berbew | 6901121b15694bc7524dcb108bfd7130fdab77d030865b911ff8d871545577fc

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6901121b15694bc7524dcb108bfd7130fdab77d030865b911ff8d871545577fc.exe
Size

97KB
MD5

fa7a8a86aa595068d961278beffee462
SHA1

9bafebc15b508c4cd30972da4afd8a36c6580bd5
SHA256

6901121b15694bc7524dcb108bfd7130fdab77d030865b911ff8d871545577fc
SHA512

3bd628c0a82e44fcc0a8d3644733bb33c08ed829b14f6d3f59900fa23de694b6c7a4538f4a50f823115a1e9b5e043a321e5f71f748dd88855109459632d917db
SSDEEP

3072:VfjNeeWUdY7mvjfBknXN0/CZgKfPzwm7pJXeKE:emLcgKHz/7zeD

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6901121b15694bc7524dcb108bfd7130fdab77d030865b911ff8d871545577fc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3896	Ndhmhh32.exe
3024	Nfjjppmm.exe
1120	Nnqbanmo.exe
432	Olcbmj32.exe
4816	Oponmilc.exe
4016	Ocnjidkf.exe
3056	Ogifjcdp.exe
4948	Oflgep32.exe
2404	Oncofm32.exe
3088	Olfobjbg.exe
1748	Opakbi32.exe
2200	Ocpgod32.exe
4924	Ofnckp32.exe
5112	Ojjolnaq.exe
1936	Olhlhjpd.exe
2524	Odocigqg.exe
956	Ocbddc32.exe
1604	Ofqpqo32.exe
512	Ojllan32.exe
2184	Olkhmi32.exe
1584	Oqfdnhfk.exe
4240	Ocdqjceo.exe
5024	Ogpmjb32.exe
744	Ojoign32.exe
1532	Onjegled.exe
1580	Olmeci32.exe
3008	Oddmdf32.exe
5008	Ocgmpccl.exe
2884	Ofeilobp.exe
3472	Ojaelm32.exe
3328	Pnlaml32.exe
4860	Pqknig32.exe
3664	Pdfjifjo.exe
4904	Pgefeajb.exe
4376	Pfhfan32.exe
4780	Pjcbbmif.exe
2584	Pmannhhj.exe
952	Pmannhhj.exe
4872	Pqmjog32.exe
1140	Pclgkb32.exe
4448	Pggbkagp.exe
3564	Pfjcgn32.exe
2752	Pjeoglgc.exe
3620	Pmdkch32.exe
2632	Pqpgdfnp.exe
4420	Pcncpbmd.exe
4204	Pgioqq32.exe
628	Pflplnlg.exe
1884	Pjhlml32.exe
4916	Pmfhig32.exe
1488	Pqbdjfln.exe
1896	Pdmpje32.exe
1028	Pcppfaka.exe
464	Pgllfp32.exe
4128	Pjjhbl32.exe
2036	Pnfdcjkg.exe
4468	Pmidog32.exe
1384	Pqdqof32.exe
3520	Pcbmka32.exe
4996	Pgnilpah.exe
3400	Pfaigm32.exe
4392	Pjmehkqk.exe
1868	Qmkadgpo.exe
764	Qqfmde32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5200	5356	WerFault.exe	244

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6901121b15694bc7524dcb108bfd7130fdab77d030865b911ff8d871545577fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 3896	4336	6901121b15694bc7524dcb108bfd7130fdab77d030865b911ff8d871545577fc.exe	82
PID 4336 wrote to memory of 3896	4336	6901121b15694bc7524dcb108bfd7130fdab77d030865b911ff8d871545577fc.exe	82
PID 4336 wrote to memory of 3896	4336	6901121b15694bc7524dcb108bfd7130fdab77d030865b911ff8d871545577fc.exe	82
PID 3896 wrote to memory of 3024	3896	Ndhmhh32.exe	83
PID 3896 wrote to memory of 3024	3896	Ndhmhh32.exe	83
PID 3896 wrote to memory of 3024	3896	Ndhmhh32.exe	83
PID 3024 wrote to memory of 1120	3024	Nfjjppmm.exe	84
PID 3024 wrote to memory of 1120	3024	Nfjjppmm.exe	84
PID 3024 wrote to memory of 1120	3024	Nfjjppmm.exe	84
PID 1120 wrote to memory of 432	1120	Nnqbanmo.exe	85
PID 1120 wrote to memory of 432	1120	Nnqbanmo.exe	85
PID 1120 wrote to memory of 432	1120	Nnqbanmo.exe	85
PID 432 wrote to memory of 4816	432	Olcbmj32.exe	86
PID 432 wrote to memory of 4816	432	Olcbmj32.exe	86
PID 432 wrote to memory of 4816	432	Olcbmj32.exe	86
PID 4816 wrote to memory of 4016	4816	Oponmilc.exe	87
PID 4816 wrote to memory of 4016	4816	Oponmilc.exe	87
PID 4816 wrote to memory of 4016	4816	Oponmilc.exe	87
PID 4016 wrote to memory of 3056	4016	Ocnjidkf.exe	88
PID 4016 wrote to memory of 3056	4016	Ocnjidkf.exe	88
PID 4016 wrote to memory of 3056	4016	Ocnjidkf.exe	88
PID 3056 wrote to memory of 4948	3056	Ogifjcdp.exe	89
PID 3056 wrote to memory of 4948	3056	Ogifjcdp.exe	89
PID 3056 wrote to memory of 4948	3056	Ogifjcdp.exe	89
PID 4948 wrote to memory of 2404	4948	Oflgep32.exe	90
PID 4948 wrote to memory of 2404	4948	Oflgep32.exe	90
PID 4948 wrote to memory of 2404	4948	Oflgep32.exe	90
PID 2404 wrote to memory of 3088	2404	Oncofm32.exe	91
PID 2404 wrote to memory of 3088	2404	Oncofm32.exe	91
PID 2404 wrote to memory of 3088	2404	Oncofm32.exe	91
PID 3088 wrote to memory of 1748	3088	Olfobjbg.exe	92
PID 3088 wrote to memory of 1748	3088	Olfobjbg.exe	92
PID 3088 wrote to memory of 1748	3088	Olfobjbg.exe	92
PID 1748 wrote to memory of 2200	1748	Opakbi32.exe	93
PID 1748 wrote to memory of 2200	1748	Opakbi32.exe	93
PID 1748 wrote to memory of 2200	1748	Opakbi32.exe	93
PID 2200 wrote to memory of 4924	2200	Ocpgod32.exe	94
PID 2200 wrote to memory of 4924	2200	Ocpgod32.exe	94
PID 2200 wrote to memory of 4924	2200	Ocpgod32.exe	94
PID 4924 wrote to memory of 5112	4924	Ofnckp32.exe	95
PID 4924 wrote to memory of 5112	4924	Ofnckp32.exe	95
PID 4924 wrote to memory of 5112	4924	Ofnckp32.exe	95
PID 5112 wrote to memory of 1936	5112	Ojjolnaq.exe	96
PID 5112 wrote to memory of 1936	5112	Ojjolnaq.exe	96
PID 5112 wrote to memory of 1936	5112	Ojjolnaq.exe	96
PID 1936 wrote to memory of 2524	1936	Olhlhjpd.exe	97
PID 1936 wrote to memory of 2524	1936	Olhlhjpd.exe	97
PID 1936 wrote to memory of 2524	1936	Olhlhjpd.exe	97
PID 2524 wrote to memory of 956	2524	Odocigqg.exe	98
PID 2524 wrote to memory of 956	2524	Odocigqg.exe	98
PID 2524 wrote to memory of 956	2524	Odocigqg.exe	98
PID 956 wrote to memory of 1604	956	Ocbddc32.exe	99
PID 956 wrote to memory of 1604	956	Ocbddc32.exe	99
PID 956 wrote to memory of 1604	956	Ocbddc32.exe	99
PID 1604 wrote to memory of 512	1604	Ofqpqo32.exe	100
PID 1604 wrote to memory of 512	1604	Ofqpqo32.exe	100
PID 1604 wrote to memory of 512	1604	Ofqpqo32.exe	100
PID 512 wrote to memory of 2184	512	Ojllan32.exe	101
PID 512 wrote to memory of 2184	512	Ojllan32.exe	101
PID 512 wrote to memory of 2184	512	Ojllan32.exe	101
PID 2184 wrote to memory of 1584	2184	Olkhmi32.exe	102
PID 2184 wrote to memory of 1584	2184	Olkhmi32.exe	102
PID 2184 wrote to memory of 1584	2184	Olkhmi32.exe	102
PID 1584 wrote to memory of 4240	1584	Oqfdnhfk.exe	103

C:\Users\Admin\AppData\Local\Temp\6901121b15694bc7524dcb108bfd7130fdab77d030865b911ff8d871545577fc.exe
"C:\Users\Admin\AppData\Local\Temp\6901121b15694bc7524dcb108bfd7130fdab77d030865b911ff8d871545577fc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\SysWOW64\Ndhmhh32.exe
  C:\Windows\system32\Ndhmhh32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\SysWOW64\Nfjjppmm.exe
    C:\Windows\system32\Nfjjppmm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\Nnqbanmo.exe
      C:\Windows\system32\Nnqbanmo.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1120
    - - C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:432
      - C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        30⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4904
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        36⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2584
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:952
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        46⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        47⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        49⤵
        Executes dropped EXE
        
        PID:628
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1384
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        61⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        65⤵
        Executes dropped EXE
        
        PID:764
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        67⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        69⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        71⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        75⤵
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2896
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4132
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        82⤵
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1772
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        87⤵
        Drops file in System32 directory
        
        PID:1220
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        94⤵
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        95⤵
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        96⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        99⤵
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        100⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        101⤵
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        102⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        110⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        115⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        118⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        122⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        125⤵
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        126⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        130⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        131⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        133⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        134⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        137⤵
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5736
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        139⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        140⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        142⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        143⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3980
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        146⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        147⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        149⤵
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        150⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5676
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        151⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6024
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5408
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        157⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        160⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        164⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 212
        165⤵
        Program crash
        
        PID:5200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5356 -ip 5356
1⤵
PID:5964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
97KB

MD5
ee498dc069e06efc8fc20edd83cea708

SHA1
24a057436e5fc277344b389e9988c8ff0aed0f4c

SHA256
4b0562890c2eb99f979062f61b405a1167dde5d605f1c34e79dcd461ca748417

SHA512
76e433933b31a114bcd56271930e077a4b015f974600c880b79bada92c9db3776bd3230d3ba6a3e6b1e3b62c67518ad0d5cc4d99ab448df52b61e4ef1778468a

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
97KB

MD5
287129cf3a3e3e6bed7ffbb03624784e

SHA1
9f407f0f8a8282d029d7d60cb61f4356aaff38c4

SHA256
25942647e6c4de6385c41bb6ff2c86eb9d8f967f4b818cb752ab174184ac3623

SHA512
40ade66d887b4114b0fa78aceeca65f30b41f33c38b4bb66f197d6c98f208dac404ea09b822cd7f0024bb258848653460f36617c803c377682073b8449747302

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
97KB

MD5
423839f8bba8e61b9892aac978eb15d3

SHA1
7b15a91421ad97b287170bd5de6154543c75b2f9

SHA256
cecf210f4859a62bf5f12f0f8065c4a908de3fc783ba1b771ce5a11d88919cb6

SHA512
d4909102f1e8774a32174f10bde962566b3663264be4485d6cedb80fb9255f9043a3ba639fb969144baff431352cf9dcf4ae381d62d94f9c07ad133af0e761f8

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
97KB

MD5
13623ac747112858edf66d99b9408fd4

SHA1
6a59483341e71c3946bb4dba869346cf66cfe82a

SHA256
bc9506a91d7cc9558cd51154f00c36199c4709883a2dd5bed551a7afe3cc44e0

SHA512
be8afc451362971d4da648bebcc40fd2dcc3b41ff909ad99599e503ecb25723833d2e749471056958ade69cf306d5f6862ecb605282b775ec90d68e456a271a4

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
97KB

MD5
85079dcb156532cabab6fb4c3270c543

SHA1
0cae95894f1f449761c220b5cd3fee624cc0fcd2

SHA256
91c6dbd2160eac43e67577297b9fb863d6605d7215822544d215e3b853f2fcda

SHA512
f3e8c6fa094f41bca31e5146160f6fcde236952c619beb07e594f6d1cbb34bfbeb2fb1f46e8789c5dca1b9996c515b966115e64e6e3c57c9e45e927b485e711f

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
97KB

MD5
fca6321881d9b63b07cfe4ed8b1043ee

SHA1
0ead9a8f6d272ee1d120cb00134a74031d9bcaa4

SHA256
9de2919cf2c6a0c1e61d7659348e60fdfc06b6efb21c062234949704298b824e

SHA512
cf2a7107eb61765403d93ade4a76831a280d91c7f78a9a9be2148b686047468739370a2ad787f3bbd12cc1845ef7b51ee58cd7e573c8108f05609e444dee88ca

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
97KB

MD5
2c1327e74a5f89cf705c5b6c78a8c71a

SHA1
fddd96eb4f93b6d8e8653cf20976ef60bf3fe186

SHA256
2b936c3e431ed279e9c113803414385debe9e67b2fe7a51532ff0e40bac15b58

SHA512
ee532861d0cfeab5e8cfca678be1997eefb084c9c657943f92e38fb1e7a6fb7228256b0753df20fec5eaae9df3dfaf213376997b08d8a9e43c5b25419e4eaf20

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
97KB

MD5
88f3a60135845aeca43b8dd79f74e496

SHA1
2a9f617750c57396add19c99fdd90fea5974ba1f

SHA256
d93a003b58c4713cd1b5063cffa29be43559e5860650d840c99eab4458f8d3c9

SHA512
f81b2cfeb767e8886a405a8f1bbdc5536ff9d7c1c758f609905553f26d99cb155c69cb20873aec47d9924a2baefee554eb9e8955a7c7a24dbbbad03bb6b517c8

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
97KB

MD5
4682b969d25cc3c45782cfc57d1e0fb4

SHA1
e5abba19903ddc5f1da69f974aa0e7a1451c9709

SHA256
f0ae66b526dd713facf2338336163f6651b240ddd9f4b74af6589ac3363087a7

SHA512
529722f3ac2c5aaa63105eb2cdb359580ba72fa3a067afc08a915ef057bad2a050a596c4add284718fa19a66e514a603798cb0caf36a105c479b17995673985a

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
97KB

MD5
b59d8830cf32b36fd033cbd59ab45f05

SHA1
6392817b038b7acc8fddc4084858944aae07d919

SHA256
de07bc2d23a6c99aebaab3333ebd78c9ed5cd5cf3a09039d460d6354c12f9ad0

SHA512
118d709e44391afee77a9c6550e0222ca2b6ed506888baca462839cdc7f25d8a0752ae145516931e7159e99a903a28fc9f2e08662dbfb50110f5489b24542ff8

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
97KB

MD5
e51b93eb350e1a57e626a2d3867626bd

SHA1
944889ddd8686f5eeec79ad0d5cfb5f3562f7aa9

SHA256
da9b810dc7f4905fa1942459e16a69be82d0aeb052eb6688c7e040213da93b6a

SHA512
78e417cc309240a2fb88c353cebe67f24468738cb29cfd5bb1995003b9a2b735277972d653683fb7a3268f412a2399957df5ab4b04082675484fd3690d1e7b91

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
97KB

MD5
4adf356c76ac13de303b237622097266

SHA1
e580f2d0e20ea8216b44b3003a8ded0e433149c9

SHA256
d70404e582bfd7ad0d0931d8d781daaab4707df017b6041c697d4301a8637c85

SHA512
cba6f9dba237b59f5aaac29083af98f31eda3b66d89aa85bd416aa234a90e9acf32331d22942daaf1088f20b9235e3a1d9ffcacfb70fa5a277003a63a0dc0f3d

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
97KB

MD5
e45271d8b2bc0de10dc7d94694fcffc2

SHA1
39e5a04c0bdf6fa4af0542ed90151c63ea66ad1b

SHA256
e06025a0f868b240dd3facf08985a67c169dc936654b36ac9b3b804e7d56f5c2

SHA512
bdcea2552bdd071075883cdc5a0f0030e80625b00a317a1425f63ecf77ae6b956ef8b21441d54c159bc3f2a48e6183f9498c14da738e504771538302370d776a

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
97KB

MD5
ebbd3c62daf6156f0cbd3241acb5b57c

SHA1
8f1e993ee75e048e3ccd359a477ddf57a3c7d431

SHA256
aa4b1d3695f05f8a41411592ea920eb2c0e43a35d9fcc6ef853e536b27c307b1

SHA512
5754a789ca3bee22dc8a6144411b75608352582156725e9b024501f7c7034be54705957c3b03663e344f4190beacd1423ac38851061b2883e9f378b1d3110f61

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
97KB

MD5
1aa3386fc3cbc4471b095202be252447

SHA1
74ca6e9747fcf11a543cc82ca48000b9d302793f

SHA256
9d257e87bf0e821a8baa5dfac222f37473b53a75201dbd6da72e760756e688d5

SHA512
da01b6b5e2266077b6ccd85575225ee20bb19dab4b62e12ef945fccede8dfa5b0fe924db7040e2a550ba4c2a66614262570beace8cbd5ea472534326ab511151

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
97KB

MD5
050ada6ec08a8691d0fce585c7241e1a

SHA1
06e20d3ac42e9953bdd07ea2becf0f8136da5994

SHA256
661e699f069a29db4b18641e6186a912d0148a46d7d09a34bedaf5c9559c01b4

SHA512
537f32c60a89c7b39ac593f98e75d962f51142bc5a44f710cb8d03c33dc4e4d2ac1c20a8e8fda5ea4c8be99079b134320c1c7b4906524b17fc5437edb84933b4

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
97KB

MD5
865e49577939cce265a5dc83f7943c2a

SHA1
42c881954531bc16656e779d0f9f700e8df0a30b

SHA256
86af970800dbfcbb4b47e118aab867b462c180c77f4f4fd2fbf769ad61cfdc1c

SHA512
6697b424741f5b1950a74f85b177d23baebc56dace020d8544b92e56ecaadb412053b0fab17a65b4261d24a64ec50ceee8d1299414f64c87539b668d7677f962

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
97KB

MD5
bc6c82605e694984ef041a0f6e3dd05c

SHA1
9e059fb84e1b472615e78ad6ef1e35d5be6bc314

SHA256
7a7c4c86f27c69bc06a99e44d85df881ebb86e8ab8736350a0e7965334f6352f

SHA512
2056b5eebc83f4d8696cf2e6cc08ee10071b366254ffdf2ebb6d6931f6c3a856eca65e10f57768f0f26c7e7e993ebde78965878878cb0122e7953251818f2b78

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
97KB

MD5
4148fd6709758c049d58dac1f7c6593e

SHA1
e1dbafc280d0daba427fdb79949fdbb1c0f68351

SHA256
23c502cc91b65b1e1cb9f4bc325c77cad2bffc12910f0aec2c472eb9f9614797

SHA512
9efe95a68d0594a06ae3c2d01891927e2375130f0c9cf060f062357ffc4688f8ee42baf990e1f98e9d0d21e4bd8d91c0c821af1d9dae0973580975f487292214

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
97KB

MD5
48cfb6d1a231bcb70cd5196597c3f2d7

SHA1
e0cab7677e68e2912eaab7e1260b9ff447d6385c

SHA256
03cd8a579839b94bb4ff70e81fb82acb7061c8bc8c8b98466e4e31f2b67c200b

SHA512
1e74bcd497d15b8f2d6442a971e799085beb54233b63ae44e31599e86262403dbede8326499b03c62dcc4fda87c527f678dbff31c46813733c82405a8f717d26

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
97KB

MD5
298fa20ceea003a1aa137309cf2632b5

SHA1
856fb09b6bfc9958ebca553b8381068cc1858df8

SHA256
03d94c18e87a3b98108b79d91c7aff4005238494d08d1b6cece02eb89d0173c5

SHA512
73f9ed6077a9d13810ec7aa41f2346f68c616b688ab2eca75eaae12c0a11bd56048df419e328e2690466f22d3daaf193641396e14fc9f9ecb23e037452872ea7

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
97KB

MD5
199f285fc7ddb87f02d65e29d4b171bb

SHA1
886530745ecd27e7379c8b72a9294bec23bf6fd3

SHA256
2eee1c2f620ab97557b21690c64193a6efaffb005a68a15a23f1457f48610b76

SHA512
135544c553e7444916b505ec80041fdbb5db821a86ceffc5f001f6dd7bb106f2e1c1dfb4e9f9ff1861f694d81cd01119a5adc832bbd417242252cf660a120020

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
97KB

MD5
6315aaf654da48b7b9e508d3a03cebe5

SHA1
2c54572a78b18b11701e105da6b9f87e4ca283ab

SHA256
f22a940ee501282fdabaf820d94afd11965057609a3549051b5bb7e3357a9869

SHA512
1c5c252c3c210c4fa654656105182f8fa9ff0fe51492c1cf8658f967dfeee684947cf124fecd8b5939822c5218fab71ac1ff277ed975ff001e575d4257d24653

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
97KB

MD5
57a08e8a25ad69124a4bb574bbb06a8e

SHA1
8079615b95e612d553c1c6179dc54aebb3c85414

SHA256
a13768198467fd749f71016502c85aa092a0154333259bcd89c7a2d66191b899

SHA512
19b15896b15ce5d5bc09b85c0548f45fbcdac59d8fbdfac3b9439e0157fbf75b37279bffd78172a10a229705463a08a7503ab0dda237bb882da9db01b123fd3d

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
97KB

MD5
a5988869150c69501dc1406ba1160ae7

SHA1
e2ce01e4d28a2d93837c677ac51e854414e5e100

SHA256
e313cf3878f52d27d98977559c0da3e44fd4f77e25bc95984a7aa36e9eff2dcb

SHA512
2df9285999ef1ea2a37b868cf3b0c1b6dfa4206eee85df86b01acb6f5d417ffdebd271287736d24f5394dcc272b09ffee5ff9a2cf54d0879c51ef4d24e9a4622

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
97KB

MD5
ce186e9c0289d8a62a9648284d657dbf

SHA1
84eca910ac784cd2d2f133660679250587345444

SHA256
5256f292d6b61e2e632b11c11a50cbbdfb04c674283411b27d19926deb7a6ab2

SHA512
642d248864e91e79c60b40d26d1c046e6d0d7e3f520ccc464a6bbedf19e5a141b40881e58f468f6ff4390440079d7806ea434531f38496e9dbbe3f8dc634f3b5

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
97KB

MD5
3a2d3d4edb62df5583ad57dad4ab2793

SHA1
dc3190e9b67a6f4870a74ed7347287dc79ece2c7

SHA256
ac57670534a140d776b048cf0d7ff57bf2e2bc62273bc8bf22788f71cb0340ac

SHA512
168dce748164ce06c8a196a073b06d3d134a1db040f4469efef0a0a82ebe88b6bebcb57a1002922a129dded8d22894d4c678add92496f8969b9d44048afbde1c

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
97KB

MD5
0c94f508b11c5748334704d0430bfefb

SHA1
e521a76f6fb8699c21ead50db28401ce89b185d2

SHA256
892de786bdc55d7b43e41a907d5fd36d410a37ede2c011eb20649121ad01f4d9

SHA512
625d3764f1fa0a98491f1703bc671f71b60ee48da3e8f1d3da5010f553db1fd698c660af9b32a68541da466221fb706846a4b15772abcd6b409e2f1f59256b41

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
97KB

MD5
569a0cc1b10ad3ad9f312170a31c0105

SHA1
c9ea55714060f1b50802dc842bc671a18894bffd

SHA256
16756cfea12573f3095e3cab04482a2198e6399a3e779714465a1ffce974b4cd

SHA512
bfcd4dc7be324b25d323cb671b1d5e960ab78a87fd09335c77d7cefa704975c4b51331fc80b0c2ce6b6916ea9d370be0454267a850fbd1dbaa27cc20bc579886

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
97KB

MD5
db1098bd5992e2abb7958e296d0d8cac

SHA1
165fc56e2d148bf34866600f87e2ecafde55d109

SHA256
a90ead4bb62c1c154930d85596b705994ee6b85fc440457c227972ea14facfd4

SHA512
f8e648300e051116a2418330113fb2e247ea9c333414e4375f35e812f211ede699aedd4b106a0dc5136dd04963716dba0a9d3ac0a49e656c02233bf2586facb3

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
97KB

MD5
8b96d8c456410f9cb11da6dcdec55f08

SHA1
c6aba18f91175bae13d8dfd409c3a955a3be76c5

SHA256
414281fd3c0878044d38a777952585044cc7ef47b209475781fc0cee8036aca3

SHA512
cd59a2cfc8469cf1efc88201763e45737535567db9be624383ac839cfdec90ac1a0969a622555483bd45357ebb55ee8d29bd8286da8c4190cc3fb8978abb51fc

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
97KB

MD5
25f565d038a84570c5e0ce2257dcc4c0

SHA1
621cbc716c8045175684fbe7d53d6891b5d84a75

SHA256
a339b1d7d7421d5f996ae2272a4440239222fab8be80bbfb9d0da96672ddfeb4

SHA512
b9d63f8c5191d3ae216f05f362a24a343c2a1e532f24b43d37893f663c17dc5f639eb4b16dd6dcd2620593444bb625196da0cad4247156a6b7ffa94373212de0

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
97KB

MD5
4723d00874445c44b2d416348b2887a7

SHA1
f015e134c53cd15e6783052834bd436485d18765

SHA256
392354faf95137fb209bad14fadd8c9af2ffcbdd2dddaa10f6bfc87e28c0fb3b

SHA512
ede3b5092ac78a2c88e1188a8efc8b0a6de132ff5ff069dbf69754a917820840a5f1ad8c19c24ceae6aba37fc78fa7b258f374258ea3330b364120cf58f7b6e0

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
97KB

MD5
d4b0fa492e3d8f8cb473073440f7f9eb

SHA1
c650399c91652b56981f27d0ebd904a18b8adf28

SHA256
6ebb95834fe45e421779a471cd7d994ce64f673b140bfedfb161c906cd276d6e

SHA512
5343220a5ead9561a666d86b954b74c76a45f53981c4923e293db2be10cd1e1216bcda0ab1399e4e6258f8756f1b36d8073cba64ece4e4ccfdc4e366e39f9a31

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
97KB

MD5
1cb530d650ae95f09cc7348120933739

SHA1
62fdee1175674ed2886919c61a8fc04af9022c8f

SHA256
2f2e5fd161df3131fb00724ab8f980ef19d1ac9e5395e9ca23aed00a871d1853

SHA512
98ad0d0815eb5f25f6826517af4c9b61d91734baf3e6de1ebd158615c042f6c4b800bf02cd89909fc77fc18f2ae94a57fb43fb558c0f941b2ec288a1e8829a08

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
97KB

MD5
7b8109b2bc214115fb406305b460c355

SHA1
48fee31759a4b7538ef257117277d6293deee77a

SHA256
b821dd2511508bbd172c78e8b5853992836ebc64bdc50d48aff52af1cc2146c8

SHA512
1166b4c0d188173cc823947ee9014b61336dd13eb1326ac99793deb94bf762536e4dcfb84b16441fd93a424fe6425a405308444e59039d19c3ab9c1c43cdcdac

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
97KB

MD5
52720e3680eb88d322b183decb6c8a21

SHA1
7894c79f3c9d5ed2a2a8eeef76d3249a7486be51

SHA256
a96f55deb46b264d9a938814e8dcf47549881c2d8081f2b142be4cb75a937c8e

SHA512
30bbe0ea3f35a43f2ef7f103ad32dba02dd30edcb2a433155fb088c76241f0b1b61e1c853eb3f65a9025d4639083a13a20de47083e80d0d79bc9b2162b0900ff

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
97KB

MD5
7c1034baac5ef68f9c34929dce5a202e

SHA1
b446d03a48fe80b4d6785f409b0275049208e709

SHA256
81a7f7fc8e4d1b71b5b4732d831557bedb143527f40ba3477d66ec20e7661125

SHA512
6c7be6055e4a39ef1cd8a49c86801261a279d19069d18eecefe95fe6f6e01c3753bdaccd3bbb171484416b8870b78bf7b1a22db80681742120480ac3a93c75fa

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
97KB

MD5
d4b1dbf1d51663d7eaabec18a74575f4

SHA1
7edda2701c2aaf0b0c58c5ec2d2d5a33e9949bfa

SHA256
edf4eebbaf0722691a0e082d4354161c17ee132fb1bb16ccd084058be3ed20c9

SHA512
afaa4053066b44b46e15a43524eff2f25d02f1a01e7a5e9bc8dd9e886db4f89a41ffcf7d195a62a6a0110e9b3b57b67fa895d48007be5b0f46ff32c36d1a1910

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
97KB

MD5
81ab95ae795a080b733dc76df90da625

SHA1
91467565034e7b6ee02ec449eeae401a18594a56

SHA256
60f80e36b5a8879e430cad106bc0b3377379c21bc6f693812bd535c49c79e845

SHA512
c325faaeba85a2e34643feb212b6987f820d0f7aca7741e660a7f3083fbe09fb934bb0e6bce20c6ae2996a3946216dbf4aeef379807921958e475c25c50b6a8a

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
97KB

MD5
37fbe26d408412ccbce4b2b50eaf6d04

SHA1
6ccb0106bb8463197e100a78fed84b91b1c440bc

SHA256
16745fe04b6a27813d83ee813b478729840f07a8f7d451fedb2f663b9dada9f4

SHA512
30c32c73b968fa885a9844fae4b35659f17244973f5abcf3fbca6349d7d34a3985b9085b93cb8d4624abc2499cc2e5136ed1b97fb870e5e1fda98f02cc9fa78c

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
97KB

MD5
3c4f9b146dbd37e3b07accf1381f9db4

SHA1
4ac5c3d5ec9386866fdfb13c79a3fc12b5760635

SHA256
429f31ecd9d89c17c8caace39c567975ec2c23692a8e6f85bc986316470c40ee

SHA512
bf6577bfd53217b8b0aa92fb1415388abe5ca3e8ec60063dcac5fe2047450a98c364258e3710f2a4d967db35de6ac4ebb9aadc6cef3536751cdaf8d483d1f693

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
97KB

MD5
af46d480be482e9e3deba56b9981caf8

SHA1
bfb32be44126252e72be823268ca74deda3a344d

SHA256
04472e6c902c08543a1fd40578cab3532e779cae9607054fe005fbc511bd45e4

SHA512
d7e6dbfcebbd7cf2b7d0481422f94ba571f7689df61ec5b7326c9ca513d4a18710653d88513ef61920982bd5cac73722dd17609139bc1ff205bfb888f802c35c

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
97KB

MD5
829a178c82a6f61d94e6f871e8ff1eb6

SHA1
19128388297f5b5d49705d33774fb2ac5710292c

SHA256
4113e8abc52b2a4aeb89c3f20a418c8829bbc8d03e3c94de12edabb51b473fa8

SHA512
4beaad1ed2cc1f0912c068843a756c5252f7c82add8cc2d92f7955b78b3137cb5d08bf4188a9264f54a7ea95af19ad230e7c3c96d690c18b72d21dde66516bc9

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
97KB

MD5
2efa0bd300b4737079719153ee526867

SHA1
c9efd8f7f148dfce8ae5e781a54e9e114eec49be

SHA256
b1239f9c889f0ba7a0cec9a9bd184d092266e3476938e691ee755e05b81f22d9

SHA512
bc782b0b1ede5bbd059d299093f1268c68744fa2e5b1f5a7e399665bda50036974025cef038c92c8c6d5a384cf9ed112dd0f34138e636ceddd463be1542620f4

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
97KB

MD5
6461ea4004f494879267cbaf70d12743

SHA1
357c6f1eaab1630a56ce922b560159c3e8502493

SHA256
e682d4b8a1b45894889cc49e758b72808fb26be3c87f058fefaf55d10cba57b9

SHA512
425356beae1e13587e45e54a3e2a5810b7597c18eef78a6e7985bfcec3d0298de76d8cfc84623d4cdd051d4b9aaf64db912e65eb63cd9b1396f06f43c5404485

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
97KB

MD5
b307f97b7f4bb6d678ee935c85953d86

SHA1
e54a77b1c85661845327714303b9495004ede627

SHA256
ac33bb2565388e2bd4cc3ba2c31111997f1801ca3ecaeb0c9d4ede8ae58b8bc9

SHA512
5a6bf405ba17306f19c8f43a30d298483389d711ec4967d1b86c5b727eaefa7023146f8edefb8b38c0528d0a65ddeedb4c0367cc7b780d3804c88d10a5f6a894

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
97KB

MD5
324b543ebead16b3a03d0bb17ad798c6

SHA1
4ff968a3485b862f0770b4210a4b0acb461bec09

SHA256
0a32575e24728b0a94c454bf3fedc84e32453f09d442c7f5f8c4df477d41687b

SHA512
5ed6496b886f417fbb5e28015f160a81a45203e13d28e54d3bc813f34b9854045b2ae6e9bb39f3e081c66257b4ec82a0f596e21d7c46d8c2ef83db59f3b05082

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
97KB

MD5
d00e7153016f7269ca6dcf17a1c582a7

SHA1
81ee988333f0e726a79d6467a8abc9e741459a11

SHA256
42851bc9ca5750f5e0440a2b86c883a5def3f798215324d2965eb39d269b919f

SHA512
fb1e62360124aaf0cdb04855d716b5951301d64332ea16aa516b60c5521df42b4a49c60785d984e4d93a90cd1cf089059c00ca300b98987fbb29727f4074b358

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
97KB

MD5
87cf2fe3438f51c114e7d096086271d5

SHA1
12be4d8112322582c976800103ba60ed2d344cc9

SHA256
bb9cdb6f8056d95756189162cd482aab88581d89a21a342af0dfbf92b10d0db4

SHA512
7cb7bc8ca08cd23f955f464f9a0dfc638e3e3ec221d6d76a062bc3d7da20ce76c105506c77e4d5eae820343e9cd38d29bc083943b4cde7eabd739fd06395abe1

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
97KB

MD5
f09f20996a67b26ec82a7aca860046ae

SHA1
404ebdbf917eb872db8181176d984c5636bdcf7e

SHA256
5c5b67cf9b0ccf98133cbc2b24a8839d676deed179680949ffa23c9dda787879

SHA512
b6b614d7af4cd90becc3f3279bf164637a8457d9a26b0191ec3b0ce6eeae5f147c3ebefdc03d676830056ba7bc0dd330f4aae02f52d59f5a5b2a97e8e316676a

Download Submit
memory/392-510-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/432-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/432-568-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-384-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/512-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/628-348-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/744-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/764-444-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/952-288-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/956-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1028-378-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1120-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1120-561-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1140-300-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1220-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1268-590-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1332-562-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1384-408-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1488-366-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1584-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1604-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1748-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1772-576-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1868-438-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1884-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1896-372-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-474-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-396-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2184-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2200-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2288-462-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2404-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2584-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-330-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-318-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2896-516-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-528-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-554-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-589-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3088-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3300-450-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3328-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3400-426-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3472-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3520-414-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3528-534-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3556-492-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3564-312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3620-324-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3664-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3896-547-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3896-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3936-498-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3964-548-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3980-1149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4000-480-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-504-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4016-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4016-582-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4128-390-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4132-522-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4172-456-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4204-342-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4220-569-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4240-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4336-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4336-540-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4376-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4392-432-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4448-306-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4468-402-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4688-486-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4780-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4816-575-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4816-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4836-468-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-541-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4860-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4916-360-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4924-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4948-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4996-420-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5024-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5116-555-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5636-1164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5696-1165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads