berbew | b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/12/2024, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe
Size

96KB
MD5

fcc56bc3ccb6826683ff9b06e6836be0
SHA1

a4df070bd32b81e5d141b79b773b4dd8144e45be
SHA256

b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa
SHA512

cd3b164eee1dd0bcdef52b7afee59b41a3cceb429aaf6b957e1f6f17360f514e50fddf3c60bb8ef34dae8b36638954dc9d18bc043b82ced61f125672134de1d3
SSDEEP

1536:OAS1OqY36IknNNynDrUJtaCmnfl0mxiqTgX41qeto/YtMiBkWjaAjWbjtKBvU:5SCKIknNNynDrSUCmnfCm04AetXSqkww

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqcpob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmlmic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaheie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odjbdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blmfea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oopfakpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oopfakpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeenochi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oomjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pndpajgd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Annbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olonpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amcpie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apalea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oancnfoe.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2732	Olonpp32.exe
2640	Oomjlk32.exe
2632	Odjbdb32.exe
2456	Oopfakpa.exe
1084	Oancnfoe.exe
1864	Ohhkjp32.exe
2420	Onecbg32.exe
2932	Oqcpob32.exe
2924	Ocalkn32.exe
1332	Pqemdbaj.exe
692	Pmlmic32.exe
1700	Pcfefmnk.exe
704	Pqjfoa32.exe
2972	Pbkbgjcc.exe
1536	Pmagdbci.exe
2364	Pbnoliap.exe
2064	Pdlkiepd.exe
1920	Pndpajgd.exe
2024	Qbplbi32.exe
2268	Qijdocfj.exe
1012	Qodlkm32.exe
3064	Qqeicede.exe
2220	Qkkmqnck.exe
2908	Aaheie32.exe
2628	Aganeoip.exe
2092	Ajpjakhc.exe
536	Anlfbi32.exe
592	Aeenochi.exe
2404	Annbhi32.exe
2324	Aaloddnn.exe
2684	Afiglkle.exe
1264	Ajecmj32.exe
2448	Amcpie32.exe
1508	Apalea32.exe
1524	Acmhepko.exe
2356	Abphal32.exe
2136	Afkdakjb.exe
3000	Ajgpbj32.exe
1520	Alhmjbhj.exe
2004	Apdhjq32.exe
308	Abbeflpf.exe
2280	Afnagk32.exe
2416	Bilmcf32.exe
2592	Bmhideol.exe
1748	Blkioa32.exe
884	Bnielm32.exe
2652	Bbdallnd.exe
2816	Becnhgmg.exe
2680	Bhajdblk.exe
896	Blmfea32.exe
780	Bnkbam32.exe
2060	Bajomhbl.exe
2832	Beejng32.exe
2368	Bhdgjb32.exe
2880	Bjbcfn32.exe
2232	Bbikgk32.exe
644	Behgcf32.exe
2468	Bdkgocpm.exe
1948	Bjdplm32.exe
3004	Boplllob.exe
1112	Baohhgnf.exe
2552	Bdmddc32.exe
1880	Bfkpqn32.exe
1660	Bobhal32.exe

Loads dropped DLL 64 IoCs

pid	Process
2968	b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe
2968	b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe
2732	Olonpp32.exe
2732	Olonpp32.exe
2640	Oomjlk32.exe
2640	Oomjlk32.exe
2632	Odjbdb32.exe
2632	Odjbdb32.exe
2456	Oopfakpa.exe
2456	Oopfakpa.exe
1084	Oancnfoe.exe
1084	Oancnfoe.exe
1864	Ohhkjp32.exe
1864	Ohhkjp32.exe
2420	Onecbg32.exe
2420	Onecbg32.exe
2932	Oqcpob32.exe
2932	Oqcpob32.exe
2924	Ocalkn32.exe
2924	Ocalkn32.exe
1332	Pqemdbaj.exe
1332	Pqemdbaj.exe
692	Pmlmic32.exe
692	Pmlmic32.exe
1700	Pcfefmnk.exe
1700	Pcfefmnk.exe
704	Pqjfoa32.exe
704	Pqjfoa32.exe
2972	Pbkbgjcc.exe
2972	Pbkbgjcc.exe
1536	Pmagdbci.exe
1536	Pmagdbci.exe
2364	Pbnoliap.exe
2364	Pbnoliap.exe
2064	Pdlkiepd.exe
2064	Pdlkiepd.exe
1920	Pndpajgd.exe
1920	Pndpajgd.exe
2024	Qbplbi32.exe
2024	Qbplbi32.exe
2268	Qijdocfj.exe
2268	Qijdocfj.exe
1012	Qodlkm32.exe
1012	Qodlkm32.exe
3064	Qqeicede.exe
3064	Qqeicede.exe
2220	Qkkmqnck.exe
2220	Qkkmqnck.exe
2908	Aaheie32.exe
2908	Aaheie32.exe
2628	Aganeoip.exe
2628	Aganeoip.exe
2092	Ajpjakhc.exe
2092	Ajpjakhc.exe
536	Anlfbi32.exe
536	Anlfbi32.exe
592	Aeenochi.exe
592	Aeenochi.exe
2404	Annbhi32.exe
2404	Annbhi32.exe
2324	Aaloddnn.exe
2324	Aaloddnn.exe
2684	Afiglkle.exe
2684	Afiglkle.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Behgcf32.exe	Bbikgk32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Nfolbbmp.dll	Boplllob.exe
File created	C:\Windows\SysWOW64\Nodmbemj.dll	Blmfea32.exe
File opened for modification	C:\Windows\SysWOW64\Beejng32.exe	Bajomhbl.exe
File opened for modification	C:\Windows\SysWOW64\Bhdgjb32.exe	Beejng32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Blmfea32.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Oflcmqaa.dll	Odjbdb32.exe
File opened for modification	C:\Windows\SysWOW64\Pbkbgjcc.exe	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Oilpcd32.dll	Ajecmj32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkbam32.exe	Blmfea32.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Ckiigmcd.exe
File opened for modification	C:\Windows\SysWOW64\Pcfefmnk.exe	Pmlmic32.exe
File created	C:\Windows\SysWOW64\Koldhi32.dll	Ajgpbj32.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Qodlkm32.exe	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Hbappj32.dll	Amcpie32.exe
File created	C:\Windows\SysWOW64\Ajgpbj32.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Bhajdblk.exe	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Bnkbam32.exe	Blmfea32.exe
File created	C:\Windows\SysWOW64\Fhbhji32.dll	Bnkbam32.exe
File opened for modification	C:\Windows\SysWOW64\Pmlmic32.exe	Pqemdbaj.exe
File created	C:\Windows\SysWOW64\Igciil32.dll	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Beejng32.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Odjbdb32.exe	Oomjlk32.exe
File created	C:\Windows\SysWOW64\Pbkbgjcc.exe	Pqjfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Qkkmqnck.exe	Qqeicede.exe
File created	C:\Windows\SysWOW64\Ajpjakhc.exe	Aganeoip.exe
File opened for modification	C:\Windows\SysWOW64\Olonpp32.exe	b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe
File created	C:\Windows\SysWOW64\Lmmlmd32.dll	Abphal32.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Afnagk32.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Ipfhpoda.dll	b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe
File created	C:\Windows\SysWOW64\Oepbgcpb.dll	Oqcpob32.exe
File created	C:\Windows\SysWOW64\Qijdocfj.exe	Qbplbi32.exe
File created	C:\Windows\SysWOW64\Ennlme32.dll	Blkioa32.exe
File created	C:\Windows\SysWOW64\Bbdallnd.exe	Bnielm32.exe
File created	C:\Windows\SysWOW64\Chkmkacq.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Pdlkiepd.exe	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Aaloddnn.exe	Annbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Acmhepko.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Bjbcfn32.exe
File opened for modification	C:\Windows\SysWOW64\Pdlkiepd.exe	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Fekagf32.dll	Afiglkle.exe
File created	C:\Windows\SysWOW64\Acmhepko.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Abphal32.exe	Acmhepko.exe
File created	C:\Windows\SysWOW64\Ajcfjgdj.dll	Oomjlk32.exe
File created	C:\Windows\SysWOW64\Odmoin32.dll	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Ajecmj32.exe	Afiglkle.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Blkahecm.dll	Pbnoliap.exe
File opened for modification	C:\Windows\SysWOW64\Ajpjakhc.exe	Aganeoip.exe
File opened for modification	C:\Windows\SysWOW64\Aeenochi.exe	Anlfbi32.exe
File opened for modification	C:\Windows\SysWOW64\Apdhjq32.exe	Alhmjbhj.exe
File opened for modification	C:\Windows\SysWOW64\Afnagk32.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Bhdgjb32.exe	Beejng32.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Kgfkcnlb.dll	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Aaloddnn.exe	Annbhi32.exe
File created	C:\Windows\SysWOW64\Lfobiqka.dll	Acmhepko.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Beejng32.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Bjdplm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2688	2752	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkioa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlmic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afiglkle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olonpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmagdbci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oopfakpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqcpob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjbdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onecbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alhmjbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhkjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqemdbaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aganeoip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocalkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbkbgjcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oancnfoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdlkiepd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomjlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajgpbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbplbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apdhjq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjfoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkkmqnck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onecbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmlmic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odjbdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajpjcomh.dll"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekagf32.dll"	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfobiqka.dll"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olonpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdipkfe.dll"	Aeenochi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll"	Annbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobcmana.dll"	Pdlkiepd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpanl32.dll"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oomjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcfefmnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdnehnn.dll"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhihkig.dll"	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blkioa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqemdbaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqeicede.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhfgj32.dll"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlhpf32.dll"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikhkppkn.dll"	Oancnfoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqemdbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejaekc32.dll"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blmfea32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2732	2968	b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe	30
PID 2968 wrote to memory of 2732	2968	b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe	30
PID 2968 wrote to memory of 2732	2968	b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe	30
PID 2968 wrote to memory of 2732	2968	b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe	30
PID 2732 wrote to memory of 2640	2732	Olonpp32.exe	31
PID 2732 wrote to memory of 2640	2732	Olonpp32.exe	31
PID 2732 wrote to memory of 2640	2732	Olonpp32.exe	31
PID 2732 wrote to memory of 2640	2732	Olonpp32.exe	31
PID 2640 wrote to memory of 2632	2640	Oomjlk32.exe	32
PID 2640 wrote to memory of 2632	2640	Oomjlk32.exe	32
PID 2640 wrote to memory of 2632	2640	Oomjlk32.exe	32
PID 2640 wrote to memory of 2632	2640	Oomjlk32.exe	32
PID 2632 wrote to memory of 2456	2632	Odjbdb32.exe	33
PID 2632 wrote to memory of 2456	2632	Odjbdb32.exe	33
PID 2632 wrote to memory of 2456	2632	Odjbdb32.exe	33
PID 2632 wrote to memory of 2456	2632	Odjbdb32.exe	33
PID 2456 wrote to memory of 1084	2456	Oopfakpa.exe	34
PID 2456 wrote to memory of 1084	2456	Oopfakpa.exe	34
PID 2456 wrote to memory of 1084	2456	Oopfakpa.exe	34
PID 2456 wrote to memory of 1084	2456	Oopfakpa.exe	34
PID 1084 wrote to memory of 1864	1084	Oancnfoe.exe	35
PID 1084 wrote to memory of 1864	1084	Oancnfoe.exe	35
PID 1084 wrote to memory of 1864	1084	Oancnfoe.exe	35
PID 1084 wrote to memory of 1864	1084	Oancnfoe.exe	35
PID 1864 wrote to memory of 2420	1864	Ohhkjp32.exe	36
PID 1864 wrote to memory of 2420	1864	Ohhkjp32.exe	36
PID 1864 wrote to memory of 2420	1864	Ohhkjp32.exe	36
PID 1864 wrote to memory of 2420	1864	Ohhkjp32.exe	36
PID 2420 wrote to memory of 2932	2420	Onecbg32.exe	37
PID 2420 wrote to memory of 2932	2420	Onecbg32.exe	37
PID 2420 wrote to memory of 2932	2420	Onecbg32.exe	37
PID 2420 wrote to memory of 2932	2420	Onecbg32.exe	37
PID 2932 wrote to memory of 2924	2932	Oqcpob32.exe	38
PID 2932 wrote to memory of 2924	2932	Oqcpob32.exe	38
PID 2932 wrote to memory of 2924	2932	Oqcpob32.exe	38
PID 2932 wrote to memory of 2924	2932	Oqcpob32.exe	38
PID 2924 wrote to memory of 1332	2924	Ocalkn32.exe	39
PID 2924 wrote to memory of 1332	2924	Ocalkn32.exe	39
PID 2924 wrote to memory of 1332	2924	Ocalkn32.exe	39
PID 2924 wrote to memory of 1332	2924	Ocalkn32.exe	39
PID 1332 wrote to memory of 692	1332	Pqemdbaj.exe	40
PID 1332 wrote to memory of 692	1332	Pqemdbaj.exe	40
PID 1332 wrote to memory of 692	1332	Pqemdbaj.exe	40
PID 1332 wrote to memory of 692	1332	Pqemdbaj.exe	40
PID 692 wrote to memory of 1700	692	Pmlmic32.exe	41
PID 692 wrote to memory of 1700	692	Pmlmic32.exe	41
PID 692 wrote to memory of 1700	692	Pmlmic32.exe	41
PID 692 wrote to memory of 1700	692	Pmlmic32.exe	41
PID 1700 wrote to memory of 704	1700	Pcfefmnk.exe	42
PID 1700 wrote to memory of 704	1700	Pcfefmnk.exe	42
PID 1700 wrote to memory of 704	1700	Pcfefmnk.exe	42
PID 1700 wrote to memory of 704	1700	Pcfefmnk.exe	42
PID 704 wrote to memory of 2972	704	Pqjfoa32.exe	43
PID 704 wrote to memory of 2972	704	Pqjfoa32.exe	43
PID 704 wrote to memory of 2972	704	Pqjfoa32.exe	43
PID 704 wrote to memory of 2972	704	Pqjfoa32.exe	43
PID 2972 wrote to memory of 1536	2972	Pbkbgjcc.exe	44
PID 2972 wrote to memory of 1536	2972	Pbkbgjcc.exe	44
PID 2972 wrote to memory of 1536	2972	Pbkbgjcc.exe	44
PID 2972 wrote to memory of 1536	2972	Pbkbgjcc.exe	44
PID 1536 wrote to memory of 2364	1536	Pmagdbci.exe	45
PID 1536 wrote to memory of 2364	1536	Pmagdbci.exe	45
PID 1536 wrote to memory of 2364	1536	Pmagdbci.exe	45
PID 1536 wrote to memory of 2364	1536	Pmagdbci.exe	45

C:\Users\Admin\AppData\Local\Temp\b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe
"C:\Users\Admin\AppData\Local\Temp\b5f18a10ed48c8b0d4bd053cd2b55892fd835b7ee6f9ec86817cc5a04117bbaa.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\SysWOW64\Olonpp32.exe
  C:\Windows\system32\Olonpp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\Oomjlk32.exe
    C:\Windows\system32\Oomjlk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\Odjbdb32.exe
      C:\Windows\system32\Odjbdb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\Oopfakpa.exe
        
        C:\Windows\system32\Oopfakpa.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
      - C:\Windows\SysWOW64\Oancnfoe.exe
        
        C:\Windows\system32\Oancnfoe.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Ohhkjp32.exe
        
        C:\Windows\system32\Ohhkjp32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Onecbg32.exe
        
        C:\Windows\system32\Onecbg32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Oqcpob32.exe
        
        C:\Windows\system32\Oqcpob32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Ocalkn32.exe
        
        C:\Windows\system32\Ocalkn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Pqemdbaj.exe
        
        C:\Windows\system32\Pqemdbaj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Pmlmic32.exe
        
        C:\Windows\system32\Pmlmic32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Pcfefmnk.exe
        
        C:\Windows\system32\Pcfefmnk.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Pqjfoa32.exe
        
        C:\Windows\system32\Pqjfoa32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\SysWOW64\Pbkbgjcc.exe
        
        C:\Windows\system32\Pbkbgjcc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Pmagdbci.exe
        
        C:\Windows\system32\Pmagdbci.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Pdlkiepd.exe
        
        C:\Windows\system32\Pdlkiepd.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Pndpajgd.exe
        
        C:\Windows\system32\Pndpajgd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Qbplbi32.exe
        
        C:\Windows\system32\Qbplbi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Qkkmqnck.exe
        
        C:\Windows\system32\Qkkmqnck.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\Anlfbi32.exe
        
        C:\Windows\system32\Anlfbi32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\Aeenochi.exe
        
        C:\Windows\system32\Aeenochi.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Ajgpbj32.exe
        
        C:\Windows\system32\Ajgpbj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:308
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Blkioa32.exe
        
        C:\Windows\system32\Blkioa32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        68⤵
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 140
        72⤵
        Program crash
        
        PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaheie32.exe

Filesize
96KB

MD5
d7e32925bde0830fc8c8aa6216098187

SHA1
ee18b965095cd65890a275c445a602d65c33b8e9

SHA256
b9e0c832a26eaf19d54ebaf7a59305ee60b21a5ac625ceb2010f4347b14784b6

SHA512
2133817db69fa01858d2ff147611dc54fb4cb1cd56480a772edab99f0685558ec9ed389d91f99449c5c143fc1fd1a7aca38fce6c84dba552f63364d993aa92e4

Download Submit
C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
96KB

MD5
1f6810d29e22e5523bd4da234ed14fc9

SHA1
c006e885cdec6bc7d4a6b7e64af4b094569ab1fa

SHA256
54964b01d0f7aa69dffbb4f6467dc27713771e55f43e2e0ac8bc1a950a6f75df

SHA512
60dc76b42f3e12232802756190a564794d661055734ced8f869f234baec4440896c2f327bd75868344638d2284c0c90c80729fb73109da75e7a2f64a473ca89a

Download Submit
C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
96KB

MD5
f6b60267ecfdb4794cc94b68eae76680

SHA1
48934ed87c8862b6b87180f2657f9f5bcc9e28f7

SHA256
765479f0aaf4c8f891851e78d6aba2705341db633a0e0252676529afbfece3ae

SHA512
12e4bbe1e40372f623805d2b6146e076a22ddcfef9ec0ff71bed01e8030b2f4e1001d4ba89307c2d0d9d373ff83ea8f78ead7ef461e25d279464760934731eac

Download Submit
C:\Windows\SysWOW64\Abphal32.exe

Filesize
96KB

MD5
6a4a39f55bedf9257de108bd0ca5fa1e

SHA1
0220d920f6b0a6b368fb2b9ea5412e59fcd7ddec

SHA256
8701371ebd103e0e87658ad84fc944cd952c7afbd6e3f6944a5717fe5ecc9fcc

SHA512
5946f24e6b5efd95ecc744f6c76144e4aac7b5117b31588996eed2dc57b5f2d0b3c122958deb2e074e5e1dfbf963c8efd6dadd1c9774dd490c893b189e5cb63e

Download Submit
C:\Windows\SysWOW64\Acmhepko.exe

Filesize
96KB

MD5
7059c38b9936d88be36ff1972dadeed2

SHA1
685e4d9122b3cd706daf721af26bb8390b6103b9

SHA256
16850ae2c1c0ef1c57792e7c6d5fa80761ef074bacc8ae86bc7f91aff04fe0d7

SHA512
b562569f47589ea1c6958992c5c4f11d385a04338f40fe370b1fe61f7af0ad21113e1ced6dc8580d9a3b6a038404c6484c1f4df78059debbd1d9ce11edc31cb0

Download Submit
C:\Windows\SysWOW64\Aeenochi.exe

Filesize
96KB

MD5
89cc798cb48618a49ca939a885fe5eef

SHA1
75647a85484b602a47e29a13f8540eb965b57444

SHA256
b8344882f316e14b1179341b0d6abcf293458bcfe878110ab55046926180884a

SHA512
9b9477aba5500a7f012e5dff95b03d4be5fcb7d6bab397bf27bbc8715a784233a0fd039500b97b2520863eb8903d198c5121e97e1f0b6f58dd918eea757ee285

Download Submit
C:\Windows\SysWOW64\Afiglkle.exe

Filesize
96KB

MD5
0fee17267e213082b15b822c28d8355b

SHA1
c7ee149a32a4e42ce6c4e9f521aa0037bfb1b300

SHA256
7cfc6efc178b28b9bb0abfe21b38175917ea2ee1a421f94a6588ca4b2e47da29

SHA512
eccec21f16d5210114e4a76d4a6e49a1c1dbd0bec48b4cec9d3adc891c9278f9933d3f5cd0709ac77e03ea0a82ac7fa6011f4967eb2bdae0b744b9b3af988b5c

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
96KB

MD5
74adf542dcfa0e0037eba54e6d675d13

SHA1
cb45fe8f18408b5dfa6173715101afb56e928692

SHA256
77ebcf5c03583ae2418485da2388816bc1bbcc6d9ba5f1429433b491fb15777b

SHA512
2010bf42036b1a991db36b2aee7e618ec60723e7445feeded3f2af29be041f990933f40b7010ec490b2dc2d8e2231e430b7e6b71c992e5f0d3787ef7d11934f4

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
96KB

MD5
9a3697534b4e79dcee7d0a438444c466

SHA1
e054f74399a8c91c1d236fa6aacf4d2ba4efe00f

SHA256
ba522c3188c13ab150347b6f6e006c020d1e10a59b6c2d04dc28b57c7567d45a

SHA512
2f3ab26600b9c4433a6842118d9077bf4f92ba12574f32b24cc3d18638dd85e53e1478c834b1a4dbdb21f24d76045605d309bba6e9bb4a76f57d4936c8a7eac6

Download Submit
C:\Windows\SysWOW64\Aganeoip.exe

Filesize
96KB

MD5
0b2783613abf365c289e85e9fcc4008b

SHA1
92aa735d14bd88403f0b0e012ee1abbf2beda60d

SHA256
01f89d83b648868d511508c52a758f5e05b5f812c8a908b782aa8f825262ce0a

SHA512
9cb01d8ae8f5510741c6af0d45b10cd0d57f385a15d9bf7de6bb923322d37cdce45c6de73fa4c2694ac74d9af3aefa5413eb419b605ee68dc9a403b136a45cf5

Download Submit
C:\Windows\SysWOW64\Ajecmj32.exe

Filesize
96KB

MD5
b60ce958e2b3b917d3ff34df9904dfe1

SHA1
f4e164f2dd3a6c9fd0993064bec5bbab4b58f504

SHA256
95b9ee0c5777ed74d2605b8c56ff65fa47da4520f565fb53c0c34387fde4b31a

SHA512
c1e27886b10e4287688589bd3ce457cef63d29a38eef535ea22bfeb00a455bd7189318232e930d82c0f8e675ffc324def675c3d8efc2037bbb71524de6c06b82

Download Submit
C:\Windows\SysWOW64\Ajgpbj32.exe

Filesize
96KB

MD5
f09c98fc3d9175750e4f877a68756492

SHA1
69984669427e3b085d7f42b373636c31aad8cf71

SHA256
b34c532107e424337614ad8e73c609732a19018176aa2c7f46c11ace30979e34

SHA512
3f755621b32195c0cba6dac173f79c36e68a07ae53daf6137f3fb6c4b3b69dc2fc9b5ee8471bbd7991e3769853bc36c6b5a39f754584aefca7ab010d714cac67

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
96KB

MD5
00482e9a70eb6c3880e54033dfe9f846

SHA1
0eae4f4198fe10d5ad37368aebb14c799b5eb81c

SHA256
a26b97262c0ca0df566d87ae043d8f8ba775284968ad38f203841b67df00f44c

SHA512
1d46d838ab46fd0fe68adcc8e6514788b95bb68e16e68c03c838e058f58541c5d9a26ab691acb38d0e17de8e1426c2dec1d96d7fa82dfbc8dc1984b0f90518a9

Download Submit
C:\Windows\SysWOW64\Alhmjbhj.exe

Filesize
96KB

MD5
f6c72d921cd469e9c73eba5b4ccffd2c

SHA1
1f15d9f17bce316c3e53973585176085bf54db7c

SHA256
8a66a2cf3fbfb25126d94c155e02a5664873281311f7b289ca371c7766aa6cc6

SHA512
db9e14d72a5f6e34b4d564f72d6871409e25cb7a01477b11159d78c8634019d91b270fef3666b626914c4beae3533f8fd92b79d4b59a9df506a2ea3fcbabde27

Download Submit
C:\Windows\SysWOW64\Aliolp32.dll

Filesize
7KB

MD5
66db4a32aa60753bae4d5df91c5b0168

SHA1
251df22cd9c75dad6d5ef406072cb23bff83cef8

SHA256
eee151cab2b3c0a51b9ccd49c4a3ad87c5f538efb010e9bb7c02e615b794d328

SHA512
04fdf29badd3ecc56cd77940cf70d3a75889907a254ec6b1cccc5e37c7340a95ec748ccd3f4205d36f290e42b9b5978b473178ce3e9dd42613abe9115b3000a4

Download Submit
C:\Windows\SysWOW64\Amcpie32.exe

Filesize
96KB

MD5
bcefaae30fa11c69a968ff4691765b81

SHA1
5706f0f5739d0429885a0075ef33842eae0da94f

SHA256
fb36eaa9ddaeb7f6ad1e7bf95c6a55cee8f8a31f3750068c6f217a87271963a1

SHA512
e7753ad553d104658f96ba92636c260f1690fc89de65f18fe973e035c23447beb6605a66cbf7641e514537354c05720059f3e9c820e7195078a7a0b3719a1da3

Download Submit
C:\Windows\SysWOW64\Anlfbi32.exe

Filesize
96KB

MD5
9442bd0ee8514b12e486a682e0e8f1d3

SHA1
9dece704fc3996079a10e24ea1cad80a6bc8ac3f

SHA256
1db7473ac900a403d55350bee5ca6ad1e85e0a2c5b56c659e4a089f9c4623f9e

SHA512
2f08eb8e1969cb62c0c93cea23e861780aa5dd527485bd5f30b36012b4ebfcfd8564bd7551861e8c78285782192ee2219ef6bc830b05194cfbb92c948fde5e2a

Download Submit
C:\Windows\SysWOW64\Annbhi32.exe

Filesize
96KB

MD5
d4adefde7bfe16f22e063327f77bba7e

SHA1
d218f81a191567aceb20051ea7d3fa901405d9ce

SHA256
6cc3b80f95cd4b7b6af8753c71446166104a39bf7e6596d70f19c5dcf60e2c36

SHA512
41448833a9e96414581fdc4c835004b3acbf7cd54427eee6d0f732a8eabab72ee1b1f6a8c4a9ccf04ec0981ab82f3fc4839bfe6083ceb55d51385742e9bac1c7

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
96KB

MD5
abbbad0bac5642a1d95ce80d141d1e43

SHA1
443d4a9851978b4e6f8c08eac9fc5c681077b673

SHA256
57030e535ff69f8c76fc7b00dc1f06abd23025cf3df7903c1c6295a713269b11

SHA512
37b95dd43c48d081b69a2eb06a310ba44e7ef047554d153007270987e901f6789e49fbaa6f8cdbf0ad5e5e1818bf16f81097adc8f083c9f5c3103e3a51a1c890

Download Submit
C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
96KB

MD5
e84e8af727e7e9b01adcab139e4f6e60

SHA1
b42b653735d8138f9d2a709214fdeee26f25ccbe

SHA256
f04317d11d8a264bdde409dbecf53373fe095bc6df543f97d9a318976a07665e

SHA512
2cc8c622c2f00cda081167232e9c3af128eea653491feab5afc9d7bd706ddc81804274fcfcf3f38367f33a58a42a1ae64c2918e0b16c9e169851cbba10c7bc02

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
96KB

MD5
099c1c98429507bba07f880ef7b41fc7

SHA1
800575cb67bf1294251bc05d8215a211fbadb0f8

SHA256
ea7679d8b409498ebd642a13f07f23e5c573dc1d6e08de3f5439d77cd7dea250

SHA512
eebe91da2c901b8e2d19a9845651254b031866fe1b986c7bb2b16ff4f24d9c3c3bb4b85f40b76d1bb7ceb176a728957d847ee3f9370309b1dc452740d8faf2e1

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
96KB

MD5
edbe7904950b6fc468818e46f89e08e5

SHA1
1e23d9a7f4640c94dbaadd81d6aafc5a884843f6

SHA256
233314dc882011a29336cf06f7c82bfa68358b2ad39420f907ea42a692388830

SHA512
124162165c1eceecede7c24e1d9fd7e5147a19fff3aa7480e8c494a376df185cc748a601e56f2914bcc573c334d5a3c42630e7c1d5608f648a9d4fba43d05948

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
96KB

MD5
df7baed57b2df83f8803d7c3962c9038

SHA1
40be48aae35189e576f68ca20f8584faae16e4f1

SHA256
3e002fad2736a14b4df37d5b8e440f484fd00080f024b9db3090ff38c5695902

SHA512
e845a3ceb20e78ccd12f65a5ccf5dea882bed8fa29847624f9a87590f4728868a4aaa01dc38ce54751f78d8822ce45a45f8676ab50b336f829e75ad000b3c583

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
96KB

MD5
be29ab353d8d77473d0c46ce7a3ee891

SHA1
c8d775e505b6894df1b9cb63480f7e142d2cd1a5

SHA256
fa7cf623b39e9f2c1f3c90b9c305e82637478f9d40b6274a38d1a42c3de3e3d7

SHA512
6641f22dcade802430d47cf5c024427c5d9c752925c08635069939e01774ef68bf6a193df9ce0f506a3edd77ee306a391673788a0a9d21ad21aaf66573046b0a

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
96KB

MD5
f59b09e1432b94ca64958c8e30529b31

SHA1
03ffab7945517c7767c068fa9b241fa57b0ea547

SHA256
e758dc2cc40530c00d3242b55460fae283de2a0cc70edfa9267581323e039869

SHA512
ed0b096a9b64c11d5c068923ec61ba4a6b157007612d583084051226c40a9f3702a7f13c0bec28b45c6a4e31cf37072afec633d84c7e75bd12a7aa31c36e5a66

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
96KB

MD5
bd81cd6df214557be199963b091893f9

SHA1
eb586771ec8cfd77ba10f69d215cd079383e7cf0

SHA256
abc75e1daecf340d339818ca67f1712aa778a159ae11571162873268a07acde0

SHA512
ad22873ea198d33eedb1eb17953e9730043cee43d8d6828515ca8a6121559ee6ebe1511b9cb4dc192d15d84be05b526565e4ecdee11ba0c2ccd3a13b69fc664b

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
96KB

MD5
44b7accf9cd4ecf85e242911f03f3444

SHA1
15effd883cc51bfe8ab98b40bab0241556cbd40d

SHA256
75a6c398bb4bfd15c1e052f4d97458b485ddd7dd8d1afc32971af0064e9e1622

SHA512
c15e2c8fde99828482c103f1a331175bd51088ada471d256a6e1b0fdc47e51b5ab56f2d6a15482f9641e889638f5b518c9ea920ce080bf1551cd8f0fb58ae319

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
96KB

MD5
f87b41a4f748065ba34f61ae4143df3b

SHA1
28870d4f2dcdf2ab625df553e8fa1988c71d5f35

SHA256
dbdeff144624ddaf274c6332c3405d99813b055d5fb689588bc6c956a3a8ac1e

SHA512
680df36eae4a88f85ff66797623bf39c6a4f471b5cbf36463fe80a3bd287312379b959b4d42ba29f28f323c30beef0c8ac8e0391571748bfac8bb503bb494d5e

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
96KB

MD5
e1e0afa2331fc6afcf1ec6cc4aa3b865

SHA1
d918eaf27b5b251c5c8540083baef8c720773ea9

SHA256
1fa4ae96c5e7fb5ee67779dfebf6b9b7c651316beb98e84557a29f3eeebd0165

SHA512
e4a384d81b44f5bd623b2cc1a48d9d8371531260a2b084be23b2d893e2f21fdad836d014dd7edb0bb41f0c94894d9f1b28a0ebd16b6bd32018781799816b8196

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
96KB

MD5
3a64f0cd8e6d54432926130dbbc3a03f

SHA1
dd1ee7183d786c6b2dfc9fef06aee3c4cad27386

SHA256
178ba7703c4ddabbe65180ce0212c7c359fb44df79c642bbb497b32fbf39a29f

SHA512
312a4abe0eee0b1c52d49027cbdfc4123b5250a1f8eb8c6e6acb83b23d4f17e78d69d954f51ea113aa4d09c633aaf1e88eb2c2263abd9c1380c0ffcdf67831bb

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
96KB

MD5
678c24b67448eb734bc77935887250dd

SHA1
28eba834f0032683f89fbad349d640e8056773f1

SHA256
4af3b8feba0ddeee34d9a01c7ea7f5dbb57cc7e8b7474852a347f89948aa8aad

SHA512
ae682205a8069a9a4aea0cfc5f95442ebc35461ffd1bdedbadf937a97cf9ec11355f68d1be85bde1e326ffc4dd497e54c6791c14d3ac0db8687cfb6a1261a367

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
96KB

MD5
3bea8f5d2bc265ffa1cf05d6420a26a7

SHA1
a2b8f3ee2c72ec0d1c65d3ad255483f3367d94ac

SHA256
06f0aa52a4b13a480efbe644799b7ff5b1bfbd31f68f5a6f4dc4734eefa93e3e

SHA512
d5270019323c80703a705dea62520b2029b31b78a1f88de65b771cefcc92a5359b858ceaa771f0a6e737e15eb9868587c3d80e6bdccdd7748b767320c054287c

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
96KB

MD5
f75c228c00582970528483cd08fd614b

SHA1
d2e51eada87050c7fbf0f99936e42cf7ec72f2bb

SHA256
3b4d2fc16c7a28a45466953f5ab0cbd5b9b43d3a1363654d6a35ede6c73dd0d3

SHA512
b607de2db52aaaf69f3c167a306adc75f705f492563ab919ad889c64c35798b2bf852b50426891bdd62e5a9060082f90e347cfe23759089bd40d086d4863595a

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
96KB

MD5
f61200cebfcc78ff2fe4276f127bff83

SHA1
c3d727a274024ae49f958653d2838b04b441cd3c

SHA256
3caea80704d24d864e6443e2154f834d5d5f0dcd9ede78184dd8ddc63bfa0200

SHA512
af23516c2ae667a70427838d7f23039f0bfa92ab72f31d9cf398a9a560f09b0b3e349c0de19a486b6fa958bb75a0bda3dd6da2ff52a3dccceb47f5923fa7973b

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
96KB

MD5
0091762bc7bdfed5bcc30942a9bd307d

SHA1
d13fca7636a33816ceec2b9ed0c9bad18cb374dd

SHA256
861395db201f6ae3e36070d6db572058354981f905611b2ee5a9e4027f89e2f0

SHA512
ffad12fe6600e6ab478ae57c422acc0b2db3dd3f788f0fa0e35c44640d51cd195a6ebf8dcf142530a59de7dc148164d9e1fe060ab50efd1a92d942567a50af85

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
96KB

MD5
d8f83904fb977e998f2edfe6c8044e19

SHA1
59196a65d7c46a2090146ef02ef66441ec8661ba

SHA256
f63c963175b26b682313430804728eda6a9fae92a9289ef671f2c5898abbb174

SHA512
3b660f03e90a02d1da58155488a3c6667e533223a0dc33becc149fe8a8ad4d3229a07e4dd46db9dfed34ba03aea5343aafb31cfd5457429f9a4efabc0e41db28

Download Submit
C:\Windows\SysWOW64\Blkioa32.exe

Filesize
96KB

MD5
23201cbc69f692a4eb5d5cdd1940d493

SHA1
0433f6cde021637ee453615add2a8c71f89acbb5

SHA256
55d55319d230d299561094bcf6e67979af4a293ab52df2a83b9808ff3c2dfadd

SHA512
a18a4f7b74b06535a54f5e6f414e579ac2ab54ec8b4a820b1b4fa05d14c9f2ddbdb5871dcc01dd05e999b16529ff08325202234bf653e8e4fed3b18e5328f1b0

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
96KB

MD5
a3cca08a3b5c65d496a854877c791c60

SHA1
fc7a622683854bd3673d967ab22c270d4abb2349

SHA256
5ff725ad050c7cd50e3596b98e78ac0f97965137016f1ab68a8182392a5034b2

SHA512
1c102cc01aee0877876bb169d375a7b02c6996c05037908182bc1e2708f8df28ea33b644862689213a23838efdc141d7c7c7fdd528faa6e53d8a88282bc93510

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
96KB

MD5
1895b7e8f8405642d18d2584fa90a11b

SHA1
70421e4e7499f3b047e763bc67d142886a177d2a

SHA256
8d675ebe94d0bbbc7b097576511da3a97097999c2af2524a7468ba76b8a69237

SHA512
527cf9ac9b25f4f94eb869f1befc2cf341f3e1430e05cfe1fd7b8fc57ed62d0dbbf55d1f4048b4359782c75ac4d7683a9bf12a0e20f3969d59ad995230430d1c

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
96KB

MD5
b46a220184caaf3eb1e2170da01dd28a

SHA1
fd80740138450f1881c86a8955b7e2b4f09a1b0a

SHA256
76358177ff6f5cd8f773cd6e13f606277dc7056e2f97acfde68f94fc094d257e

SHA512
e90c706a7410d5d7702b9add320f15d6d727aa128ade85c3cd510a910e271603233a2152cdd5b8cac1d66bbf9e3655732679d0319de1cf766cbf2589c91ff6b6

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
96KB

MD5
60936f7ee23aab5f0f185af26153332a

SHA1
938f7cff362bdb6076b1bb0bb97cadb4d294bf26

SHA256
779fa32da760ae5dcbd79f0db6ddcdc7285aa367e378e3fd83ed780c0cd76022

SHA512
4b257ffe10c11e8492fe92678472c4fdc09c3b8ea25048dfceb0b80be3bf722c8f46ec70746bc8bca2807fb3857d4e9f395ef3db251cbbd44fc50fbfc3746280

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
96KB

MD5
bb7618dbad973a3fb98c16d73b0e10c0

SHA1
99cd075378d7c1d89b79ead99490fb4496b9daee

SHA256
2fdff349bf8f18a6d5b9920a7e8ff8dd03c8e739394cc05f8b4dfc5a01e081c0

SHA512
8eea9f7837d47a2356f52a3146a8e8be803c1f29e970f1e6f3e4f5a8c222fe7e2b3183a99457ce8c7f2a57d0439043dd81a0a84dec1c657479b0e655c93d03b0

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
96KB

MD5
a4af91dddf12ce0001c550963163c066

SHA1
50583ecdf83692608bdd4a4e64e6dc70d14d6d1a

SHA256
8bb4170ea9776fc3cae05fbaf7bab949cc99d77de5d6b58c855de2796a4ce945

SHA512
cf44d65296e45759c95aa6fd786c16b1edbc8c9ef0fd2e55c295dd68ef14cab54c9a7362f78f2f71ef9c9e677a5d83dbd54e06e49212b702868820c2df5a4126

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
96KB

MD5
b6e61171bdeaff64f60794e4566c6e79

SHA1
188e397bde84e8a61b3ca9fb0eca29fcfef69f88

SHA256
1af4f93c00e944a73f3338855f066e7c26f2d42a43a72b62ca168df0c622b0b9

SHA512
fb51a036eeba40e1e56cf21310866239fb30f9e6a0b21c93938e82f3758cebb6bcb852f74497454dbb43adbb5a121c3ef95180631329173fa92bc2c1400e6885

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
96KB

MD5
b3b60920a35f0156f446c96066977042

SHA1
720d1a6b05cc617fdc92ddd8e97fce4e6ddfc512

SHA256
ca6a4ae418019cc9962b80fde816950e7f7020ab2f2d93e1ea44589ff6465fc5

SHA512
f7376cefe69aa444901c53d3423356cec69b8ef081f109f7b25c9d1b18f9dd680d8295b2dbafe5542fa78b53501025b621f49a77a3b732eb9a883c9a9ad1a986

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
96KB

MD5
55c84f4b93e6130e49085d3d765cbcfb

SHA1
7545c3f79bd3cb40981dc5ca2c994e2fbb517ebe

SHA256
1e7c20e3de77e6f65f9077d983daceccab3d2e8faf1eaa404bebf8765224be83

SHA512
16501283a93ce9210abbc5ef2c2045c4f552cc20d8a2e2b984ba842e7b38f62ef37bfe5031b4f6a19ad3e79bae10bd9fb8680095f435cd6646ab429a8a21db8d

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
96KB

MD5
6f2a6f6016b944bfc49fbc544da0c406

SHA1
a322fcbc821bfbfd6f2e5a55502f38f50e491eb5

SHA256
f64eb5569828f58625f61d028b5860807cafa0317ba9cf255f85239d564138b4

SHA512
25b442f95eca0286d0be7c52c26711e06624df8975ed20cebc034f4e146176a0e7c03c3d56cb1a67bbbe6fc1d99a5b80b55e6f266bf330cb708ab6b501da2ead

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
96KB

MD5
b52dab8111e94ae90ac584833a88717b

SHA1
6bf6677eb9f3a1f46b7a7e92bf6862376f7da99f

SHA256
f47b090f52260a9e2abaeb36753f10cfa091fbce240b2c1937b7417e65254f1b

SHA512
126971ddbd973f053618dddf5306cfddfd85ad263b44568b7d71485159c6736c0a9c2fccaa56577e8030e7fbe1b72bb3faf9dec8fc5bb95591497e388b680aed

Download Submit
C:\Windows\SysWOW64\Olonpp32.exe

Filesize
96KB

MD5
51faaeb302f97e4179ef452e191791eb

SHA1
4eb6f59cbf0b1c179e5c2eb5f760a4bd684bcac3

SHA256
d2fcf659ff9a66f81fccd23febac9d430abccffafa6cbb47f9a3111b09cce067

SHA512
e6e871d72d1beab5ac1f174ddbffc9d781098f0d4a27059a7c5a4b9465dcb1cade8867fb9eeb743e4b9ce184c164a70549b27ba5187515d34766bf223e4466ab

Download Submit
C:\Windows\SysWOW64\Oomjlk32.exe

Filesize
96KB

MD5
9bb2699dbcdab493d25804f9dcf045b4

SHA1
fbb5f8618fe68b14e4ddaab08a2c3e384bae6e0d

SHA256
bf9f777c245577ce4fe4d90f088122f89a39c9c20856ab5b68181ea17717b040

SHA512
f15ccf7845869ecc6030c9577d92a53f58784e5f2547093a37bb3ae5d13dadbe6aa54b2d11872abd17abcc7ce8b31e6998c1622ac97cd9f867b35f2d287d6e17

Download Submit
C:\Windows\SysWOW64\Oopfakpa.exe

Filesize
96KB

MD5
8423919e9a54aaa5d9ecf36db2f2f9f3

SHA1
8be0c497ad292583e45d6e5b9cdac7ba959eb5ce

SHA256
4fca2cc049b8145a87504032ef638ea9ce6af964c0306d70054c7fbb6a43fcbc

SHA512
feb6740a6b214439505a3aa7a9fb2062fe3af07c271b3b74b8d18f710d2feb93ed0c17be62d921a4619ec4f3488521edc9d9f06ffdeee9fb66d6c3300ca1e862

Download Submit
C:\Windows\SysWOW64\Pdlkiepd.exe

Filesize
96KB

MD5
efa4fda5621f472f312d0f631e07c62d

SHA1
6c29c8afdc1b5a3fdcf3d8ca091af2dc7d22ba98

SHA256
9ca50660ddcbb6df246001320ad3537432d4841ce870e22fdb769836f026080f

SHA512
c02e6462f86fe94ca36e9d17aa09ebb9a687e221628d2ea35551ca57e0414516f336a6ad70fc90f28090fb1c9f12c44da37f63931b6503640fc8c64055f04e9b

Download Submit
C:\Windows\SysWOW64\Pndpajgd.exe

Filesize
96KB

MD5
0272a94200ecf352b40ab9f080848b40

SHA1
94c1dc0af00ed3284784485397a01377ae363e93

SHA256
522bc93fb2f3f96de5c6b7f7e3c4811b5da7ee3aa9d925437fd03196f4678b67

SHA512
f23dd738c75673b45726cd7873d05602125594479147b1a7adfe2bd479347cc12795327f77ffc8daf85c47794e7d25b3754dd073425e4f5710c4b3ad7acc87e9

Download Submit
C:\Windows\SysWOW64\Pqemdbaj.exe

Filesize
96KB

MD5
59e07fd6071443f7bfc5849894ce3416

SHA1
02a130cd9017c1268530e684a044c2f23b665d19

SHA256
2841075cea852c4fee6357ed4794248c00a6d0ddb43f0e2a0abf448242390fca

SHA512
dea6c5ba5bbce6fa30bb823e3aba7bec7e7c0420e06bb3202f01c215c5457e710ca1fd6482806e9c0b76864489bf6aa6b7240b8c2667ba4836a95ddb94c4adbf

Download Submit
C:\Windows\SysWOW64\Qbplbi32.exe

Filesize
96KB

MD5
50493bedb244fd7a1d07f6f3849a5ca4

SHA1
53cf55960d06c432f726c2db62ffd7e233c85a5b

SHA256
4b72b0cf332839b9df6f24b52e660162baa1f2bb730442149aa676e9308b22df

SHA512
55da0666164d419d3d4caf6c09c90f3ea2dd52e93a42415e310348955c3129a158b53f19002658cb193d35b54d7036f239f6c65b7faa94650f45e5f7f451f079

Download Submit
C:\Windows\SysWOW64\Qijdocfj.exe

Filesize
96KB

MD5
f0db06e5ba9890bf6681a8bf5d2775f0

SHA1
6b6a606e0950be13d21d54341b135d735695ff9c

SHA256
4da3a205df9a5e1b0a84abf28ec199c89b0657afa18dbf60831ed5f260465e00

SHA512
cfe60c49d2752035b972791ec6a964eb4b206fb386ca92868e2f4e9a487773fc95e8351414224ce2e229fc05997edfc98315894072a5e891033954a1f7721e54

Download Submit
C:\Windows\SysWOW64\Qkkmqnck.exe

Filesize
96KB

MD5
7506b4a87ffbd3cf849700ca6fa25229

SHA1
9b5256d941bc10e6661e9f6c7947037a1c73e287

SHA256
42f397139fdf16ba3aef25026725c2c799355811ba290de1ceeba6dcb7ab49a6

SHA512
a8a703baa6edea4beb587bdc55f25baea42981f22752bb3712d9141975a66e054e9d2b4a7624f2837c03caadda3640be3ad354e9aaad7a709637a32e185f003d

Download Submit
C:\Windows\SysWOW64\Qodlkm32.exe

Filesize
96KB

MD5
43a019314cf002e9cf929f3f6a4ac450

SHA1
ed86fe813eb00cf5b8a525d9f57d6b8c77f212ea

SHA256
72c76a631c13854976f8dfbc1eea8ca537e6daa9520c498251ccfca00a76f9a2

SHA512
382c164fa4f95db26ba5a296be9561a2a37e4d805dfbc1ea933f831c0e52d2d93eec5155e92e6df2e73a7f57e1f25dfc147c8dcdbd0c30dde8b047a0bfee6dac

Download Submit
C:\Windows\SysWOW64\Qqeicede.exe

Filesize
96KB

MD5
c66a1963a4bdec897f78f4b82ecd405e

SHA1
20e1bf03a5136939f8276f491e330e4dacd5eb8c

SHA256
adeec5eb6830f36e7a564bba445bde6c23d20ad6bdf42470c9293ff74f9e3471

SHA512
0cdd33483c3d8aff91706ae28ce297000fb094217e8533ec4cd06da50ffd96c59f3e74ac6cc36e63a93cf90d36c311695a8a5394d55f9e10e35b8cf7fd2bb9f3

Download Submit
\Windows\SysWOW64\Oancnfoe.exe

Filesize
96KB

MD5
43fea715fbbec800312df28b71fa8322

SHA1
709b310f43362828d46669f8151a06d1e5f28791

SHA256
9360cb7ae381ba67a7a76619625c34ca40a6f19a574485def40c2d5b200ec7a9

SHA512
c65ac4c7c6514a0ef2bf11049c4ca4fffd4b96ce5f82942bf9bff1c970ae033303f6039a122a659c119f13b86db76cb21320b5e9bb1aa5f5c74c86b5477aaba3

Download Submit
\Windows\SysWOW64\Ocalkn32.exe

Filesize
96KB

MD5
163d224ecd404501b06147bee3e8ef9c

SHA1
cbd210200ad58de99b1497939fbe445ce7d0ef7d

SHA256
2a2e5f0fdb4a6589cca639b1ae6decd45da8e9e568d396e039d014fabf74a8ed

SHA512
69329c7b57902ae4278c10267a83f47809bdb3e3a48f4a800d7a2cc623d2d803659ce17e8a04b27eb150c37fcb354135f33c2224eb534c66f8cdd23c1497d8bb

Download Submit
\Windows\SysWOW64\Odjbdb32.exe

Filesize
96KB

MD5
ad9485a2ed4e331322844d4dfc26cf01

SHA1
79e24eed64ff9c7ea0f0b5404b6e66dae6bc3a87

SHA256
78d5ffb30d89a749fee3cc09d7a28d2ac2f5b81f31b03afb46b3af630a83c1f6

SHA512
ccfbd9f55962bec97fa5c231af08e953786917d8cd7d2668c72c335f3645f89bf9f83baa595620c1f613c8ee04990ab3eb37f855f3254d06e74a7b2e347d0de2

Download Submit
\Windows\SysWOW64\Ohhkjp32.exe

Filesize
96KB

MD5
b1dccd7a8e1f03738624d1f7e4a0d9ce

SHA1
b8e8dc71e3229415ac131cd19f45f678dac98151

SHA256
2d0dcd9ee189567c04353c03acf3b4fb5c9c78ffadc433d1a733bc7380a9ceca

SHA512
8891bfd8876e13dfad7a9a2ceb51e834275f5c396c4ac46f5838a5c219c288c0da4e91b9f3207b7cd849c6f6c02f6459b009702427969034485e03099331363b

Download Submit
\Windows\SysWOW64\Onecbg32.exe

Filesize
96KB

MD5
939ec6e36d34a40f123b3759320ad080

SHA1
87d211f8e1c3af1800cfade9f511e7276bca0c27

SHA256
a3ec40a2fc6bbcc7947ecaf1b630aec8e48502ba6325317eab2107b8583330cc

SHA512
07e49e41506d9bac2a48a67378c1c33cef03b903feb136da4469364d154702147277506facac71f1dce0655a03df46cd7230b909aa13683e1168b2b30a36abe4

Download Submit
\Windows\SysWOW64\Oqcpob32.exe

Filesize
96KB

MD5
07f3a6ed81e8a9815cb70cad0141e55c

SHA1
ef7924757f0b242e6c1e6bb1e7f18456c6c6eec3

SHA256
c1ff05b88f48573639376a1ef49894704b916dd421a9b68e738b0fbbcfb9cde1

SHA512
ff10283d46747b5cbd9d7b38c85c4d18253921be20f29810504c892a1a9861dce0b5dd36b5d6964c9c0ba87d8195d44c1e1b28fc26d786cd0397d8faad620221

Download Submit
\Windows\SysWOW64\Pbkbgjcc.exe

Filesize
96KB

MD5
a48098c40cb7e64eeccdfa4e3697a7e8

SHA1
42d7639a03e501adfb30e6251d0b0f30c702a524

SHA256
6db06ab83b319f53978e6e1cdc75adcb43534a5ea32fcde0049c9a3b56f3fc4b

SHA512
be8656d3107ca41ccd20adb6aed05e0d7302a0b6515a1c96f7d14de3d5ce46d4b29da8b170101a160c25769629378c499897c41fc52a0f10b78825f910c75bee

Download Submit
\Windows\SysWOW64\Pbnoliap.exe

Filesize
96KB

MD5
5a2e8e09dbefd9d8c3d7951fa59ed253

SHA1
51e9d4c8cf174120d245bb7115d4898f7d562bc6

SHA256
2b138beaeb74c5b7d50c2b0f845eb35fae181878818c7d4b5f546dc57d375656

SHA512
84920a7501ac73d75918ca7b189108f2fc7d5b3081c30dfb930c56ef4ca7f83ad240af2dac32da26dd381c4c47ec5d23678821a6b027ab90b59c80084f3d0d3e

Download Submit
\Windows\SysWOW64\Pcfefmnk.exe

Filesize
96KB

MD5
5916717811ebbc9a995359a247662ee6

SHA1
27051f01a4330918af609e4d9e1d089737348034

SHA256
09804ccaf7ee9cf334b881905527e0ab27d23718f57893b5edc290a4f2106250

SHA512
20515906f89d71e3c477d4e4d7100d255a861946691e3bd4320c0438480e904984ec5c187b0cd0d2104b40eeb8468fe9fd6458e9762f4d5b97eb561b96a40fb3

Download Submit
\Windows\SysWOW64\Pmagdbci.exe

Filesize
96KB

MD5
3c98637b0d65f26104ac3fe38e43d539

SHA1
e2025448b85379cc5a46406f9c43d4a6333d4885

SHA256
913f24d18ac257fd642fc3e1b4137dddcf566515be61b5615a0ec6d82ef7f04b

SHA512
38f05faa883db6ab77e2c70e9d011b8428319814f4477898f7f0e46a75da24c3285198de4eb3761a7098a3ebe59c0c173c5beb616768b5b29d851e4ff1ea8203

Download Submit
\Windows\SysWOW64\Pmlmic32.exe

Filesize
96KB

MD5
0f6b007d4dffcf99500eeaba4c643cdb

SHA1
4db3a619e8c5ec6fb28351b1c6272a4179dcc6a7

SHA256
5f5f2497e9855c30fd168719369ee5d2aaba16beaf2adf79ab373f84e07a016e

SHA512
3fe156055002b80849d376f5c4645452cdb54d312edbcaf7b74b256f9d9daab0831e6ce41bac7186b49afdd1ded1d28ca25bd116b7bfc0f034a7e9907b1edd3e

Download Submit
\Windows\SysWOW64\Pqjfoa32.exe

Filesize
96KB

MD5
a1fd71ff9a985e36b6221516dd54fd94

SHA1
2bbd746e81bf41034f55f79b7f126618403b592d

SHA256
ed70bdcaf0f94114727fb5850ebf1f8deb4bafa29c1894b182b1ee16c4f0959a

SHA512
1c7ef1a183018058bdb7aeb8493b452ce6602fbbf65fe2402da2c378a0164e09482829d19417f7a2a3c7cdac55b32d73bd0aea91e2526098c11f7e3a791f9e93

Download Submit
memory/536-368-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/536-374-0x00000000005D0000-0x000000000060F000-memory.dmp

Filesize
252KB

Download
memory/592-389-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/592-387-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/692-175-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/692-222-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/692-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/692-237-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/692-178-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/704-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/704-209-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/704-262-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/1012-310-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1012-343-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1012-303-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1084-129-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1084-70-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1084-83-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1084-145-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1332-194-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1332-146-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1332-155-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/1536-284-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1536-286-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1536-225-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1700-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1700-238-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1700-189-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1864-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1864-94-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1864-99-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/1864-85-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1920-264-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1920-274-0x0000000000270000-0x00000000002AF000-memory.dmp

Filesize
252KB

Download
memory/1920-309-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2024-323-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/2024-275-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2024-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2024-285-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/2064-311-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2064-258-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2064-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2092-357-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2092-396-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2092-366-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2220-330-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2220-367-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-335-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2220-324-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2268-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2268-287-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2268-294-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2268-299-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2364-252-0x00000000002E0000-0x000000000031F000-memory.dmp

Filesize
252KB

Download
memory/2364-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2364-247-0x00000000002E0000-0x000000000031F000-memory.dmp

Filesize
252KB

Download
memory/2364-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2404-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2420-170-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2420-102-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2420-115-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2420-162-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2456-67-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2456-101-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2456-54-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2628-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2628-356-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2632-45-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2632-93-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2632-53-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/2640-34-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2640-82-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2732-21-0x0000000000300000-0x000000000033F000-memory.dmp

Filesize
252KB

Download
memory/2732-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2732-68-0x0000000000300000-0x000000000033F000-memory.dmp

Filesize
252KB

Download
memory/2908-342-0x00000000006B0000-0x00000000006EF000-memory.dmp

Filesize
252KB

Download
memory/2908-336-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2908-378-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2924-139-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2924-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2932-124-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2932-130-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2932-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2932-186-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2932-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2968-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2968-17-0x0000000000330000-0x000000000036F000-memory.dmp

Filesize
252KB

Download
memory/2968-66-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2972-216-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2972-263-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2972-270-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2972-224-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2972-208-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-355-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-312-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-319-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads