	1992	Nadpgggp.exe	36
PID 1992 wrote to memory of 2072	1992	Nadpgggp.exe	36
PID 1992 wrote to memory of 2072	1992	Nadpgggp.exe	36
PID 1992 wrote to memory of 2072	1992	Nadpgggp.exe	36
PID 2072 wrote to memory of 3024	2072	Oagmmgdm.exe	37
PID 2072 wrote to memory of 3024	2072	Oagmmgdm.exe	37
PID 2072 wrote to memory of 3024	2072	Oagmmgdm.exe	37
PID 2072 wrote to memory of 3024	2072	Oagmmgdm.exe	37
PID 3024 wrote to memory of 2680	3024	Odeiibdq.exe	38
PID 3024 wrote to memory of 2680	3024	Odeiibdq.exe	38
PID 3024 wrote to memory of 2680	3024	Odeiibdq.exe	38
PID 3024 wrote to memory of 2680	3024	Odeiibdq.exe	38
PID 2680 wrote to memory of 856	2680	Ocfigjlp.exe	39
PID 2680 wrote to memory of 856	2680	Ocfigjlp.exe	39
PID 2680 wrote to memory of 856	2680	Ocfigjlp.exe	39
PID 2680 wrote to memory of 856	2680	Ocfigjlp.exe	39
PID 856 wrote to memory of 1976	856	Odhfob32.exe	40
PID 856 wrote to memory of 1976	856	Odhfob32.exe	40
PID 856 wrote to memory of 1976	856	Odhfob32.exe	40
PID 856 wrote to memory of 1976	856	Odhfob32.exe	40
PID 1976 wrote to memory of 1288	1976	Oegbheiq.exe	41
PID 1976 wrote to memory of 1288	1976	Oegbheiq.exe	41
PID 1976 wrote to memory of 1288	1976	Oegbheiq.exe	41
PID 1976 wrote to memory of 1288	1976	Oegbheiq.exe	41
PID 1288 wrote to memory of 1152	1288	Odjbdb32.exe	42
PID 1288 wrote to memory of 1152	1288	Odjbdb32.exe	42
PID 1288 wrote to memory of 1152	1288	Odjbdb32.exe	42
PID 1288 wrote to memory of 1152	1288	Odjbdb32.exe	42
PID 1152 wrote to memory of 640	1152	Oopfakpa.exe	43
PID 1152 wrote to memory of 640	1152	Oopfakpa.exe	43
PID 1152 wrote to memory of 640	1152	Oopfakpa.exe	43
PID 1152 wrote to memory of 640	1152	Oopfakpa.exe	43
PID 640 wrote to memory of 2224	640	Oancnfoe.exe	44
PID 640 wrote to memory of 2224	640	Oancnfoe.exe	44
PID 640 wrote to memory of 2224	640	Oancnfoe.exe	44
PID 640 wrote to memory of 2224	640	Oancnfoe.exe	44
PID 2224 wrote to memory of 1248	2224	Odlojanh.exe	45
PID 2224 wrote to memory of 1248	2224	Odlojanh.exe	45
PID 2224 wrote to memory of 1248	2224	Odlojanh.exe	45
PID 2224 wrote to memory of 1248	2224	Odlojanh.exe	45

C:\Users\Admin\AppData\Local\Temp\d31d491d619d30c9cfd89740649f73318dd68c0e5736029bf3aa41c1890e98c8.exe
"C:\Users\Admin\AppData\Local\Temp\d31d491d619d30c9cfd89740649f73318dd68c0e5736029bf3aa41c1890e98c8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\Nmpnhdfc.exe
  C:\Windows\system32\Nmpnhdfc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\Nigome32.exe
    C:\Windows\system32\Nigome32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\Ncpcfkbg.exe
      C:\Windows\system32\Ncpcfkbg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\Niikceid.exe
        
        C:\Windows\system32\Niikceid.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2392
      - C:\Windows\SysWOW64\Nofdklgl.exe
        
        C:\Windows\system32\Nofdklgl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Nadpgggp.exe
        
        C:\Windows\system32\Nadpgggp.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Oagmmgdm.exe
        
        C:\Windows\system32\Oagmmgdm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Odeiibdq.exe
        
        C:\Windows\system32\Odeiibdq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Ocfigjlp.exe
        
        C:\Windows\system32\Ocfigjlp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Odhfob32.exe
        
        C:\Windows\system32\Odhfob32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Oegbheiq.exe
        
        C:\Windows\system32\Oegbheiq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Odjbdb32.exe
        
        C:\Windows\system32\Odjbdb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Oopfakpa.exe
        
        C:\Windows\system32\Oopfakpa.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Oancnfoe.exe
        
        C:\Windows\system32\Oancnfoe.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Odlojanh.exe
        
        C:\Windows\system32\Odlojanh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Ocalkn32.exe
        
        C:\Windows\system32\Ocalkn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Pgpeal32.exe
        
        C:\Windows\system32\Pgpeal32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Pnimnfpc.exe
        
        C:\Windows\system32\Pnimnfpc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Pmlmic32.exe
        
        C:\Windows\system32\Pmlmic32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Pcfefmnk.exe
        
        C:\Windows\system32\Pcfefmnk.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Picnndmb.exe
        
        C:\Windows\system32\Picnndmb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Pcibkm32.exe
        
        C:\Windows\system32\Pcibkm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\Pmagdbci.exe
        
        C:\Windows\system32\Pmagdbci.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Poocpnbm.exe
        
        C:\Windows\system32\Poocpnbm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Qbplbi32.exe
        
        C:\Windows\system32\Qbplbi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Qngmgjeb.exe
        
        C:\Windows\system32\Qngmgjeb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:528
        
        C:\Windows\SysWOW64\Qkkmqnck.exe
        
        C:\Windows\system32\Qkkmqnck.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\Abeemhkh.exe
        
        C:\Windows\system32\Abeemhkh.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Amnfnfgg.exe
        
        C:\Windows\system32\Amnfnfgg.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:108
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:500
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 140
        63⤵
        Program crash
        
        PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaolidlk.exe

Filesize
352KB

MD5
d235635f89b29df048a567c6dff62a0d

SHA1
d855d42200a91dc2ce1fa4d3ee0ac3655a33ee5c

SHA256
22696d226d9e155a04b8cde9b23298aff781531ea49748431e3ddc82539c8737

SHA512
f55d72cfcab58d8dee6b683c859dc44b7edfa7957db8af43b7e310aca62fe5b693c7e9c418c3ce0f3939e107871836f08308e75742ee70972e732c09e8606457

Download Submit
C:\Windows\SysWOW64\Abeemhkh.exe

Filesize
352KB

MD5
3430a801e6e76c0683c2b5bff0cbda3a

SHA1
a52ce3a209735e44f9ed1ab6a8a0499e92bebe3e

SHA256
9cd163db2e2d3df4690f28384e64fe02ab8d820a0e0b16315fe3a1d9714eba37

SHA512
160c1d9f268ecbb5890e561963be83bfca231c0d7d37108ca3ae19b52f66ee2889a60063836979103b28ec22d5691be9fdc12ae8d080c97f15f9397b772b094f

Download Submit
C:\Windows\SysWOW64\Acfaeq32.exe

Filesize
352KB

MD5
85acee54a1f674c0ccb8cf11ea920df5

SHA1
e52c6e25ec44e0c67e9c8df4110f321fadcd940a

SHA256
428d603c062bf67d65f0270d5ec19e649b39aabbf097657d179f3ca9263c1631

SHA512
5bc304339c84d18206f41535660ea34a0cbabaa61ecaa809fe25a52c6622c85c2d709f2adaba035d80e0cc2d075e4bd0462b26f0809ff4de29d329ec654ba31b

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
352KB

MD5
bd34f3c8c68458dc5134e9310858b6ec

SHA1
17cc22ee9d14bec3ecab0431002a2e09f2ac1f5c

SHA256
408966f149c170e87f846890d2f697333ca1fbb7f972024a265dd25f4c0dc984

SHA512
ffecb744bf26b5dbe3ff2f939ecdf35c0f572e6cd73156bdc377753fd02a0ddb9632f3d2c356c3ea8b09c8ce52d341d721eb8a281f3ac1192ca3bc968f788f37

Download Submit
C:\Windows\SysWOW64\Acmhepko.exe

Filesize
352KB

MD5
413c1f9dab2b62b184b03e88c79324d6

SHA1
6af480f98d3199a8f27fffd8f10d4d2e846b054f

SHA256
6e049adf431e2c9bb0fea9a68db7529dd8ffa51669780e9b178248d9b9d2787e

SHA512
4ffc60c16eac0a7b4dd63c70d09c41497d649b5740324a303c2fb014bf35f65afa93334e700d5005d83f3661ba1a8bc2e823c7a5840c52d18511ba7f53c72fc6

Download Submit
C:\Windows\SysWOW64\Afgkfl32.exe

Filesize
352KB

MD5
5372be336cb13c5e2f716010c7f69d9d

SHA1
2dfac7fa3487a8489434a477371ce41620910ac8

SHA256
d061c6d6d61c1af0bb6f3e68b5db0575ffaf20af207dc366bd062b1590c0b714

SHA512
59f264ac8683d926a200e6f59c89f3d2b1d76befee693069494931eb03cedde46b496f5d23554addb4d9beba817a4e73cae63727b4bbce768277fdf48a270cac

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
352KB

MD5
c1a0ce7a82bdb898244619a7e0d4284b

SHA1
fffe906e09d31f83c7a02a790658b8b084ef5076

SHA256
715f48f5a14f7a1d1d15e7a13711476427d10902da30a02866df1ad9159bca87

SHA512
39666c0b07447e9d7d7624377a66d951df88cb05b31cf61002ca7729646a096a2bbb6a04b8f986ad249d229e370c5139a8de07a8d42984ca2e906d172c220013

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
352KB

MD5
1f38af0062d35134f5b9213b331fbe52

SHA1
f23b66f6f20306fef105871748e79fe99ee9193f

SHA256
98333945b2be6fc3af2233df93e6f26e6416910b4ed8b3eb51473e0af840025a

SHA512
cb29aec77ee07a35b9e02e29cfca23e077535780e16e5b057463f5e7e4a2fb9a16fd05e3783a8081bfd214f5e7dcf048a96ee5fb81434c24b62149c627b7adbc

Download Submit
C:\Windows\SysWOW64\Amnfnfgg.exe

Filesize
352KB

MD5
67625fd907a17f0fcb6f4f337ad372f9

SHA1
6ab1930ee9dbef172983a5b1f855bb9882716eec

SHA256
8237cfa741156e2c2b64e1a55080e6bca8c74a66a40dab8047f82c5680e00e53

SHA512
63e56cc72873163ca80838346e560d5c990461c2034dfeef47b65a14d2352f99e8386160364ab765a695a213b8331e956822c2b01814b57d7a1df35ea4ef55b9

Download Submit
C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
352KB

MD5
fef153200acc23ef83eca08015b39204

SHA1
6b25f981d8152c55976d579ef7e7b511879a4485

SHA256
59c2aa92ed5402150f106bc45d8f53908110cc851ce00e72ecd909a0fa428297

SHA512
4d4b06d088df28030d36f78040ea5230fdc769afbb2b2e1f21ead3976d7ed80d6bc9b2f5138efec39fb973ddcf16c0245a2114c5b63f162c20364f19e66ed51e

Download Submit
C:\Windows\SysWOW64\Apoooa32.exe

Filesize
352KB

MD5
1b320e862361447932183ecfe396c413

SHA1
4bff4dbb83cb1f9fbdd6a1e3f8fe8ee9355582c1

SHA256
f2f0e93e09617049321c1c8019ce544a05b78a92292db23e8862fc58a51a35b5

SHA512
f693fa1d468a80b7884061fc1d7126deecd11cafefdada2dc034d2d9449c32efd5ae9b1692cb04bc742b000ee547a5bcdb700189c1af59afc1075f3a29fa0404

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
352KB

MD5
8cd28513b2bfb8f6613ad6c86daa011e

SHA1
c1c7b3cc3353878aced229354662d7d423b92a3b

SHA256
d1dae0ef0e27dcca0a552894acb00fba2bf2f6957fe8772341c3e5b9455c8243

SHA512
592fd04ddea5758e2478540367f5f2585064a369201fd52b5f945abb0c8a7ac0ea8e8110e699d4d1fd8a20e83d4f2698b168442c5a1f2621a8244fc463788505

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
352KB

MD5
a470ee0f31454f8e168f633d82b9623f

SHA1
29e66cebad9f1974dff270d5bd8a3b85967f2e51

SHA256
9791b183fccd383149a44f8db9a2525e8f1e4493fcbaa86fe626c236555c4511

SHA512
b9a8be1ac099d2b61d5918a02d1cc1879f7a1da57747b100ae72788aebe738007fe81faf43704d820dd507445206e93a170fbd97c09be1636bce2b4d48ce0937

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
352KB

MD5
d3c21ac701bc90e352bdc2b9b5e141f7

SHA1
974fba48b208d85ef60b57d1b95e8a69c86eee8d

SHA256
c0a1490e4262417e7c13d89f125b9386a36ba57b79db9f91191de4cf690f002f

SHA512
3743c1c4a4a852729baad0b8161d297a67ccda2b44ef095319e51017d457b6e04c41d8a35115e4f770f7e3c85cfa092f671c0e5894546a0607f658afe84e3517

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
352KB

MD5
6bd8184bd6971256ba9891c2b2d9fefd

SHA1
8a7eb18b0ff019eb4b8199e1abf054e56699198d

SHA256
7a8d5bcd5c77b6ef22748a8b3c1e49e12af57e20f9abb56be6a41bbca842be9d

SHA512
b1a0bcca0e1406c2054512ce509bcc80e59c10420eda01adb81a685c01a8fab9c86cef131668eb1d67de41a41d703106955f3e3ca4515d18bb3675ccfcd401ab

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
352KB

MD5
affbbb83f51888899bde6a9956f5913a

SHA1
80aab6053404fe4addedbed58b057fbae0950a10

SHA256
4e8efaf63d9ff778d757c250c774e8172419ff88ffbf13ff770ab21690e34d27

SHA512
16715dee107570175de8b899385935026551eea456d21876a06dedbecf1db7d66f218c50f5794788669c42ffaa5b96820825bd85a6ab4a8eba9ec5c3ce86754c

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
352KB

MD5
ef062e6e5c19d554082e3f5fe2f61d55

SHA1
6213fe05c31c481877d088c75f71b244a6b0cd8b

SHA256
3008e49de66ca8d1cc52030358bfbac8e61a23e55269054d172e3e92c0baf0b4

SHA512
f28502b166ad76f349202fc78ef242d5dfa72ad2a34ed3d9795be59b0b0058e78d7f2e9b24274bb9fa4776ffd372241b1e095e4d874c761accadee896b6fed39

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
352KB

MD5
a41594f07b1d6e83e840d79e1dbe6c29

SHA1
8a970cc4859fad366b5db4d719abb1bafda8150a

SHA256
8317ba9c004dbf8e6b27ae83b7e9b184d912f3238380b7a4898d9dd1837e908b

SHA512
df64db1ab448b4fa7714bd1ec8cca09b915fbc54de4498931777da953c2d26a52d9b55d63b8e31c73fc578a5bf0f3beabad074dc3c0ca106a7b57015bda5da65

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
352KB

MD5
7959cfbf8c2f4be138e6314eba05961c

SHA1
15c08fa75c5a9a8e1fc60713c13b5771e6f80b8c

SHA256
d9b6defa1e4c5489602741fa756e9f1885331b5a0e5429ba56c2d82c8e3d796d

SHA512
bdaf38a5ceefc04ed913574ad214a3d6068c7248e520e74a5bcc5351748c1e6a0466e34c6645537e698651c001fe76aa0257dfc27f85e965c9827bf5d3e91349

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
352KB

MD5
da4a17e2226abb457640d331a88f4d6b

SHA1
0032ff22fe3136c614bce84e10d93618243871f3

SHA256
0b3728b5b10c5dceecc0df66a15e38d2eeddc01a7c47c5f6641e250324e9cbc4

SHA512
a886318cf18ee5f296ceb832d3300403df440395ba292603408486ff9d24ec5c4adb6b79f05985e8fc8cca8068a05ca13ed9324735b2654774e274997a64fe11

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
352KB

MD5
1ff1710f67c8ef52ebd3ee234bcbaeab

SHA1
db8558d6d6c11ff4ec6e7d265e752a2aada2500a

SHA256
81c6ed170224c0188d4342da9f2e8babf2738d7bfa701e3bf0e1ed28b1d94256

SHA512
59812ffe17a7a0cb29a1adcb31547b23f8c76fd2c987a06126b1d8604dd68693a1526aa0048e36de7a5e37e0eb113766c575150871c1fe970ff046c9cd4fb0c4

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
352KB

MD5
0d0d8986cc5fd73ad6967c50454090b2

SHA1
fc27c19af014a1861fdc9bc25550e47ad59abc0e

SHA256
878e2be6e70f64d05c654344a1c9024ce6b080ca79710732ad03d60a98c42310

SHA512
ca34032c27cac2744a5cc886326c2077239b22dd82eaa3db11222b8a2b8e9233073fd585241665e524948e145d6dce43cf2f1935c2f8e57fd63cddc540790ab9

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
352KB

MD5
9157c3c952c1af9dd1badb842674e25b

SHA1
44e6b33e7e155cf2d0cd52c551c8ca171ad59b8f

SHA256
ad3a07fe514c4e5724c7366863f2a33cb22de33432dae2bac706e27044f0db69

SHA512
e65444117c691a9461939a1e34e883f978dd7977f9cd3a489eb2ea398402a64165a619c263f7df3ee67fdd9c713ad86572d2d09746ac0c16cb5b152c4f7dd33d

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
352KB

MD5
6200e849796d4139039ab217f940fd44

SHA1
d6d6d21e9467bca492317dad97e101530194694d

SHA256
c6c788ec044a80aa7a65857ae9ed400af1c7d03b373cc4f6a91d00c54c8d420c

SHA512
fdaa1589c4d67c0a1029052148fb5028d8c1b2630c974f7ebf0ee084724f843d6e4e2ce6564e1634660cc04ee24e7413026a503265900bcd8f59280fe29ccee8

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
352KB

MD5
c08fb942f283f0727ca9483bfbaade79

SHA1
2ff680d6a9e7391a84a87c7f83091574de922d6e

SHA256
29dbefd52de592aa917565361e5201918424cf69008cf79b97870536fa309607

SHA512
145b9364ce5dccffb35e06064fbfc3f2e5a4657069b582e2374efa2ccf4c5709a73c813f7f3cce58282913a03f3f908f1e672243e1d346a4750cc1028fa0bc95

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
352KB

MD5
4c993820f039c53a6ae62768e907f6c9

SHA1
7e2b23a06bb9e1b8f7b03f5ec41c24fa6dc99c22

SHA256
88120f866b39e8af574ffc8df7c9a5a7c48418b32a6a653d88e5a160d124a0f3

SHA512
04802fa3959271dfcdbfd2f7d8c4565f2ba3ac1c4fe91bdb97267b3997a2d8db8de1b0b4a01cbb4e462b483460607912996968dde4d1d182f8388bbacaba064e

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
352KB

MD5
8b7afd9b14c4a114a3843998b7f1e802

SHA1
e4c07604750b2c80bc81dd9ee22b33d20c50d8eb

SHA256
7124286d88949ad8ddf307d7265df3fb12e807cc1e8592a8567bfd73cf3c643c

SHA512
76efeb1c20f8616dbb6582d5c43ba252a96541731044bd0b7f393a09d8ac907e7cd7c5142f2598ebcfe96e82f94607cc918efb9da9a86f50c42044be0a94a6ec

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
352KB

MD5
2785271928c863a24e054e6786ace533

SHA1
80f0cb8e7017dd2c59b09a4a9a583fe2210131f4

SHA256
c2be6940272858c0c4dfe12d085d83449662bf60fa4ec93e23bb2f6498b41020

SHA512
2eb6ddfea81e158b830b68e5ab86e90d3de0d82405ab25860d7e09631faec119f301863e2b364b2dcd0fa39395eed1ac9f0a588e9ad2e8e311972b08d50fa862

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
352KB

MD5
761e8fccaa35f53d1421bb34f1934e5d

SHA1
bde2446cee8b5bcdf1636d07a227f05d4d287476

SHA256
e313963ae28df4ba38320cdd6792d084f77e10a5bb978d23c562c90aa586e56b

SHA512
9659e9d9c3fca1d53662fb78127dc803bc6111dd1a7c9a7f559310cb34238859c44b3cccd0ce9d2b789759cbb40ef8b02e3fa079d0ebfb1c17efd0f4efecf5db

Download Submit
C:\Windows\SysWOW64\Docdkd32.dll

Filesize
7KB

MD5
9e4849477e47ef07ade532d28251c940

SHA1
c61539d9a94dec4981bb0edecbf51af741bb01df

SHA256
012467b35199c59d2382dda67496ec6c2ed339cfe98625fa57858797e73dc293

SHA512
e55a282eeb3967b9667994f71bf2dbebdf0c6e1f9be457509afe3a11f1f46282a610ff24ad82b447e1c77022c0ba80a352ab0e7b12e9a2471f00c3f0848c05e2

Download Submit
C:\Windows\SysWOW64\Nadpgggp.exe

Filesize
352KB

MD5
9fada14650a09796ecc176664060eef7

SHA1
c145ae6b2adcaceed4516b5002b446a6b03b2f9a

SHA256
9f33217111f8558bbb5fa167558f7018e7edc7aa290dbcc60c7171cc629e703d

SHA512
0b47776517454aff08578e1dc482b4290c920186a504e4132fca3c93d483f949be93cb4dd6fd010ba5011e63c03f8008e61c31806306757fef3292721d858eb7

Download Submit
C:\Windows\SysWOW64\Niikceid.exe

Filesize
352KB

MD5
d0ca9bb527c401580ee7a7b5f8a928fe

SHA1
5d9160559c079030e1dd0b8aa09bd163dd83c876

SHA256
e08a4fdc5d43ec524e28a34357807ae3be3df981b4667ee221538bbda4a8d14a

SHA512
22cbdbf953bffe03c86add4c38608b81169bcde78ce1aa960c5e933c4e11beade157f72ae5152090f2bcc2dfcf97d15a6df48d8195054ce3c5b1038c0c7c96f8

Download Submit
C:\Windows\SysWOW64\Ocalkn32.exe

Filesize
352KB

MD5
4be1cc67f9642a06684712e6c1e769f6

SHA1
040e856b61fa673e65ec02988996d12340105897

SHA256
4f82ed362cee2357130eafcab300135294eaa5f0e65fe373c6911d68a9e7c0f5

SHA512
2bb768c17960d89b92fb0c485758985e55c73252c0a23545750cf9522c0f11dacdd94d8a7acf1026acdfc4fe66b29f7567e7d7bd357ad77ea146a5259677809b

Download Submit
C:\Windows\SysWOW64\Ocfigjlp.exe

Filesize
352KB

MD5
e0b34cb85847cf17bc60bd04079f2770

SHA1
16a42b79a4c259d799a69598bedf80222370c96d

SHA256
4b45cff25936372869f5d546d6aa88eb11f1f2c9639631b9f77606148cf1d54e

SHA512
032dbd1d58df86303113de92d58f2fc5f1a999b9a0c6d6341cf8448df476ed03c7c8ae4d8e73aed2c5bfb6087397d69ba48e2f2928aa9d3ba78dd9718d1f8bb5

Download Submit
C:\Windows\SysWOW64\Odeiibdq.exe

Filesize
352KB

MD5
3dcca95c87e1159b9f590619b8610629

SHA1
4c8c1d191db395aeb5f8fccf281b735fd24b6004

SHA256
8a3316eeb79eb623ac67df5e9c55a84def447dfda5b26ee7f2e7632d2f0da044

SHA512
f1d5fee2d82259ca6580654bf9f61870a082e3e9869fd240bc51192dfdc8edd8dc3a0689313fe89d9fa38cba9bab4ee3a6f5906b7312710460dbfe3dfc4923b4

Download Submit
C:\Windows\SysWOW64\Odlojanh.exe

Filesize
352KB

MD5
0a519409758270db46ba5eb2683b440d

SHA1
8170f89029ffaaa245b0073594d6afbf3475afc0

SHA256
78922e236ff9f11ec8d34d29c229be84975d5de9f76808d52f962f2e53c117fd

SHA512
df51f03549f397a5d2faf76f038ec10f9d002dd79330f2d57bad096f8ce208538d86866ed8115f742163459f52ef989118eac295c11eae0a231a256ecebfaa2a

Download Submit
C:\Windows\SysWOW64\Oegbheiq.exe

Filesize
352KB

MD5
d56294074fc75ddb928190f20970ad3d

SHA1
f7f849315f6eb5089045b885e4d72996a92a9d13

SHA256
ccadc694c7fcc20710e75c1d7aa7420806b951932b54fabbce2853f8212ff0de

SHA512
1bd6db828e84e7902a51999a27a8425e76cff7f2696620b2b29c8cdbbd6d2c3779b60a074c32fa360673c3b819c678b91db22f68eba15d6d9581faf604d90073

Download Submit
C:\Windows\SysWOW64\Pcfefmnk.exe

Filesize
352KB

MD5
bd17936956e3db869ad6e02581dd3bec

SHA1
ccd0b78c4a1b88ffe439cb922816c80531d17cd8

SHA256
04a87bfdda26ef8e83632f8d6252d96ba3b4cc8e693c90551712000709b6d675

SHA512
3d7a0e5a66629643f0bcf728a3a7367396c9d57240bc7c78125726e73cbafe7f7a519b42d20293d293cee2dde1cb3fa7ff97ad3d2b6aeeecb0cd1ba5fb11716e

Download Submit
C:\Windows\SysWOW64\Pcibkm32.exe

Filesize
352KB

MD5
fc4e58b40562b24d1abe7983c34d3791

SHA1
0605b91977ef7a84f23eeef47945d452750545fd

SHA256
93dcf33a06f9eba8e4681d4065954e73365c025eb0b062c4780066d27fcd931d

SHA512
11edb3a139f3c96cfe6952e9f60bd8677d36417c4889200553d7bbeb2bd9f32003cb1fa440964048ddc2b64910b37ac5c59e80d44f7a6dd2ebd5b9761b4f461d

Download Submit
C:\Windows\SysWOW64\Pfgngh32.exe

Filesize
352KB

MD5
c08f6ede96d5bdf047e72a782c12828d

SHA1
4d479c3c9cc6f2029306c63191f25456ba272834

SHA256
f44e41db4f9a0c9b9f1caa5e69747bf51ce8a1da9121665d6a6bf4b7de61a09d

SHA512
ded024bd98f6679f0f377005947cf133789471c5cd4befb5750028f512b32ba5a9a1c5616f68989e203bb2ecfb01d1603ab6eee3757ea6c6b56e5b88be940d67

Download Submit
C:\Windows\SysWOW64\Pgpeal32.exe

Filesize
352KB

MD5
0e755a364087ab323de458f0f3eda210

SHA1
517697a0970f9625affa2eb9664dbef6eb664a8b

SHA256
8916acdaf610aa1d88b3ba15868b0c90d124062f481a7470f91285be2e92fe1a

SHA512
72cc87f042571e07f508f76dd2f69e9460e22131f89faae3d4b7a67d052a9e5ca3cc1b84d605cf2a2c79167ae7752d42f43320aa19c79871b591d611149394d4

Download Submit
C:\Windows\SysWOW64\Picnndmb.exe

Filesize
352KB

MD5
dc2f4cebdf39442d73796b77a66622e9

SHA1
b2a2498f28647c17b89dc5898733efd22dd26901

SHA256
af69762e1a8154ce12f86fb3a813dc2c92b31272fe8d8e237bc5b588df145464

SHA512
2810d859c8d78f6162a67da7a7a3c97a0b0b5f116cd16b7a7587ab147b7989d3668450f0a4f34456af0301b95c9b184de7217a7da0058a4a52c4f8de99729e27

Download Submit
C:\Windows\SysWOW64\Piekcd32.exe

Filesize
352KB

MD5
e062e4938cfc9624e6f8848d86b023ba

SHA1
61cc8fb90008d73b85fa6ce8926ddb2221f156b5

SHA256
be499e43cbd22f2c3b889b8aa9c133d43e43d93dc5d6265c8eac665cabcf417c

SHA512
d29588e8131b0ad9dfdee147517364f825440c3300254c048f11b98d1fbd77ebfcc55e7ff831b5e830c388c8df401b5aa45b7a06f4405736e64b0aab2fd88f01

Download Submit
C:\Windows\SysWOW64\Pihgic32.exe

Filesize
352KB

MD5
cf8620707880e9d77b3351751ef4211e

SHA1
71a0493052ba0a307c18f67addcc41ab1eeb72fd

SHA256
3529866608957d188729886f7cf465173f67753f608a6c5d7ebbab8926f34283

SHA512
bcca2ebbb8c7182460bda74b900019a20d60caf5636eaefaf2d9a494f2b004d6eea3e7f407df1538a06507f50d3c12190999648af3e9e75c9e206cba40f3dc13

Download Submit
C:\Windows\SysWOW64\Pmagdbci.exe

Filesize
352KB

MD5
3b38ca7da56f967cf4eb1d4d50316b12

SHA1
47ae6877dbc9695e09979c81d5ebe942a2b976fc

SHA256
c1797f2fa7fe7e64aaac51dfdf36ffcc761978a457881c500332ae2348a32c24

SHA512
9f0adfad402b7b229ea490653af3aa80e727a305b146ce7e8ae00b40e10adfed41119bb17c0a7f6367c423e96910534e8f4bcf34537ef611a78e1313023578e8

Download Submit
C:\Windows\SysWOW64\Pmlmic32.exe

Filesize
352KB

MD5
a135b5e6e533b47b58f699cd96c3d269

SHA1
4135afeae8c34f3e7a4537e054993d79b1dfbadb

SHA256
c03b254ee68cb91009cf6f6542678fab2914c1b44e8e7d553cceb49c6bc2d2bc

SHA512
4e571d21f62042787e6dc21b75570ffdf4dd95f1c7b6dce74b4bab51a3d3b07e7664be8423082812a43626af363fded49b65bb1a401de6f1177d17c39061bfc8

Download Submit
C:\Windows\SysWOW64\Pnimnfpc.exe

Filesize
352KB

MD5
a8957b0d022ffae9acaa84c5d0858fcb

SHA1
d5bc14c1731dd332152c9c8343651492f2fae1c5

SHA256
a75855ececbd666dca7dd375231cafdc59c187cd45e07f49d37552d4f2059ddd

SHA512
db98acf55408504d1952394efeef63db01169c7192c263d0640227c075a29f53a930d8eae92e440300ae23d2d7b438e5d926f74d84dba616cbadcaa08280f17b

Download Submit
C:\Windows\SysWOW64\Poocpnbm.exe

Filesize
352KB

MD5
c6892fd7a0ec5e977552d3a71008735e

SHA1
ff14f7dcf1abca90443bfcd77fdb6f1d7762fbce

SHA256
90c1fe85e75c5f5c892209a0b098d9542cf428716d96d7fe40539aedf3304c0e

SHA512
6caa6289a82d201b48496463c93d97a37afb7e1118aba57efc61b4bf5bf5a7624ce237b84b92000234949027775ce1e1ab08c4d5d1cf3201acec929f4d51e422

Download Submit
C:\Windows\SysWOW64\Qbplbi32.exe

Filesize
352KB

MD5
92892946b654e767be5552e4f1e748f1

SHA1
020be37f3c6243b732f971fdf7ea65217f5b5e06

SHA256
e466911fcb69f25dd3ad1884f4bd41963bb4b80d935e6158545781a89ed1dc59

SHA512
134e4fefcf5d5fa5a66edc84e76281e48a1477c5c91ec88949ad8b9a6b6ff88576cea0e5068d3e30c6e50060256d8dab9f7b60aa717d4347b6d50f99e615d9ec

Download Submit
C:\Windows\SysWOW64\Qeohnd32.exe

Filesize
352KB

MD5
a1253948f2d8505d2196008beaeedcf5

SHA1
0ddd159450ce69d1c01253e4747d46dfd58cd0e6

SHA256
f5be9e1d75341969d45800c37c66354b12f1551c0738ea577e0b873b870fba8a

SHA512
5e72bc2cb5c39861882c659d48a1057a0b7cb914fc3bc0877e9bd82532ca1df017b8c889d313730c52ef68ebd8774ad5edfd48f4e5f57b18b34ae3d541cd196c

Download Submit
C:\Windows\SysWOW64\Qkkmqnck.exe

Filesize
352KB

MD5
8b977707523d6136f22c745ecf364acb

SHA1
f2af26f8eb6b762acf4ea3e4e6057add72e7c441

SHA256
fc24455852daec78b71109401c2a317bb37c34690b6d32293758933f2a758590

SHA512
e96696c3bc9e25c185d7573102a6a90446448944291895dc7ad1c01c1eab685aff6e12ba7eed966d6f7511da200624720a9b5b6af80ba471ce8c5697640080e3

Download Submit
C:\Windows\SysWOW64\Qngmgjeb.exe

Filesize
352KB

MD5
0c9a7466ab776ee87434cb7ce10b056e

SHA1
49d2337a1fdd11bcbdf56d59d229d1eb9ea7bafa

SHA256
86c50f69943d5150a91ca8017d698c6d2e14674b5daa6b4a530913831c1de49c

SHA512
e42968caac85615769329058bd25370314a465ff1926b55c266527919f191b2a6cfcaa2b2eae6178be525e01c3c0b3d5c3f881b66fe00b0ac58b532b6a44be10

Download Submit
C:\Windows\SysWOW64\Qqeicede.exe

Filesize
352KB

MD5
69ae2b20b32a7e4e53714a7d62609f9a

SHA1
46fb9af07711a97b062338c24fe1b2dde430eff1

SHA256
9ecc91e1e790cf58afddf0c9047b082b865ffb1062cff786ffae1a8b8d3b405c

SHA512
b35666057438940087806198c16a9a60ced59e017cfdc7d88e0dd80584415f8de31a7b7aba07a98719ff4dd1c9dfb43f9ef8dfe8c4a5e6c4b48b98eeaf9b1ccc

Download Submit
\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
352KB

MD5
abaa4498e36514cac6e43c5a111d9089

SHA1
6bb3838a405c2e77f94643bcf200646d33becc7f

SHA256
5bf820db32fd004278b8161c85fdd12d12a3d597293e57a164af600587569c77

SHA512
5fa565343a811a80a7b6d207c6fe9789bd02f037d028e60fd1aeff5702c436bd96c8f5fa731ab7f154d5746564504a8a5d0d6cfbf93ef5c349eade1d3934c4cf

Download Submit
\Windows\SysWOW64\Nigome32.exe

Filesize
352KB

MD5
c4c42ce41055db497cb04968c96ce748

SHA1
c9224974438fdb0409fdfcf0aca4109e36b6a5a1

SHA256
9c82e820e85cd11514c463f6fc00b05a474fcb02d9286cfa9fbf660f88ad8c60

SHA512
455d7bafd4e6788d9d9d9c4e46c3acea16c74bd6fe2957e0aac1d620cc68e80c539a750bcc95e59ba87229a4ac611f018865c358b4b79f5066495afba1d7a04e

Download Submit
\Windows\SysWOW64\Nmpnhdfc.exe

Filesize
352KB

MD5
9db3005ea7ac95a24630c3f194a28c57

SHA1
8c33aeb87da288002ec09943eb68d927d78ee27b

SHA256
9f6ceba4561a0571fa02d6433865fa188ba5278e52792d6e87aa16683fd19045

SHA512
defb599992cca26bf4e2c23f184bc3221339dd26e86325937f9b94089c003c5989418dc0c803d294a6ab9ed4d3cb1d6aa0863ccdea7727e3bcc62ba0209eee8f

Download Submit
\Windows\SysWOW64\Nofdklgl.exe

Filesize
352KB

MD5
46a277139db5e15b567a5bab5bc0d9a4

SHA1
e660a24ddb53ebc78ac188cfaebfec48be8e0c2c

SHA256
2bcac0cdc50f10aa353f64c9d5bc4dc89a0f57735b9f322acf32d943e7d6d427

SHA512
93d32c44ab951da408a27796b639221463ef769953b08da88103a27c55b6aaca9bfe1ede2461cbf56bda41529369dedcc9eea0e232a42a7c6b5abafc9609fd11

Download Submit
\Windows\SysWOW64\Oagmmgdm.exe

Filesize
352KB

MD5
3cae4f784d3f722008bc2db50030a01d

SHA1
421514041f5d19a6edd7e0019acf74d71a6b1cae

SHA256
434036d55901d8825863b0095813c6182454bbda3019bf637be57c6cce249823

SHA512
f4d95cc251eb57f708e5f05c3a703a3955390b27addb6ff2e5eef6d8af36c26a5d8e9ea81e249316345ac1bde5c01723c06fe8b6d1a4812114c82a55583f18df

Download Submit
\Windows\SysWOW64\Oancnfoe.exe

Filesize
352KB

MD5
26e671817039da9ab2dcc0b7c8107b88

SHA1
0608a1ab241bfd3b97ffeb4ef55244a24ea963d9

SHA256
6cf7ee7b74b6bc80a69336f58f07361a76a23d8938a52e563cefb46938df4540

SHA512
879001790938117ad816594e2d0f5ba704c630bf222e55abe7b9059340c3bc78e8fd696fdbce45302e2b0fb1e28654b15f118a090cefb4aac79eb6764f3146b6

Download Submit
\Windows\SysWOW64\Odhfob32.exe

Filesize
352KB

MD5
b8b2638a5d71b8a0e5d36989b9a68b49

SHA1
29f870b4048d7cc881c10c829b92cabd5f631dbd

SHA256
7a6d32cbfae67c35fd88af10ce2e9c92cfc0859befa794a57104e57c36387d4b

SHA512
46d909591187a9b89c33458a987a00f3316ecf5cf8d305fd5210595e4e3fb1c0d60d29e1f3857c81fd3d50c0fffdd73c34a370923c11b9ca13d118edcd7c11e8

Download Submit
\Windows\SysWOW64\Odjbdb32.exe

Filesize
352KB

MD5
43b1399021e68772fec30b1ebe0acf93

SHA1
0e0aba9ee817586f043e6666fddcfbbe7e98cee8

SHA256
4ceffd7f1fc69eaf74e471198fc737803128a61c442f7c25aed9f3ef7a8084be

SHA512
515c47777701d6066c1bb0ffd6300fcad8b9f907686594331ef0687e9f15f1e81f936d166bdb52b30fb41265f1e7d58ab81c35c50c1744c9f87146232579ef66

Download Submit
\Windows\SysWOW64\Oopfakpa.exe

Filesize
352KB

MD5
e803bae75aa7dc94a118d3ba49930abb

SHA1
9819e1b877fa0ed947f10510f4e8885dbc60eb02

SHA256
30cec83b0c5ffdb43f17c68a041d98aa530c46f52a6d529295a1ce30220fec26

SHA512
910267a8dfa52291497d5256216e18499df7a4e27af8e2725342018e44074a8b9e0ca09da78690bdf7dcf17cddc6828e062c49682df0f2b229131f7e48342709

Download Submit
memory/108-492-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/108-498-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/528-373-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/528-382-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/540-414-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/540-70-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/640-189-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/640-200-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/696-361-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/696-370-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/696-372-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/856-142-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/856-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/860-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1140-482-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1152-179-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1152-505-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1152-187-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/1248-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1248-226-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1276-428-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1288-495-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1288-172-0x0000000000320000-0x0000000000363000-memory.dmp

Filesize
268KB

Download
memory/1360-507-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1492-243-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/1492-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1656-351-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1732-278-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1732-274-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1732-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1760-233-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/1760-227-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1796-267-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/1796-258-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1920-256-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/1920-257-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/1920-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1976-155-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1976-481-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1992-427-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/1992-82-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1992-90-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/1992-426-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2064-322-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2064-323-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2072-103-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2072-437-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2096-299-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/2096-295-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/2224-215-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2224-202-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2244-417-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2244-425-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2244-424-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2264-469-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2264-470-0x0000000000300000-0x0000000000343000-memory.dmp

Filesize
268KB

Download
memory/2288-458-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2288-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2312-393-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2312-403-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2320-279-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2320-289-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2320-288-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2344-341-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2344-340-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2344-331-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2360-438-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2380-413-0x0000000000300000-0x0000000000343000-memory.dmp

Filesize
268KB

Download
memory/2380-404-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2392-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2392-67-0x0000000000370000-0x00000000003B3000-memory.dmp

Filesize
268KB

Download
memory/2392-398-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2476-480-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/2476-471-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2628-360-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2628-21-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/2632-49-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2632-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2632-46-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2644-329-0x0000000001FB0000-0x0000000001FF3000-memory.dmp

Filesize
268KB

Download
memory/2644-330-0x0000000001FB0000-0x0000000001FF3000-memory.dmp

Filesize
268KB

Download
memory/2644-324-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2680-449-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2680-459-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2680-134-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2708-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2708-27-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2708-34-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2888-350-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2888-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2888-11-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2888-12-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2908-309-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2908-305-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/3024-447-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3024-116-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads